1. 22 Mar, 2011 11 commits
  2. 20 Mar, 2011 7 commits
    • netfilter: ipt_CLUSTERIP: fix buffer overflow · 961ed183
      Vasiliy Kulikov authored
      'buffer' string is copied from userspace.  It is not checked whether it is
      zero terminated.  This may lead to overflow inside of simple_strtoul().
      Changli Gao suggested to copy not more than user supplied 'size' bytes.
      
      It was introduced before the git epoch.  Files "ipt_CLUSTERIP/*" are
      root writable only by default, however, on some setups permissions might be
      relaxed to e.g. network admin user.
      Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
      Acked-by: Changli Gao <xiaosuo@gmail.com>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
    • netfilter: xtables: fix reentrancy · db856674
      Eric Dumazet authored
      commit f3c5c1bf (make ip_tables reentrant) introduced a race in
      handling the stackptr restore, at the end of ipt_do_table()
      
      We should do it before the call to xt_info_rdunlock_bh(), or we allow
      cpu preemption and another cpu overwrites stackptr of original one.
      
      A second fix is to change the underflow test to check the origptr value
      instead of 0 to detect underflow, or else we allow a jump from different
      hooks.
      Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: Jan Engelhardt <jengelh@medozas.de>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
    • netfilter: ipset: fix checking the type revision at create command · 5c1aba46
      Jozsef Kadlecsik authored
      The revision of the set type was not checked at the create command: if
      userspace sent a valid set type but with an unsupported revision number,
      it'd create a loop.
      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
    • netfilter: ipset: fix address ranges at hash:*port* types · 5e0c1eb7
      Jozsef Kadlecsik authored
      The hash:*port* types with IPv4 silently ignored when address ranges
      with non TCP/UDP were added/deleted from the set and used the first
      address from the range only.
      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
    • niu: Rename NIU parent platform device name to fix conflict. · a769f496
      David S. Miller authored
      When the OF device driver bits were converted over to the platform
      device infrastructure in commit 74888760
      ("dt/net: Eliminate users of of_platform_{,un}register_driver") we
      inadvertently created probing problems in the OF case.
      
      The NIU driver creates a dummy platform device to represent the
      board that contains one or more child NIU devices.  Unfortunately
      we use the same name, "niu", as the OF device driver itself uses.
      
      The result is that we try to probe the dummy "niu" parent device we
      create, and since it has a NULL ofdevice pointer etc. everything
      explodes:
      
      [783019.128243] niu: niu.c:v1.1 (Apr 22, 2010)
      [783019.128810] Unable to handle kernel NULL pointer dereference
      [783019.128949] tsk->{mm,active_mm}->context = 000000000000039e
      [783019.129078] tsk->{mm,active_mm}->pgd = fffff803afc5a000
      [783019.129206]               \|/ ____ \|/
      [783019.129213]               "@'/ .. \`@"
      [783019.129220]               /_| \__/ |_\
      [783019.129226]                  \__U_/
      [783019.129378] modprobe(2004): Oops [#1]
      [783019.129423] TSTATE: 0000000011001602 TPC: 0000000010052ff8 TNPC: 000000000061bbb4 Y: 00000000    Not tainted
      [783019.129542] TPC: <niu_of_probe+0x3c/0x2dc [niu]>
      [783019.129624] g0: 8080000000000000 g1: 0000000000000000 g2: 0000000010056000 g3: 0000000000000002
      [783019.129733] g4: fffff803fc1da0c0 g5: fffff800441e2000 g6: fffff803fba84000 g7: 0000000000000000
      [783019.129842] o0: fffff803fe7df010 o1: 0000000010055700 o2: 0000000000000000 o3: fffff803fbacaca0
      [783019.129951] o4: 0000000000000080 o5: 0000000000777908 sp: fffff803fba866e1 ret_pc: 0000000010052ff4
      [783019.130083] RPC: <niu_of_probe+0x38/0x2dc [niu]>
      [783019.130165] l0: fffff803fe7df010 l1: fffff803fbacafc0 l2: fffff803fbacaca0 l3: ffffffffffffffed
      [783019.130273] l4: 0000000000000000 l5: 000000007fffffff l6: fffff803fba86f40 l7: 0000000000000001
      [783019.130382] i0: fffff803fe7df000 i1: fffff803fc20aba0 i2: 0000000000000000 i3: 0000000000000001
      [783019.130490] i4: 0000000000000000 i5: 0000000000000000 i6: fffff803fba867a1 i7: 000000000062038c
      [783019.130614] I7: <platform_drv_probe+0xc/0x20>
      
      Fix by simply renaming the parent device to "niu-board".
      Signed-off-by: David S. Miller <davem@davemloft.net>
  3. 19 Mar, 2011 3 commits
  4. 18 Mar, 2011 19 commits