aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
Diffstat (limited to 'net')
-rw-r--r--net/can/af_can.c10
-rw-r--r--net/can/bcm.c23
-rw-r--r--net/can/raw.c3
-rw-r--r--net/ipv6/addrconf.c4
-rw-r--r--net/irda/irnetlink.c4
-rw-r--r--net/mac80211/main.c4
-rw-r--r--net/mac80211/mlme.c13
-rw-r--r--net/sctp/sm_statefuns.c9
-rw-r--r--net/sctp/ulpevent.c5
9 files changed, 55 insertions, 20 deletions
diff --git a/net/can/af_can.c b/net/can/af_can.c
index 7e8ca2836452..484bbf6dd032 100644
--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -205,12 +205,19 @@ static int can_create(struct net *net, struct socket *sock, int protocol)
205 * -ENOBUFS on full driver queue (see net_xmit_errno()) 205 * -ENOBUFS on full driver queue (see net_xmit_errno())
206 * -ENOMEM when local loopback failed at calling skb_clone() 206 * -ENOMEM when local loopback failed at calling skb_clone()
207 * -EPERM when trying to send on a non-CAN interface 207 * -EPERM when trying to send on a non-CAN interface
208 * -EINVAL when the skb->data does not contain a valid CAN frame
208 */ 209 */
209int can_send(struct sk_buff *skb, int loop) 210int can_send(struct sk_buff *skb, int loop)
210{ 211{
211 struct sk_buff *newskb = NULL; 212 struct sk_buff *newskb = NULL;
213 struct can_frame *cf = (struct can_frame *)skb->data;
212 int err; 214 int err;
213 215
216 if (skb->len != sizeof(struct can_frame) || cf->can_dlc > 8) {
217 kfree_skb(skb);
218 return -EINVAL;
219 }
220
214 if (skb->dev->type != ARPHRD_CAN) { 221 if (skb->dev->type != ARPHRD_CAN) {
215 kfree_skb(skb); 222 kfree_skb(skb);
216 return -EPERM; 223 return -EPERM;
@@ -605,6 +612,7 @@ static int can_rcv(struct sk_buff *skb, struct net_device *dev,
605 struct packet_type *pt, struct net_device *orig_dev) 612 struct packet_type *pt, struct net_device *orig_dev)
606{ 613{
607 struct dev_rcv_lists *d; 614 struct dev_rcv_lists *d;
615 struct can_frame *cf = (struct can_frame *)skb->data;
608 int matches; 616 int matches;
609 617
610 if (dev->type != ARPHRD_CAN || dev_net(dev) != &init_net) { 618 if (dev->type != ARPHRD_CAN || dev_net(dev) != &init_net) {
@@ -612,6 +620,8 @@ static int can_rcv(struct sk_buff *skb, struct net_device *dev,
612 return 0; 620 return 0;
613 } 621 }
614 622
623 BUG_ON(skb->len != sizeof(struct can_frame) || cf->can_dlc > 8);
624
615 /* update statistics */ 625 /* update statistics */
616 can_stats.rx_frames++; 626 can_stats.rx_frames++;
617 can_stats.rx_frames_delta++; 627 can_stats.rx_frames_delta++;
diff --git a/net/can/bcm.c b/net/can/bcm.c
index d9a3a9d13bed..72c2ce904f83 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -298,7 +298,7 @@ static void bcm_send_to_user(struct bcm_op *op, struct bcm_msg_head *head,
298 298
299 if (head->nframes) { 299 if (head->nframes) {
300 /* can_frames starting here */ 300 /* can_frames starting here */
301 firstframe = (struct can_frame *) skb_tail_pointer(skb); 301 firstframe = (struct can_frame *)skb_tail_pointer(skb);
302 302
303 memcpy(skb_put(skb, datalen), frames, datalen); 303 memcpy(skb_put(skb, datalen), frames, datalen);
304 304
@@ -826,6 +826,10 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
826 for (i = 0; i < msg_head->nframes; i++) { 826 for (i = 0; i < msg_head->nframes; i++) {
