Eric Lee / linux-smarc-t335x-v3.2

18 Oct, 2011

3 commits

  • 7f81e25be   x25: Prevent skb overreads when checking call user data ... Browse Code »

    x25_find_listener does not check that the amount of call user data given
    in the skb is big enough in per-socket comparisons, hence buffer
    overreads may occur. Fix this by adding a check.

    Signed-off-by: Matthew Daley
    Cc: Eric Dumazet
    Cc: Andrew Hendry
    Cc: stable
    Acked-by: Andrew Hendry
    Signed-off-by: David S. Miller

    Matthew Daley
     
  • cb101ed2c   x25: Handle undersized/fragmented skbs ... Browse Code »
    1

    There are multiple locations in the X.25 packet layer where a skb is
    assumed to be of at least a certain size and that all its data is
    currently available at skb->data. These assumptions are not checked,
    hence buffer overreads may occur. Use pskb_may_pull to check these
    minimal size assumptions and ensure that data is available at skb->data
    when necessary, as well as use skb_copy_bits where needed.

    Signed-off-by: Matthew Daley
    Cc: Eric Dumazet
    Cc: Andrew Hendry
    Cc: stable
    Acked-by: Andrew Hendry
    Signed-off-by: David S. Miller

    Matthew Daley
     
  • c7fd0d48b   x25: Validate incoming call user data lengths ... Browse Code »

    X.25 call user data is being copied in its entirety from incoming messages
    without consideration to the size of the destination buffers, leading to
    possible buffer overflows. Validate incoming call user data lengths before
    these copies are performed.

    It appears this issue was noticed some time ago, however nothing seemed to
    come of it: see http://www.spinics.net/lists/linux-x25/msg00043.html and
    commit 8db09f26f912f7c90c764806e804b558da520d4f.

    Signed-off-by: Matthew Daley
    Acked-by: Eric Dumazet
    Tested-by: Andrew Hendry
    Cc: stable
    Signed-off-by: David S. Miller

    Matthew Daley
     

02 Jul, 2011

1 commit

31 Mar, 2011

1 commit

05 Mar, 2011

1 commit

  • 77b228360   x25: remove the BKL ... Browse Code »

    This replaces all instances of lock_kernel in x25
    with lock_sock, taking care to release the socket
    lock around sleeping functions (sock_alloc_send_skb
    and skb_recv_datagram). It is not clear whether
    this is a correct solution, but it seem to be what
    other protocols do in the same situation.

    Includes a fix suggested by Eric Dumazet.

    Signed-off-by: Arnd Bergmann
    Acked-by: David S. Miller
    Tested-by: Andrew Hendry
    Cc: linux-x25@vger.kernel.org
    Cc: netdev@vger.kernel.org
    Cc: Eric Dumazet

    Arnd Bergmann
     

10 Feb, 2011

1 commit

08 Feb, 2011

1 commit

  • 95c304300   x25: possible skb leak on bad facilities ... Browse Code »

    Originally x25_parse_facilities returned
    -1 for an error
    0 meaning 0 length facilities
    >0 the length of the facilities parsed.

    5ef41308f94dc ("x25: Prevent crashing when parsing bad X.25 facilities") introduced more
    error checking in x25_parse_facilities however used 0 to indicate bad parsing
    a6331d6f9a429 ("memory corruption in X.25 facilities parsing") followed this further for
    DTE facilities, again using 0 for bad parsing.

    The meaning of 0 got confused in the callers.
    If the facilities are messed up we can't determine where the data starts.
    So patch makes all parsing errors return -1 and ensures callers close and don't use the skb further.

    Reported-by: Andy Whitcroft
    Signed-off-by: Andrew Hendry
    Signed-off-by: David S. Miller

    andrew hendry
     

09 Dec, 2010

2 commits

29 Nov, 2010

5 commits

20 Nov, 2010

4 commits

13 Nov, 2010

1 commit

  • 5ef41308f   x25: Prevent crashing when parsing bad X.25 facilities ... Browse Code »

    Now with improved comma support.

    On parsing malformed X.25 facilities, decrementing the remaining length
    may cause it to underflow. Since the length is an unsigned integer,
    this will result in the loop continuing until the kernel crashes.

    This patch adds checks to ensure decrementing the remaining length does
    not cause it to wrap around.

    Signed-off-by: Dan Rosenberg
    Signed-off-by: David S. Miller

    Dan Rosenberg
     

04 Nov, 2010

1 commit

24 Oct, 2010

1 commit

  • 5f05647dd   Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 ... Browse Code »

    * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6: (1699 commits)
    bnx2/bnx2x: Unsupported Ethtool operations should return -EINVAL.
    vlan: Calling vlan_hwaccel_do_receive() is always valid.
    tproxy: use the interface primary IP address as a default value for --on-ip
    tproxy: added IPv6 support to the socket match
    cxgb3: function namespace cleanup
    tproxy: added IPv6 support to the TPROXY target
    tproxy: added IPv6 socket lookup function to nf_tproxy_core
    be2net: Changes to use only priority codes allowed by f/w
    tproxy: allow non-local binds of IPv6 sockets if IP_TRANSPARENT is enabled
    tproxy: added tproxy sockopt interface in the IPV6 layer
    tproxy: added udp6_lib_lookup function
    tproxy: added const specifiers to udp lookup functions
    tproxy: split off ipv6 defragmentation to a separate module
    l2tp: small cleanup
    nf_nat: restrict ICMP translation for embedded header
    can: mcp251x: fix generation of error frames
    can: mcp251x: fix endless loop in interrupt handler if CANINTF_MERRF is set
    can-raw: add msg_flags to distinguish local traffic
    9p: client code cleanup
    rds: make local functions/variables static
    ...

