<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/git/stable/linux.git/net/irda, branch linux-2.6.35.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<id>https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/atom?h=linux-2.6.35.y</id>
<link rel='self' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/atom?h=linux-2.6.35.y'/>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/'/>
<updated>2011-04-28T15:21:01+00:00</updated>
<entry>
<title>irda: prevent integer underflow in IRLMP_ENUMDEVICES</title>
<updated>2011-04-28T15:21:01+00:00</updated>
<author>
<name>Dan Rosenberg</name>
<email>drosenberg@vsecurity.com</email>
</author>
<published>2010-12-22T13:58:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=eca877d1ae4a597ff1f213396662690143d01f88'/>
<id>urn:sha1:eca877d1ae4a597ff1f213396662690143d01f88</id>
<content type='text'>
commit fdac1e0697356ac212259f2147aa60c72e334861 upstream.

If the user-provided len is less than the expected offset, the
IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
size value.  While this isn't be a security issue on x86 because it will
get caught by the access_ok() check, it may leak large amounts of kernel
heap on other architectures.  In any event, this patch fixes it.

Signed-off-by: Dan Rosenberg &lt;drosenberg@vsecurity.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Andi Kleen &lt;ak@linux.intel.com&gt;
Cc: Moritz Muehlenhoff &lt;jmm@debian.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;


</content>
</entry>
<entry>
<title>irda: prevent heap corruption on invalid nickname</title>
<updated>2011-04-28T15:20:51+00:00</updated>
<author>
<name>Dan Rosenberg</name>
<email>drosenberg@vsecurity.com</email>
</author>
<published>2011-03-19T20:14:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0b03d0985f309d5f65498220a01d7c2b4bb77661'/>
<id>urn:sha1:0b03d0985f309d5f65498220a01d7c2b4bb77661</id>
<content type='text'>
commit d50e7e3604778bfc2dc40f440e0742dbae399d54 upstream.

Invalid nicknames containing only spaces will result in an underflow in
a memcpy size calculation, subsequently destroying the heap and
panicking.

v2 also catches the case where the provided nickname is longer than the
buffer size, which can result in controllable heap corruption.

Signed-off-by: Dan Rosenberg &lt;drosenberg@vsecurity.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
Signed-off-by: Andi Kleen &lt;ak@linux.intel.com&gt;

</content>
</entry>
<entry>
<title>irda: validate peer name and attribute lengths</title>
<updated>2011-04-28T15:20:51+00:00</updated>
<author>
<name>Dan Rosenberg</name>
<email>drosenberg@vsecurity.com</email>
</author>
<published>2011-03-20T15:32:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=44b722fa1d1fdaecdf6fce55c26f90a98ea4b1d2'/>
<id>urn:sha1:44b722fa1d1fdaecdf6fce55c26f90a98ea4b1d2</id>
<content type='text'>
commit d370af0ef7951188daeb15bae75db7ba57c67846 upstream.

Length fields provided by a peer for names and attributes may be longer
than the destination array sizes.  Validate lengths to prevent stack
buffer overflows.

Signed-off-by: Dan Rosenberg &lt;drosenberg@vsecurity.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
Signed-off-by: Andi Kleen &lt;ak@linux.intel.com&gt;

</content>
</entry>
<entry>
<title>irda: Fix heap memory corruption in iriap.c</title>
<updated>2010-12-14T22:40:00+00:00</updated>
<author>
<name>Samuel Ortiz</name>
<email>samuel@sortiz.org</email>
</author>
<published>2010-10-05T23:03:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=207b45e2615ea1bca44e6efcda22f5d01e66f3f0'/>
<id>urn:sha1:207b45e2615ea1bca44e6efcda22f5d01e66f3f0</id>
<content type='text'>
commit 37f9fc452d138dfc4da2ee1ce5ae85094efc3606 upstream.

While parsing the GetValuebyClass command frame, we could potentially write
passed the skb-&gt;data pointer.

Reported-by: Ilja Van Sprundel &lt;ivansprundel@ioactive.com&gt;
Signed-off-by: Samuel Ortiz &lt;samuel@sortiz.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
Signed-off-by: Andi Kleen &lt;ak@linux.intel.com&gt;

</content>
</entry>
<entry>
<title>irda: Fix parameter extraction stack overflow</title>
<updated>2010-12-14T22:40:00+00:00</updated>
<author>
<name>Samuel Ortiz</name>
<email>samuel@sortiz.org</email>
</author>
<published>2010-10-10T23:17:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c71b988600389db6b35e924382b93644baebf25d'/>
<id>urn:sha1:c71b988600389db6b35e924382b93644baebf25d</id>
<content type='text'>
commit efc463eb508798da4243625b08c7396462cabf9f upstream.

