linux-stable.git/net/bridge, branch linux-2.6.18.y Linux kernel stable tree [PATCH] EBTABLES: Prevent wraparounds in checks for entry components' sizes. 2006-12-17T00:20:46+00:00 Al Viro viro@zeniv.linux.org.uk 2006-12-01T03:47:59+00:00 6ed412d5056d4246a7fc7ecf8408007fe60d2567 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org> 
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
[PATCH] EBTABLES: Deal with the worst-case behaviour in loop checks. 2006-12-17T00:20:46+00:00 Al Viro viro@zeniv.linux.org.uk 2006-12-01T03:47:58+00:00 6fe7624b306c7db201c07434ac511ab6fc7f0b2c No need to revisit a chain we'd already finished with during the check for current hook. It's either instant loop (which we'd just detected) or a duplicate work. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org> 
No need to revisit a chain we'd already finished with during
the check for current hook.  It's either instant loop (which
we'd just detected) or a duplicate work.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
[PATCH] EBTABLES: Verify that ebt_entries have zero ->distinguisher. 2006-12-17T00:20:46+00:00 Al Viro viro@zeniv.linux.org.uk 2006-12-01T03:47:56+00:00 83b44db22cc477cb2f9f6e96d07812245cd060db We need that for iterator to work; existing check had been too weak. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org> 
We need that for iterator to work; existing check had been too weak.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
[PATCH] EBTABLES: Fix wraparounds in ebt_entries verification. 2006-12-17T00:20:46+00:00 Al Viro viro@zeniv.linux.org.uk 2006-12-01T03:47:52+00:00 b967e13584aca829627eaf17d19a69edd3fadb40 We need to verify that a) we are not too close to the end of buffer to dereference b) next entry we'll be checking won't be _before_ our While we are at it, don't subtract unrelated pointers... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org> 
We need to verify that
	a) we are not too close to the end of buffer to dereference
	b) next entry we'll be checking won't be _before_ our

While we are at it, don't subtract unrelated pointers...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
[PATCH] bridge: fix possible overflow in get_fdb_entries (CVE-2006-5751) 2006-11-29T19:28:24+00:00 Chris Wright chrisw@sous-sol.org 2006-11-20T23:02:49+00:00 9c45f612e952238e27f14e02b4d09123bf415207 Make sure to properly clamp maxnum to avoid overflow (CVE-2006-5751). Signed-off-by: Chris Wright <chrisw@sous-sol.org> Acked-by: Eugene Teo <eteo@redhat.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> 
Make sure to properly clamp maxnum to avoid overflow (CVE-2006-5751).

Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Acked-by: Eugene Teo <eteo@redhat.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
[BRIDGE]: random extra bytes on STP TCN packet 2006-09-18T06:21:08+00:00 Stephen Hemminger shemminger@osdl.org 2006-09-14T03:12:40+00:00 485c2967d622449f4bbfae305a6fc4e185b5b094 We seem to send 3 extra bytes in a TCN, which will be whatever happens to be on the stack. Thanks to Aji_Srinivas@emc.com for seeing. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
We seem to send 3 extra bytes in a TCN, which will be whatever happens
to be on the stack. Thanks to Aji_Srinivas@emc.com for seeing.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[BRIDGE] netfilter: memory corruption fix 2006-08-27T03:28:30+00:00 Stephen Hemminger shemminger@osdl.org 2006-08-27T03:28:30+00:00 3a13813e6effcfad5910d47b15b724621b50b878 The bridge-netfilter code will overwrite memory if there is not headroom in the skb to save the header. This first showed up when using Xen with sky2 driver that doesn't allocate the extra space. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
The bridge-netfilter code will overwrite memory if there is not
headroom in the skb to save the header.  This first showed up when
using Xen with sky2 driver that doesn't allocate the extra space.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[BRIDGE]: Disable SG/GSO if TX checksum is off 2006-08-18T01:22:32+00:00 Herbert Xu herbert@gondor.apana.org.au 2006-08-18T01:22:32+00:00 78eb887733ec8ff5d6e6c69e3c32a187a9303622 When the bridge recomputes features, it does not maintain the constraint that SG/GSO must be off if TX checksum is off. This patch adds that constraint. On a completely unrelated note, I've also added TSO6 and TSO_ECN feature bits if GSO is enabled on the underlying device through the new NETIF_F_GSO_SOFTWARE macro. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net> 
When the bridge recomputes features, it does not maintain the
constraint that SG/GSO must be off if TX checksum is off.
This patch adds that constraint.

On a completely unrelated note, I've also added TSO6 and TSO_ECN
feature bits if GSO is enabled on the underlying device through
the new NETIF_F_GSO_SOFTWARE macro.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: ulog: fix panic on SMP kernels 2006-08-14T01:57:54+00:00 Mark Huang mlhuang@cs.princeton.edu 2006-08-14T01:57:54+00:00 dcb7cd97f133f7cfbd181149a1e60215a869f895 Fix kernel panic on various SMP machines. The culprit is a null ub->skb in ulog_send(). If ulog_timer() has already been scheduled on one CPU and is spinning on the lock, and ipt_ulog_packet() flushes the queue on another CPU by calling ulog_send() right before it exits, there will be no skbuff when ulog_timer() acquires the lock and calls ulog_send(). Cancelling the timer in ulog_send() doesn't help because it has already been scheduled and is running on the first CPU. Similar problem exists in ebt_ulog.c and nfnetlink_log.c. Signed-off-by: Mark Huang <mlhuang@cs.princeton.edu> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Fix kernel panic on various SMP machines. The culprit is a null
ub->skb in ulog_send(). If ulog_timer() has already been scheduled on
one CPU and is spinning on the lock, and ipt_ulog_packet() flushes the
queue on another CPU by calling ulog_send() right before it exits,
there will be no skbuff when ulog_timer() acquires the lock and calls
ulog_send(). Cancelling the timer in ulog_send() doesn't help because
it has already been scheduled and is running on the first CPU.

Similar problem exists in ebt_ulog.c and nfnetlink_log.c.

Signed-off-by: Mark Huang <mlhuang@cs.princeton.edu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[BRIDGE]: netlink status fix 2006-08-05T05:59:48+00:00 Stephen Hemminger shemminger@osdl.org 2006-08-03T23:24:02+00:00 bea1b42e1bb184cb75e6bbd95c83e4478dde4ab9 Fix code that passes back netlink status messages about bridge changes. Submitted by Aji_Srinivas@emc.com Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
Fix code that passes back netlink status messages about
bridge changes. Submitted by Aji_Srinivas@emc.com

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>