commit a37912658a4844fa6a1bbf13873e394e15af47a9
Author: Greg Kroah-Hartman
Date:   Mon Jul 28 10:59:18 2008 -0700

    Linux 2.6.25.13

commit 5564d385e9b0cddc7c831af9f90a2f53aa472953
Author: Gerrit Renker
Date:   Thu Jul 24 00:11:56 2008 -0700

    udplite: Protection against coverage value wrap-around

    [ Upstream commit 47112e25da41d9059626033986dc3353e101f815 ]

    This patch clamps the cscov setsockopt values to a maximum of 0xFFFF.

    Setsockopt values greater than 0xffff can cause an unwanted
    wrap-around. Further, IPv6 jumbograms are not supported (RFC 3838,
    3.5), so that values greater than 0xffff are not even useful.

    Further changes: fixed a typo in the documentation.

    [ Add USHORT_MAX from upstream to linux/kernel.h -DaveM ]

    Signed-off-by: Gerrit Renker
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit b5fe255cb6adab0cfe9826ce792d0f866323b269
Author: Steffen Klassert
Date:   Wed Jul 23 23:55:40 2008 -0700

    xfrm: fix fragmentation for ipv4 xfrm tunnel

    [ Upstream commit fe833fca2eac6b3d3ad5e35f44ad4638362f1da8 ]

    When generating the ip header for the transformed packet we just copy
    the frag_off field of the ip header from the original packet to the ip
    header of the new generated packet. If we receive a packet as a chain
    of fragments, all but the last of the new generated packets have the
    IP_MF flag set. We have to mask the frag_off field to only keep the
    IP_DF flag from the original packet. This got lost with git commit
    36cf9acf93e8561d9faec24849e57688a81eb9c5 ("[IPSEC]: Separate
    inner/outer mode processing on output")

    Signed-off-by: Steffen Klassert
    Acked-by: Herbert Xu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 2377f8ce84aa89678c51cb764337d2f2e1133835
Author: Eric Dumazet
Date:   Wed Jul 23 23:54:35 2008 -0700

    raw: Restore /proc/net/raw correct behavior

    [ Upstream commit 68be802cd5ad040fe8cfa33ce3031405df2d9117 ]

    I just noticed "cat /proc/net/raw" was buggy, missing '\n' separators.

    I believe this was introduced by commit
    8cd850efa4948d57a2ed836911cfd1ab299e89c6 ([RAW]: Cleanup IPv4
    raw_seq_show.)

    This trivial patch restores correct behavior, and applies to current
    Linus tree (should also be applied to stable tree as well.)

    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit c7e0c40126de5c8de8d3346728b026d6a94c5021
Author: Herbert Xu
Date:   Wed Jul 23 23:53:55 2008 -0700

    pppoe: Unshare skb before anything else

    [ Upstream commit bc6cffd177f9266af38dba96a2cea06c1e7ff932 ]

    We need to unshare the skb first as otherwise pskb_may_pull may write
    to a shared skb which could be bad.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 735699169f8f9963652e53776e2338d823d7a0a8
Author: Herbert Xu
Date:   Thu Jul 24 00:10:02 2008 -0700

    net pppoe: Check packet length on all receive paths

    [ Upstream commit 392fdb0e35055b96faa9c1cd6ab537805337cdce ]

    The length field in the PPPOE header wasn't checked completely.
    This patch causes all packets shorter than the declared length to be
    dropped. It also changes the memcpy_toiovec call to
    skb_copy_datagram_iovec so that paged packets (rare for PPPOE) are
    handled properly.

    Thanks to Ilja of the Netric Security Team for discovering and
    reporting this bug, and Chris Wright for the total_len check.

    [ Incorporate warning fix from Stephen Hemminger. -DaveM ]

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 0c9b216d1ce5c322631c21bd6656ec35047ffc87
Author: James Chapman
Date:   Wed Jul 23 23:52:47 2008 -0700

    l2tp: Fix potential memory corruption in pppol2tp_recvmsg()

    [ Upstream commit 6b6707a50c7598a83820077393f8823ab791abf8 ]

    This patch fixes a potential memory corruption in pppol2tp_recvmsg().
    If skb->len is bigger than the caller's buffer length,
    memcpy_toiovec() will go into uninitialized data on the kernel heap,
    interpret it as an iovec and start modifying memory.

    The fix is to change the memcpy_toiovec() call to
    skb_copy_datagram_iovec() so that paged packets (rare for PPPOL2TP)
    are handled properly. Also check that the caller's buffer is big
    enough for the data and set the MSG_TRUNC flag if it is not so.

    Reported-by: Ilja
    Signed-off-by: James Chapman
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit c8330bc571d037b43e116ddfc5ba4a93f334df52
Author: Stephen Hemminger
Date:   Wed Jul 23 23:52:07 2008 -0700

    ipv6: use timer pending

    [ Upstream commit 847499ce71bdcc8fc542062df6ebed3e596608dd ]

    This fixes the bridge reference count problem and cleans up ipv6 FIB
    timer management. Don't use expires field, because it is not a proper
    way to test, instead use timer_pending().

    Signed-off-by: Stephen Hemminger
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit debf2f2593b0244eb81a4b66beef956a73b4e84f
Author: David S. Miller
Date:   Wed Jul 23 23:49:26 2008 -0700

    ipv6: __KERNEL__ ifdef struct ipv6_devconf

    [ Upstream commit ebb36a978131810c98e7198b1187090c697cf99f ]

    Based upon a report by Olaf Hering.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 7252bc6ab55f64f1ee99a4e777e08a2bef970ac0
Author: Micah Dowty
Date:   Wed Jul 23 23:46:31 2008 -0700

    hdlcdrv: Fix CRC calculation.

    [ Upstream commit ae6134bdf3197206fba95563d755d2fa50d90ddd ]

    This is a trivial patch against the hdlcdrv module that fixes its CRC
    calculation. The finished CRC was overwriting the first two bytes of
    each packet rather than being appended to the end. I've tested this
    with 2.6.8 and 2.6.10-rc1, but hdlcdrv hasn't changed much recently
    so it should work with many other kernel versions.

    Signed-off-by: Micah Dowty
    Acked-by: Thomas Sailer
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman