--- /dev/null
+From f8e9881c2aef1e982e5abc25c046820cd0b7cf64 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Tue, 12 Apr 2011 13:39:14 -0700
+Subject: bridge: reset IPCB in br_parse_ip_options
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit f8e9881c2aef1e982e5abc25c046820cd0b7cf64 upstream.
+
+Commit 462fb2af9788a82 (bridge : Sanitize skb before it enters the IP
+stack), missed one IPCB init before calling ip_options_compile()
+
+Thanks to Scot Doyle for his tests and bug reports.
+
+Reported-by: Scot Doyle <lkml@scotdoyle.com>
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Cc: Hiroaki SHIMODA <shimoda.hiroaki@gmail.com>
+Acked-by: Bandan Das <bandan.das@stratus.com>
+Acked-by: Stephen Hemminger <shemminger@vyatta.com>
+Cc: Jan Lübbe <jluebbe@debian.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/bridge/br_netfilter.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/net/bridge/br_netfilter.c
++++ b/net/bridge/br_netfilter.c
+@@ -249,11 +249,9 @@ static int br_parse_ip_options(struct sk
+ goto drop;
+ }
+
+- /* Zero out the CB buffer if no options present */
+- if (iph->ihl == 5) {
+- memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
++ memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
++ if (iph->ihl == 5)
+ return 0;
+- }
+
+ opt->optlen = iph->ihl*4 - sizeof(struct iphdr);
+ if (ip_options_compile(dev_net(dev), opt, skb))
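Review bot: The memset on the new side now runs for every packet, but the only comment explaining it was removed with the old `if` block, so nothing says why IPCB must be cleared before `ip_options_compile()` is reached. I would add above the memset `/* Clear IPCB unconditionally: ip_options_compile() below must not see stale control-block data */`. `opt` presumably points into IPCB(skb), but its assignment is outside the hunk, as are the start and end of br_parse_ip_options. The memset has to stay ahead of any write through `opt`, and a comment would make an accidental reorder less likely.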
--- /dev/null
+From c65353daf137dd41f3ede3baf62d561fca076228 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Thu, 14 Apr 2011 05:55:37 +0000
+Subject: ip: ip_options_compile() resilient to NULL skb route
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit c65353daf137dd41f3ede3baf62d561fca076228 upstream.
+
+Scot Doyle demonstrated ip_options_compile() could be called with an skb
+without an attached route, using a setup involving a bridge, netfilter,
+and forged IP packets.
+
+Let's make ip_options_compile() and ip_options_rcv_srr() a bit more
+robust, instead of changing bridge/netfilter code.
+
+With help from Hiroaki SHIMODA.
+
+Reported-by: Scot Doyle <lkml@scotdoyle.com>
+Tested-by: Scot Doyle <lkml@scotdoyle.com>
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Cc: Stephen Hemminger <shemminger@vyatta.com>
+Acked-by: Hiroaki SHIMODA <shimoda.hiroaki@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/ip_options.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/ip_options.c
++++ b/net/ipv4/ip_options.c
+@@ -329,7 +329,7 @@ int ip_options_compile(struct net *net,
+ pp_ptr = optptr + 2;
+ goto error;
+ }
+- if (skb) {
++ if (rt) {
+ memcpy(&optptr[optptr[2]-1], &rt->rt_spec_dst, 4);
+ opt->is_changed = 1;
+ }
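Review bot: The new `if (rt)` guard is only safe if `rt` is NULL whenever skb is NULL or carries no route, and that initialisation is outside this hunk; the same holds for the identical guard in the hunk at -371. A short comment at the guard would record the intent, e.g. `/* rt is NULL when skb has no attached route; leave the option slot unfilled */`. The memcpy index `optptr[2]-1` is taken from the packet's option bytes, so its bounds check presumably sits before the `goto error` above and should be confirmed against the full function.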
+@@ -371,7 +371,7 @@ int ip_options_compile(struct net *net,
+ goto error;
+ }
+ opt->ts = optptr - iph;
+- if (skb) {
++ if (rt) {
+ memcpy(&optptr[optptr[2]-1], &rt->rt_spec_dst, 4);
+ timeptr = (__be32*)&optptr[optptr[2]+3];
+ }
+@@ -603,7 +603,7 @@ int ip_options_rcv_srr(struct sk_buff *s
+ unsigned long orefdst;
+ int err;
+
+- if (!opt->srr)
++ if (!opt->srr || !rt)
+ return 0;
+
+ if (skb->pkt_type != PACKET_HOST)
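Review bot: The early return now reports success (0) for a packet that carries a source-route option but has no route attached, so the caller cannot tell "no SRR" from "SRR present but not processed". If that is intended, say so at the check: `/* no route attached to skb: source routing cannot be processed, treat as no-op */`. Whether such a packet should instead be rejected depends on callers not shown here. `rt` is assigned outside the hunk, and ip_options_rcv_srr continues past it.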
radeon-fix-kms-cp-writeback-on-big-endian-machines.patch
bluetooth-fix-hci_reset-command-synchronization.patch
perf-tool-fix-gcc-4.6.0-issues.patch
+bridge-reset-ipcb-in-br_parse_ip_options.patch
+ip-ip_options_compile-resilient-to-null-skb-route.patch