- 18 Mar, 2013 2 commits
-
-
Eric Dumazet authored
When an ICMP ICMP_FRAG_NEEDED (or ICMPV6_PKT_TOOBIG) message finds a LISTEN socket, and this socket is currently owned by the user, we set TCP_MTU_REDUCED_DEFERRED flag in listener tsq_flags. This is bad because if we clone the parent before it had a chance to clear the flag, the child inherits the tsq_flags value, and next tcp_release_cb() on the child will decrement sk_refcnt. Result is that we might free a live TCP socket, as reported by Dormando. IPv4: Attempt to release TCP socket in state 1 Fix this issue by testing sk_state against TCP_LISTEN early, so that we set TCP_MTU_REDUCED_DEFERRED on appropriate sockets (not a LISTEN one) This bug was introduced in commit 563d34d0 (tcp: dont drop MTU reduction indications) Reported-by: dormando <dormando@rydia.net> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Maciej Żenczykowski authored
The UPDATE_QSTAT function introduced on February 15, 2012 in commit 1355b704 "bnx2x: consistent statistics after internal driver reload" incorrectly fails to handle overflow during addition of the lower 32-bit field of a stat. This bug is present since 3.4-rc1 and should thus be considered a candidate for stable 3.4+ releases. Google-Bug-Id: 8374428 Signed-off-by: Maciej Żenczykowski <maze@google.com> Cc: Mintz Yuval <yuvalmin@broadcom.com> Acked-by: Eilon Greenstein <eilong@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 17 Mar, 2013 10 commits
-
-
Michael S. Tsirkin authored
ubuf info allocator uses guest controlled head as an index, so a malicious guest could put the same head entry in the ring twice, and we will get two callbacks on the same value. To fix use upend_idx which is guaranteed to be unique. Reported-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Cc: stable@kernel.org Signed-off-by: David S. Miller <davem@davemloft.net>
-
Vlad Yasevich authored
Most of the support was already there. The only thing that was missing was the call to set the flag. Add this call. Signed-off-by: Vlad Yasevich <vyasevic@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Michal Schmidt authored
If the hardware initialization fails in bnx2x_nic_load() after adding napi objects, they would not be deleted. A subsequent attempt to unload the bnx2x module detects a corruption in the napi list. Add the missing napi deletion to the error path. Signed-off-by: Michal Schmidt <mschmidt@redhat.com> Acked-by: Dmitry Kravkov <dmitry@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wirelessDavid S. Miller authored
John W. Linville says: ==================== On the NFC bits, Samuel says: "With this one we have: - A fix for properly decreasing socket ack log. - A timer and works cleanup upon NFC device removal. - A monitoroing socket cleanup round from llcp_socket_release. - A proper error report to pending sockets upon NFC device removal." Regarding the Bluetooth bits, Gustavo says: "I have these two patches for 3.9, these add support for two more devices to the bluetooth drivers." Along with those, we have a few wireless driver fixes... Bing Zhao provides an mwifiex to prevent an out-of-bounds memory access. John Crispin offers a Kconfig fix to enable some otherwise dead code in rt2x00. The correct symbols were added in -rc1 through a different tree, but the symbols for enabling the wireless driver didn't match. Larry Finger brings an rtlwifi fix for a scheduling while atomic bug, and another fix for a reassociation problem caused by failing to clear the BSSID after a disconnect. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-
Mugunthan V N authored
Fix which was done in the following commit in cpsw driver has to be taken forward to davinci emac driver as well. commit d35162f8 Author: Daniel Mack <zonque@gmail.com> Date: Tue Mar 12 06:31:19 2013 +0000 net: ethernet: cpsw: fix usage of cpdma_check_free_tx_desc() Commit fae50823 ("net: ethernet: davinci_cpdma: Add boundary for rx and tx descriptors") introduced a function to check the current allocation state of tx packets. The return value is taken into account to stop the netqork queue on the adapter in case there are no free slots. However, cpdma_check_free_tx_desc() returns 'true' if there is room in the bitmap, not 'false', so the usage of the function is wrong. Reported-by: Prabhakar Lad <prabhakar.csengg@gmail.com> Tested-by: Prabhakar Lad <prabhakar.csengg@gmail.com> Signed-off-by: Mugunthan V N <mugunthanvnm@ti.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Arnd Bergmann authored
The automated ARM build tests have shown that the tulip de4x5 driver uses the old-style virt_to_bus() interface on some architectures. Alpha, Sparc and PowerPC did not hit this problem, because they use a different code path, and most other architectures actually do provide VIRT_TO_BUS. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Cc: Grant Grundler <grundler@parisc-linux.org> Cc: netdev@vger.kernel.org Signed-off-by: David S. Miller <davem@davemloft.net>
