<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-toradex.git/net, branch v2.6.23.9</title>
<subtitle>Linux kernel for Apalis and Colibri modules</subtitle>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/'/>
<entry>
<title>TCP: Make sure write_queue_from does not begin with NULL ptr (CVE-2007-5501)</title>
<updated>2007-11-16T18:10:56+00:00</updated>
<author>
<name>Ilpo Järvinen</name>
<email>ilpo.jarvinen@helsinki.fi</email>
</author>
<published>2007-11-14T23:47:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=b0f08ee5e5b8dfc3a875a41c24db878373274799'/>
<id>b0f08ee5e5b8dfc3a875a41c24db878373274799</id>
<content type='text'>
patch 96a2d41a3e495734b63bff4e5dd0112741b93b38 in mainline.

NULL ptr can be returned from tcp_write_queue_head to cached_skb
and then assigned to skb if packets_out was zero. Without this,
system is vulnerable to a carefully crafted ACKs which obviously
is remotely triggerable.

Besides, there's very little that needs to be done in sacktag
if there weren't any packets outstanding, just skipping the rest
doesn't hurt.

Signed-off-by: Ilpo Järvinen &lt;ilpo.jarvinen@helsinki.fi&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
patch 96a2d41a3e495734b63bff4e5dd0112741b93b38 in mainline.

NULL ptr can be returned from tcp_write_queue_head to cached_skb
and then assigned to skb if packets_out was zero. Without this,
system is vulnerable to a carefully crafted ACKs which obviously
is remotely triggerable.

Besides, there's very little that needs to be done in sacktag
if there weren't any packets outstanding, just skipping the rest
doesn't hurt.

Signed-off-by: Ilpo Järvinen &lt;ilpo.jarvinen@helsinki.fi&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>mac80211: make ieee802_11_parse_elems return void</title>
<updated>2007-11-16T16:27:39+00:00</updated>
<author>
<name>John W. Linville</name>
<email>linville@tuxdriver.com</email>
</author>
<published>2007-10-26T21:04:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=ef0811638110d6309c4b498a33a9815d694fb6bc'/>
<id>ef0811638110d6309c4b498a33a9815d694fb6bc</id>
<content type='text'>
patch 67a4cce4a89718d252b61aaf58882c69c0e2f6e3 in mainline.

Some APs send management frames with junk padding after the last IE.
We already account for a similar problem with some Apple Airport
devices, but at least one device is known to send more than a single
extra byte.  The device in question is the Draytek Vigor2900:

	http://www.draytek.com.au/products/Vigor2900.php

The junk in question looks like an IE that runs off the end of the
frame.  This cause us to return ParseFailed.  Since the frame in
question is an association response, this causes us to fail to associate
with this AP.

The return code from ieee802_11_parse_elems is superfluous.
All callers still check for the presence of the specific IEs that
interest them anyway.  So, remove the return code so the parse never
"fails".

Acked-by: Michael Wu &lt;flamingice@sourmilk.net&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
patch 67a4cce4a89718d252b61aaf58882c69c0e2f6e3 in mainline.

Some APs send management frames with junk padding after the last IE.
We already account for a similar problem with some Apple Airport
devices, but at least one device is known to send more than a single
extra byte.  The device in question is the Draytek Vigor2900:

	http://www.draytek.com.au/products/Vigor2900.php

The junk in question looks like an IE that runs off the end of the
frame.  This cause us to return ParseFailed.  Since the frame in
question is an association response, this causes us to fail to associate
with this AP.

The return code from ieee802_11_parse_elems is superfluous.
All callers still check for the presence of the specific IEs that
interest them anyway.  So, remove the return code so the parse never
"fails".

Acked-by: Michael Wu &lt;flamingice@sourmilk.net&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>mac80211: only honor IW_SCAN_THIS_ESSID in STA, IBSS, and AP modes</title>
<updated>2007-11-16T16:27:39+00:00</updated>
<author>
<name>John W. Linville</name>
<email>linville@tuxdriver.com</email>
</author>
<published>2007-10-26T21:04:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=f08fdbd7f5f6c0cafce7cdcda8df4e605d065cd6'/>
<id>f08fdbd7f5f6c0cafce7cdcda8df4e605d065cd6</id>
<content type='text'>
patch d114f399b4da6fa7f9da3bbf1fb841370c11e788 in mainline.

The previous IW_SCAN_THIS_ESSID patch left a hole allowing scan
requests on interfaces in inappropriate modes.

Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
patch d114f399b4da6fa7f9da3bbf1fb841370c11e788 in mainline.

The previous IW_SCAN_THIS_ESSID patch left a hole allowing scan
requests on interfaces in inappropriate modes.

Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>mac80211: honor IW_SCAN_THIS_ESSID in siwscan ioctl</title>
<updated>2007-11-16T16:27:39+00:00</updated>
<author>
<name>Bill Moss</name>
<email>bmoss@clemson.edu</email>
</author>
<published>2007-10-26T21:04:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=f4d709e397f075b94649907554ca390738b9c58e'/>
<id>f4d709e397f075b94649907554ca390738b9c58e</id>
<content type='text'>
patch 107acb23ba763197d390ae9ffd347f3e2a524d39 in mainline.

This patch fixes the problem of associating with wpa_secured hidden
AP.  Please try out.

The original author of this patch is Bill Moss &lt;bmoss@clemson.edu&gt;

Signed-off-by: Abhijeet Kolekar &lt;abhijeet.kolekar@intel.com&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
patch 107acb23ba763197d390ae9ffd347f3e2a524d39 in mainline.

This patch fixes the problem of associating with wpa_secured hidden
AP.  Please try out.

The original author of this patch is Bill Moss &lt;bmoss@clemson.edu&gt;

Signed-off-by: Abhijeet Kolekar &lt;abhijeet.kolekar@intel.com&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>mac80211: store SSID in sta_bss_list</title>
<updated>2007-11-16T16:27:39+00:00</updated>
<author>
<name>John W. Linville</name>
<email>linville@tuxdriver.com</email>
</author>
<published>2007-10-26T21:04:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=75fc21b4d27c9e265614690a10b1fb6d2104e004'/>
<id>75fc21b4d27c9e265614690a10b1fb6d2104e004</id>
<content type='text'>
patch cffdd30d20d163343b1c6de25bcb0cc978a1ebf9 in mainline.

Some AP equipment "in the wild" services multiple SSIDs using the
same BSSID.  This patch changes the key of sta_bss_list to include
the SSID as well as the BSSID and the channel so as to prevent one
SSID from eclipsing another SSID with the same BSSID.

Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
patch cffdd30d20d163343b1c6de25bcb0cc978a1ebf9 in mainline.

Some AP equipment "in the wild" services multiple SSIDs using the
same BSSID.  This patch changes the key of sta_bss_list to include
the SSID as well as the BSSID and the channel so as to prevent one
SSID from eclipsing another SSID with the same BSSID.

Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>mac80211: store channel info in sta_bss_list</title>
<updated>2007-11-16T16:27:39+00:00</updated>
<author>
<name>John W. Linville</name>
<email>linville@tuxdriver.com</email>
</author>
<published>2007-10-26T21:04:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=66bc3f66854fdfb09035fa247c936524d19b7454'/>
<id>66bc3f66854fdfb09035fa247c936524d19b7454</id>
<content type='text'>
patch 65c107ab3befc37b21d1c970a6159525bc0121b8 in mainline.

Some AP equipment "in the wild" uses the same BSSID on multiple channels
(particularly "a" vs. "b/g").  This patch changes the key of sta_bss_list
to include both the BSSID and the channel so as to prevent a BSSID on
one channel from eclipsing the same BSSID on another channel.

Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
patch 65c107ab3befc37b21d1c970a6159525bc0121b8 in mainline.

Some AP equipment "in the wild" uses the same BSSID on multiple channels
(particularly "a" vs. "b/g").  This patch changes the key of sta_bss_list
to include both the BSSID and the channel so as to prevent a BSSID on
one channel from eclipsing the same BSSID on another channel.

Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>mac80211: reorder association debug output</title>
<updated>2007-11-16T16:27:39+00:00</updated>
<author>
<name>Johannes Berg</name>
<email>johannes@sipsolutions.net</email>
</author>
<published>2007-10-26T21:04:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=20bf97cfbf4beb8d16f1cd62fdd4befdb2ca39f9'/>
<id>20bf97cfbf4beb8d16f1cd62fdd4befdb2ca39f9</id>
<content type='text'>
patch 1dd84aa213d0f98a91a1ec9be2f750f5f48e75a0 in mainline.

There's no reason to warn about an invalid AID field when the
association was denied.

Signed-off-by: Johannes Berg &lt;johannes@sipsolutions.net&gt;
Acked-by: Michael Wu &lt;flamingice@sourmilk.net&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
patch 1dd84aa213d0f98a91a1ec9be2f750f5f48e75a0 in mainline.

There's no reason to warn about an invalid AID field when the
association was denied.

Signed-off-by: Johannes Berg &lt;johannes@sipsolutions.net&gt;
Acked-by: Michael Wu &lt;flamingice@sourmilk.net&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ieee80211: fix TKIP QoS bug</title>
<updated>2007-11-16T16:27:38+00:00</updated>
<author>
<name>Johannes Berg</name>
<email>johannes@sipsolutions.net</email>
</author>
<published>2007-10-26T21:04:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=31a1d25a569e52f5dc05b6b63a30ea9dcc95677b'/>
<id>31a1d25a569e52f5dc05b6b63a30ea9dcc95677b</id>
<content type='text'>
patch e797aa1b7da6bfcb2e19a10ae5ead9aa7aea732b in mainline.

