--- /dev/null
+From a8cd2f16f11cd3cb6fb8d38bf1928ef01413d861 Mon Sep 17 00:00:00 2001
+From: Changli Gao <xiaosuo@gmail.com>
+Date: Thu, 29 Jul 2010 14:04:18 +0000
+Subject: act_nat: the checksum of ICMP doesn't have pseudo header
+
+
+From: Changli Gao <xiaosuo@gmail.com>
+
+[ Upstream commit 3a3dfb062c2e086c202d34f09ce29634515ad256 ]
+
+after updating the value of the ICMP payload, inet_proto_csum_replace4() should
+be called with zero pseudohdr.
+
+Signed-off-by: Changli Gao <xiaosuo@gmail.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/sched/act_nat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/act_nat.c
++++ b/net/sched/act_nat.c
+@@ -240,7 +240,7 @@ static int tcf_nat(struct sk_buff *skb,
+ iph->saddr = new_addr;
+
+ inet_proto_csum_replace4(&icmph->checksum, skb, addr, new_addr,
+- 1);
++ 0);
+ break;
+ }
+ default:
--- /dev/null
+From 53efbdbb8de2b77bf00819ae2db48aa6e0443484 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Wed, 11 Aug 2010 16:12:35 -0700
+Subject: can: add limit for nframes and clean up signed/unsigned variables
+
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+[ Upstream commit 5b75c4973ce779520b9d1e392483207d6f842cde ]
+
+This patch adds a limit for nframes as the number of frames in TX_SETUP and
+RX_SETUP are derived from a single byte multiplex value by default.
+Use-cases that would require to send/filter more than 256 CAN frames should
+be implemented in userspace for complexity reasons anyway.
+
+Additionally the assignments of unsigned values from userspace to signed
+values in kernelspace and vice versa are fixed by using unsigned values in
+kernelspace consistently.
+
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Reported-by: Ben Hawkes <hawkes@google.com>
+Acked-by: Urs Thuermann <urs.thuermann@volkswagen.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/can/bcm.c | 41 +++++++++++++++++++++++++++--------------
+ 1 file changed, 27 insertions(+), 14 deletions(-)
+
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -59,6 +59,13 @@
+ #include <net/sock.h>
+ #include <net/net_namespace.h>
+
++/*
++ * To send multiple CAN frame content within TX_SETUP or to filter
++ * CAN messages with multiplex index within RX_SETUP, the number of
++ * different filters is limited to 256 due to the one byte index value.
++ */
++#define MAX_NFRAMES 256
++
+ /* use of last_frames[index].can_dlc */
+ #define RX_RECV 0x40 /* received data for this element */
+ #define RX_THR 0x80 /* element not been sent due to throttle feature */
+@@ -88,16 +95,16 @@ struct bcm_op {
+ struct list_head list;
+ int ifindex;
+ canid_t can_id;
+- int flags;
++ u32 flags;
+ unsigned long frames_abs, frames_filtered;
+ struct timeval ival1, ival2;
+ struct hrtimer timer, thrtimer;
+ struct tasklet_struct tsklet, thrtsklet;
+ ktime_t rx_stamp, kt_ival1, kt_ival2, kt_lastmsg;
+ int rx_ifindex;
+- int count;
+- int nframes;
+- int currframe;
++ u32 count;
++ u32 nframes;
++ u32 currframe;
+ struct can_frame *frames;
+ struct can_frame *last_frames;
+ struct can_frame sframe;
+@@ -174,7 +181,7 @@ static int bcm_proc_show(struct seq_file
+
+ seq_printf(m, "rx_op: %03X %-5s ",
+ op->can_id, bcm_proc_getifname(ifname, op->ifindex));