-
Arnd Bergmann authored
Disabling CONFIG_VIRT_TO_BUS on ARM showed that the hisax netjet driver depends on this deprecated functionality but is not marked so in Kconfig. Rather than adding ARM to the already long list of architectures that this driver is broken on, this patch adds 'depends on VIRT_TO_BUS' and removes the dependency on !SPARC, which is also implied by that. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Cc: Karsten Keil <isdn@linux-pingi.de> Cc: netdev@vger.kernel.org Signed-off-by: David S. Miller <davem@davemloft.net>
-
Bjørn Mork authored
commit bd329e12 ("net: cdc_ncm: do not bind to NCM compatible MBIM devices") introduced a new policy, preferring MBIM for dual NCM/MBIM functions if the cdc_mbim driver was enabled. This caused a regression for users wanting to use NCM. Devices implementing NCM backwards compatibility according to section 3.2 of the MBIM v1.0 specification allow either NCM or MBIM on a single USB function, using different altsettings. The cdc_ncm and cdc_mbim drivers will both probe such functions, and must agree on a common policy for selecting either MBIM or NCM. Until now, this policy has been set at build time based on CONFIG_USB_NET_CDC_MBIM. Use a module parameter to set the system policy at runtime, allowing the user to prefer NCM on systems with the cdc_mbim driver. Cc: Greg Suarez <gsuarez@smithmicro.com> Cc: Alexey Orishko <alexey.orishko@stericsson.com> Reported-by: Geir Haatveit <nospam@haatveit.nu> Reported-by: Tommi Kyntola <kynde@ts.ray.fi> Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=54791Signed-off-by: Bjørn Mork <bjorn@mork.no> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Vlad Yasevich authored
Range/validity checks on rta_type in rtnetlink_rcv_msg() do not account for flags that may be set. This causes the function to return -EINVAL when flags are set on the type (for example NLA_F_NESTED). Signed-off-by: Vlad Yasevich <vyasevic@redhat.com> Acked-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Timo Teräs authored
This reverts commit 412ed947. The commit is wrong as tiph points to the outer IPv4 header which is installed at ipgre_header() and not the inner one which is protocol dependant. This commit broke succesfully opennhrp which use PF_PACKET socket with ETH_P_NHRP protocol. Additionally ssl_addr is set to the link-layer IPv4 address. This address is written by ipgre_header() to the skb earlier, and this is the IPv4 header tiph should point to - regardless of the inner protocol payload. Signed-off-by: Timo Teräs <timo.teras@iki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 15 Mar, 2013 6 commits
-
-
John W. Linville authored
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem
-
Zhouyi Zhou authored
When neighbour table is full, dst_neigh_lookup/dst_neigh_lookup_skb will return -ENOBUFS which is absolutely non zero, while all the code in kernel which use above functions assume failure only on zero return which will cause panic. (for example: : https://bugzilla.kernel.org/show_bug.cgi?id=54731). This patch corrects above error with smallest changes to kernel source code and also correct two return value check missing bugs in drivers/infiniband/hw/cxgb4/cm.c Tested on my x86_64 SMP machine Reported-by: Zhouyi Zhou <zhouzhouyi@gmail.com> Tested-by: Zhouyi Zhou <zhouzhouyi@gmail.com> Signed-off-by: Zhouyi Zhou <zhouzhouyi@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Robert de Vries authored
The Kconfig file help information incorrectly mentions that the SMSC LAN75xx config option is for SMSC LAN95xx devices. Signed-off-by: Robert de Vries <rhdv@xs4all.nl> Signed-off-by: David S. Miller <davem@davemloft.net>
-
git://git.kernel.org/pub/scm/linux/kernel/git/jesse/openvswitchDavid S. Miller authored
Jesse Gross says: ==================== A few different bug fixes, including several for issues with userspace communication that have gone unnoticed up until now. These are intended for net/3.9. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-
Georg Hofmann authored
Commit dc975382 introduces napi support but never calls napi_disable. This will generate a kernel oops (kernel BUG at include/linux/netdevice.h:473!) every time, when ndo_stop is called followed by ndo_start. Add the missing napi_diable call. Signed-off-by: Georg Hofmann <georg@hofmannsweb.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Lucas Stach authored
