From: Greg Kroah-Hartman
Date: Wed, 20 Apr 2011 02:53:21 +0000 (-0700)
Subject: .38 patches
X-Git-Tag: v2.6.38.4~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bc5795ca013ed94a262aeb416ae3c71ada26f3c4;p=thirdparty%2Fkernel%2Fstable-queue.git

.38 patches
---
diff --git a/queue-2.6.38/bridge-reset-ipcb-in-br_parse_ip_options.patch b/queue-2.6.38/bridge-reset-ipcb-in-br_parse_ip_options.patch
new file mode 100644
index 00000000000..048ec1b7572
--- /dev/null
+++ b/queue-2.6.38/bridge-reset-ipcb-in-br_parse_ip_options.patch
@@ -0,0 +1,46 @@
+From f8e9881c2aef1e982e5abc25c046820cd0b7cf64 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Tue, 12 Apr 2011 13:39:14 -0700
+Subject: bridge: reset IPCB in br_parse_ip_options
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eric Dumazet
+
+commit f8e9881c2aef1e982e5abc25c046820cd0b7cf64 upstream.
+
+Commit 462fb2af9788a82 (bridge : Sanitize skb before it enters the IP
+stack), missed one IPCB init before calling ip_options_compile()
+
+Thanks to Scot Doyle for his tests and bug reports.
+
+Reported-by: Scot Doyle
+Signed-off-by: Eric Dumazet
+Cc: Hiroaki SHIMODA
+Acked-by: Bandan Das
+Acked-by: Stephen Hemminger
+Cc: Jan Lübbe
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bridge/br_netfilter.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/net/bridge/br_netfilter.c
++++ b/net/bridge/br_netfilter.c
+@@ -249,11 +249,9 @@ static int br_parse_ip_options(struct sk
+ goto drop;
+ }
+
+- /* Zero out the CB buffer if no options present */
+- if (iph->ihl == 5) {
+- memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
++ memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
++ if (iph->ihl == 5)
+ return 0;
+- }
+
+ opt->optlen = iph->ihl*4 - sizeof(struct iphdr);
+ if (ip_options_compile(dev_net(dev), opt, skb))
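Review bot: The `memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));` in br_parse_ip_options() now runs on every path, but the only comment describing it was removed together with the old `ihl == 5` branch, so nothing in the code says why the clear has to happen before `ip_options_compile()`. I would add a comment above it such as `/* clear the whole IP control block so ip_options_compile() never sees stale cb contents */`. Because the control block is storage shared between layers, it is also worth confirming that no caller still depends on bridge-private cb contents after this function returns; that cannot be checked from here, since the hunk starts and ends inside the function body.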
diff --git a/queue-2.6.38/ip-ip_options_compile-resilient-to-null-skb-route.patch b/queue-2.6.38/ip-ip_options_compile-resilient-to-null-skb-route.patch
new file mode 100644
index 00000000000..9c145c0f7b4
--- /dev/null
+++ b/queue-2.6.38/ip-ip_options_compile-resilient-to-null-skb-route.patch
@@ -0,0 +1,59 @@
+From c65353daf137dd41f3ede3baf62d561fca076228 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 14 Apr 2011 05:55:37 +0000
+Subject: ip: ip_options_compile() resilient to NULL skb route
+
+From: Eric Dumazet
+
+commit c65353daf137dd41f3ede3baf62d561fca076228 upstream.
+
+Scot Doyle demonstrated ip_options_compile() could be called with an skb
+without an attached route, using a setup involving a bridge, netfilter,
+and forged IP packets.
+
+Let's make ip_options_compile() and ip_options_rcv_srr() a bit more
+robust, instead of changing bridge/netfilter code.
+
+With help from Hiroaki SHIMODA.
+
+Reported-by: Scot Doyle
+Tested-by: Scot Doyle
+Signed-off-by: Eric Dumazet
+Cc: Stephen Hemminger
+Acked-by: Hiroaki SHIMODA
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/ip_options.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/ip_options.c
++++ b/net/ipv4/ip_options.c
+@@ -329,7 +329,7 @@ int ip_options_compile(struct net *net,
+ pp_ptr = optptr + 2;
+ goto error;
+ }
+- if (skb) {
++ if (rt) {
+ memcpy(&optptr[optptr[2]-1], &rt->rt_spec_dst, 4);
+ opt->is_changed = 1;
+ }
+@@ -371,7 +371,7 @@ int ip_options_compile(struct net *net,
+ goto error;
+ }
+ opt->ts = optptr - iph;
+- if (skb) {
++ if (rt) {
+ memcpy(&optptr[optptr[2]-1], &rt->rt_spec_dst, 4);
+ timeptr = (__be32*)&optptr[optptr[2]+3];
+ }
+@@ -603,7 +603,7 @@ int ip_options_rcv_srr(struct sk_buff *s
+ unsigned long orefdst;
+ int err;
+
+- if (!opt->srr)
++ if (!opt->srr || !rt)
+ return 0;
+
+ if (skb->pkt_type != PACKET_HOST)
diff --git a/queue-2.6.38/series b/queue-2.6.38/series
index c2ffd3d34a6..441400ea0c6 100644
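Review bot: In the ip_options_rcv_srr() hunk the new `!rt` test shares the `return 0` of the no-option case, so a packet that carries a source-route option but has no attached route is reported as handled and continues with the option unprocessed. Since the description says this state is reachable with forged packets through a bridge, the choice should be explicit: either a comment such as `/* no route attached (e.g. bridged skb): skip SRR handling, do not drop */`, or a drop if pass-through is not intended. The two ip_options_compile() hunks likewise skip the address write when `rt` is NULL, and they rely on `rt` being NULL-initialised in lines outside the hunks, which should be confirmed. All three hunks start and end inside their function bodies.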
--- a/queue-2.6.38/series
+++ b/queue-2.6.38/series
@@ -68,3 +68,5 @@ usb-fix-unplug-of-device-with-active-streams.patch
 radeon-fix-kms-cp-writeback-on-big-endian-machines.patch
 bluetooth-fix-hci_reset-command-synchronization.patch
 perf-tool-fix-gcc-4.6.0-issues.patch
+bridge-reset-ipcb-in-br_parse_ip_options.patch
+ip-ip_options_compile-resilient-to-null-skb-route.patch