    Fix up conflicts in net/core/dev.c, drivers/net/pcmcia/smc91c92_cs.c and
    drivers/net/wireless/ath/ath9k/debug.c as per David

    Linus Torvalds
     

21 Oct, 2010

1 commit

  • 6de5bd128   BKL: introduce CONFIG_BKL. ... Browse Code »

    With all the patches we have queued in the BKL removal tree, only a
    few dozen modules are left that actually rely on the BKL, and even
    there are lots of low-hanging fruit. We need to decide what to do
    about them, this patch illustrates one of the options:

    Every user of the BKL is marked as 'depends on BKL' in Kconfig,
    and the CONFIG_BKL becomes a user-visible option. If it gets
    disabled, no BKL using module can be built any more and the BKL
    code itself is compiled out.

    The one exception is file locking, which is practically always
    enabled and does a 'select BKL' instead. This effectively forces
    CONFIG_BKL to be enabled until we have solved the fs/lockd
    mess and can apply the patch that removes the BKL from fs/locks.c.

    Signed-off-by: Arnd Bergmann

    Arnd Bergmann
     

23 Sep, 2010

2 commits

15 Sep, 2010

4 commits

18 May, 2010

4 commits

28 Apr, 2010

1 commit

23 Apr, 2010

1 commit

  • 5ebfbc06a   X25: Add if_x25.h and x25 to device identifiers ... Browse Code »

    V2 Feedback from John Hughes.
    - Add header for userspace implementations such as xot/xoe to use
    - Use explicit values for interface stability
    - No changes to driver patches

    V1
    - Use identifiers instead of magic numbers for X25 layer 3 to device interface.
    - Also fixed checkpatch notes on updated code.

    [ Add new user header to include/linux/Kbuild -DaveM ]

    Signed-off-by: Andrew Hendry
    Signed-off-by: David S. Miller

    Andrew Hendry
     

22 Apr, 2010

1 commit

  • 2cec6b014   X25 fix dead unaccepted sockets ... Browse Code »

    1, An X25 program binds and listens
    2, calls arrive waiting to be accepted
    3, Program exits without accepting
    4, Sockets time out but don't get correctly cleaned up
    5, cat /proc/net/x25/socket shows the dead sockets with bad inode fields.

    This line borrowed from AX25 sets the dying socket so the timers clean up later.

    Signed-off-by: Andrew Hendry
    Signed-off-by: David S. Miller

    andrew hendry
     

21 Apr, 2010

1 commit

  • aa3951451   net: sk_sleep() helper ... Browse Code »

    Define a new function to return the waitqueue of a "struct sock".

    static inline wait_queue_head_t *sk_sleep(struct sock *sk)
    {
    return sk->sk_sleep;
    }

    Change all read occurrences of sk_sleep by a call to this function.

    Needed for a future RCU conversion. sk_sleep wont be a field directly
    available.

    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller

    Eric Dumazet
     

11 Apr, 2010

1 commit

08 Apr, 2010

2 commits

  • ddd0451fc   x.25 attempts to negotiate invalid throughput ... Browse Code »

    The current X.25 code has some bugs in throughput negotiation:

    1. It does negotiation in all cases, usually there is no need
    2. It incorrectly attempts to negotiate the throughput class in one
    direction only. There are separate throughput classes for input
    and output and if either is negotiated both mist be negotiates.

    This is bug https://bugzilla.kernel.org/show_bug.cgi?id=15681

    This bug was first reported by Daniel Ferenci to the linux-x25 mailing
    list on 6/8/2004, but is still present.

    The current (2.6.34) x.25 code doesn't seem to know that the X.25
    throughput facility includes two values, one for the required
    throughput outbound, one for inbound.

    This causes it to attempt to negotiate throughput 0x0A, which is
    throughput 9600 inbound and the illegal value "0" for inbound
    throughput.

    Because of this some X.25 devices (e.g. Cisco 1600) refuse to connect
    to Linux X.25.

    The following patch fixes this behaviour. Unless the user specifies a
    required throughput it does not attempt to negotiate. If the user
    does not specify a throughput it accepts the suggestion of the remote
    X.25 system. If the user requests a throughput then it validates both
    the input and output throughputs and correctly negotiates them with
    the remote end.

    Signed-off-by: John Hughes
    Tested-by: Andrew Hendry
    Signed-off-by: David S. Miller

    John Hughes
     
  • f5eb917b8   x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet. ... Browse Code »

    Here is a patch to stop X.25 examining fields beyond the end of the packet.

    For example, when a simple CALL ACCEPTED was received:

    10 10 0f

    x25_parse_facilities was attempting to decode the FACILITIES field, but this
    packet contains no facilities field.

    Signed-off-by: John Hughes
    Signed-off-by: David S. Miller

    John Hughes