827 err = memcpy_fromiovec((u8 *)&op->frames[i], 827 err = memcpy_fromiovec((u8 *)&op->frames[i],
828 msg->msg_iov, CFSIZ); 828 msg->msg_iov, CFSIZ);
829
830 if (op->frames[i].can_dlc > 8)
831 err = -EINVAL;
832
829 if (err < 0) 833 if (err < 0)
830 return err; 834 return err;
831 835
@@ -858,6 +862,10 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
858 for (i = 0; i < msg_head->nframes; i++) { 862 for (i = 0; i < msg_head->nframes; i++) {
859 err = memcpy_fromiovec((u8 *)&op->frames[i], 863 err = memcpy_fromiovec((u8 *)&op->frames[i],
860 msg->msg_iov, CFSIZ); 864 msg->msg_iov, CFSIZ);
865
866 if (op->frames[i].can_dlc > 8)
867 err = -EINVAL;
868
861 if (err < 0) { 869 if (err < 0) {
862 if (op->frames != &op->sframe) 870 if (op->frames != &op->sframe)
863 kfree(op->frames); 871 kfree(op->frames);
@@ -1164,9 +1172,12 @@ static int bcm_tx_send(struct msghdr *msg, int ifindex, struct sock *sk)
1164 1172
1165 skb->dev = dev; 1173 skb->dev = dev;
1166 skb->sk = sk; 1174 skb->sk = sk;
1167 can_send(skb, 1); /* send with loopback */ 1175 err = can_send(skb, 1); /* send with loopback */
1168 dev_put(dev); 1176 dev_put(dev);
1169 1177
1178 if (err)
1179 return err;
1180
1170 return CFSIZ + MHSIZ; 1181 return CFSIZ + MHSIZ;
1171} 1182}
1172 1183
@@ -1185,6 +1196,10 @@ static int bcm_sendmsg(struct kiocb *iocb, struct socket *sock,
1185 if (!bo->bound) 1196 if (!bo->bound)
1186 return -ENOTCONN; 1197 return -ENOTCONN;
1187 1198
1199 /* check for valid message length from userspace */
1200 if (size < MHSIZ || (size - MHSIZ) % CFSIZ)
1201 return -EINVAL;
1202
1188 /* check for alternative ifindex for this bcm_op */ 1203 /* check for alternative ifindex for this bcm_op */
1189 1204
1190 if (!ifindex && msg->msg_name) { 1205 if (!ifindex && msg->msg_name) {
@@ -1259,8 +1274,8 @@ static int bcm_sendmsg(struct kiocb *iocb, struct socket *sock,
1259 break; 1274 break;
1260 1275
1261 case TX_SEND: 1276 case TX_SEND:
1262 /* we need at least one can_frame */ 1277 /* we need exactly one can_frame behind the msg head */
1263 if (msg_head.nframes < 1) 1278 if ((msg_head.nframes != 1) || (size != CFSIZ + MHSIZ))
1264 ret = -EINVAL; 1279 ret = -EINVAL;
1265 else 1280 else
1266 ret = bcm_tx_send(msg, ifindex, sk); 1281 ret = bcm_tx_send(msg, ifindex, sk);
diff --git a/net/can/raw.c b/net/can/raw.c
index 69877b8e7e9c..3e46ee36a1aa 100644
--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -632,6 +632,9 @@ static int raw_sendmsg(struct kiocb *iocb, struct socket *sock,
632 } else 632 } else
633 ifindex = ro->ifindex; 633 ifindex = ro->ifindex;
634 634
635 if (size != sizeof(struct can_frame))
636 return -EINVAL;
637
635 dev = dev_get_by_index(&init_net, ifindex); 638 dev = dev_get_by_index(&init_net, ifindex);
636 if (!dev) 639 if (!dev)
637 return -ENXIO; 640 return -ENXIO;
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 2ec73e62202c..8572cb05fc21 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -774,12 +774,12 @@ static void ipv6_del_addr(struct inet6_ifaddr *ifp)
774 } 774 }
775 write_unlock_bh(&idev->lock); 775 write_unlock_bh(&idev->lock);
776 776
777 addrconf_del_timer(ifp);
778
777 ipv6_ifa_notify(RTM_DELADDR, ifp); 779 ipv6_ifa_notify(RTM_DELADDR, ifp);
778 780
779 atomic_notifier_call_chain(&inet6addr_chain, NETDEV_DOWN, ifp); 781 atomic_notifier_call_chain(&inet6addr_chain, NETDEV_DOWN, ifp);
