<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-toradex.git/net/ipv6, branch v2.6.16.51</title>
<subtitle>Linux kernel for Apalis and Colibri modules</subtitle>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/'/>
<entry>
<title>[IPV6]: Disallow RH0 by default (CVE-2007-2242)</title>
<updated>2007-04-30T23:31:47+00:00</updated>
<author>
<name>Adrian Bunk</name>
<email>bunk@stusta.de</email>
</author>
<published>2007-04-30T23:31:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=5225791117b564cd8b5683cf82d9eea45b0f0d59'/>
<id>5225791117b564cd8b5683cf82d9eea45b0f0d59</id>
<content type='text'>
A security issue is emerging.  Disallow Routing Header Type 0 by default
as we have been doing for IPv4.

This version already includes a fix for the original patch.

Signed-off-by: YOSHIFUJI Hideaki &lt;yoshfuji@linux-ipv6.org&gt;
Signed-off-by: Adrian Bunk &lt;bunk@stusta.de&gt;
</content>
</entry>
<entry>
<title>[IPv6]: Fix incorrect length check in rawv6_sendmsg()</title>
<updated>2007-04-13T20:58:26+00:00</updated>
<author>
<name>YOSHIFUJI Hideaki</name>
<email>yoshfuji@linux-ipv6.org</email>
</author>
<published>2007-04-13T19:30:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=889cde54cd2a82f6e4d7ed18440e0f6138b06d60'/>
<id>889cde54cd2a82f6e4d7ed18440e0f6138b06d60</id>
<content type='text'>
In article &lt;20070329.142644.70222545.davem@davemloft.net&gt; (at Thu, 29 Mar 2007 14:26:44 -0700 (PDT)), David Miller &lt;davem@davemloft.net&gt; says:

&gt; From: Sridhar Samudrala &lt;sri@us.ibm.com&gt;
&gt; Date: Thu, 29 Mar 2007 14:17:28 -0700
&gt;
&gt; &gt; The check for length in rawv6_sendmsg() is incorrect.
&gt; &gt; As len is an unsigned int, (len &lt; 0) will never be TRUE.
&gt; &gt; I think checking for IPV6_MAXPLEN(65535) is better.
&gt; &gt;
&gt; &gt; Is it possible to send ipv6 jumbo packets using raw
&gt; &gt; sockets? If so, we can remove this check.
&gt;
&gt; I don't see why such a limitation against jumbo would exist,
&gt; does anyone else?
&gt;
&gt; Thanks for catching this Sridhar.  A good compiler should simply
&gt; fail to compile "if (x &lt; 0)" when 'x' is an unsigned type, don't
&gt; you think :-)

Dave, we use "int" for the return value,
so we should fix this anyway, IMHO;
we should not allow len &gt; INT_MAX.

Signed-off-by: YOSHIFUJI Hideaki &lt;yoshfuji@linux-ipv6.org&gt;
Acked-by: Sridhar Samudrala &lt;sri@us.ibm.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Adrian Bunk &lt;bunk@stusta.de&gt;
</content>
</entry>
<entry>
<title>[IPV6] HASHTABLES: Use appropriate seed for calculating ehash index.</title>
<updated>2007-03-28T20:04:44+00:00</updated>
<author>
<name>YOSHIFUJI Hideaki</name>
<email>yoshfuji@linux-ipv6.org</email>
</author>
<published>2007-03-28T20:04:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=fc9f944188ec3a6eca05b9a9afce9a96c05b0f7a'/>
<id>fc9f944188ec3a6eca05b9a9afce9a96c05b0f7a</id>
<content type='text'>
Tetsuo Handa &lt;handat@pm.nttdata.co.jp&gt; told me that connect(2) with a TCPv6
socket almost always took a few minutes to return when we did not have any
ports available in the range of net.ipv4.ip_local_port_range.

The reason was that we used an incorrect seed for calculating the hash
index when we check established sockets in __inet6_check_established().

Signed-off-by: YOSHIFUJI Hideaki &lt;yoshfuji@linux-ipv6.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Adrian Bunk &lt;bunk@stusta.de&gt;
</content>
</entry>
<entry>
<title>[NETFILTER]: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED</title>
<updated>2007-03-24T20:30:06+00:00</updated>
<author>
<name>Patrick McHardy</name>
<email>kaber@trash.net</email>
</author>
<published>2007-03-24T20:30:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=72d9f2d497cbd34b77cd47ce3c79d846a63fc9fc'/>
<id>72d9f2d497cbd34b77cd47ce3c79d846a63fc9fc</id>
<content type='text'>
The individual fragments of a packet reassembled by conntrack have the
conntrack reference from the reassembled packet attached, but nfctinfo
is not copied. This leaves it initialized to 0, which unfortunately is
the value of IP_CT_ESTABLISHED.

