Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v2.6.34 2010-03-20T05:47:23+00:00 2010-03-20T05:47:23+00:00 Pablo Neira Ayuso pablo@netfilter.org 2010-03-16T13:30:44+00:00 urn:sha1:f5d410f2ea7ba340f11815a56e05b9fa9421c421 This patch fixes a unaligned access in nla_get_be64() that was introduced by myself in a17c859849402315613a0015ac8fbf101acf0cc1. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net> 2010-02-18T22:30:18+00:00 Alexey Dobriyan adobriyan@gmail.com 2010-02-18T08:14:31+00:00 urn:sha1:b54452b07a7b1b8cc1385edba3ef2ef6d4679d5a Make remaining netlink policies as const. Fixup coding style where needed. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2009-08-25T14:07:40+00:00 Patrick McHardy kaber@trash.net 2009-08-25T14:07:40+00:00 urn:sha1:3a6c2b419b7768703cfb2cabdb894517c5065e33 Consitfy nlmsghdr arguments to a couple of functions as preparation for the next patch, which will constify the netlink message data in all nfnetlink users. Signed-off-by: Patrick McHardy <kaber@trash.net> 2009-05-27T15:50:35+00:00 Pablo Neira Ayuso pablo@netfilter.org 2009-05-27T15:50:35+00:00 urn:sha1:a17c859849402315613a0015ac8fbf101acf0cc1 This patch adds CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ that exposes the u64 handshake sequence number to user-space. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net> 2009-03-25T17:26:30+00:00 Holger Eitzenberger holger@eitzenberger.org 2009-03-25T17:26:30+00:00 urn:sha1:e487eb99cf9381a4f8254fa01747a85818da612b It calculates the max. length of a Netlink policy, which is usefull for allocating Netlink buffers roughly the size of the actual message. Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org> Signed-off-by: Patrick McHardy <kaber@trash.net> 2008-12-26T01:21:17+00:00 Vegard Nossum vegard.nossum@gmail.com 2008-12-26T01:21:17+00:00 urn:sha1:619e803d3c1b7bcc17c45e81f309d0b9b3df2d5d See commit 1045b03e07d85f3545118510a587035536030c1c ("netlink: fix overrun in attribute iteration") for a detailed explanation of why this patch is necessary. In short, nlmsg_next() can make "remaining" go negative, and the remaining >= sizeof(...) comparison will promote "remaining" to an unsigned type, which means that the expression will evaluate to true for negative numbers, even though it was not intended. I put "theoretical" in the title because I have no evidence that this can actually happen, but I suspect that a crafted netlink packet can trigger some badness. Note that the last test, which seemingly has the exact same problem (also true for nla_ok()), is perfectly OK, since we already know that remaining is positive. Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2008-10-28T18:59:11+00:00 Patrick McHardy kaber@trash.net 2008-10-28T18:59:11+00:00 urn:sha1:b057efd4d226fcc3a92b0dc6d8ea8e8185ecb260 Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 2008-10-01T13:12:56+00:00 David S. Miller davem@davemloft.net 2008-10-01T13:12:56+00:00 urn:sha1:b262e60309e1b0eb25d300c7e739427d5316abb1 Conflicts: drivers/net/wireless/ath9k/core.c drivers/net/wireless/ath9k/main.c net/core/dev.c 2008-09-12T02:05:29+00:00 Vegard Nossum vegard.nossum@gmail.com 2008-09-12T02:05:29+00:00 urn:sha1:1045b03e07d85f3545118510a587035536030c1c kmemcheck reported this: kmemcheck: Caught 16-bit read from uninitialized memory (f6c1ba30) 0500110001508abf050010000500000002017300140000006f72672e66726565 i i i i i i i i i i i i i u u u u u u u u u u u u u u u u u u u ^ Pid: 3462, comm: wpa_supplicant Not tainted (2.6.27-rc3-00054-g6397ab9-dirty #13) EIP: 0060:[<c05de64a>] EFLAGS: 00010296 CPU: 0 EIP is at nla_parse+0x5a/0xf0 EAX: 00000008 EBX: fffffffd ECX: c06f16c0 EDX: 00000005 ESI: 00000010 EDI: f6c1ba30 EBP: f6367c6c ESP: c0a11e88 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 CR0: 8005003b CR2: f781cc84 CR3: 3632f000 CR4: 000006d0 DR0: c0ead9bc DR1: 00000000 DR2: 00000000 DR3: 00000000 DR6: ffff4ff0 DR7: 00000400 [<c05d4b23>] rtnl_setlink+0x63/0x130 [<c05d5f75>] rtnetlink_rcv_msg+0x165/0x200 [<c05ddf66>] netlink_rcv_skb+0x76/0xa0 [<c05d5dfe>] rtnetlink_rcv+0x1e/0x30 [<c05dda21>] netlink_unicast+0x281/0x290 [<c05ddbe9>] netlink_sendmsg+0x1b9/0x2b0 [<c05beef2>] sock_sendmsg+0xd2/0x100 [<c05bf945>] sys_sendto+0xa5/0xd0 [<c05bf9a6>] sys_send+0x36/0x40 [<c05c03d6>] sys_socketcall+0x1e6/0x2c0 [<c020353b>] sysenter_do_call+0x12/0x3f [<ffffffff>] 0xffffffff This is the line in nla_ok(): /** * nla_ok - check if the netlink attribute fits into the remaining bytes * @nla: netlink attribute * @remaining: number of bytes remaining in attribute stream */ static inline int nla_ok(const struct nlattr *nla, int remaining) { return remaining >= sizeof(*nla) && nla->nla_len >= sizeof(*nla) && nla->nla_len <= remaining; } It turns out that remaining can become negative due to alignment in nla_next(). But GCC promotes "remaining" to unsigned in the test against sizeof(*nla) above. Therefore the test succeeds, and the nla_for_each_attr() may access memory outside the received buffer. A short example illustrating this point is here: #include <stdio.h> main(void) { printf("%d\n", -1 >= sizeof(int)); } ...which prints "1". This patch adds a cast in front of the sizeof so that GCC will make a signed comparison and fix the illegal memory dereference. With the patch applied, there is no kmemcheck report. Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com> Acked-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net> 2008-09-03T00:30:27+00:00 Thomas Graf tgraf@suug.ch 2008-09-03T00:30:27+00:00 urn:sha1:2c10b32bf57db7ec6d4cca4c4aa3d86bacb01c8a Removes all _nested_compat() functions from the API. The prio qdisc no longer requires them and netem has its own format anyway. Their existance is only confusing. Resend: Also remove the wrapper macro. Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>