summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2013-04-08netfilter: ipv4: propagate routing errors from ip_route_me_harder()Patrick McHardy
Propagate routing errors from ip_route_me_harder() when dropping a packet using NF_DROP_ERR(). This makes userspace get the proper error instead of EPERM for everything. Example: # ip r a unreachable default table 100 # ip ru add fwmark 0x1 lookup 100 # iptables -t mangle -A OUTPUT -d 8.8.8.8 -j MARK --set-mark 0x1 Current behaviour: PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. ping: sendmsg: Operation not permitted ping: sendmsg: Operation not permitted ping: sendmsg: Operation not permitted New behaviour: PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. ping: sendmsg: Network is unreachable ping: sendmsg: Network is unreachable ping: sendmsg: Network is unreachable ping: sendmsg: Network is unreachable Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-04-07scm: Stop passing struct credEric W. Biederman
Now that uids and gids are completely encapsulated in kuid_t and kgid_t we no longer need to pass struct cred which allowed us to test both the uid and the user namespace for equality. Passing struct cred potentially allows us to pass the entire group list as BSD does but I don't believe the cost of cache line misses justifies retaining code for a future potential application. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netDavid S. Miller
Conflicts: drivers/nfc/microread/mei.c net/netfilter/nfnetlink_queue_core.c Pull in 'net' to get Eric Biederman's AF_UNIX fix, upon which some cleanups are going to go on-top. Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07bnx2x: Fix KR2 rapid link flapYaniv Rosner
Check KR2 recovery time at the beginning of the work-around function. Signed-off-by: Yaniv Rosner <yanivr@broadcom.com> Signed-off-by: Eilon Greenstein <eilong@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07decnet: remove duplicated include from dn_table.cWei Yongjun
Remove duplicated include. Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07net_cls: remove duplicated include from cls_api.cWei Yongjun
Remove duplicated include. Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07netdev/phy: Implement ieee802.3 clause 45 in mdio-octeon.cDavid Daney
The Octeon SMI/MDIO interfaces can do clause 45 communications, so implement this in the driver. Also fix some comment formatting to make it consistent and to comply with the netdev style. Signed-off-by: David Daney <david.daney@cavium.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-076lowpan: handle dev_queue_xmit() error code properlyAlan Ott
dev_queue_xmit() will return a positive value if the packet could not be queued, often because the real network device (in our case the mac802154 wpan device) has its queue stopped. lowpan_xmit() should handle the positive return code (for the debug statement) and return that value to the higher layer so the higher layer will retry sending the packet. Signed-off-by: Alan Ott <alan@signal11.us> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07mac802154: Increase tx_buffer_lenAlan Ott
Increase the buffer length from 10 to 300 packets. Consider that traffic on mac802154 devices will often be 6LoWPAN, and a full-length (1280 octet) IPv6 packet will fragment into 15 6LoWPAN fragments (because the MTU of IEEE 802.15.4 is 127). A 300-packet queue is really 20 full-length IPv6 packets. With a queue length of 10, an entire IPv6 packet was unable to get queued at one time, causing fragments to be dropped, and making reassembly impossible. Signed-off-by: Alan Ott <alan@signal11.us> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07mac802154: Use netif flow controlAlan Ott
Use netif_stop_queue() and netif_wake_queue() to control the flow of packets to mac802154 devices. Since many IEEE 802.15.4 devices have no output buffer, and since the mac802154 xmit() function is designed to block, netif_stop_queue() is called after each packet. Signed-off-by: Alan Ott <alan@signal11.us> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07mac802154: Do not try to resend failed packetsAlan Ott
When ops->xmit() fails, drop the packet. Devices which support hardware ack and retry (which include all devices currently supported by mainline), will automatically retry sending the packet (in the hardware) up to 3 times, per the 802.15.4 spec. There is no need, and it is incorrect to try to do it in mac802154. Signed-off-by: Alan Ott <alan@signal11.us> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07sctp: fix error return code in __sctp_connect()Wei Yongjun
