net: Compute protocol sequence numbers and fragment IDs using MD5, CVE-2011-3188

[linux-flexiantxendom0-natty.git] / net / dccp / ipv6.c

diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index ab1ab95..3631a6c 100644 (file)
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -29,6 +29,7 @@
 #include <net/transp_v6.h>
 #include <net/ip6_checksum.h>
 #include <net/xfrm.h>
+#include <net/secure_seq.h>
 
 #include "dccp.h"
 #include "ipv6.h"
@@ -69,13 +70,7 @@ static inline void dccp_v6_send_check(struct sock *sk, struct sk_buff *skb)
        dh->dccph_checksum = dccp_v6_csum_finish(skb, &np->saddr, &np->daddr);
 }
 
-static inline __u32 secure_dccpv6_sequence_number(__be32 *saddr, __be32 *daddr,
-                                                 __be16 sport, __be16 dport   )
-{
-       return secure_tcpv6_sequence_number(saddr, daddr, sport, dport);
-}
-
-static inline __u32 dccp_v6_init_sequence(struct sk_buff *skb)
+static inline __u64 dccp_v6_init_sequence(struct sk_buff *skb)
 {
        return secure_dccpv6_sequence_number(ipv6_hdr(skb)->daddr.s6_addr32,
                                             ipv6_hdr(skb)->saddr.s6_addr32,
@@ -248,7 +243,7 @@ static int dccp_v6_send_response(struct sock *sk, struct request_sock *req,
        struct ipv6_pinfo *np = inet6_sk(sk);
        struct sk_buff *skb;
        struct ipv6_txoptions *opt = NULL;
-       struct in6_addr *final_p = NULL, final;
+       struct in6_addr *final_p, final;
        struct flowi fl;
        int err = -1;
        struct dst_entry *dst;
@@ -265,13 +260,7 @@ static int dccp_v6_send_response(struct sock *sk, struct request_sock *req,
 
        opt = np->opt;
 
-       if (opt != NULL && opt->srcrt != NULL) {
-               const struct rt0_hdr *rt0 = (struct rt0_hdr *)opt->srcrt;
-
-               ipv6_addr_copy(&final, &fl.fl6_dst);
-               ipv6_addr_copy(&fl.fl6_dst, rt0->addr);
-               final_p = &final;
-       }
+       final_p = fl6_update_dst(&fl, opt, &final);
 
        err = ip6_dst_lookup(sk, &dst, &fl);
        if (err)
@@ -292,7 +281,7 @@ static int dccp_v6_send_response(struct sock *sk, struct request_sock *req,
                                                         &ireq6->loc_addr,
                                                         &ireq6->rmt_addr);
                ipv6_addr_copy(&fl.fl6_dst, &ireq6->rmt_addr);
-               err = ip6_xmit(sk, skb, &fl, opt, 0);
+               err = ip6_xmit(sk, skb, &fl, opt);
                err = net_xmit_eval(err);
        }
 
@@ -347,7 +336,7 @@ static void dccp_v6_ctl_send_reset(struct sock *sk, struct sk_buff *rxskb)
        if (!ip6_dst_lookup(ctl_sk, &dst, &fl)) {
                if (xfrm_lookup(net, &dst, &fl, NULL, 0) >= 0) {
                        skb_dst_set(skb, dst);
-                       ip6_xmit(ctl_sk, skb, &fl, NULL, 0);
+                       ip6_xmit(ctl_sk, skb, &fl, NULL);
                        DCCP_INC_STATS_BH(DCCP_MIB_OUTSEGS);
                        DCCP_INC_STATS_BH(DCCP_MIB_OUTRSTS);
                        return;
@@ -545,19 +534,13 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk,
                goto out_overflow;
 
        if (dst == NULL) {
-               struct in6_addr *final_p = NULL, final;
+               struct in6_addr *final_p, final;
                struct flowi fl;
 
                memset(&fl, 0, sizeof(fl));
                fl.proto = IPPROTO_DCCP;
                ipv6_addr_copy(&fl.fl6_dst, &ireq6->rmt_addr);
-               if (opt != NULL && opt->srcrt != NULL) {
-                       const struct rt0_hdr *rt0 = (struct rt0_hdr *)opt->srcrt;
-
-                       ipv6_addr_copy(&final, &fl.fl6_dst);
-                       ipv6_addr_copy(&fl.fl6_dst, rt0->addr);
-                       final_p = &final;
-               }
+               final_p = fl6_update_dst(&fl, opt, &final);
                ipv6_addr_copy(&fl.fl6_src, &ireq6->loc_addr);
                fl.oif = sk->sk_bound_dev_if;
                fl.fl_ip_dport = inet_rsk(req)->rmt_port;
@@ -576,7 +559,7 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk,
 
        newsk = dccp_create_openreq_child(sk, req, skb);
        if (newsk == NULL)
-               goto out;
+               goto out_nonewsk;
 
        /*
         * No need to charge this sock to the relevant IPv6 refcnt debug socks
@@ -644,18 +627,22 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk,
        newinet->inet_daddr = newinet->inet_saddr = LOOPBACK4_IPV6;
        newinet->inet_rcv_saddr = LOOPBACK4_IPV6;
 
+       if (__inet_inherit_port(sk, newsk) < 0) {
+               sock_put(newsk);
+               goto out;
+       }
        __inet6_hash(newsk, NULL);
-       __inet_inherit_port(sk, newsk);
 
        return newsk;
 
 out_overflow:
        NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS);
+out_nonewsk:
+       dst_release(dst);
 out:
        NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENDROPS);
        if (opt != NULL && opt != np->opt)
                sock_kfree_s(sk, opt, opt->tot_len);
-       dst_release(dst);
        return NULL;
 }
 
@@ -885,7 +872,7 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
        struct inet_sock *inet = inet_sk(sk);
        struct ipv6_pinfo *np = inet6_sk(sk);
        struct dccp_sock *dp = dccp_sk(sk);
-       struct in6_addr *saddr = NULL, *final_p = NULL, final;
+       struct in6_addr *saddr = NULL, *final_p, final;
        struct flowi fl;
        struct dst_entry *dst;
        int addr_type;
@@ -988,13 +975,7 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
        fl.fl_ip_sport = inet->inet_sport;
        security_sk_classify_flow(sk, &fl);
 
-       if (np->opt != NULL && np->opt->srcrt != NULL) {
-               const struct rt0_hdr *rt0 = (struct rt0_hdr *)np->opt->srcrt;
-
-               ipv6_addr_copy(&final, &fl.fl6_dst);
-               ipv6_addr_copy(&fl.fl6_dst, rt0->addr);
-               final_p = &final;
-       }
+       final_p = fl6_update_dst(&fl, np->opt, &final);
 
        err = ip6_dst_lookup(sk, &dst, &fl);
        if (err)