+- seq_printf(m, "[%d]%c ", op->nframes,
++ seq_printf(m, "[%u]%c ", op->nframes,
+ (op->flags & RX_CHECK_DLC)?'d':' ');
+ if (op->kt_ival1.tv64)
+ seq_printf(m, "timeo=%lld ",
+@@ -197,7 +204,7 @@ static int bcm_proc_show(struct seq_file
+
+ list_for_each_entry(op, &bo->tx_ops, list) {
+
+- seq_printf(m, "tx_op: %03X %s [%d] ",
++ seq_printf(m, "tx_op: %03X %s [%u] ",
+ op->can_id,
+ bcm_proc_getifname(ifname, op->ifindex),
+ op->nframes);
+@@ -282,7 +289,7 @@ static void bcm_send_to_user(struct bcm_
+ struct can_frame *firstframe;
+ struct sockaddr_can *addr;
+ struct sock *sk = op->sk;
+- int datalen = head->nframes * CFSIZ;
++ unsigned int datalen = head->nframes * CFSIZ;
+ int err;
+
+ skb = alloc_skb(sizeof(*head) + datalen, gfp_any());
+@@ -467,7 +474,7 @@ rx_changed_settime:
+ * bcm_rx_cmp_to_index - (bit)compares the currently received data to formerly
+ * received data stored in op->last_frames[]
+ */
+-static void bcm_rx_cmp_to_index(struct bcm_op *op, int index,
++static void bcm_rx_cmp_to_index(struct bcm_op *op, unsigned int index,
+ const struct can_frame *rxdata)
+ {
+ /*
+@@ -553,7 +560,8 @@ static enum hrtimer_restart bcm_rx_timeo
+ /*
+ * bcm_rx_do_flush - helper for bcm_rx_thr_flush
+ */
+-static inline int bcm_rx_do_flush(struct bcm_op *op, int update, int index)
++static inline int bcm_rx_do_flush(struct bcm_op *op, int update,
++ unsigned int index)
+ {
+ if ((op->last_frames) && (op->last_frames[index].can_dlc & RX_THR)) {
+ if (update)
+@@ -574,7 +582,7 @@ static int bcm_rx_thr_flush(struct bcm_o
+ int updated = 0;
+
+ if (op->nframes > 1) {
+- int i;
++ unsigned int i;
+
+ /* for MUX filter we start at index 1 */
+ for (i = 1; i < op->nframes; i++)
+@@ -623,7 +631,7 @@ static void bcm_rx_handler(struct sk_buf
+ {
+ struct bcm_op *op = (struct bcm_op *)data;
+ const struct can_frame *rxframe = (struct can_frame *)skb->data;
+- int i;
++ unsigned int i;
+
+ /* disable timeout */
+ hrtimer_cancel(&op->timer);
+@@ -823,14 +831,15 @@ static int bcm_tx_setup(struct bcm_msg_h
+ {
+ struct bcm_sock *bo = bcm_sk(sk);
+ struct bcm_op *op;
+- int i, err;
++ unsigned int i;
++ int err;
+
+ /* we need a real device to send frames */
+ if (!ifindex)
+ return -ENODEV;
+
+- /* we need at least one can_frame */
+- if (msg_head->nframes < 1)
++ /* check nframes boundaries - we need at least one can_frame */
++ if (msg_head->nframes < 1 || msg_head->nframes > MAX_NFRAMES)
+ return -EINVAL;
+
+ /* check the given can_id */
+@@ -994,6 +1003,10 @@ static int bcm_rx_setup(struct bcm_msg_h
+ msg_head->nframes = 0;
+ }
+
++ /* the first element contains the mux-mask => MAX_NFRAMES + 1 */
++ if (msg_head->nframes > MAX_NFRAMES + 1)
++ return -EINVAL;
++
+ if ((msg_head->flags & RX_RTR_FRAME) &&
+ ((msg_head->nframes != 1) ||
+ (!(msg_head->can_id & CAN_RTR_FLAG))))
--- /dev/null
+From d8be78ce534e6546d3c4d0d78e6b98c72d1bf470 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <error27@gmail.com>
+Date: Wed, 4 Aug 2010 23:38:06 +0000
+Subject: isdn: fix information leak
+
+
+From: Dan Carpenter <error27@gmail.com>
+
+[ Upstream commit 4b030d4288a569d6bdeca884d7f102d951f097f2 ]
+
+The main motivation of this patch changing strcpy() to strlcpy().