Fix to return a negative error code from the error handling case instead of 0, as returned elsewhere in this function. Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn> Acked-by: Vlad Yasevich <vyasevich@gmail.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07802: fix a possible race conditionCong Wang
(Resend with a better changelog) garp_pdu_queue() should ways be called with this spin lock. garp_uninit_applicant() only holds rtnl lock which is not enough here. A possible race can happen as garp_pdu_rcv() is called in BH context: garp_pdu_rcv() |->garp_pdu_parse_msg() |->garp_pdu_parse_attr() |-> garp_gid_event() Found by code inspection. Cc: Eric Dumazet <eric.dumazet@gmail.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: David Ward <david.ward@ll.mit.edu> Cc: "Jorge Boncompte [DTI2]" <jorge@dti2.net> Signed-off-by: Cong Wang <amwang@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07selftests: net: add PF_PACKET TPACKET v1/v2/v3 selftestsDaniel Borkmann
This patch adds a simple test case that probes the packet socket's TPACKET_V1, TPACKET_V2 and TPACKET_V3 behavior regarding mmap(2)'ed I/O for a small burst of 100 packets. The test currently runs for ... TPACKET_V1: RX_RING, TX_RING TPACKET_V2: RX_RING, TX_RING TPACKET_V3: RX_RING ... and will output on success: test: TPACKET_V1 with PACKET_RX_RING .................... 100 pkts (9600 bytes) test: TPACKET_V1 with PACKET_TX_RING .................... 100 pkts (9600 bytes) test: TPACKET_V2 with PACKET_RX_RING .................... 100 pkts (9600 bytes) test: TPACKET_V2 with PACKET_TX_RING .................... 100 pkts (9600 bytes) test: TPACKET_V3 with PACKET_RX_RING .................... 100 pkts (9600 bytes) OK. All tests passed Reusable parts of psock_fanout.c have been put into a psock_lib.h file for common usage. Test case successfully tested on x86_64. Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07sctp: remove 'sridhar' from maintainers listSridhar Samudrala
Update SCTP maintainers list. Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07vxlan: Bypass encapsulation if the destination is localSridhar Samudrala
This patch bypasses vxlan encapsulation if the destination vxlan endpoint is a local device. Changes since v1: added missing check for vxlan_find_vni() failure Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07net/mlx4_en: Advertize DCB_CAP_DCBX_HOST in getdcbxOr Gerlitz
When our getdcbx entry is called, DCB_CAP_DCBX_HOST should be advertized too. Cc: John Fastabend <john.r.fastabend@intel.com> Signed-off-by: Sagi Grimberg <sagig@mellanox.com> Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07net/mlx4_en: Enable DCB ETS ops only when supported by the firmwareOr Gerlitz
Enable the DCB ETS ops only when supported by the firmware. For older firmware/cards which don't support ETS, advertize only PFC DCB ops. Signed-off-by: Eugenia Emantayev <eugenia@mellanox.co.il> Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07net/mlx4_core: Added proper description for two device capabilitiesOr Gerlitz
Added readable description for the DPDP and port sensing device capabilities. Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07net: phy: spi_ks8995: use spi_get_drvdata() and spi_set_drvdata()Jingoo Han
Use the wrapper functions for getting and setting the driver data using spi_device instead of using dev_{get|set}_drvdata with &spi->dev, so we can directly pass a struct spi_device. Signed-off-by: Jingoo Han <jg1.han@samsung.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07net: wireless: p54spi: use spi_get_drvdata() and spi_set_drvdata()Jingoo Han
Use the wrapper functions for getting and setting the driver data using spi_device instead of using dev_{get|set}_drvdata with &spi->dev, so we can directly pass a struct spi_device. Signed-off-by: Jingoo Han <jg1.han@samsung.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07net: wireless: wl1251: use spi_get_drvdata() and spi_set_drvdata()Jingoo Han
Use the wrapper functions for getting and setting the driver data using spi_device instead of using dev_{get|set}_drvdata with &spi->dev, so we can directly pass a struct spi_device. Signed-off-by: Jingoo Han <jg1.han@samsung.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07net: ethernet: enc28j60: use spi_get_drvdata() and spi_set_drvdata()Jingoo Han
Use the wrapper functions for getting and setting the driver data using spi_device instead of using dev_{get|set}_drvdata with &spi->dev, so we can directly pass a struct spi_device. Signed-off-by: Jingoo Han <jg1.han@samsung.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07net: ethernet: ks8851: use spi_get_drvdata() and spi_set_drvdata()Jingoo Han
