提交 f47273e5 编写于 作者: L Linus Torvalds

Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6

* master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6:
  [IPV6] fix ipv6_getsockopt_sticky copy_to_user leak
  [IPV6]: Fix for ipv6_setsockopt NULL dereference
  [DCCP]: Initialise write_xmit_timer also on passive sockets
  [IPV4]: Fix rtm_to_ifaddr() error handling.
......@@ -191,6 +191,7 @@ extern void dccp_send_sync(struct sock *sk, const u64 seq,
const enum dccp_pkt_type pkt_type);
extern void dccp_write_xmit(struct sock *sk, int block);
extern void dccp_write_xmit_timer(unsigned long data);
extern void dccp_write_space(struct sock *sk);
extern void dccp_init_xmit_timers(struct sock *sk);
......
......@@ -213,19 +213,6 @@ static int dccp_wait_for_ccid(struct sock *sk, struct sk_buff *skb)
goto out;
}
static void dccp_write_xmit_timer(unsigned long data) {
struct sock *sk = (struct sock *)data;
struct dccp_sock *dp = dccp_sk(sk);
bh_lock_sock(sk);
if (sock_owned_by_user(sk))
sk_reset_timer(sk, &dp->dccps_xmit_timer, jiffies+1);
else
dccp_write_xmit(sk, 0);
bh_unlock_sock(sk);
sock_put(sk);
}
void dccp_write_xmit(struct sock *sk, int block)
{
struct dccp_sock *dp = dccp_sk(sk);
......@@ -434,9 +421,6 @@ static inline void dccp_connect_init(struct sock *sk)
dp->dccps_gar = dp->dccps_iss;
icsk->icsk_retransmits = 0;
init_timer(&dp->dccps_xmit_timer);
dp->dccps_xmit_timer.data = (unsigned long)sk;
dp->dccps_xmit_timer.function = dccp_write_xmit_timer;
}
int dccp_connect(struct sock *sk)
......
......@@ -261,8 +261,33 @@ static void dccp_delack_timer(unsigned long data)
sock_put(sk);
}
/* Transmit-delay timer: used by the CCIDs to delay actual send time */
void dccp_write_xmit_timer(unsigned long data)
{
struct sock *sk = (struct sock *)data;
struct dccp_sock *dp = dccp_sk(sk);
bh_lock_sock(sk);
if (sock_owned_by_user(sk))
sk_reset_timer(sk, &dp->dccps_xmit_timer, jiffies+1);
else
dccp_write_xmit(sk, 0);
bh_unlock_sock(sk);
sock_put(sk);
}
static void dccp_init_write_xmit_timer(struct sock *sk)
{
struct dccp_sock *dp = dccp_sk(sk);
init_timer(&dp->dccps_xmit_timer);
dp->dccps_xmit_timer.data = (unsigned long)sk;
dp->dccps_xmit_timer.function = dccp_write_xmit_timer;
}
void dccp_init_xmit_timers(struct sock *sk)
{
dccp_init_write_xmit_timer(sk);
inet_csk_init_xmit_timers(sk, &dccp_write_timer, &dccp_delack_timer,
&dccp_keepalive_timer);
}
......@@ -502,8 +502,10 @@ static struct in_ifaddr *rtm_to_ifaddr(struct nlmsghdr *nlh)
goto errout;
ifm = nlmsg_data(nlh);
if (ifm->ifa_prefixlen > 32 || tb[IFA_LOCAL] == NULL)
if (ifm->ifa_prefixlen > 32 || tb[IFA_LOCAL] == NULL) {
err = -EINVAL;
goto errout;
}
dev = __dev_get_by_index(ifm->ifa_index);
if (dev == NULL) {
......
......@@ -413,7 +413,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
}
/* routing header option needs extra check */
if (optname == IPV6_RTHDR && opt->srcrt) {
if (optname == IPV6_RTHDR && opt && opt->srcrt) {
struct ipv6_rt_hdr *rthdr = opt->srcrt;
switch (rthdr->type) {
case IPV6_SRCRT_TYPE_0:
......@@ -804,7 +804,7 @@ static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_txoptions *opt,
return 0;
hdr = opt->hopopt;
len = min_t(int, len, ipv6_optlen(hdr));
len = min_t(unsigned int, len, ipv6_optlen(hdr));
if (copy_to_user(optval, hdr, ipv6_optlen(hdr)))
return -EFAULT;
return len;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册