Reported-by: Ilja Van Sprundel &lt;ivansprundel@ioactive.com&gt;
Signed-off-by: Samuel Ortiz &lt;samuel@sortiz.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
Signed-off-by: Andi Kleen &lt;ak@linux.intel.com&gt;

</content>
</entry>
<entry>
<title>irda: Correctly clean up self-&gt;ias_obj on irda_bind() failure.</title>
<updated>2010-09-27T00:18:12+00:00</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2010-08-31T01:35:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2f2c0c6440110d7436f202ecf918734243e7b870'/>
<id>urn:sha1:2f2c0c6440110d7436f202ecf918734243e7b870</id>
<content type='text'>
[ Upstream commit 628e300cccaa628d8fb92aa28cb7530a3d5f2257 ]

If irda_open_tsap() fails, the irda_bind() code tries to destroy
the -&gt;ias_obj object by hand, but does so wrongly.

In particular, it fails to a) release the hashbin attached to the
object and b) reset the self-&gt;ias_obj pointer to NULL.

Fix both problems by using irias_delete_object() and explicitly
setting self-&gt;ias_obj to NULL, just as irda_release() does.

Reported-by: Tavis Ormandy &lt;taviso@cmpxchg8b.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
<entry>
<title>irda: off by one</title>
<updated>2010-09-20T20:36:34+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>error27@gmail.com</email>
</author>
<published>2010-09-04T03:14:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=edcc17148783ddd92a0e23c1a8ae3282607b1220'/>
<id>urn:sha1:edcc17148783ddd92a0e23c1a8ae3282607b1220</id>
<content type='text'>
commit cf9b94f88bdbe8a02015fc30d7c232b2d262d4ad upstream.

This is an off by one.  We would go past the end when we NUL terminate
the "value" string at end of the function.  The "value" buffer is
allocated in irlan_client_parse_response() or
irlan_provider_parse_command().

CC: stable@kernel.org
Signed-off-by: Dan Carpenter &lt;error27@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;

</content>
</entry>
<entry>
<title>net: Remove unnecessary returns from void function()s</title>
<updated>2010-05-18T06:23:14+00:00</updated>
<author>
<name>Joe Perches</name>
<email>joe@perches.com</email>
</author>
<published>2010-05-18T06:08:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3fa21e07e6acefa31f974d57fba2b6920a7ebd1a'/>
<id>urn:sha1:3fa21e07e6acefa31f974d57fba2b6920a7ebd1a</id>
<content type='text'>
This patch removes from net/ (but not any netfilter files)
all the unnecessary return; statements that precede the
last closing brace of void functions.

It does not remove the returns that are immediately
preceded by a label as gcc doesn't like that.

Done via:
$ grep -rP --include=*.[ch] -l "return;\n}" net/ | \
  xargs perl -i -e 'local $/ ; while (&lt;&gt;) { s/\n[ \t\n]+return;\n}/\n}/g; print; }'

Signed-off-by: Joe Perches &lt;joe@perches.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>net: sk_sleep() helper</title>
<updated>2010-04-20T23:37:13+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>eric.dumazet@gmail.com</email>
</author>
<published>2010-04-20T13:03:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=aa395145165cb06a0d0885221bbe0ce4a564391d'/>
<id>urn:sha1:aa395145165cb06a0d0885221bbe0ce4a564391d</id>
<content type='text'>
Define a new function to return the waitqueue of a "struct sock".

static inline wait_queue_head_t *sk_sleep(struct sock *sk)
{
	return sk-&gt;sk_sleep;
}

Change all read occurrences of sk_sleep by a call to this function.

Needed for a future RCU conversion. sk_sleep wont be a field directly
available.

Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6</title>
<updated>2010-04-11T21:53:53+00:00</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2010-04-11T21:53:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=871039f02f8ec4ab2e5e9010718caa8e085786f1'/>
<id>urn:sha1:871039f02f8ec4ab2e5e9010718caa8e085786f1</id>
<content type='text'>
Conflicts:
	drivers/net/stmmac/stmmac_main.c
	drivers/net/wireless/wl12xx/wl1271_cmd.c
	drivers/net/wireless/wl12xx/wl1271_main.c
	drivers/net/wireless/wl12xx/wl1271_spi.c
	net/core/ethtool.c
	net/mac80211/scan.c
</content>
</entry>
</feed>