Proviously we would only restart the FEC when PHY link or duplex state changed. PHY does not always bring down the link for speed changes, in which case we would not detect any change and keep FEC running. Switching link speed without restarting the FEC results in the FEC being stuck in an indefinite state, generating error conditions for every packet. Signed-off-by: Lucas Stach <l.stach@pengutronix.de> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 14 Mar, 2013 2 commits
-
-
Pavel Emelyanov authored
Hi. I'm trying to send big chunks of memory from application address space via TCP socket using vmsplice + splice like this mem = mmap(128Mb); vmsplice(pipe[1], mem); /* splice memory into pipe */ splice(pipe[0], tcp_socket); /* send it into network */ When I'm lucky and a huge page splices into the pipe and then into the socket _and_ client and server ends of the TCP connection are on the same host, communicating via lo, the whole connection gets stuck! The sending queue becomes full and app stops writing/splicing more into it, but the receiving queue remains empty, and that's why. The __skb_fill_page_desc observes a tail page of a huge page and erroneously propagates its page->pfmemalloc value onto socket (the pfmemalloc on tail pages contain garbage). Then this skb->pfmemalloc leaks through lo and due to the tcp_v4_rcv sk_filter if (skb->pfmemalloc && !sock_flag(sk, SOCK_MEMALLOC)) /* true */ return -ENOMEM goto release_and_discard; no packets reach the socket. Even TCP re-transmits are dropped by this, as skb cloning clones the pfmemalloc flag as well. That said, here's the proper page->pfmemalloc propagation onto socket: we must check the huge-page's head page only, other pages' pfmemalloc and mapping values do not contain what is expected in this place. However, I'm not sure whether this fix is _complete_, since pfmemalloc propagation via lo also oesn't look great. Both, bit propagation from page to skb and this check in sk_filter, were introduced by c48a11c7 (netvm: propagate page->pfmemalloc to skb), in v3.5 so Mel and stable@ are in Cc. Signed-off-by: Pavel Emelyanov <xemul@parallels.com> Acked-by: Eric Dumazet <edumazet@google.com> Acked-by: Mel Gorman <mgorman@suse.de> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
Chrome OS team reported a crash on a Pixel ChromeBook in TCP stack : https://code.google.com/p/chromium/issues/detail?id=182056 commit a21d4572 (tcp: avoid order-1 allocations on wifi and tx path) did a poor choice adding an 'avail_size' field to skb, while what we really needed was a 'reserved_tailroom' one. It would have avoided commit 22b4a4f2 (tcp: fix retransmit of partially acked frames) and this commit. Crash occurs because skb_split() is not aware of the 'avail_size' management (and should not be aware) Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Mukesh Agrawal <quiche@chromium.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 13 Mar, 2013 11 commits
-
-
Larry Finger authored
The driver was failing to clear the BSSID when a disconnect happened. That prevented a reconnection. This problem is reported at https://bugzilla.redhat.com/show_bug.cgi?id=789605, https://bugzilla.redhat.com/show_bug.cgi?id=866786, https://bugzilla.redhat.com/show_bug.cgi?id=906734, and https://bugzilla.kernel.org/show_bug.cgi?id=46171. Thanks to Jussi Kivilinna for making the critical observation that led to the solution. Reported-by: Jussi Kivilinna <jussi.kivilinna@iki.fi> Tested-by: Jussi Kivilinna <jussi.kivilinna@iki.fi> Tested-by: Alessandro Lannocca <alessandro.lannocca@gmail.com> Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Cc: Stable <stable@vger.kernel.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
John Crispin authored
Since v3.9-rc1 the kernel has basic support for Ralink WiSoC. The config symbols are named slightly different than before. Fix the rt2x00 to match the new symbols. The commit causing this breakage is: commit ae2b5bb6 Author: John Crispin <blogic@openwrt.org> Date: Sun Jan 20 22:05:30 2013 +0100 MIPS: ralink: adds Kbuild files Signed-off-by: John Crispin <blogic@openwrt.org> Acked-by: Gertjan van Wingerde <gwingerde@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Bjørn Mork authored