780 782
781 addrconf_del_timer(ifp);
782
783 /* 783 /*
784 * Purge or update corresponding prefix 784 * Purge or update corresponding prefix
785 * 785 *
diff --git a/net/irda/irnetlink.c b/net/irda/irnetlink.c
index 9e1fb82e3220..2f05ec1037ab 100644
--- a/net/irda/irnetlink.c
+++ b/net/irda/irnetlink.c
@@ -101,8 +101,8 @@ static int irda_nl_get_mode(struct sk_buff *skb, struct genl_info *info)
101 101
102 hdr = genlmsg_put(msg, info->snd_pid, info->snd_seq, 102 hdr = genlmsg_put(msg, info->snd_pid, info->snd_seq,
103 &irda_nl_family, 0, IRDA_NL_CMD_GET_MODE); 103 &irda_nl_family, 0, IRDA_NL_CMD_GET_MODE);
104 if (IS_ERR(hdr)) { 104 if (hdr == NULL) {
105 ret = PTR_ERR(hdr); 105 ret = -EMSGSIZE;
106 goto err_out; 106 goto err_out;
107 } 107 }
108 108
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index cc756e93e6c8..cf477ad39dac 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -535,8 +535,6 @@ static int ieee80211_stop(struct net_device *dev)
535 local->sta_hw_scanning = 0; 535 local->sta_hw_scanning = 0;
536 } 536 }
537 537
538 flush_workqueue(local->hw.workqueue);
539
540 sdata->u.sta.flags &= ~IEEE80211_STA_PRIVACY_INVOKED; 538 sdata->u.sta.flags &= ~IEEE80211_STA_PRIVACY_INVOKED;
541 kfree(sdata->u.sta.extra_ie); 539 kfree(sdata->u.sta.extra_ie);
542 sdata->u.sta.extra_ie = NULL; 540 sdata->u.sta.extra_ie = NULL;
@@ -560,6 +558,8 @@ static int ieee80211_stop(struct net_device *dev)
560 558
561 ieee80211_led_radio(local, 0); 559 ieee80211_led_radio(local, 0);
562 560
561 flush_workqueue(local->hw.workqueue);
562
563 tasklet_disable(&local->tx_pending_tasklet); 563 tasklet_disable(&local->tx_pending_tasklet);
564 tasklet_disable(&local->tasklet); 564 tasklet_disable(&local->tasklet);
565 } 565 }
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 37ea04f5bab9..dbc8cf454bc0 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -564,15 +564,14 @@ static void ieee80211_set_associated(struct net_device *dev,
564 sdata->bss_conf.ht_bss_conf = &conf->ht_bss_conf; 564 sdata->bss_conf.ht_bss_conf = &conf->ht_bss_conf;
565 } 565 }
566 566
567 netif_carrier_on(dev);
568 ifsta->flags |= IEEE80211_STA_PREV_BSSID_SET; 567 ifsta->flags |= IEEE80211_STA_PREV_BSSID_SET;
569 memcpy(ifsta->prev_bssid, sdata->u.sta.bssid, ETH_ALEN); 568 memcpy(ifsta->prev_bssid, sdata->u.sta.bssid, ETH_ALEN);
570 memcpy(wrqu.ap_addr.sa_data, sdata->u.sta.bssid, ETH_ALEN); 569 memcpy(wrqu.ap_addr.sa_data, sdata->u.sta.bssid, ETH_ALEN);
571 ieee80211_sta_send_associnfo(dev, ifsta); 570 ieee80211_sta_send_associnfo(dev, ifsta);
572 } else { 571 } else {
572 netif_carrier_off(dev);
573 ieee80211_sta_tear_down_BA_sessions(dev, ifsta->bssid); 573 ieee80211_sta_tear_down_BA_sessions(dev, ifsta->bssid);
574 ifsta->flags &= ~IEEE80211_STA_ASSOCIATED; 574 ifsta->flags &= ~IEEE80211_STA_ASSOCIATED;
575 netif_carrier_off(dev);
576 changed |= ieee80211_reset_erp_info(dev); 575 changed |= ieee80211_reset_erp_info(dev);
577 576
578 sdata->bss_conf.assoc_ht = 0; 577 sdata->bss_conf.assoc_ht = 0;
@@ -586,6 +585,10 @@ static void ieee80211_set_associated(struct net_device *dev,
586 585
587 sdata->bss_conf.assoc = assoc; 586 sdata->bss_conf.assoc = assoc;
588 ieee80211_bss_info_change_notify(sdata, changed); 587 ieee80211_bss_info_change_notify(sdata, changed);
