--- /dev/null
+From stable-bounces@linux.kernel.org Wed Jul 5 20:59:29 2006
+Date: Wed, 05 Jul 2006 20:58:51 -0700 (PDT)
+From: David Miller <davem@davemloft.net>
+To: stable@kernel.org
+Cc:
+Subject: PKT_SCHED: Fix error handling while dumping actions
+
+From: Thomas Graf <tgraf@suug.ch>
+
+"return -err" and blindly inheriting the error code in the netlink
+failure exception handler causes errors codes to be returned as
+positive value therefore making them being ignored by the caller.
+
+May lead to sending out incomplete netlink messages.
+
+Signed-off-by: Thomas Graf <tgraf@suug.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ net/sched/act_api.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- linux-2.6.17.3.orig/net/sched/act_api.c
++++ linux-2.6.17.3/net/sched/act_api.c
+@@ -251,15 +251,17 @@ tcf_action_dump(struct sk_buff *skb, str
+ RTA_PUT(skb, a->order, 0, NULL);
+ err = tcf_action_dump_1(skb, a, bind, ref);
+ if (err < 0)
+- goto rtattr_failure;
++ goto errout;
+ r->rta_len = skb->tail - (u8*)r;
+ }
+
+ return 0;
+
+ rtattr_failure:
++ err = -EINVAL;
++errout:
+ skb_trim(skb, b - skb->data);
+- return -err;
++ return err;
+ }
+
+ struct tc_action *tcf_action_init_1(struct rtattr *rta, struct rtattr *est,
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Jul 5 20:58:23 2006
+Date: Wed, 05 Jul 2006 20:58:02 -0700 (PDT)
+From: David Miller <davem@davemloft.net>
+To: stable@kernel.org
+Cc:
+Subject: PKT_SCHED: Fix illegal memory dereferences when dumping actions
+
+From: Thomas Graf <tgraf@suug.ch>
+
+The TCA_ACT_KIND attribute is used without checking its
+availability when dumping actions therefore leading to a
+value of 0x4 being dereferenced.
+
+The use of strcmp() in tc_lookup_action_n() isn't safe
+when fed with string from an attribute without enforcing
+proper NUL termination.
+
+Both bugs can be triggered with malformed netlink message
+and don't require any privileges.
+
+Signed-off-by: Thomas Graf <tgraf@suug.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ net/sched/act_api.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- linux-2.6.17.3.orig/net/sched/act_api.c
++++ linux-2.6.17.3/net/sched/act_api.c
+@@ -777,7 +777,7 @@ replay:
+ return ret;
+ }
+
+-static char *
++static struct rtattr *
+ find_dump_kind(struct nlmsghdr *n)
+ {
+ struct rtattr *tb1, *tb2[TCA_ACT_MAX+1];
+@@ -805,7 +805,7 @@ find_dump_kind(struct nlmsghdr *n)
+ return NULL;
+ kind = tb2[TCA_ACT_KIND-1];
+
+- return (char *) RTA_DATA(kind);
++ return kind;
+ }
+
+ static int
+@@ -818,16 +818,15 @@ tc_dump_action(struct sk_buff *skb, stru
+ struct tc_action a;
+ int ret = 0;
+ struct tcamsg *t = (struct tcamsg *) NLMSG_DATA(cb->nlh);
+- char *kind = find_dump_kind(cb->nlh);
++ struct rtattr *kind = find_dump_kind(cb->nlh);
+
+ if (kind == NULL) {
+ printk("tc_dump_action: action bad kind\n");
+ return 0;
+ }
+
+- a_o = tc_lookup_action_n(kind);
++ a_o = tc_lookup_action(kind);
+ if (a_o == NULL) {
+- printk("failed to find %s\n", kind);
+ return 0;
+ }
+
+@@ -835,7 +834,7 @@ tc_dump_action(struct sk_buff *skb, stru
+ a.ops = a_o;
+
+ if (a_o->walk == NULL) {
+- printk("tc_dump_action: %s !capable of dumping table\n", kind);
++ printk("tc_dump_action: %s !capable of dumping table\n", a_o->kind);
+ goto rtattr_failure;
+ }
+
--- /dev/null
+From stable-bounces@linux.kernel.org Wed Jul 5 20:59:23 2006
+Date: Wed, 05 Jul 2006 20:58:23 -0700 (PDT)
+From: David Miller <davem@davemloft.net>
+To: stable@kernel.org
+Cc:
+Subject: PKT_SCHED: Return ENOENT if action module is unavailable
+
+From: Thomas Graf <tgraf@suug.ch>
+
+Return ENOENT if action module is unavailable
+
+Signed-off-by: Thomas Graf <tgraf@suug.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ net/sched/act_api.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- linux-2.6.17.3.orig/net/sched/act_api.c
++++ linux-2.6.17.3/net/sched/act_api.c
+@@ -306,6 +306,7 @@ struct tc_action *tcf_action_init_1(stru
+ goto err_mod;
+ }
+ #endif
++ *err = -ENOENT;
+ goto err_out;
+ }
+
via-velocity-the-link-is-not-correctly-detected-when-the-device-starts.patch
2-oopses-in-ethtool.patch
kconfig-fix-description-and-dependencies-for-saa7115-module.patch
+pkt_sched-fix-illegal-memory-dereferences-when-dumping-actions.patch
+pkt_sched-return-enoent-if-action-module-is-unavailable.patch
+pkt_sched-fix-error-handling-while-dumping-actions.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