commit bd877e4 ("net: qmi_wwan: use a single bind function for all device types") made Gobi 1K devices fail probing. Using the number of endpoints in the default altsetting to decide whether the function use one or two interfaces is wrong. Other altsettings may provide more endpoints. With Gobi 1K devices, USB interface #3's altsetting is 0 by default, but altsetting 0 only provides one interrupt endpoint and is not sufficent for QMI. Altsetting 1 provides all 3 endpoints required for qmi_wwan and works with QMI. Gobi 1K layout for intf#3 is: Interface Descriptor: 255/255/255 bInterfaceNumber 3 bAlternateSetting 0 Endpoint Descriptor: Interrupt IN Interface Descriptor: 255/255/255 bInterfaceNumber 3 bAlternateSetting 1 Endpoint Descriptor: Interrupt IN Endpoint Descriptor: Bulk IN Endpoint Descriptor: Bulk OUT Prior to commit bd877e4, we would call usbnet_get_endpoints before giving up finding enough endpoints. Removing the early endpoint number test and the strict functional descriptor requirement allow qmi_wwan_bind to continue until usbnet_get_endpoints has made the final attempt to collect endpoints. This restores the behaviour from before commit bd877e4 without losing the added benefit of using a single bind function. The driver has always required a CDC Union functional descriptor for two-interface functions. Using the existence of this descriptor to detect two-interface functions is the logically correct method. Reported-by: Dan Williams <dcbw@redhat.com> Signed-off-by: Bjørn Mork <bjorn@mork.no> Tested-by: Dan Williams <dcbw@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Denis V. Lunev authored
a long time ago by the commit commit 93456b6d Author: Denis V. Lunev <den@openvz.org> Date: Thu Jan 10 03:23:38 2008 -0800 [IPV4]: Unify access to the routing tables. the defenition of FIB_HASH_TABLE size has obtained wrong dependency: it should depend upon CONFIG_IP_MULTIPLE_TABLES (as was in the original code) but it was depended from CONFIG_IP_ROUTE_MULTIPATH This patch returns the situation to the original state. The problem was spotted by Tingwei Liu. Signed-off-by: Denis V. Lunev <den@openvz.org> CC: Tingwei Liu <tingw.liu@gmail.com> CC: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Xufeng Zhang authored
sctp_assoc_lookup_tsn() function searchs which transport a certain TSN was sent on, if not found in the active_path transport, then go search all the other transports in the peer's transport_addr_list, however, we should continue to the next entry rather than break the loop when meet the active_path transport. Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Acked-by: Vlad Yasevich <vyasevich@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Vlad Yasevich authored
When SCTP is done processing a duplicate cookie chunk, it tries to delete a newly created association. For that, it has to set the right association for the side-effect processing to work. However, when it uses the SCTP_CMD_NEW_ASOC command, that performs more work then really needed (like hashing the associationa and assigning it an id) and there is no point to do that only to delete the association as a next step. In fact, it also creates an impossible condition where an association may be found by the getsockopt() call, and that association is empty. This causes a crash in some sctp getsockopts. The solution is rather simple. We simply use SCTP_CMD_SET_ASOC command that doesn't have all the overhead and does exactly what we need. Reported-by: Karl Heiss <kheiss@gmail.com> Tested-by: Karl Heiss <kheiss@gmail.com> CC: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: Vlad Yasevich <vyasevich@gmail.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Nithin Sujir authored
Commit d13ba512 ("tg3: Remove SPEED_UNKNOWN checks") cleaned up the autoneg advertisement by removing some dead code. One effect of this change was that the advertisement register would not be updated if autoneg is turned off. This exposed a bug on the 5715 device w.r.t linking. The 5715 defaults to advertise only 10Mb Full duplex. But with autoneg disabled, it needs the configured speed enabled in the advertisement register to link up. This patch adds the work around to advertise all speeds on the 5715 when autoneg is disabled. Reported-by: Marcin Miotk <marcinmiotk81@gmail.com> Reviewed-by: Benjamin Li <benli@broadcom.com> Signed-off-by: Nithin Nayak Sujir <nsujir@broadcom.com> Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
git://git.kernel.org/pub/scm/linux/kernel/git/bwh/sfcDavid S. Miller authored
Ben Hutchings says: ==================== Just the one bug fix I mentioned before, but it's a pretty important one as it can cause silent data corruption or IOMMU page faults. This would be suitable for stable and should apply cleanly to all the 3.x.y branches. I'm still working through testing of larger sets of fixes. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-
Veaceslav Falico authored
bond_update_speed_duplex() might sleep while calling underlying slave's routines. Move it out of atomic context in bond_enslave() and remove it from bond_miimon_commit() - it was introduced by commit 546add79, however when the slave interfaces go up/change state it's their responsibility to fire NETDEV_UP/NETDEV_CHANGE events so that bonding can properly update their speed. I've tested it on all combinations of ifup/ifdown, autoneg/speed/duplex changes, remote-controlled and local, on (not) MII-based cards. All changes are visible. Signed-off-by: Veaceslav Falico <vfalico@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Daniel Mack authored
