From: Greg Kroah-Hartman Date: Mon, 15 Oct 2012 19:06:58 +0000 (-0700) Subject: 3.0-stable patches X-Git-Tag: v3.0.47~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=95cc69c869559ba51b13b3dcd4699e0603218cb9;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: pktgen-fix-crash-when-generating-ipv6-packets.patch --- diff --git a/queue-3.0/pktgen-fix-crash-when-generating-ipv6-packets.patch b/queue-3.0/pktgen-fix-crash-when-generating-ipv6-packets.patch new file mode 100644 index 00000000000..f9ddff7df63 --- /dev/null +++ b/queue-3.0/pktgen-fix-crash-when-generating-ipv6-packets.patch 
@@ -0,0 +1,44 @@ +From 5aa8b572007c4bca1e6d3dd4c4820f1ae49d6bb2 Mon Sep 17 00:00:00 2001 +From: Amerigo Wang +Date: Tue, 9 Oct 2012 17:48:16 +0000 +Subject: pktgen: fix crash when generating IPv6 packets + +From: Amerigo Wang + +commit 5aa8b572007c4bca1e6d3dd4c4820f1ae49d6bb2 upstream. + +For IPv6, sizeof(struct ipv6hdr) = 40, thus the following +expression will result negative: + + datalen = pkt_dev->cur_pkt_size - 14 - + sizeof(struct ipv6hdr) - sizeof(struct udphdr) - + pkt_dev->pkt_overhead; + +And, the check "if (datalen < sizeof(struct pktgen_hdr))" will be +passed as "datalen" is promoted to unsigned, therefore will cause +a crash later. + +This is a quick fix by checking if "datalen" is negative. The following +patch will increase the default value of 'min_pkt_size' for IPv6. + +This bug should exist for a long time, so Cc -stable too. + +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/core/pktgen.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/pktgen.c ++++ b/net/core/pktgen.c +@@ -2932,7 +2932,7 @@ static struct sk_buff *fill_packet_ipv6( + sizeof(struct ipv6hdr) - sizeof(struct udphdr) - + pkt_dev->pkt_overhead; + +- if (datalen < sizeof(struct pktgen_hdr)) { ++ if (datalen < 0 || datalen < sizeof(struct pktgen_hdr)) { + datalen = sizeof(struct pktgen_hdr); + if (net_ratelimit()) + pr_info("increased datalen to %d\n", datalen); diff --git a/queue-3.0/series b/queue-3.0/series index 23d790e9b9f..fa9b571cfb0 100644 --- a/queue-3.0/series +++ b/queue-3.0/series @@ -15,3 +15,4 @@ module-taint-kernel-when-lve-module-is-loaded.patch video-udlfb-fix-line-counting-in-fb_write.patch viafb-don-t-touch-clock-state-on-olpc-xo-1.5.patch timers-fix-endless-looping-between-cascade-and-internal_add_timer.patch +pktgen-fix-crash-when-generating-ipv6-packets.patch
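Review bot: In the fill_packet_ipv6() hunk of net/core/pktgen.c, the new condition "datalen < 0 || datalen < sizeof(struct pktgen_hdr)" still contains the mixed signed/unsigned comparison on its right-hand side, and is correct only because the "datalen < 0" test short-circuits first. A single signed comparison, for example "if (datalen < (int)sizeof(struct pktgen_hdr))", would express the same check without depending on operand order. A one-line comment stating that datalen can go negative when cur_pkt_size is smaller than the Ethernet, IPv6 and UDP header sizes plus pkt_overhead would also help, since the only runtime trace of the clamp is the rate-limited pr_info.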
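Review bot: The queue-3.0/series hunk adds only pktgen-fix-crash-when-generating-ipv6-packets.patch, while the commit message describes this change as a quick fix and says a following patch raises the default 'min_pkt_size' for IPv6. Consider whether that follow-up should be queued for 3.0 alongside it, or record why the datalen clamp alone is enough for the stable tree.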