aboutsummaryrefslogtreecommitdiffstats
path: root/net
Commit message (Collapse)AuthorAge
* [NET_SCHED]: act_ipt: fix regression in ipt actionPatrick McHardy2007-02-02
| | | | | | | | | | | | | | The x_tables patch broke target module autoloading in the ipt action by replacing the ipt_find_target call (which does autoloading) by xt_find_target (which doesn't do autoloading). Additionally xt_find_target may return ERR_PTR values in case of an error, which are not handled. Use xt_request_find_target, which does both autoloading and ERR_PTR handling properly. Also don't forget to drop the target module reference again when xt_check_target fails. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETFILTER]: xt_hashlimit: fix ip6tables dependencyPatrick McHardy2007-01-31
| | | | | | | | | | IP6_NF_IPTABLES=m, CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y results in a linker error since ipv6_find_hdr is defined in ip6_tables.c. Fix similar to Adrian Bunk's H.323 conntrack patch: selecting ip6_tables to be build as module requires hashlimit to be built as module as well. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [SCTP]: Force update of the rto when processing HB-ACKVlad Yasevich2007-01-30
| | | | | | | | | | | | | When processing a HEARTBEAT-ACK it's possible that the transport rto timers will not be updated because a prior T3-RTX processing would have cleared the rto_pending flag on the transport. However, if we received a valid HEARTBEAT-ACK, we want to force update the rto variables, so re-set the rto_pending flag before calling sctp_transport_update_rto(). Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPV6]: fix BUG of ndisc_send_redirect()Li Yewang2007-01-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When I tested IPv6 redirect function about kernel 2.6.19.1, and found that the kernel can send redirect packets whose target address is global address, and the target is not the actual endpoint of communication. But the criteria conform to RFC2461, the target address defines as following: Target Address An IP address that is a better first hop to use for he ICMP Destination Address. When the target is the actual endpoint of communication, i.e., the destination is a neighbor, the Target Address field MUST contain the same value as the ICMP Destination Address field. Otherwise the target is a better first-hop router and the Target Address MUST be the router's link-local address so that hosts can uniquely identify routers. According to this definition, when a router redirect to a host, the target address either the better first-hop router's link-local address or the same as the ICMP destination address field. But the function of ndisc_send_redirect() in net/ipv6/ndisc.c, does not check the target address correctly. There is another definition about receive Redirect message in RFC2461: 8.1. Validation of Redirect Messages A host MUST silently discard any received Redirect message that does not satisfy all of the following validity checks: ...... - The ICMP Target Address is either a link-local address (when redirected to a router) or the same as the ICMP Destination Address (when redirected to the on-link destination). ...... And the receive redirect function of ndisc_redirect_rcv() implemented this definition, checks the target address correctly. if (ipv6_addr_equal(dest, target)) { on_link = 1; } else if (!(ipv6_addr_type(target) & IPV6_ADDR_LINKLOCAL)) { ND_PRINTK2(KERN_WARNING "ICMPv6 Redirect: target address is not link-local.\n"); return; } So, I think the send redirect function must check the target address also. Signed-off-by: Li Yewang <lyw@nanjing-fnst.com> Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPV6]: Fix up some CONFIG typosNeil Horman2007-01-30
| | | | | Signed-off-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETFILTER]: SIP conntrack: fix out of bounds memory accessPatrick McHardy2007-01-30
| | | | | | | | When checking for an @-sign in skp_epaddr_len, make sure not to run over the packet boundaries. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETFILTER]: SIP conntrack: fix skipping over user info in SIP headersLars Immisch2007-01-30
| | | | | | | | | | | | | When trying to skip over the username in the Contact header, stop at the end of the line if no @ is found to avoid mangling following headers. We don't need to worry about continuation lines because we search inside a SIP URI. Fixes Netfilter Bugzilla #532. Signed-off-by: Lars Immisch <lars@ibp.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETFILTER]: xt_connbytes: fix division by zeroPatrick McHardy2007-01-30
