- 25 Apr, 2013 1 commit
-
-
Dan Carpenter authored
The sockaddr_nfc_llcp struct has a hole between ->sa_family and ->dev_idx so I've added a memset() to clear it and prevent an information leak. Also the ->nfc_protocol element wasn't set so I've added that. "uaddr->sa_family" and "llcp_addr->sa_family" are the same thing but it's less confusing to use llcp_addr consistently throughout. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 07 Apr, 2013 1 commit
-
-
Mathias Krause authored
The code in llcp_sock_recvmsg() does not initialize all the members of struct sockaddr_nfc_llcp when filling the sockaddr info. Nor does it initialize the padding bytes of the structure inserted by the compiler for alignment. Also, if the socket is in state LLCP_CLOSED or is shutting down during receive the msg_namelen member is not updated to 0 while otherwise returning with 0, i.e. "success". The msg_namelen update is also missing for stream and seqpacket sockets which don't fill the sockaddr info. Both issues lead to the fact that the code will leak uninitialized kernel stack bytes in net/socket.c. Fix the first issue by initializing the memory used for sockaddr info with memset(0). Fix the second one by setting msg_namelen to 0 early. It will be updated later if we're going to fill the msg_name member. Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org> Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org> Cc: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
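The 25 Apr and 07 Apr 2013 commits above both close the same kind of leak: a struct filled member by member keeps whatever was in memory in its padding and in any member that is never assigned. The following is an added example, not code from the kernel or from either commit; `demo_llcp_addr` is a simplified stand-in for the real struct, and the field values and the `STALE` marker are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in (assumption), not the kernel's struct definition. */
struct demo_llcp_addr {
    uint16_t sa_family;     /* 2 bytes, then a compiler-inserted hole */
    uint32_t dev_idx;
    uint32_t nfc_protocol;  /* the member the unfixed path never sets */
    uint8_t  dsap;
    uint8_t  ssap;          /* tail padding follows on common ABIs */
};
#define STALE 0xAA          /* constructed marker for old stack contents */

/* Size of the hole between sa_family and dev_idx. */
static size_t hole_size(void) {
    return offsetof(struct demo_llcp_addr, dev_idx) - sizeof(uint16_t);
}

/* Fill the address; 'fixed' adds the memset() and the nfc_protocol store. */
static void fill_addr(struct demo_llcp_addr *a, int fixed) {
    if (fixed)
        memset(a, 0, sizeof(*a));   /* clears hole and tail padding too */
    a->sa_family = 39;              /* constructed sample values */
    a->dev_idx = 0;
    if (fixed)
        a->nfc_protocol = 5;
    a->dsap = 4;
    a->ssap = 32;
}

/* Count stale bytes a whole-struct copy would hand back to the caller. */
static size_t stale_bytes(int fixed) {
    struct demo_llcp_addr a;
    unsigned char out[sizeof(a)];
    size_t i, n = 0;
    memset(&a, STALE, sizeof(a));   /* simulate a dirty stack slot */
    fill_addr(&a, fixed);
    memcpy(out, &a, sizeof(a));     /* stands in for the copy to userspace */
    for (i = 0; i < sizeof(out); i++)
        n += (out[i] == STALE);
    return n;
}

int main(void) {
    printf("hole=%zu unfixed=%zu fixed=%zu\n", hole_size(), stale_bytes(0), stale_bytes(1));
    return 0;
}
```

The unfixed count covers the hole, the unset member and the tail padding; the exact number depends on the ABI's alignment rules.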
-
- 26 Mar, 2013 1 commit
-
-
Samuel Ortiz authored
And avoid decreasing the ack log twice when dequeueing connected LLCP sockets. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
- 20 Mar, 2013 1 commit
-
-
Samuel Ortiz authored
Calling sock_orphan when e.g. the NFC adapter is removed can lead to kernel crashes when e.g. a connection less client is sleeping on the Rx workqueue, waiting for data to show up. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
- 08 Mar, 2013 1 commit
-
-
Samuel Ortiz authored
This is really difficult to test with real NFC devices, but without this fix an LLCP server will eventually refuse new connections. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
- 11 Jan, 2013 2 commits
-
-
Samuel Ortiz authored
Safer and more robust than memcpy_toiovec. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
Samuel Ortiz authored
We can cast msg_name to a sockaddr_nfc_llcp pointer directly. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
- 09 Jan, 2013 2 commits
-
-
Samuel Ortiz authored
Not only was it improperly used to queue backlogged RX skbuffs, but it was also not processed at all. If the socket receive queue is full we simply drop the incoming packets. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
Thierry Escande authored
Set timestamp in sent and received sk_buffs. timestamp is then put in msghdr structure in llcp_sock_recvmsg(). Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
- 13 Dec, 2012 1 commit
-
-
Dave Jones authored
This is easily triggerable when fuzz-testing as an unprivileged user. We could rate-limit it, but given we don't print similar messages for other protocols, I just removed it. Signed-off-by: Dave Jones <davej@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 26 Oct, 2012 3 commits
-
-
Samuel Ortiz authored
It simply involves getting the client dsap and ssap and calling the UI frame building and sending routine. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
Samuel Ortiz authored
With connection less PDUs we have to send the SSAP and DSAP as well. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
Szymon Janc authored
Logical continuations should be on the previous line. Signed-off-by: Szymon Janc <szymon.janc@tieto.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
- 04 Oct, 2012 1 commit
-
-
Dave Jones authored
Validation of userspace input shouldn't trigger dmesg spamming. Signed-off-by: Dave Jones <davej@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 27 Sep, 2012 1 commit
-
-
Thierry Escande authored
This adds support for socket of type SOCK_RAW to LLCP. sk_buff are copied and sent to raw sockets with a 2 bytes extra header:
The first byte header contains the nfc adapter index.
The second one contains flags:
  - 0x01 - Direction (0=RX, 1=TX)
  - 0x02-0x80 - Reserved
A raw socket has to be explicitly bound to a nfc adapter. This is achieved by specifying the adapter index to be bound to in the dev_idx field of the sockaddr_nfc_llcp struct passed to bind(). Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
- 24 Sep, 2012 1 commit
-
-
Syam Sidhardhan authored
This patch removes the repeated code for checking llcp_sock & llcp_sock->dev against NULL. Signed-off-by: Syam Sidhardhan <s.syam@samsung.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
- 09 Jul, 2012 6 commits
-
-
Samuel Ortiz authored
They both can potentially be NULL. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
Samuel Ortiz authored
Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
Samuel Ortiz authored
This patch fixes a typo and returns the correct error when trying to bind 2 sockets to the same service name. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
Samuel Ortiz authored
The LLCP SAP should only be freed when the socket owning it is released. As long as the socket is alive, the SAP should be reserved in order to e.g. send the right wks array when bringing the MAC up. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
Samuel Ortiz authored
Set the right target index and use a better socket declaration routine. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
Sasha Levin authored
llcp_sock_getname can be called without a device attached to the nfc_llcp_sock. This would lead to the following BUG:

[ 362.341807] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 362.341815] IP: [<ffffffff836258e5>] llcp_sock_getname+0x75/0xc0
[ 362.341818] PGD 31b35067 PUD 30631067 PMD 0
[ 362.341821] Oops: 0000 [#627] PREEMPT SMP DEBUG_PAGEALLOC
[ 362.341826] CPU 3
[ 362.341827] Pid: 7816, comm: trinity-child55 Tainted: G D W 3.5.0-rc4-next-20120628-sasha-00005-g9f23eb7 #479
[ 362.341831] RIP: 0010:[<ffffffff836258e5>] [<ffffffff836258e5>] llcp_sock_getname+0x75/0xc0
[ 362.341832] RSP: 0018:ffff8800304fde88 EFLAGS: 00010286
[ 362.341834] RAX: 0000000000000000 RBX: ffff880033cb8000 RCX: 0000000000000001
[ 362.341835] RDX: ffff8800304fdec4 RSI: ffff8800304fdec8 RDI: ffff8800304fdeda
[ 362.341836] RBP: ffff8800304fdea8 R08: 7ebcebcb772b7ffb R09: 5fbfcb9c35bdfd53
[ 362.341838] R10: 4220020c54326244 R11: 0000000000000246 R12: ffff8800304fdec8
[ 362.341839] R13: ffff8800304fdec4 R14: ffff8800304fdec8 R15: 0000000000000044
[ 362.341841] FS: 00007effa376e700(0000) GS:ffff880035a00000(0000) knlGS:0000000000000000
[ 362.341843] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 362.341844] CR2: 0000000000000000 CR3: 0000000030438000 CR4: 00000000000406e0
[ 362.341851] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 362.341856] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 362.341858] Process trinity-child55 (pid: 7816, threadinfo ffff8800304fc000, task ffff880031270000)
[ 362.341858] Stack:
[ 362.341862] ffff8800304fdea8 ffff880035156780 0000000000000000 0000000000001000
[ 362.341865] ffff8800304fdf78 ffffffff83183b40 00000000304fdec8 0000006000000000
[ 362.341868] ffff8800304f0027 ffffffff83729649 ffff8800304fdee8 ffff8800304fdf48
[ 362.341869] Call Trace:
[ 362.341874] [<ffffffff83183b40>] sys_getpeername+0xa0/0x110
[ 362.341877] [<ffffffff83729649>] ? _raw_spin_unlock_irq+0x59/0x80
[ 362.341882] [<ffffffff810f342b>] ? do_setitimer+0x23b/0x290
[ 362.341886] [<ffffffff81985ede>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[ 362.341889] [<ffffffff8372a539>] system_call_fastpath+0x16/0x1b
[ 362.341921] Code: 84 00 00 00 00 00 b8 b3 ff ff ff 48 85 db 74 54 66 41 c7 04 24 27 00 49 8d 7c 24 12 41 c7 45 00 60 00 00 00 48 8b 83 28 05 00 00 <8b> 00 41 89 44 24 04 0f b6 83 41 05 00 00 41 88 44 24 10 0f b6
[ 362.341924] RIP [<ffffffff836258e5>] llcp_sock_getname+0x75/0xc0
[ 362.341925] RSP <ffff8800304fde88>
[ 362.341926] CR2: 0000000000000000
[ 362.341928] ---[ end trace 6d450e935ee18bf3 ]---

Signed-off-by: Sasha Levin <levinsasha928@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
- 08 Jun, 2012 1 commit
-
-
Sasha Levin authored
llcp_sock_getname() might get called before the LLCP socket was created. This condition isn't checked, and llcp_sock_getname will simply deref a NULL ptr in that case. This exists starting with d646960f ("NFC: Initial LLCP support"). Signed-off-by: Sasha Levin <levinsasha928@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
- 04 Jun, 2012 4 commits
-
-
Samuel Ortiz authored
The MIU extension value can be received during the PAX or during the connection establishment process. It's definitely a connection related value rather than a link one. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
Samuel Ortiz authored
RW can only be fetched from a CONNECT or a CC frame thus making it an end points specific value, not a link one. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
Samuel Ortiz authored
Simplify the LLCP sockets structure by putting all the connected ones into a single linked list. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
Samuel Ortiz authored
LLCP sockets point to their local LLCP service, so they need to take a reference on it. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
- 15 May, 2012 2 commits
-
-
Samuel Ortiz authored
Fix the poll mask depending on the socket state. POLLOUT was missing for example. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Samuel Ortiz authored
Blocking sockets should sleep on a CC (Connection Complete) reception from the connect() call. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
- 06 Mar, 2012 4 commits
-
-
Samuel Ortiz authored
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Samuel Ortiz authored
The socket local pointer needs to be set to NULL when the adapter is removed or the MAC goes down. If the socket release code is called after such an event, the socket reference count still needs to be decreased in order for the socket to eventually be freed. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Samuel Ortiz authored
The parent socket (the bound one) could be freed before its children, so we should unlink the children without trying to reach it through the parent. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Samuel Ortiz authored
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
- 14 Dec, 2011 1 commit
-
-
Samuel Ortiz authored
This patch is an initial implementation for the NFC Logical Link Control protocol. It's also known as NFC peer to peer mode. This is a basic implementation as it lacks SDP (services Discovery Protocol), frames aggregation support, and frame rejection parsing. Follow up patches will implement those missing features. This code has been tested against a Nexus S phone implementing LLCP 1.0. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-