+We strcpy() to copy a 48 byte buffers into a 49 byte buffers. So at
+best the last byte has leaked information, or maybe there is an
+overflow? Anyway, this patch closes the information leaks by zeroing
+the memory and the calls to strlcpy() prevent overflows.
+
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/isdn/sc/ioctl.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/isdn/sc/ioctl.c
++++ b/drivers/isdn/sc/ioctl.c
+@@ -174,7 +174,7 @@ int sc_ioctl(int card, scs_ioctl *data)
+ pr_debug("%s: SCIOGETSPID: ioctl received\n",
+ sc_adapter[card]->devicename);
+
+- spid = kmalloc(SCIOC_SPIDSIZE, GFP_KERNEL);
++ spid = kzalloc(SCIOC_SPIDSIZE, GFP_KERNEL);
+ if (!spid) {
+ kfree(rcvmsg);
+ return -ENOMEM;
+@@ -194,7 +194,7 @@ int sc_ioctl(int card, scs_ioctl *data)
+ kfree(rcvmsg);
+ return status;
+ }
+- strcpy(spid, rcvmsg->msg_data.byte_array);
++ strlcpy(spid, rcvmsg->msg_data.byte_array, SCIOC_SPIDSIZE);
+
+ /*
+ * Package the switch type and send to user space
+@@ -272,12 +272,12 @@ int sc_ioctl(int card, scs_ioctl *data)
+ return status;
+ }
+
+- dn = kmalloc(SCIOC_DNSIZE, GFP_KERNEL);
++ dn = kzalloc(SCIOC_DNSIZE, GFP_KERNEL);
+ if (!dn) {
+ kfree(rcvmsg);
+ return -ENOMEM;
+ }
+- strcpy(dn, rcvmsg->msg_data.byte_array);
++ strlcpy(dn, rcvmsg->msg_data.byte_array, SCIOC_DNSIZE);
+ kfree(rcvmsg);
+
+ /*
+@@ -348,7 +348,7 @@ int sc_ioctl(int card, scs_ioctl *data)
+ pr_debug("%s: SCIOSTAT: ioctl received\n",
+ sc_adapter[card]->devicename);
+
+- bi = kmalloc (sizeof(boardInfo), GFP_KERNEL);
++ bi = kzalloc(sizeof(boardInfo), GFP_KERNEL);
+ if (!bi) {
+ kfree(rcvmsg);
+ return -ENOMEM;
--- /dev/null
+From a8d23973cdb1b7a67774a1a649e22d72a02b97e1 Mon Sep 17 00:00:00 2001
+From: Jarek Poplawski <jarkao2@gmail.com>
+Date: Wed, 11 Aug 2010 02:02:10 +0000
+Subject: net: Fix a memmove bug in dev_gro_receive()
+
+
+From: Jarek Poplawski <jarkao2@gmail.com>
+
+[ Upstream commit e5093aec2e6b60c3df2420057ffab9ed4a6d2792 ]
+
+>Xin Xiaohui wrote:
+> I looked into the code dev_gro_receive(), found the code here:
+> if the frags[0] is pulled to 0, then the page will be released,
+> and memmove() frags left.
+> Is that right? I'm not sure if memmove do right or not, but
+> frags[0].size is never set after memove at least. what I think
+> a simple way is not to do anything if we found frags[0].size == 0.
+> The patch is as followed.
+...
+
+This version of the patch fixes the bug directly in memmove.
+
+Reported-by: "Xin, Xiaohui" <xiaohui.xin@intel.com>
+Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2519,7 +2519,7 @@ pull:
+ put_page(skb_shinfo(skb)->frags[0].page);
+ memmove(skb_shinfo(skb)->frags,
+ skb_shinfo(skb)->frags + 1,
+- --skb_shinfo(skb)->nr_frags);
++ --skb_shinfo(skb)->nr_frags * sizeof(skb_frag_t));
+ }
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
