<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/include/net/sctp, branch linux-2.6.16.y</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=linux-2.6.16.y</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=linux-2.6.16.y'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2006-08-26T00:39:03+00:00</updated>
<entry>
<title>SCTP: Reject sctp packets with broadcast addresses.</title>
<updated>2006-08-26T00:39:03+00:00</updated>
<author>
<name>Vlad Yasevich</name>
<email>vladislav.yasevich@hp.com</email>
</author>
<published>2006-08-26T00:39:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=cf7260ee89f7b187304a35b188cc0c889f7bdd24'/>
<id>urn:sha1:cf7260ee89f7b187304a35b188cc0c889f7bdd24</id>
<content type='text'>
Make SCTP handle broadcast properly

Signed-off-by: Vlad Yasevich &lt;vladislav.yasevich@hp.com&gt;
Signed-off-by: Sridhar Samudrala &lt;sri@us.ibm.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Adrian Bunk &lt;bunk@stusta.de&gt;
</content>
</entry>
<entry>
<title>Fix sctp privilege elevation (CVE-2006-3745)</title>
<updated>2006-08-23T16:01:55+00:00</updated>
<author>
<name>Sridhar Samudrala</name>
<email>sri@us.ibm.com</email>
</author>
<published>2006-08-23T16:01:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=28ea23d9847cadc58edf3d10b8c1651f18b8d26b'/>
<id>urn:sha1:28ea23d9847cadc58edf3d10b8c1651f18b8d26b</id>
<content type='text'>
sctp_make_abort_user() now takes the msg_len along with the msg
so that we don't have to recalculate the bytes in iovec.
It also uses memcpy_fromiovec() so that we don't go beyond the
length allocated.

It is good to have this fix even if verify_iovec() is fixed to
return error on overflow.

Signed-off-by: Sridhar Samudrala &lt;sri@us.ibm.com&gt;
Acked-by: David Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Adrian Bunk &lt;bunk@stusta.de&gt;
</content>
</entry>
<entry>
<title>[PATCH] SCTP: Respect the real chunk length when walking parameters (CVE-2006-1858)</title>
<updated>2006-05-20T22:00:34+00:00</updated>
<author>
<name>Vladislav Yasevich</name>
<email>vladislav.yasevich@hp.com</email>
</author>
<published>2006-05-19T18:52:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=0eca2317be1345e056fb75d256099a04c97f7021'/>
<id>urn:sha1:0eca2317be1345e056fb75d256099a04c97f7021</id>
<content type='text'>
When performing bound checks during the parameter processing, we
want to use the real chunk and parameter lengths for bounds instead
of the rounded ones.  This prevents us from potentially walking off
the end if the chunk length was miscalculated.  We still use rounded
lengths when advancing the pointer. This was found during a
conformance test that changed the chunk length without modifying
parameters.

(Vlad noted elsewhere: the most you'd overflow is 3 bytes, so problem
is parameter dependent).

Signed-off-by: Vlad Yasevich &lt;vladislav.yasevich@hp.com&gt;
Signed-off-by: Sridhar Samudrala &lt;sri@us.ibm.com&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
</entry>
<entry>
<title>[PATCH] SCTP: Allow spillover of receive buffer to avoid deadlock. (CVE-2006-2275)</title>
<updated>2006-05-09T19:53:21+00:00</updated>
<author>
<name>Neil Horman</name>
<email>nhorman@tuxdriver.com</email>
</author>
<published>2006-05-06T00:02:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=2e2a2cd09dd7b3fbc99a1879a54090fd6db16f0c'/>
<id>urn:sha1:2e2a2cd09dd7b3fbc99a1879a54090fd6db16f0c</id>
<content type='text'>
This patch fixes a deadlock situation in the receive path by allowing
temporary spillover of the receive buffer.

- If the chunk we receive has a tsn that immediately follows the ctsn,
  accept it even if we run out of receive buffer space and renege data with
  higher TSNs.
- Once we accept one chunk in a packet, accept all the remaining chunks
  even if we run out of receive buffer space.

Signed-off-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Acked-by: Mark Butler &lt;butlerm@middle.net&gt;
Acked-by: Vlad Yasevich &lt;vladislav.yasevich@hp.com&gt;
Signed-off-by: Sridhar Samudrala &lt;sri@us.ibm.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
</entry>
<entry>
<title>[SCTP]: Fix 'fast retransmit' to send a TSN only once.</title>
<updated>2006-02-03T00:57:31+00:00</updated>
<author>
<name>Vlad Yasevich</name>
<email>vladislav.yasevich@hp.com</email>
</author>
<published>2006-02-03T00:57:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=27852c26baab8b95fc9a2b3e8a18770ecd553f10'/>
<id>urn:sha1:27852c26baab8b95fc9a2b3e8a18770ecd553f10</id>
<content type='text'>
SCTP used to "fast retransmit" a TSN every time we hit the number
of missing reports for the TSN.  However the Implementers Guide
specifies that we should only "fast retransmit" a given TSN once.
Subsequent retransmits should be timeouts only. Also change the
number of missing reports to 3 as per the latest IG (similar to TCP).

