1. 09 Aug, 2013 1 commit
  2. 25 Jul, 2013 1 commit
  3. 08 Feb, 2013 3 commits
  4. 16 Aug, 2012 1 commit
  5. 15 Aug, 2012 1 commit
  6. 29 Nov, 2011 1 commit
    • Xi Wang's avatar
      sctp: better integer overflow check in sctp_auth_create_key() · c89304b8
      Xi Wang authored
      The check from commit 30c2235c
      
       is incomplete and cannot prevent
      cases like key_len = 0x80000000 (INT_MAX + 1).  In that case, the
      left-hand side of the check (INT_MAX - key_len), which is unsigned,
      becomes 0xffffffff (UINT_MAX) and bypasses the check.
      
      However this shouldn't be a security issue.  The function is called
      from the following two code paths:
      
       1) setsockopt()
      
       2) sctp_auth_asoc_set_secret()
      
      In case (1), sca_keylength is never going to exceed 65535 since it's
      bounded by a u16 from the user API.  As such, the key length will
      never overflow.
      
      In case (2), sca_keylength is computed based on the user key (1 short)
      and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
      will not overflow.
      
      In other words, this overflow check is not really necessary.  Just
      make it more correct.
      Signed-off-by: default avatarXi Wang <xi.wang@gmail.com>
      Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c89304b8
  7. 31 Mar, 2011 1 commit
  8. 04 Oct, 2010 1 commit
    • Dan Rosenberg's avatar
      sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac() · 51e97a12
      Dan Rosenberg authored
      
      
      The sctp_asoc_get_hmac() function iterates through a peer's hmac_ids
      array and attempts to ensure that only a supported hmac entry is
      returned.  The current code fails to do this properly - if the last id
      in the array is out of range (greater than SCTP_AUTH_HMAC_ID_MAX), the
      id integer remains set after exiting the loop, and the address of an
      out-of-bounds entry will be returned and subsequently used in the parent
      function, causing potentially ugly memory corruption.  This patch resets
      the id integer to 0 on encountering an invalid id so that NULL will be
      returned after finishing the loop if no valid ids are found.
      Signed-off-by: default avatarDan Rosenberg <drosenberg@vsecurity.com>
      Acked-by: default avatarVlad Yasevich <vladislav.yasevich@hp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      51e97a12
  9. 30 Mar, 2010 1 commit
    • Tejun Heo's avatar
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking... · 5a0e3ad6
      Tejun Heo authored
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
      
      percpu.h is included by sched.h and module.h and thus ends up being
      included when building most .c files.  percpu.h includes slab.h which
      in turn includes gfp.h making everything defined by the two files
      universally available and complicating inclusion dependencies.
      
      percpu.h -> slab.h dependency is about to be removed.  Prepare for
      this change by updating users of gfp and slab facilities include those
      headers directly instead of assuming availability.  As this conversion
      needs to touch large number of source files, the following script is
      used as the basis of conversion.
      
        http://userweb.kernel.org/~tj/misc/slabh-sweep.py
      
      
      
      The script does the followings.
      
      * Scan files for gfp and slab usages and update includes such that
        only the necessary includes are there.  ie. if only gfp is used,
        gfp.h, if slab is used, slab.h.
      
      * When the script inserts a new include, it looks at the include
        blocks and try to put the new include such that its order conforms
        to its surrounding.  It's put in the include block which contains
        core kernel includes, in the same order that the rest are ordered -
        alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
        doesn't seem to be any matching order.
      
      * If the script can't find a place to put a new include (mostly
        because the file doesn't have fitting include block), it prints out
        an error message indicating which .h file needs to be added to the
        file.
      
      The conversion was done in the following steps.
      
      1. The initial automatic conversion of all .c files updated slightly
         over 4000 files, deleting around 700 includes and adding ~480 gfp.h
         and ~3000 slab.h inclusions.  The script emitted errors for ~400
         files.
      
      2. Each error was manually checked.  Some didn't need the inclusion,
         some needed manual addition while adding it to implementation .h or
         embedding .c file was more appropriate for others.  This step added
         inclusions to around 150 files.
      
      3. The script was run again and the output was compared to the edits
         from #2 to make sure no file was left behind.
      
      4. Several build tests were done and a couple of problems were fixed.
         e.g. lib/decompress_*.c used malloc/free() wrappers around slab
         APIs requiring slab.h to be added manually.
      
      5. The script was run on all .h files but without automatically
         editing them as sprinkling gfp.h and slab.h inclusions around .h
         files could easily lead to inclusion dependency hell.  Most gfp.h
         inclusion directives were ignored as stuff from gfp.h was usually
         wildly available and often used in preprocessor macros.  Each
         slab.h inclusion directive was examined and added manually as
         necessary.
      
      6. percpu.h was updated not to include slab.h.
      
      7. Build test were done on the following configurations and failures
         were fixed.  CONFIG_GCOV_KERNEL was turned off for all tests (as my
         distributed build env didn't work with gcov compiles) and a few
         more options had to be turned off depending on archs to make things
         build (like ipr on powerpc/64 which failed due to missing writeq).
      
         * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
         * powerpc and powerpc64 SMP allmodconfig
         * sparc and sparc64 SMP allmodconfig
         * ia64 SMP allmodconfig
         * s390 SMP allmodconfig
         * alpha SMP allmodconfig
         * um on x86_64 SMP allmodconfig
      
      8. percpu.h modifications were reverted so that it could be applied as
         a separate patch and serve as bisection point.
      
      Given the fact that I had only a couple of failures from tests on step
      6, I'm fairly confident about the coverage of this conversion patch.
      If there is a breakage, it's likely to be something in one of the arch
      headers which should be easily discoverable easily on most builds of
      the specific arch.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Guess-its-ok-by: default avatarChristoph Lameter <cl@linux-foundation.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
      5a0e3ad6
  10. 08 Jan, 2009 1 commit
  11. 06 Jan, 2009 1 commit
  12. 27 Aug, 2008 1 commit
  13. 25 Aug, 2008 1 commit
  14. 28 Feb, 2008 1 commit
  15. 05 Feb, 2008 2 commits
    • Vlad Yasevich's avatar
      [SCTP]: Stop claiming that this is a "reference implementation" · 60c778b2
      Vlad Yasevich authored
      
      
      I was notified by Randy Stewart that lksctp claims to be
      "the reference implementation".  First of all, "the
      refrence implementation" was the original implementation
      of SCTP in usersapce written ty Randy and a few others.
      Second, after looking at the definiton of 'reference implementation',
      we don't really meet the requirements.
      Signed-off-by: default avatarVlad Yasevich <vladislav.yasevich@hp.com>
      60c778b2
    • Wei Yongjun's avatar
      [SCTP]: Fix kernel panic while received AUTH chunk with BAD shared key identifier · 7cc08b55
      Wei Yongjun authored
      
      
      If SCTP-AUTH is enabled, received AUTH chunk with BAD shared key 
      identifier will cause kernel panic.
      
      Test as following:
      step1: enabled /proc/sys/net/sctp/auth_enable
      step 2:  connect  to SCTP server with auth capable. Association is 
      established between endpoints. Then send a AUTH chunk with a bad 
      shareid, SCTP server will kernel panic after received that AUTH chunk.
      
      SCTP client                   SCTP server
        INIT         ---------->  
          (with auth capable)
                     <----------    INIT-ACK
                                    (with auth capable)
        COOKIE-ECHO  ---------->
                     <----------    COOKIE-ACK
        AUTH         ---------->
      
      
      AUTH chunk is like this:
        AUTH chunk
          Chunk type: AUTH (15)
          Chunk flags: 0x00
          Chunk length: 28
          Shared key identifier: 10
          HMAC identifier: SHA-1 (1)
          HMAC: 0000000000000000000000000000000000000000
      
      The assignment of NULL to key can safely be removed, since key_for_each 
      (which is just list_for_each_entry under the covers does an initial 
      assignment to key anyway).
      
      If the endpoint_shared_keys list is empty, or if the key_id being 
      requested does not exist, the function as it currently stands returns 
      the actuall list_head (in this case endpoint_shared_keys.  Since that 
      list_head isn't surrounded by an actuall data structure, the last 
      iteration through list_for_each_entry will do a container_of on key, and 
      we wind up returning a bogus pointer, instead of NULL, as we should.
      
      > Neil Horman wrote:
      >> On Tue, Jan 22, 2008 at 05:29:20PM +0900, Wei Yongjun wrote:
      >>
      >> FWIW, Ack from me.  The assignment of NULL to key can safely be 
      >> removed, since
      >> key_for_each (which is just list_for_each_entry under the covers does 
      >> an initial
      >> assignment to key anyway).
      >> If the endpoint_shared_keys list is empty, or if the key_id being 
      >> requested does
      >> not exist, the function as it currently stands returns the actuall 
      >> list_head (in
      >> this case endpoint_shared_keys.  Since that list_head isn't 
      >> surrounded by an
      >> actuall data structure, the last iteration through 
      >> list_for_each_entry will do a
      >> container_of on key, and we wind up returning a bogus pointer, 
      >> instead of NULL,
      >> as we should.  Wei's patch corrects that.
      >>
      >> Regards
      >> Neil
      >>
      >> Acked-by: Neil Horman <nhorman@tuxdriver.com>
      >>
      >
      > Yep, the patch is correct.
      >
      > Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
      >
      > -vlad
      >
      Signed-off-by: default avatarWei Yongjun <yjwei@cn.fujitsu.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Acked-by: default avatarVlad Yasevich <vladislav.yasevich@hp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7cc08b55
  16. 29 Nov, 2007 2 commits
  17. 29 Oct, 2007 1 commit
  18. 27 Oct, 2007 1 commit
  19. 26 Oct, 2007 1 commit
  20. 24 Oct, 2007 1 commit
  21. 22 Oct, 2007 1 commit
  22. 10 Oct, 2007 2 commits