lwn.git/net/dccp/ccid.h, branch v3.7.3

dccp: check ccid before dereferencing

2012-08-16T04:36:31+00:00

ccid_hc_rx_getsockopt() and ccid_hc_tx_getsockopt() might be called with a NULL ccid pointer leading to a NULL pointer dereference. This could lead to a privilege escalation if the attacker is able to map page 0 and prepare it with a fake ccid_ops pointer. Signed-off-by: Mathias Krause Cc: Gerrit Renker Cc: stable@vger.kernel.org Signed-off-by: David S. Miller

dccp: Return-value convention of hc_tx_send_packet()

2010-10-28T17:27:00+00:00

This patch reorganises the return value convention of the CCID TX sending function, to permit more flexible schemes, as required by subsequent patches. Currently the convention is * values < 0 mean error, * a value == 0 means "send now", and * a value x > 0 means "send in x milliseconds". The patch provides symbolic constants and a function to interpret return values. In addition, it caps the maximum positive return value to 0xFFFF milliseconds, corresponding to 65.535 seconds. This is possible since in CCID-3/4 the maximum possible inter-packet gap is fixed at t_mbi = 64 sec. Signed-off-by: Gerrit Renker Signed-off-by: David S. Miller

dccp: remove unused argument in CCID tx function

2010-10-12T04:57:41+00:00

This removes the argument `more' from ccid_hc_tx_packet_sent, since it was nowhere used in the entire code. (Btw, this argument was not even used in the original KAME code where the function initially came from; compare the variable moreToSend in the freebsd61-dccp-kame-28.08.2006.patch kept by Emmanuel Lochin.) Signed-off-by: Gerrit Renker

dccp: Add packet type information to CCID-specific option parsing

2010-09-21T10:14:25+00:00

This 1. adds packet type information to ccid_hc_{rx,tx}_parse_options(). This is necessary, since table 3 in RFC 4340, 5.8 leaves it to the CCIDs to state which options may (not) appear on what packet type. 2. adds such a check for CCID-3's {Loss Event, Receive} Rate as specified in RFC 4340 8.3 ("Receive Rate options MUST NOT be sent on DCCP-Data packets") and 8.5 ("Loss Event Rate options MUST NOT be sent on DCCP-Data packets"). 3. removes an unused argument `idx' from ccid_hc_{rx,tx}_parse_options(). This is also no longer necessary, since the CCID-specific option-parsing routines are passed every single parameter of the type-length-value option encoding. Signed-off-by: Gerrit Renker

dccp: fix bug in cache allocation

2010-02-04T03:00:30+00:00

This fixes a bug introduced in commit de4ef86cfce60d2250111f34f8a084e769f23b16 ("dccp: fix dccp rmmod when kernel configured to use slub", 17 Jan): the vsnprintf used sizeof(slab_name_fmt), which became truncated to 4 bytes, since slab_name_fmt is now a 4-byte pointer and no longer a 32-character array. This lead to error messages such as FATAL: Error inserting dccp: No buffer space available >> kernel: [ 1456.341501] kmem_cache_create: duplicate cache cci generated due to the truncation after the 3rd character. Fixed for the moment by introducing a symbolic constant. Tested to fix the bug. Signed-off-by: Gerrit Renker Acked-by: Neil Horman Signed-off-by: David S. Miller

dccp: fix dccp rmmod when kernel configured to use slub

2010-01-19T09:59:01+00:00

Hey all- I was tinkering with dccp recently and noticed that I BUG halted the kernel when I rmmod-ed the dccp module. The bug halt occured because the page that I passed to kfree failed the PageCompound and PageSlab test in the slub implementation of kfree. I tracked the problem down to the following set of events: 1) dccp, unlike all other uses of kmem_cache_create, allocates a string dynamically when registering a slab cache. This allocated string is freed when the cache is destroyed. 2) Normally, (1) is not an issue, but when Slub is in use, it is possible that caches are 'merged'. This process causes multiple caches of simmilar configuration to use the same cache data structure. When this happens, the new name of the cache is effectively dropped. 3) (2) results in kmem_cache_name returning an ambigous value (i.e. ccid_kmem_cache_destroy, which uses this fuction to retrieve the name pointer for freeing), is no longer guaranteed that the string it assigned is what is returned. 4) If such merge event occurs, ccid_kmem_cache_destroy frees the wrong pointer, which trips over the BUG in the slub implementation of kfree (since its likely not a slab allocation, but rather a pointer into the static string table section. So, what to do about this. At first blush this is pretty clearly a leak in the information that slub owns, and as such a slub bug. Unfortunately, theres no really good way to fix it, without exposing slub specific implementation details to the generic slab interface. Also, even if we could fix this in slub cleanly, I think the RCU free option would force us to do lots of string duplication, not only in slub, but in every slab allocator. As such, I'd like to propose this solution. Basically, I just move the storage for the kmem cache name to the ccid_operations structure. In so doing, we don't have to do the kstrdup or kfree when we allocate/free the various caches for dccp, and so we avoid the problem, by storing names with static memory, rather than heap, the way all other calls to kmem_cache_create do. I've tested this out myself here, and it solves the problem quite well. Signed-off-by: Neil Horman Acked-by: Arnaldo Carvalho de Melo Signed-off-by: David S. Miller

dccp: Clean up ccid.c after integration of CCID plugins

2009-01-05T05:43:23+00:00

This patch cleans up after integrating the CCID modules and, in addition, * moves the if/else cases from ccid_delete() into ccid_hc_{tx,rx}_delete(); * removes the 'gfp' argument to ccid_new() - since it is always gfp_any(). Signed-off-by: Gerrit Renker Signed-off-by: David S. Miller

dccp: Lockless integration of CCID congestion-control plugins

2009-01-05T05:42:53+00:00

Based on Arnaldo's earlier patch, this patch integrates the standardised CCID congestion control plugins (CCID-2 and CCID-3) of DCCP with dccp.ko: * enables a faster connection path by eliminating the need to always go through the CCID registration lock; * updates the implementation to use only a single array whose size equals the number of configured CCIDs instead of the maximum (256); * since the CCIDs are now fixed array elements, synchronization is no longer needed, simplifying use and implementation. CCID-2 is suggested as minimum for a basic DCCP implementation (RFC 4340, 10); CCID-3 is a standards-track CCID supported by RFC 4342 and RFC 5348. Signed-off-by: Gerrit Renker Signed-off-by: David S. Miller

dccp: Remove obsolete parts of the old CCID interface

2008-12-08T09:18:05+00:00

The TX/RX CCIDs of the minisock are now redundant: similar to the Ack Vector case, their value equals initially that of the sysctl, but at the end of feature negotiation may be something different. The old interface removed by this patch thus has been replaced by the newer interface to dynamically query the currently loaded CCIDs. Also removed are the constructors for the TX CCID and the RX CCID, since the switch "rx <-> non-rx" is done by the handler in minisocks.c (and the handler is the only place in the code where CCIDs are loaded). Signed-off-by: Gerrit Renker Acked-by: Ian McDonald Signed-off-by: David S. Miller

dccp: API to query the current TX/RX CCID

2008-11-24T00:04:59+00:00

This provides function to query the current TX/RX CCID dynamically, without reliance on the minisock value, using dynamic information available in the currently loaded CCID module. This query function is then used to (a) provide the getsockopt part for getting/setting CCIDs via sockopts; (b) replace the current test for "which CCID is in use" in probe.c. Signed-off-by: Gerrit Renker Acked-by: Ian McDonald Signed-off-by: David S. Miller