The commit 65b6a277 titled "ieee80211: Fix header-&gt;qos_ctl endian issue"
*introduced* an endianness bug. Partially revert it.

Signed-off-by: Johannes Berg &lt;johannes@sipsolutions.net&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
patch e797aa1b7da6bfcb2e19a10ae5ead9aa7aea732b in mainline.

The commit 65b6a277 titled "ieee80211: Fix header-&gt;qos_ctl endian issue"
*introduced* an endianness bug. Partially revert it.

Signed-off-by: Johannes Berg &lt;johannes@sipsolutions.net&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>NETFILTER: nf_conntrack_tcp: fix connection reopening</title>
<updated>2007-11-16T16:27:38+00:00</updated>
<author>
<name>Jozsef Kadlecsik</name>
<email>kadlec@blackhole.kfki.hu</email>
</author>
<published>2007-11-05T11:37:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=0ac38060c5e1e12e851ed3e281597286b57f9ad1'/>
<id>0ac38060c5e1e12e851ed3e281597286b57f9ad1</id>
<content type='text'>
Upstream commits: 17311393 + bc34b841 merged together.  Merge done by
Patrick McHardy &lt;kaber@trash.net&gt;

[NETFILTER]: nf_conntrack_tcp: fix connection reopening

With your description I could reproduce the bug and actually you were
completely right: the code above is incorrect. Somehow I was able to
misread RFC1122 and mixed the roles :-(:

   When a connection is &gt;&gt;closed actively&lt;&lt;, it MUST linger in
   TIME-WAIT state for a time 2xMSL (Maximum Segment Lifetime).
   However, it MAY &gt;&gt;accept&lt;&lt; a new SYN from the remote TCP to
   reopen the connection directly from TIME-WAIT state, if it:
   [...]

The fix is as follows: if the receiver initiated an active close, then the
sender may reopen the connection - otherwise try to figure out if we hold
a dead connection.

Signed-off-by: Jozsef Kadlecsik &lt;kadlec@blackhole.kfki.hu&gt;
Tested-by: Krzysztof Piotr Oledzki &lt;ole@ans.pl&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;


</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Upstream commits: 17311393 + bc34b841 merged together.  Merge done by
Patrick McHardy &lt;kaber@trash.net&gt;

[NETFILTER]: nf_conntrack_tcp: fix connection reopening

With your description I could reproduce the bug and actually you were
completely right: the code above is incorrect. Somehow I was able to
misread RFC1122 and mixed the roles :-(:

   When a connection is &gt;&gt;closed actively&lt;&lt;, it MUST linger in
   TIME-WAIT state for a time 2xMSL (Maximum Segment Lifetime).
   However, it MAY &gt;&gt;accept&lt;&lt; a new SYN from the remote TCP to
   reopen the connection directly from TIME-WAIT state, if it:
   [...]

The fix is as follows: if the receiver initiated an active close, then the
sender may reopen the connection - otherwise try to figure out if we hold
a dead connection.

Signed-off-by: Jozsef Kadlecsik &lt;kadlec@blackhole.kfki.hu&gt;
Tested-by: Krzysztof Piotr Oledzki &lt;ole@ans.pl&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;


</pre>
</div>
</content>
</entry>
<entry>
<title>Fix netlink timeouts.</title>
<updated>2007-11-16T16:27:38+00:00</updated>
<author>
<name>Patrick McHardy</name>
<email>kaber@trash.net</email>
</author>
<published>2007-11-13T11:03:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=c6736fd46ba478b59f8293457648432154f0f422'/>
<id>c6736fd46ba478b59f8293457648432154f0f422</id>
<content type='text'>
[NETLINK]: Fix unicast timeouts

[ Upstream commit: c3d8d1e30cace31fed6186a4b8c6b1401836d89c ]

Commit ed6dcf4a in the history.git tree broke netlink_unicast timeouts
by moving the schedule_timeout() call to a new function that doesn't
propagate the remaining timeout back to the caller. This means on each
retry we start with the full timeout again.

ipc/mqueue.c seems to actually want to wait indefinitely so this
behaviour is retained.

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[NETLINK]: Fix unicast timeouts

[ Upstream commit: c3d8d1e30cace31fed6186a4b8c6b1401836d89c ]

Commit ed6dcf4a in the history.git tree broke netlink_unicast timeouts
by moving the schedule_timeout() call to a new function that doesn't
propagate the remaining timeout back to the caller. This means on each
retry we start with the full timeout again.

ipc/mqueue.c seems to actually want to wait indefinitely so this
behaviour is retained.

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
</feed>