Use the wrapper functions for getting and setting the driver data using spi_device instead of using dev_{get|set}_drvdata with &spi->dev, so we can directly pass a struct spi_device. Signed-off-by: Jingoo Han <jg1.han@samsung.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07net: can: mcp251x: use spi_get_drvdata() and spi_set_drvdata()Jingoo Han
Use the wrapper functions for getting and setting the driver data using spi_device instead of using dev_{get|set}_drvdata with &spi->dev, so we can directly pass a struct spi_device. Signed-off-by: Jingoo Han <jg1.han@samsung.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07net: ieee802154: mrf24j40: use spi_get_drvdata() and spi_set_drvdata()Jingoo Han
Use the wrapper functions for getting and setting the driver data using spi_device instead of using dev_{get|set}_drvdata with &spi->dev, so we can directly pass a struct spi_device. Signed-off-by: Jingoo Han <jg1.han@samsung.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07r8169: add a new chip for RTL8106Ehayeswang
Add a new chip for RTL8106E series. Signed-off-by: Hayes Wang <hayeswang@realtek.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07r8169: adjust the flow of hw_starthayeswang
The suggestion as following: - initial settings or default settings - rtl_hw_start_xxx. rtl_hw_start_xxx may change some default settings. - enable tx/rx. This has to be after the above two steps. - rtl_set_rx_mode. AcceptXXXs have to be enabled after enabling tx/rx. Signed-off-by: Hayes Wang <hayeswang@realtek.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07r8169: add a new chip for RTL8111Ghayeswang
Add a new chip for RTL8111G series. Signed-off-by: Hayes Wang <hayeswang@realtek.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07r8169: Update the RTL8111G parametershayeswang
- replace rtl8168g-1.fw with rtl8168g-2.fw which support new method. - fix PHY power down is useless. - disable rx early which causes the rx abnormal. - enable auto fifo. - set 10M IFG to default value. - fix the conflict between jumbo frame and flow control. Signed-off-by: Hayes Wang <hayeswang@realtek.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07r8169: Modify the method for setting firmwarehayeswang
Remove useless action PHY_READ_EFUSE, PHY_READ_MAC_BYTE, PHY_WRITE_MAC_BYTE, PHY_WRITE_ERI_WORD. And define the new action PHY_MDIO_CHG. PHY_MDIO_CHG is used to modify the mdio operation. By the way, the firmware could support setting mac ocp. Signed-off-by: Hayes Wang <hayeswang@realtek.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07r8169: Update PHY settings of RTL8111Ghayeswang
Add the new settings and correct the wrong settings. Signed-off-by: Hayes Wang <hayeswang@realtek.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07r8169: Modify the mothod for PHY settings of RTL8111Ghayeswang
Replace the current settings with rtl_writephy and rtl_readphy. For the hardware, the settings are same with previous ones. This make the setting method like the previous chips. Signed-off-by: Hayes Wang <hayeswang@realtek.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07r8169: Remove firmware codehayeswang
Some codes are belong to binary codes and should be removed. Signed-off-by: Hayes Wang <hayeswang@realtek.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07Merge branch 'infoleaks'David S. Miller
Mathias Krause says: ==================== a few more info leak fixes in the recvmsg path. The error pattern here is the protocol specific recvmsg function is missing the msg_namelen assignment -- either completely or in early exit paths that do not result in errors in __sys_recvmsg()/sys_recvfrom() and, in turn, make them call move_addr_to_user(), leaking the then still uninitialized sockaddr_storage stack variable to userland. My audit was initiated by a rather coarse fix of the leak that can be found in the grsecurity patch, putting a penalty on protocols complying to the rules of recvmsg. So credits for finding the leak in the recvmsg path in __sys_recvmsg() should go to Brad! The buggy protocols/subsystems are rather obscure anyway. As a missing assignment of msg_namelen coupled with a missing filling of msg_name would only result in garbage -- the leak -- in case userland would care about that information, i.e. would provide a msg_name pointer. But obviously current userland does not. While auditing the code for the above pattern I found a few more 'uninitialized members' kind of leaks related to the msg_name filling. Those are fixed in this series, too. I have to admit, I failed to test all of the patches due to missing hardware, e.g. iucv depends on S390 -- hardware I've no access to :/ ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07VSOCK: Fix missing msg_namelen update in vsock_stream_recvmsg()Mathias Krause