| | | | | | | | | | | | | | | | When the packet counter of a connection is zero a division by zero occurs in div64_64(). Fix that by using zero as average value, which is correct as long as the packet counter didn't overflow, at which point we have lost anyway. Additionally we're probably going to go back to 64 bit counters in 2.6.21. Based on patch from Jonas Berlin <xkr47@outerspace.dyndns.org>, with suggestions from KOVACS Krisztian <hidden@balabit.hu>. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [PATCH] knfsd: ratelimit some nfsd messages that are triggered by external ↵NeilBrown2007-01-30
| | | | | | | | | | | | | | events Also remove {NFSD,RPC}_PARANOIA as having the defines doesn't really add anything. The printks covered by RPC_PARANOIA were triggered by badly formatted packets and so should be ratelimited. Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* [IPV4]: Fix single-entry /proc/net/fib_trie output.Robert Olsson2007-01-26
| | | | | | | | | When main table is just a single leaf this gets printed as belonging to the local table in /proc/net/fib_trie. A fix is below. Signed-off-by: Robert Olsson <robert.olsson@its.uu.se> Acked-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6Linus Torvalds2007-01-26
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | * master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6: [NETFILTER]: nf_conntrack_pptp: fix NAT setup of expected GRE connections [NETFILTER]: nf_nat_pptp: fix expectation removal [NETFILTER]: nf_nat: fix ICMP translation with statically linked conntrack [TCP]: Restore SKB socket owner setting in tcp_transmit_skb(). [AF_PACKET]: Check device down state before hard header callbacks. [DECNET]: Handle a failure in neigh_parms_alloc (take 2) [BNX2]: Fix 2nd port's MAC address. [TCP]: Fix sorting of SACK blocks. [AF_PACKET]: Fix BPF handling. [IPV4]: Fix the fib trie iterator to work with a single entry routing tables
| * [NETFILTER]: nf_conntrack_pptp: fix NAT setup of expected GRE connectionsPatrick McHardy2007-01-26
| | | | | | | | | | | | | | | | | | | | | | When an expected connection arrives, the NAT helper should be called to set up NAT similar to the master connection. The PPTP conntrack helper incorrectly checks whether the _expected_ connection has NAT setup before calling the NAT helper (which is never the case), instead of checkeing whether the _master_ connection is NATed. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NETFILTER]: nf_nat_pptp: fix expectation removalPatrick McHardy2007-01-26
| | | | | | | | | | | | | | | | | | When removing the expectation for the opposite direction, the PPTP NAT helper initializes the tuple for lookup with the addresses of the opposite direction, which makes the lookup fail. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NETFILTER]: nf_nat: fix ICMP translation with statically linked conntrackPatrick McHardy2007-01-26
| | | | | | | | | | | | | | | | | | | | | | | | | | When nf_nat/nf_conntrack_ipv4 are linked statically, nf_nat is initialized before nf_conntrack_ipv4, which makes the nf_ct_l3proto_find_get(AF_INET) call during nf_nat initialization return the generic l3proto instead of the AF_INET specific one. This breaks ICMP error translation since the generic protocol always initializes the IPs in the tuple to 0. Change the linking order and put nf_conntrack_ipv4 first. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [TCP]: Restore SKB socket owner setting in tcp_transmit_skb().David S. Miller2007-01-26
| | | | | | | | | | | | | | | | | | | | | | | | | | Revert 931731123a103cfb3f70ac4b7abfc71d94ba1f03 We can't elide the skb_set_owner_w() here because things like certain netfilter targets (such as owner MATCH) need a socket to be set on the SKB for correct operation. Thanks to Jan Engelhardt and other netfilter list members for pointing this out. Signed-off-by: David S. Miller <davem@davemloft.net>
| * [AF_PACKET]: Check device down state before hard header callbacks.David S. Miller2007-01-25
| | | | | | | | | | | | | | | | | | If the device is down, invoking the device hard header callbacks is not legal, so check it early. Based upon a shaper OOPS report from Frederik Deweerdt. Signed-off-by: David S. Miller <davem@davemloft.net>
| * [DECNET]: Handle a failure in neigh_parms_alloc (take 2)Eric W. Biederman2007-01-25
| | | | | | | | | | | | | | | | | | | | | | While enhancing the neighbour code to handle multiple network namespaces I noticed that decnet is assuming neigh_parms_alloc will allways succeed, which is clearly wrong. So handle the failure. Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> Acked-by: Steven Whitehouse <steve@chygwyn.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [TCP]: Fix sorting of SACK blocks.Baruch Even2007-01-25