The result is that all IPv6 fragments are tracked as ESTABLISHED,
allowing them to bypass a usual ruleset which accepts ESTABLISHED
packets early.

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: Adrian Bunk &lt;bunk@stusta.de&gt;
</content>
</entry>
<entry>
<title>NETFILTER: nf_conntrack_ipv6: fix crash when handling fragments</title>
<updated>2007-03-24T20:22:33+00:00</updated>
<author>
<name>Patrick McHardy</name>
<email>kaber@trash.net</email>
</author>
<published>2007-03-24T20:22:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=fbe2454a0d10bdbf27680d4bfc93cf0293bc6a6e'/>
<id>fbe2454a0d10bdbf27680d4bfc93cf0293bc6a6e</id>
<content type='text'>
When IPv6 connection tracking splits up a defragmented packet into
its original fragments, the packets are taken from a list and are
passed to the network stack with skb-&gt;next still set. This causes
dev_hard_start_xmit to treat them as GSO fragments, resulting in
a use after free when connection tracking handles the next fragment.

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: Adrian Bunk &lt;bunk@stusta.de&gt;
</content>
</entry>
<entry>
<title>[IPV6]: ipv6_fl_socklist is inadvertently shared.</title>
<updated>2007-03-20T22:23:13+00:00</updated>
<author>
<name>Masayuki Nakagawa</name>
<email>nakagawa.msy@ncos.nec.co.jp</email>
</author>
<published>2007-03-20T22:23:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=202e363b00807107da624289eb2257ea32b29420'/>
<id>202e363b00807107da624289eb2257ea32b29420</id>
<content type='text'>
The ipv6_fl_socklist from the listening socket is inadvertently shared
with the new socket created for the connection.  This leads to a variety of
interesting, but fatal, bugs. For example, removing one of the
sockets may lead to the other socket encountering a page fault
when the now-freed list is referenced.

The fix is to not share the flow label list with the new socket.

Signed-off-by: Masayuki Nakagawa &lt;nakagawa.msy@ncos.nec.co.jp&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Adrian Bunk &lt;bunk@stusta.de&gt;
</content>
</entry>
<entry>
<title>[IPV6] fix ipv6_getsockopt_sticky copy_to_user leak</title>
<updated>2007-03-11T06:43:46+00:00</updated>
<author>
<name>Chris Wright</name>
<email>chrisw@sous-sol.org</email>
</author>
<published>2007-03-11T06:43:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=3c872db41104b651851b10784b0a99c8e268c89c'/>
<id>3c872db41104b651851b10784b0a99c8e268c89c</id>
<content type='text'>
A user-supplied len &lt; 0 can cause a leak of kernel memory.
Use an unsigned compare instead.

Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Adrian Bunk &lt;bunk@stusta.de&gt;
</content>
</entry>
<entry>
<title>[IPV6]: Fix for ipv6_setsockopt NULL dereference</title>
<updated>2007-03-11T06:42:33+00:00</updated>
<author>
<name>Olaf Kirch</name>
<email>olaf.kirch@oracle.com</email>
</author>
<published>2007-03-11T06:42:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=6d2c0df71d1ecc0ed52f0631c6aee8d7f992cc43'/>
<id>6d2c0df71d1ecc0ed52f0631c6aee8d7f992cc43</id>
<content type='text'>
I came across this bug in http://bugzilla.kernel.org/show_bug.cgi?id=8155

Signed-off-by: Olaf Kirch &lt;olaf.kirch@oracle.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Adrian Bunk &lt;bunk@stusta.de&gt;
</content>
</entry>
<entry>
<title>[IPV6]: Handle np-&gt;opt being NULL in ipv6_getsockopt_sticky(). (CVE-2007-1000)</title>
<updated>2007-03-09T06:15:40+00:00</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2007-03-09T06:15:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=5edf0f4dfbc697487add3c6eaecca1c9bf285d84'/>
<id>5edf0f4dfbc697487add3c6eaecca1c9bf285d84</id>
<content type='text'>
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Adrian Bunk &lt;bunk@stusta.de&gt;
</content>
</entry>
<entry>
<title>[IPV6]: /proc/net/anycast6 unbalanced inet6_dev refcnt</title>
<updated>2007-03-08T07:40:07+00:00</updated>
<author>
<name>David Stevens</name>
<email>dlstevens@us.ibm.com</email>
</author>
<published>2007-03-08T07:40:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=42e1e229bad37376acf033f14baad9fca2e8584f'/>
<id>42e1e229bad37376acf033f14baad9fca2e8584f</id>
<content type='text'>
Reading /proc/net/anycast6 when there is no anycast address
on an interface results in an ever-increasing inet6_dev reference
count, as well as a reference to the netdevice you can't get rid of.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Adrian Bunk &lt;bunk@stusta.de&gt;
</content>
</entry>
</feed>
