linux.git/net/ipv6, branch v2.6.17 Linux kernel source tree [IPV6] ROUTE: Don't try less preferred routes for on-link routes. 2006-05-26T20:23:41+00:00 YOSHIFUJI Hideaki yoshfuji@linux-ipv6.org 2006-05-26T20:23:41+00:00 4d0c5911660b97f53c2211afc6ded5dafafa9b78 In addition to the real on-link routes, NONEXTHOP routes should be considered on-link. Problem reported by Meelis Roos <mroos@linux.ee>. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Acked-by: Meelis Roos <mroos@linux.ee> Signed-off-by: David S. Miller <davem@davemloft.net> 
In addition to the real on-link routes, NONEXTHOP routes
should be considered on-link.

Problem reported by Meelis Roos <mroos@linux.ee>.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Acked-by: Meelis Roos <mroos@linux.ee>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: Fix "ntohl(ntohs" bugs 2006-05-22T23:53:22+00:00 Alexey Dobriyan adobriyan@gmail.com 2006-05-22T23:53:22+00:00 4195f81453b9727f82bb8ceae03411b7fe52a994 Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
 [NETFILTER]: Fix do_add_counters race, possible oops or info leak (CVE-2006-0039) 2006-05-19T09:16:52+00:00 Solar Designer solar@openwall.com 2006-05-19T09:16:52+00:00 2c8ac66bb2ff89e759f0d632a27cc64205e9ddd9 Solar Designer found a race condition in do_add_counters(). The beginning of paddc is supposed to be the same as tmp which was sanity-checked above, but it might not be the same in reality. In case the integer overflow and/or the race condition are triggered, paddc->num_counters might not match the allocation size for paddc. If the check below (t->private->number != paddc->num_counters) nevertheless passes (perhaps this requires the race condition to be triggered), IPT_ENTRY_ITERATE() would read kernel memory beyond the allocation size, potentially causing an oops or leaking sensitive data (e.g., passwords from host system or from another VPS) via counter increments. This requires CAP_NET_ADMIN. Signed-off-by: Solar Designer <solar@openwall.com> Signed-off-by: Kirill Korotaev <dev@openvz.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Solar Designer found a race condition in do_add_counters(). The beginning
of paddc is supposed to be the same as tmp which was sanity-checked
above, but it might not be the same in reality. In case the integer
overflow and/or the race condition are triggered, paddc->num_counters
might not match the allocation size for paddc. If the check below
(t->private->number != paddc->num_counters) nevertheless passes (perhaps
this requires the race condition to be triggered), IPT_ENTRY_ITERATE()
would read kernel memory beyond the allocation size, potentially causing
an oops or leaking sensitive data (e.g., passwords from host system or
from another VPS) via counter increments. This requires CAP_NET_ADMIN.

Signed-off-by: Solar Designer <solar@openwall.com>
Signed-off-by: Kirill Korotaev <dev@openvz.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: fix format specifier for netfilter log targets 2006-05-19T09:15:47+00:00 Philip Craig philipc@snapgear.com 2006-05-19T09:15:47+00:00 5c170a09d9092e63af1658179f29867d32d56b55 The prefix argument for nf_log_packet is a format specifier, so don't pass the user defined string directly to it. Signed-off-by: Philip Craig <philipc@snapgear.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
The prefix argument for nf_log_packet is a format specifier,
so don't pass the user defined string directly to it.

Signed-off-by: Philip Craig <philipc@snapgear.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV6]: Endian fix in net/ipv6/netfilter/ip6t_eui64.c:match(). 2006-05-16T22:24:41+00:00 Alexey Dobriyan adobriyan@gmail.com 2006-05-16T22:24:41+00:00 d8fd0a73169e90022dc3ccf3083ca24573b44b5c Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV6]: skb leakage in inet6_csk_xmit 2006-05-10T20:24:38+00:00 Alexey Kuznetsov kuznet@ms2.inr.ac.ru 2006-05-10T20:24:38+00:00 b0013fd47b14fc26eec07a6b2cec0c2a8954e1d7 inet6_csk_xit does not free skb when routing fails. Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Signed-off-by: David S. Miller <davem@davemloft.net> 
inet6_csk_xit does not free skb when routing fails.

Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV6]: Fix race in route selection. 2006-04-30T01:33:22+00:00 YOSHIFUJI Hideaki yoshfuji@linux-ipv6.org 2006-04-28T22:59:15+00:00 c302e6d54e468ee9b1e18152e2e9da06953f3473 We eliminated rt6_dflt_lock (to protect default router pointer) at 2.6.17-rc1, and introduced rt6_select() for general router selection. The function is called in the context of rt6_lock read-lock held, but this means, we have some race conditions when we do round-robin. Signed-off-by; YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
We eliminated rt6_dflt_lock (to protect default router pointer)
at 2.6.17-rc1, and introduced rt6_select() for general router selection.
The function is called in the context of rt6_lock read-lock held,
but this means, we have some race conditions when we do round-robin.

Signed-off-by; YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: ip6_tables: remove broken comefrom debugging 2006-04-25T00:27:32+00:00 Patrick McHardy kaber@trash.net 2006-04-25T00:17:49+00:00 e4a79ef811505a8bf8d8edfda8602e23cb2fbdb0 The introduction of x_tables broke comefrom debugging, remove it from ip6_tables as well (ip_tables already got removed). Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
The introduction of x_tables broke comefrom debugging, remove it from
ip6_tables as well (ip_tables already got removed).

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV6]: Clean up hop-by-hop options handler. 2006-04-18T22:57:53+00:00 YOSHIFUJI Hideaki yoshfuji@linux-ipv6.org 2006-04-18T21:48:45+00:00 b809739a1b455396c21de13bcbf6669faf82f747 - Removed unused argument (nhoff) for ipv6_parse_hopopts(). - Make ipv6_parse_hopopts() to align with other extension header handlers. - Removed pointless assignment (hdr), which is not used afterwards. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
- Removed unused argument (nhoff) for ipv6_parse_hopopts().
- Make ipv6_parse_hopopts() to align with other extension header
  handlers.
- Removed pointless assignment (hdr), which is not used afterwards.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV6] XFRM: Fix decoding session with preceding extension header(s). 2006-04-18T22:57:52+00:00 YOSHIFUJI Hideaki yoshfuji@linux-ipv6.org 2006-04-18T21:47:44+00:00 e5d25a90886d62d88fdd7cd5c3375f4fe436be64 We did not correctly decode session with preceding extension header(s). This was because we had already pulled preceding headers, skb->nh.raw + 40 + 1 - skb->data was minus, and pskb_may_pull() failed. We now have IP6CB(skb)->nhoff and skb->h.raw, and we can start parsing / decoding upper layer protocol from current position. Tracked down by Noriaki TAKAMIYA <takamiya@po.ntts.co.jp> and tested by Kazunori Miyazawa <kazunori@miyazawa.org>. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
We did not correctly decode session with preceding extension
header(s).  This was because we had already pulled preceding
headers, skb->nh.raw + 40 + 1 - skb->data was minus, and
pskb_may_pull() failed.

We now have IP6CB(skb)->nhoff and skb->h.raw, and we can
start parsing / decoding upper layer protocol from current
position.

Tracked down by Noriaki TAKAMIYA <takamiya@po.ntts.co.jp>
and tested by Kazunori Miyazawa <kazunori@miyazawa.org>.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>