| | | | | | | | | | | | | | | | | | | | | | | | | | The sorting of SACK blocks actually munges them rather than sort, causing the TCP stack to ignore some SACK information and breaking the assumption of ordered SACK blocks after sorting. The sort takes the data from a second buffer which isn't moved causing subsequent data moves to occur from the wrong location. The fix is to use a temporary buffer as a normal sort does. Signed-off-By: Baruch Even <baruch@ev-en.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [AF_PACKET]: Fix BPF handling.David S. Miller2007-01-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes a bug introduced by: commit fda9ef5d679b07c9d9097aaf6ef7f069d794a8f9 Author: Dmitry Mishin <dim@openvz.org> Date: Thu Aug 31 15:28:39 2006 -0700 [NET]: Fix sk->sk_filter field access sk_run_filter() returns either 0 or an unsigned 32-bit length which says how much of the packet to retain. If that 32-bit unsigned integer is larger than the packet, this is fine we just leave the packet unchanged. The above commit caused all filter return values which were negative when interpreted as a signed integer to indicate a packet drop, which is wrong. Based upon a report and initial patch by Raivis Bucis. Signed-off-by: David S. Miller <davem@davemloft.net>
| * [IPV4]: Fix the fib trie iterator to work with a single entry routing tablesEric W. Biederman2007-01-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In a kernel with trie routing enabled I had a simple routing setup with only a single route to the outside world and no default route. "ip route table list main" showed my the route just fine but /proc/net/route was an empty file. What was going on? Thinking it was a bug in something I did and I looked deeper. Eventually I setup a second route and everything looked correct, huh? Finally I realized that the it was just the iterator pair in fib_trie_get_first, fib_trie_get_next just could not handle a routing table with a single entry. So to save myself and others further confusion, here is a simple fix for the fib proc iterator so it works even when there is only a single route in a routing table. Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: Robert Olsson <robert.olsson@its.uu.se> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [PATCH] knfsd: fix an NFSD bug with full sized, non-page-aligned readsNeilBrown2007-01-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | NFSd assumes that largest number of pages that will be needed for a request+response is 2+N where N pages is the size of the largest permitted read/write request. The '2' are 1 for the non-data part of the request, and 1 for the non-data part of the reply. However, when a read request is not page-aligned, and we choose to use ->sendfile to send it directly from the page cache, we may need N+1 pages to hold the whole reply. This can overflow and array and cause an Oops. This patch increases size of the array for holding pages by one and makes sure that entry is NULL when it is not in use. Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* | [PATCH] knfsd: fix setting of ACL server versionsNeilBrown2007-01-26
|/ | | | | | | | | | | | Due to silly typos, if the nfs versions are explicitly set, no NFSACL versions get enabled. Also improve an error message that would have made this bug a little easier to find. Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* [PATCH] NFS: Fix Oops in rpc_call_sync()Trond Myklebust2007-01-24
| | | | | | | | Fix the Oops in http://bugzilla.linux-nfs.org/show_bug.cgi?id=138 We shouldn't be calling rpc_release_task() for tasks that are not active. Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* [SCTP]: Fix compiler warning.Brian Haley2007-01-24
| | | | | | | | | | | | | | | | > --- a/net/sctp/sm_statefuns.c > +++ b/net/sctp/sm_statefuns.c > @@ -462,24 +461,6 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep, > - if (!init_tag) { > - struct sctp_chunk *reply = sctp_make_abort(asoc, chunk, 0); > - if (!reply) > - goto nomem; This introduced a compiler warning, easily fixed. Signed-off-by: Brian Haley <brian.haley@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPV6]: Fixed the size of the netlink message notified by inet6_rt_notify().Noriaki TAKAMIYA2007-01-24
| | | | | | | | | I think the return value of rt6_nlmsg_size() should includes the amount of RTA_METRICS. Signed-off-by: Noriaki TAKAMIYA <takamiya@po.ntts.co.jp> Acked-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
* [TCP]: rare bad TCP checksum with 2.6.19Jarek Poplawski2007-01-24