The code misses to update the msg_namelen member to 0 and therefore makes net/socket.c leak the local, uninitialized sockaddr_storage variable to userland -- 128 bytes of kernel stack memory. Cc: Andy King <acking@vmware.com> Cc: Dmitry Torokhov <dtor@vmware.com> Cc: George Zhang <georgezhang@vmware.com> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07VSOCK: vmci - fix possible info leak in vmci_transport_dgram_dequeue()Mathias Krause
In case we received no data on the call to skb_recv_datagram(), i.e. skb->data is NULL, vmci_transport_dgram_dequeue() will return with 0 without updating msg_namelen leading to net/socket.c leaking the local, uninitialized sockaddr_storage variable to userland -- 128 bytes of kernel stack memory. Fix this by moving the already existing msg_namelen assignment a few lines above. Cc: Andy King <acking@vmware.com> Cc: Dmitry Torokhov <dtor@vmware.com> Cc: George Zhang <georgezhang@vmware.com> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07tipc: fix info leaks via msg_name in recv_msg/recv_streamMathias Krause
The code in set_orig_addr() does not initialize all of the members of struct sockaddr_tipc when filling the sockaddr info -- namely the union is only partly filled. This will make recv_msg() and recv_stream() -- the only users of this function -- leak kernel stack memory as the msg_name member is a local variable in net/socket.c. Additionally to that both recv_msg() and recv_stream() fail to update the msg_namelen member to 0 while otherwise returning with 0, i.e. "success". This is the case for, e.g., non-blocking sockets. This will lead to a 128 byte kernel stack leak in net/socket.c. Fix the first issue by initializing the memory of the union with memset(0). Fix the second one by setting msg_namelen to 0 early as it will be updated later if we're going to fill the msg_name member. Cc: Jon Maloy <jon.maloy@ericsson.com> Cc: Allan Stephens <allan.stephens@windriver.com> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07rose: fix info leak via msg_name in rose_recvmsg()Mathias Krause
The code in rose_recvmsg() does not initialize all of the members of struct sockaddr_rose/full_sockaddr_rose when filling the sockaddr info. Nor does it initialize the padding bytes of the structure inserted by the compiler for alignment. This will lead to leaking uninitialized kernel stack bytes in net/socket.c. Fix the issue by initializing the memory used for sockaddr info with memset(0). Cc: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg()Mathias Krause
The code in llcp_sock_recvmsg() does not initialize all the members of struct sockaddr_nfc_llcp when filling the sockaddr info. Nor does it initialize the padding bytes of the structure inserted by the compiler for alignment. Also, if the socket is in state LLCP_CLOSED or is shutting down during receive the msg_namelen member is not updated to 0 while otherwise returning with 0, i.e. "success". The msg_namelen update is also missing for stream and seqpacket sockets which don't fill the sockaddr info. Both issues lead to the fact that the code will leak uninitialized kernel stack bytes in net/socket.c. Fix the first issue by initializing the memory used for sockaddr info with memset(0). Fix the second one by setting msg_namelen to 0 early. It will be updated later if we're going to fill the msg_name member. Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org> Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org> Cc: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07netrom: fix info leak via msg_name in nr_recvmsg()Mathias Krause
In case msg_name is set the sockaddr info gets filled out, as requested, but the code fails to initialize the padding bytes of struct sockaddr_ax25 inserted by the compiler for alignment. Also the sax25_ndigis member does not get assigned, leaking four more bytes. Both issues lead to the fact that the code will leak uninitialized kernel stack bytes in net/socket.c. Fix both issues by initializing the memory with memset(0). Cc: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07llc: Fix missing msg_namelen update in llc_ui_recvmsg()Mathias Krause
