1. 29 Nov, 2011 3 commits
    • Xi Wang's avatar
      sctp: better integer overflow check in sctp_auth_create_key() · c89304b8
      Xi Wang authored
      The check from commit 30c2235c is incomplete and cannot prevent
      cases like key_len = 0x80000000 (INT_MAX + 1).  In that case, the
      left-hand side of the check (INT_MAX - key_len), which is unsigned,
      becomes 0xffffffff (UINT_MAX) and bypasses the check.
      
      However this shouldn't be a security issue.  The function is called
      from the following two code paths:
      
       1) setsockopt()
      
       2) sctp_auth_asoc_set_secret()
      
      In case (1), sca_keylength is never going to exceed 65535 since it's
      bounded by a u16 from the user API.  As such, the key length will
      never overflow.
      
      In case (2), sca_keylength is computed based on the user key (1 short)
      and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
      will not overflow.
      
      In other words, this overflow check is not really necessary.  Just
      make it more correct.
      Signed-off-by: default avatarXi Wang <xi.wang@gmail.com>
      Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c89304b8
    • David S. Miller's avatar
      c1baa884
    • Xi Wang's avatar
      sctp: integer overflow in sctp_auth_create_key() · a5e5c374
      Xi Wang authored
      The previous commit 30c2235c is incomplete and cannot prevent integer
      overflows. For example, when key_len is 0x80000000 (INT_MAX + 1), the
      left-hand side of the check, (INT_MAX - key_len), which is unsigned,
      becomes 0xffffffff (UINT_MAX) and bypasses the check.
      Signed-off-by: default avatarXi Wang <xi.wang@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a5e5c374
  2. 28 Nov, 2011 3 commits
    • Li Wei's avatar
      ipv6: Set mcast_hops to IPV6_DEFAULT_MCASTHOPS when -1 was given. · 2a38e6d5
      Li Wei authored
      We need to set np->mcast_hops to it's default value at this moment
      otherwise when we use it and found it's value is -1, the logic to
      get default hop limit doesn't take multicast into account and will
      return wrong hop limit(IPV6_DEFAULT_HOPLIMIT) which is for unicast.
      Signed-off-by: default avatarLi Wei <lw@cn.fujitsu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2a38e6d5
    • Anton Blanchard's avatar
      net: Fix corruption in /proc/*/net/dev_mcast · 5cac98dd
      Anton Blanchard authored
      I just hit this during my testing. Isn't there another bug lurking?
      
      BUG kmalloc-8: Redzone overwritten
      
      INFO: 0xc0000000de9dec48-0xc0000000de9dec4b. First byte 0x0 instead of 0xcc
      INFO: Allocated in .__seq_open_private+0x30/0xa0 age=0 cpu=5 pid=3896
      	.__kmalloc+0x1e0/0x2d0
      	.__seq_open_private+0x30/0xa0
      	.seq_open_net+0x60/0xe0
      	.dev_mc_seq_open+0x4c/0x70
      	.proc_reg_open+0xd8/0x260
      	.__dentry_open.clone.11+0x2b8/0x400
      	.do_last+0xf4/0x950
      	.path_openat+0xf8/0x480
      	.do_filp_open+0x48/0xc0
      	.do_sys_open+0x140/0x250
      	syscall_exit+0x0/0x40
      
      dev_mc_seq_ops uses dev_seq_start/next/stop but only allocates
      sizeof(struct seq_net_private) of private data, whereas it expects
      sizeof(struct dev_iter_state):
      
      struct dev_iter_state {
      	struct seq_net_private p;
      	unsigned int pos; /* bucket << BUCKET_SPACE + offset */
      };
      
      Create dev_seq_open_ops and use it so we don't have to expose
      struct dev_iter_state.
      
      [ Problem added by commit f04565dd (dev: use name hash for
        dev_seq_ops) -Eric ]
      Signed-off-by: default avatarAnton Blanchard <anton@samba.org>
      Acked-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5cac98dd
    • Aries Lee's avatar
      jme: PHY configuration for compatible issue · c4860ba2
      Aries Lee authored
      To perform PHY calibration and set a different EA value by chip ID,
      Whenever the NIC chip power on, ie booting or resuming, we need to
      force HW to calibrate PHY parameter again, and also set a proper EA
      value which gather from experiment.
      
      Those procedures help to reduce compatible issues(NIC is unable to link
      up in some special case) in giga speed.
      Signed-off-by: default avatarAriesLee <AriesLee@jmicron.com>
      Signed-off-by: default avatarGuo-Fu Tseng <cooldavid@cooldavid.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c4860ba2
  3. 27 Nov, 2011 1 commit
  4. 26 Nov, 2011 10 commits
  5. 25 Nov, 2011 2 commits
  6. 24 Nov, 2011 5 commits
  7. 23 Nov, 2011 6 commits
  8. 22 Nov, 2011 6 commits
  9. 21 Nov, 2011 4 commits