| | | | | | | | | | | | | | The patch "Replace CHECKSUM_HW by CHECKSUM_PARTIAL/CHECKSUM_COMPLETE" changed to unconditional copying of ip_summed field from collapsed skb. This patch reverts this change. The majority of substantial work including heavy testing and diagnosing by: Michael Tokarev <mjt@tls.msk.ru> Possible reasons pointed by: Herbert Xu and Patrick McHardy. Signed-off-by: Jarek Poplawski <jarkao2@o2.pl> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* Merge master.kernel.org:/pub/scm/linux/kernel/git/holtmann/bluetooth-2.6David S. Miller2007-01-24
|\
| * [Bluetooth] Restrict well known PSM to privileged usersMarcel Holtmann2007-01-22
| | | | | | | | | | | | | | | | The PSM values below 0x1001 of L2CAP are reserved for well known services. Restrict the possibility to bind them to privileged users. Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
| * [Bluetooth] Missing endian swapping for L2CAP socket listMarcel Holtmann2007-01-22
| | | | | | | | | | | | | | The PSM value in the L2CAP socket list must be converted to host order before printing it. Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* | [TCP]: skb is unexpectedly freed.Masayuki Nakagawa2007-01-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | I encountered a kernel panic with my test program, which is a very simple IPv6 client-server program. The server side sets IPV6_RECVPKTINFO on a listening socket, and the client side just sends a message to the server. Then the kernel panic occurs on the server. (If you need the test program, please let me know. I can provide it.) This problem happens because a skb is forcibly freed in tcp_rcv_state_process(). When a socket in listening state(TCP_LISTEN) receives a syn packet, then tcp_v6_conn_request() will be called from tcp_rcv_state_process(). If the tcp_v6_conn_request() successfully returns, the skb would be discarded by __kfree_skb(). However, in case of a listening socket which was already set IPV6_RECVPKTINFO, an address of the skb will be stored in treq->pktopts and a ref count of the skb will be incremented in tcp_v6_conn_request(). But, even if the skb is still in use, the skb will be freed. Then someone still using the freed skb will cause the kernel panic. I suggest to use kfree_skb() instead of __kfree_skb(). Signed-off-by: Masayuki Nakagawa <nakagawa.msy@ncos.nec.co.jp> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [IPSEC]: Policy list disorderHerbert Xu2007-01-23
| | | | | | | | | | | | | | | | | | | | | | | | The recent hashing introduced an off-by-one bug in policy list insertion. Instead of adding after the last entry with a lesser or equal priority, we're adding after the successor of that entry. This patch fixes this and also adds a warning if we detect a duplicate entry in the policy list. This should never happen due to this if clause. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [X.25]: Add missing sock_put in x25_receive_dataAndrew Hendry2007-01-23
| | | | | | | | | | | | | | | | __x25_find_socket does a sock_hold. This adds a missing sock_put in x25_receive_data. Signed-off-by: Andrew Hendry <andrew.hendry@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [SCTP]: Fix SACK sequence during shutdownVlad Yasevich2007-01-23
| | | | | | | | | | | | | | | | | | | | | | | | Currently, when association enters SHUTDOWN state,the implementation will SACK any DATA first and then transmit the SHUTDOWN chunk. This is against the order required by 2960bis spec. SHUTDOWN must always be first, followed by SACK. This change forces this order and also enables bundling. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [SCTP]: Correctly handle unexpected INIT-ACK chunk.Vlad Yasevich2007-01-23
| | | | | | | | | | | | | | | | | | Consider the chunk as Out-of-the-Blue if we don't have an endpoint. Otherwise discard it as before. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [SCTP]: Verify some mandatory parameters.Vlad Yasevich2007-01-23
| | | | | | | | | | | | | | | | | | Verify init_tag and a_rwnd mandatory parameters in INIT and INIT-ACK chunks. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [SCTP]: Set correct error cause value for missing parametersVlad Yasevich2007-01-23
| | | | | | | | | | | | | | | | | | sctp_process_missing_param() needs to use the SCTP_ERROR_MISS_PARAM error cause value. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [NETFILTER]: ctnetlink: fix leak in ctnetlink_create_conntrack error pathPatrick McHardy2007-01-23
| | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [IPV6] MCAST: Fix joining all-node multicast group on device initialization.YOSHIFUJI Hideaki2007-01-23