Signed-off-by: Vlad Yasevich &lt;vladislav.yasevich@hp.com&gt;
Signed-off-by: Sridhar Samudrala &lt;sri@us.ibm.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>[SCTP]: Fix couple of races between sctp_peeloff() and sctp_rcv().</title>
<updated>2006-01-17T19:56:26+00:00</updated>
<author>
<name>Sridhar Samudrala</name>
<email>sri@us.ibm.com</email>
</author>
<published>2006-01-17T19:56:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=c4d2444e992c4eda1d7fc3287e93ba58295bf6b9'/>
<id>urn:sha1:c4d2444e992c4eda1d7fc3287e93ba58295bf6b9</id>
<content type='text'>
Validate and update the sk in sctp_rcv() to avoid the race where an
assoc/ep could move to a different socket after we get the sk, but before
the skb is added to the backlog.

Also migrate the skb's in backlog queue to new sk when doing a peeloff.

Signed-off-by: Sridhar Samudrala &lt;sri@us.ibm.com&gt;
</content>
</entry>
<entry>
<title>[SCTP]: Fix machine check/connection hang on IA64.</title>
<updated>2006-01-17T19:55:57+00:00</updated>
<author>
<name>Vlad Yasevich</name>
<email>vladislav.yasevich@hp.com</email>
</author>
<published>2006-01-17T19:55:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=313e7b4d2588539e388d31c1febd50503a0083fc'/>
<id>urn:sha1:313e7b4d2588539e388d31c1febd50503a0083fc</id>
<content type='text'>
sctp_unpack_cookie used an on-stack array called digest as a result/out
parameter in the call to crypto_hmac. However, hmac code (crypto_hmac_final)
assumes that the 'out' argument is in virtual memory (identity mapped region)
and can use virt_to_page call on it.  This does not work with the on-stack
declared digest.  The problems observed so far have been:
 a) incorrect hmac digest
 b) machine check and hardware reset.

Solution is to define the digest in an identity mapped region by kmalloc'ing
it.  We can do this once as part of the endpoint structure and re-use it when
verifying the SCTP cookie.

Signed-off-by: Vlad Yasevich &lt;vladislav.yasevich@hp.com&gt;
Signed-off-by: Sridhar Samudrala &lt;sri@us.ibm.com&gt;
</content>
</entry>
<entry>
<title>[SCTP]: Fix bad sysctl formatting of SCTP timeout values on 64-bit m/cs.</title>
<updated>2006-01-17T19:55:17+00:00</updated>
<author>
<name>Vlad Yasevich</name>
<email>vladislav.yasevich@hp.com</email>
</author>
<published>2006-01-17T19:55:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=8116ffad4180b39d7a755345c1fde09da83930c0'/>
<id>urn:sha1:8116ffad4180b39d7a755345c1fde09da83930c0</id>
<content type='text'>
Change all the structure members that hold jiffies to be of type
unsigned long.  This also corrects bad sysctl formatting on 64 bit
architectures.

Signed-off-by: Vlad Yasevich &lt;vladislav.yasevich@hp.com&gt;
Signed-off-by: Sridhar Samudrala &lt;sri@us.ibm.com&gt;
</content>
</entry>
<entry>
<title>[SCTP]: Fix sctp_cookie alignment in the packet.</title>
<updated>2006-01-17T19:52:12+00:00</updated>
<author>
<name>Vlad Yasevich</name>
<email>vladislav.yasevich@hp.com</email>
</author>
<published>2006-01-17T19:52:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=9834a2bb4970547540222fcba04e0a37d04cb0a0'/>
<id>urn:sha1:9834a2bb4970547540222fcba04e0a37d04cb0a0</id>
<content type='text'>
On 64 bit architectures, sctp_cookie sent as part of INIT-ACK is not
aligned on a 64 bit boundary and thus causes unaligned access exceptions.

The layout of the cookie parameter is this:
|&lt;----- Parameter Header --------------------|&lt;--- Cookie DATA --------
-----------------------------------------------------------------------
| param type (16 bits) | param len (16 bits) | sig [32 bytes] | cookie..
-----------------------------------------------------------------------

The cookie data portion contains 64 bit values on 64 bit architectures
(timeval) that fall on a 32 bit alignment boundary when used as part of
the on-wire format, but align correctly when used in internal
structures.  This patch explicitly pads the on-wire format so that
it is properly aligned.

Signed-off-by: Vlad Yasevich &lt;vladislav.yasevich@hp.com&gt;
Signed-off-by: Sridhar Samudrala &lt;sri@us.ibm.com&gt;
</content>
</entry>
<entry>
<title>[NET]: Use NIP6_FMT in kernel.h</title>
<updated>2006-01-13T22:29:07+00:00</updated>
<author>
<name>Joe Perches</name>
<email>joe@perches.com</email>
</author>
<published>2006-01-13T22:29:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=46b86a2da0fd14bd49765330df63a62279833acb'/>
<id>urn:sha1:46b86a2da0fd14bd49765330df63a62279833acb</id>
<content type='text'>
There are errors and inconsistency in the display of NIP6 strings.
	ie: net/ipv6/ip6_flowlabel.c

There are errors and inconsistency in the display of NIPQUAD strings too.
	ie: net/netfilter/nf_conntrack_ftp.c

This patch:
	adds NIP6_FMT to kernel.h
	changes all code to use NIP6_FMT
	fixes net/ipv6/ip6_flowlabel.c
	adds NIPQUAD_FMT to kernel.h
	fixes net/netfilter/nf_conntrack_ftp.c
	changes a few uses of "%u.%u.%u.%u" to NIPQUAD_FMT for symmetry to NIP6_FMT

Signed-off-by: Joe Perches &lt;joe@perches.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
</feed>