For stream sockets the code misses to update the msg_namelen member to 0 and therefore makes net/socket.c leak the local, uninitialized sockaddr_storage variable to userland -- 128 bytes of kernel stack memory. The msg_namelen update is also missing for datagram sockets in case the socket is shutting down during receive. Fix both issues by setting msg_namelen to 0 early. It will be updated later if we're going to fill the msg_name member. Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07l2tp: fix info leak in l2tp_ip6_recvmsg()Mathias Krause
The L2TP code for IPv6 fails to initialize the l2tp_conn_id member of struct sockaddr_l2tpip6 and therefore leaks four bytes kernel stack in l2tp_ip6_recvmsg() in case msg_name is set. Initialize l2tp_conn_id with 0 to avoid the info leak. Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07iucv: Fix missing msg_namelen update in iucv_sock_recvmsg()Mathias Krause
The current code does not fill the msg_name member in case it is set. It also does not set the msg_namelen member to 0 and therefore makes net/socket.c leak the local, uninitialized sockaddr_storage variable to userland -- 128 bytes of kernel stack memory. Fix that by simply setting msg_namelen to 0 as obviously nobody cared about iucv_sock_recvmsg() not filling the msg_name in case it was set. Cc: Ursula Braun <ursula.braun@de.ibm.com> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07irda: Fix missing msg_namelen update in irda_recvmsg_dgram()Mathias Krause
The current code does not fill the msg_name member in case it is set. It also does not set the msg_namelen member to 0 and therefore makes net/socket.c leak the local, uninitialized sockaddr_storage variable to userland -- 128 bytes of kernel stack memory. Fix that by simply setting msg_namelen to 0 as obviously nobody cared about irda_recvmsg_dgram() not filling the msg_name in case it was set. Cc: Samuel Ortiz <samuel@sortiz.org> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg()Mathias Krause
The current code does not fill the msg_name member in case it is set. It also does not set the msg_namelen member to 0 and therefore makes net/socket.c leak the local, uninitialized sockaddr_storage variable to userland -- 128 bytes of kernel stack memory. Fix that by simply setting msg_namelen to 0 as obviously nobody cared about caif_seqpkt_recvmsg() not filling the msg_name in case it was set. Cc: Sjur Braendeland <sjur.brandeland@stericsson.com> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07Bluetooth: SCO - Fix missing msg_namelen update in sco_sock_recvmsg()Mathias Krause
If the socket is in state BT_CONNECT2 and BT_SK_DEFER_SETUP is set in the flags, sco_sock_recvmsg() returns early with 0 without updating the possibly set msg_namelen member. This, in turn, leads to a 128 byte kernel stack leak in net/socket.c. Fix this by updating msg_namelen in this case. For all other cases it will be handled in bt_sock_recvmsg(). Cc: Marcel Holtmann <marcel@holtmann.org> Cc: Gustavo Padovan <gustavo@padovan.org> Cc: Johan Hedberg <johan.hedberg@gmail.com> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg()Mathias Krause
If RFCOMM_DEFER_SETUP is set in the flags, rfcomm_sock_recvmsg() returns early with 0 without updating the possibly set msg_namelen member. This, in turn, leads to a 128 byte kernel stack leak in net/socket.c. Fix this by updating msg_namelen in this case. For all other cases it will be handled in bt_sock_stream_recvmsg(). Cc: Marcel Holtmann <marcel@holtmann.org> Cc: Gustavo Padovan <gustavo@padovan.org> Cc: Johan Hedberg <johan.hedberg@gmail.com> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07Bluetooth: fix possible info leak in bt_sock_recvmsg()Mathias Krause
In case the socket is already shutting down, bt_sock_recvmsg() returns with 0 without updating msg_namelen leading to net/socket.c leaking the local, uninitialized sockaddr_storage variable to userland -- 128 bytes of kernel stack memory. Fix this by moving the msg_namelen assignment in front of the shutdown test. Cc: Marcel Holtmann <marcel@holtmann.org> Cc: Gustavo Padovan <gustavo@padovan.org> Cc: Johan Hedberg <johan.hedberg@gmail.com> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07ax25: fix info leak via msg_name in ax25_recvmsg()Mathias Krause
When msg_namelen is non-zero the sockaddr info gets filled out, as requested, but the code fails to initialize the padding bytes of struct sockaddr_ax25 inserted by the compiler for alignment. Additionally the msg_namelen value is updated to sizeof(struct full_sockaddr_ax25) but is not always filled up to this size. Both issues lead to the fact that the code will leak uninitialized kernel stack bytes in net/socket.c. Fix both issues by initializing the memory with memset(0). Cc: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>