| | | | | | | | | | | | | | | | | | | | Join all-node multicast group after assignment of dev->ip6_ptr because it must be assigned when ipv6_dev_mc_inc() is called. This fixes Bug#7817, reported by <gernoth@informatik.uni-erlangen.de>. Closes: 7817 Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [IPSEC] flow: Fix potential memory leakHerbert Xu2007-01-23
| | | | | | | | | | | | | | | | | | | | | | | | | | When old flow cache entries that are not at the head of their chain trigger a transient security error they get unlinked along with all the entries preceding them in the chain. The preceding entries are not freed correctly. This patch fixes this by simply leaving the entry around. It's based on a suggestion by Venkat Yekkirala. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [PATCH] email change for shemminger@osdl.orgStephen Hemminger2007-01-23
|/ | | | | | | | | Change my email address to reflect OSDL merger. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> [ The irony. Somebody still has his sign-off message hardcoded in a script or his brainstem ;^] Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* [IPV4] devinet: inetdev_init out label moved after RCU assignmentJarek Poplawski2007-01-09
| | | | | | | | | inetdev_init out label moved after RCU assignment (final suggestion by Herbert Xu) Signed-off-by: Jarek Poplawski <jarkao2@o2.pl> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [INET]: style updates for the inet_sock->is_icsk assignment fixPaul Moore2007-01-09
| | | | | | | | | A quick patch to change the inet_sock->is_icsk assignment to better fit with existing kernel coding style. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [SCTP]: Fix err_hdr assignment in sctp_init_cause.Vlad Yasevich2007-01-09
| | | | | | | | The subh->err_hdr should point to the error header, not the data. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETFILTER]: nf_nat: fix hanging connections when loading the NAT modulePatrick McHardy2007-01-09
| | | | | | | | | | | | When loading the NAT module, existing connection tracking entries don't have room for NAT information allocated and packets are dropped, causing hanging connections. They really should be entered into the NAT table as NULL mappings, but the current allocation scheme doesn't allow this. For now simply accept those packets to avoid the hanging connections. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETFILTER]: nf_conntrack_ipv6: fix crash when handling fragmentsPatrick McHardy2007-01-09
| | | | | | | | | | | When IPv6 connection tracking splits up a defragmented packet into its original fragments, the packets are taken from a list and are passed to the network stack with skb->next still set. This causes dev_hard_start_xmit to treat them as GSO fragments, resulting in a use after free when connection tracking handles the next fragment. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [TCP]: Fix iov_len calculation in tcp_v4_send_ack().Craig Schlenter2007-01-09
| | | | | | | | | | | | This fixes the ftp stalls present in the current kernels. All credit goes to Komuro <komurojun-mbn@nifty.com> for tracking this down. The patch is untested but it looks *cough* obviously correct. Signed-off-by: Craig Schlenter <craig@codefountain.com> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETFILTER]: nf_conntrack_netbios_ns: fix uninitialized member in expectationPatrick McHardy2007-01-09
| | | | | | | | | ->helper is uninitialized in the expectation registered by the netbios_ns helper and it later copied to the expected connection, which causes invalid memory dereferences when trying to call the helper. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* NetLabel: correct CIPSO tag handling when adding new DOI definitionsPaul Moore2007-01-09
| | | | | | | | | | | The current netlbl_cipsov4_add_common() function has two problems which are fixed with this patch. The first is an off-by-one bug where it is possibile to overflow the doi_def->tags[] array. The second is a bug where the same doi_def->tags[] array was not always fully initialized, which caused sporadic failures. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* [Bluetooth] Handle device registration failuresMarcel Holtmann2007-01-09
| | | | | | | | In the case the device registration for a new Bluetooth low-level connection fails there is no need to unregister it when the temporary data structure has been removed. Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* [Bluetooth] Fix uninitialized return value for RFCOMM sendmsg()Marcel Holtmann2007-01-09
| | | | | | | | When calling send() with a zero length parameter on a RFCOMM socket it returns a positive value. In this rare case the variable err is used uninitialized and unfortunately its value is returned. Signed-off-by: Marcel Holtmann <marcel@holtmann.org>