588
589 if (assoc)
590 netif_carrier_on(dev);
591
589 wrqu.ap_addr.sa_family = ARPHRD_ETHER; 592 wrqu.ap_addr.sa_family = ARPHRD_ETHER;
590 wireless_send_event(dev, SIOCGIWAP, &wrqu, NULL); 593 wireless_send_event(dev, SIOCGIWAP, &wrqu, NULL);
591} 594}
@@ -3694,8 +3697,10 @@ static int ieee80211_sta_find_ibss(struct net_device *dev,
3694 spin_unlock_bh(&local->sta_bss_lock); 3697 spin_unlock_bh(&local->sta_bss_lock);
3695 3698
3696#ifdef CONFIG_MAC80211_IBSS_DEBUG 3699#ifdef CONFIG_MAC80211_IBSS_DEBUG
3697 printk(KERN_DEBUG " sta_find_ibss: selected %s current " 3700 if (found)
3698 "%s\n", print_mac(mac, bssid), print_mac(mac2, ifsta->bssid)); 3701 printk(KERN_DEBUG " sta_find_ibss: selected %s current "
3702 "%s\n", print_mac(mac, bssid),
3703 print_mac(mac2, ifsta->bssid));
3699#endif /* CONFIG_MAC80211_IBSS_DEBUG */ 3704#endif /* CONFIG_MAC80211_IBSS_DEBUG */
3700 if (found && memcmp(ifsta->bssid, bssid, ETH_ALEN) != 0 && 3705 if (found && memcmp(ifsta->bssid, bssid, ETH_ALEN) != 0 &&
3701 (bss = ieee80211_rx_bss_get(dev, bssid, 3706 (bss = ieee80211_rx_bss_get(dev, bssid,
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index b66a41d03c0d..8848d329aa2c 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -5893,12 +5893,6 @@ static int sctp_eat_data(const struct sctp_association *asoc,
5893 return SCTP_IERROR_NO_DATA; 5893 return SCTP_IERROR_NO_DATA;
5894 } 5894 }
5895 5895
5896 /* If definately accepting the DATA chunk, record its TSN, otherwise
5897 * wait for renege processing.
5898 */
5899 if (SCTP_CMD_CHUNK_ULP == deliver)
5900 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn));
5901
5902 chunk->data_accepted = 1; 5896 chunk->data_accepted = 1;
5903 5897
5904 /* Note: Some chunks may get overcounted (if we drop) or overcounted 5898 /* Note: Some chunks may get overcounted (if we drop) or overcounted
@@ -5918,6 +5912,9 @@ static int sctp_eat_data(const struct sctp_association *asoc,
5918 * and discard the DATA chunk. 5912 * and discard the DATA chunk.
5919 */ 5913 */
5920 if (ntohs(data_hdr->stream) >= asoc->c.sinit_max_instreams) { 5914 if (ntohs(data_hdr->stream) >= asoc->c.sinit_max_instreams) {
5915 /* Mark tsn as received even though we drop it */
5916 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn));
5917
5921 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM, 5918 err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM,
5922 &data_hdr->stream, 5919 &data_hdr->stream,
5923 sizeof(data_hdr->stream)); 5920 sizeof(data_hdr->stream));
diff --git a/net/sctp/ulpevent.c b/net/sctp/ulpevent.c
index ce6cda6b6994..a1f654aea268 100644
--- a/net/sctp/ulpevent.c
+++ b/net/sctp/ulpevent.c
@@ -710,6 +710,11 @@ struct sctp_ulpevent *sctp_ulpevent_make_rcvmsg(struct sctp_association *asoc,
710 if (!skb) 710 if (!skb)
711 goto fail; 711 goto fail;
712 712
713 /* Now that all memory allocations for this chunk succeeded, we
714 * can mark it as received so the tsn_map is updated correctly.
715 */
716 sctp_tsnmap_mark(&asoc->peer.tsn_map, ntohl(chunk->subh.data_hdr->tsn));
717
713 /* First calculate the padding, so we don't inadvertently 718 /* First calculate the padding, so we don't inadvertently
714 * pass up the wrong length to the user. 719 * pass up the wrong length to the user.
715 * 720 *