Commit fae50823 ("net: ethernet: davinci_cpdma: Add boundary for rx and tx descriptors") introduced a function to check the current allocation state of tx packets. The return value is taken into account to stop the netqork queue on the adapter in case there are no free slots. However, cpdma_check_free_tx_desc() returns 'true' if there is room in the bitmap, not 'false', so the usage of the function is wrong. Signed-off-by: Daniel Mack <zonque@gmail.com> Cc: Mugunthan V N <mugunthanvnm@ti.com> Reported-by: Sven Neumann <s.neumann@raumfeld.com> Reported-by: Andreas Fenkart <andreas.fenkart@streamunlimited.com> Tested-by: Mugunthan V N <mugunthanvnm@ti.com> Acked-by: Mugunthan V N <mugunthanvnm@ti.com> Tested-by: Andreas Fenkart <andreas.fenkart@streamunlimited.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 12 Mar, 2013 8 commits
-
-
Ben Hutchings authored
Using TX push when notifying the NIC of multiple new descriptors in the ring will very occasionally cause the TX DMA engine to re-use an old descriptor. This can result in a duplicated or partly duplicated packet (new headers with old data), or an IOMMU page fault. This does not happen when the pushed descriptor is the only one written. TX push also provides little latency benefit when a packet requires more than one descriptor. Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
-
Li RongQing authored
[ Bug added added in commit 05e8ef4a (net: factor out skb_mac_gso_segment() from skb_gso_segment() ) ] move vlan_depth out of while loop, or else vlan_depth always is ETH_HLEN, can not be increased, and lead to infinite loop when frame has two vlan headers. Signed-off-by: Li RongQing <roy.qing.li@gmail.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Chen Gang authored
k is u32 which never < 0, need type cast, or cause issue. Signed-off-by: Chen Gang <gang.chen@asianux.com> Acked-by: Russell King <rmk+kernel@arm.linux.org.uk> Acked-by: Mircea Gherzan <mgherzan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Veaceslav Falico authored
__netpoll_cleanup() is called in netconsole_netdev_event() while holding a spinlock. Release/acquire the spinlock before/after it and restart the loop. Also, disable the netconsole completely, because we won't have chance after the restart of the loop, and might end up in a situation where nt->enabled == 1 and nt->np.dev == NULL. Signed-off-by: Veaceslav Falico <vfalico@redhat.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
stephen hemminger authored
The bridge multicast fast leave feature was added sufficient space was not reserved in the netlink message. This means the flag may be lost in netlink events and results of queries. Found by observation while looking up some netlink stuff for discussion with Vlad. Problem introduced by commit c2d3babf Author: David S. Miller <davem@davemloft.net> Date: Wed Dec 5 16:24:45 2012 -0500 bridge: implement multicast fast leave Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
git://git.open-mesh.org/linux-mergeDavid S. Miller authored
Included changes ares: - fix packet parsing routine to avoid to read beyond the packet boundary Signed-off-by: David S. Miller <davem@davemloft.net>
-
David Ward authored
This is needed in order to detect if the timestamp option appears more than once in a packet, to remove the option if the packet is fragmented, etc. My previous change neglected to store the option location when the router addresses were prespecified and Pointer > Length. But now the option location is also stored when Flag is an unrecognized value, to ensure these option handling behaviors are still performed. Signed-off-by: David Ward <david.ward@ll.mit.edu> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Santosh Rastapur authored
New scheme calls for 3rd party VPD at offset 0x0 and Chelsio VPD at offset 0x400 of the function. If no 3rd party VPD is present, then a copy of Chelsio's VPD will be at offset 0x0 to keep in line with PCI spec which requires the VPD to be present at offset 0x0. Signed-off-by: Santosh Rastapur <santosh@chelsio.com> Signed-off-by: Vipul Pandya <vipul@chelsio.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 11 Mar, 2013 1 commit
-
-
Marek Lindner authored
batadv_iv_ogm_process() accesses the packet using the tt_num_changes attribute regardless of the real packet len (assuming the length check was done before). Therefore a length check is needed to avoid reading random memory. Signed-off-by: Marek Lindner <lindner_marek@yahoo.de> Signed-off-by: Antonio Quartulli <ordex@autistici.org>
-