[Feature][ZXW-65]merged P49 base code
Change-Id: I3e09c0c3d47483bc645f02310380ecb7fc6f4041
diff --git a/ap/os/linux/linux-3.4.x/net/core/ethtool.c b/ap/os/linux/linux-3.4.x/net/core/ethtool.c
index 7becb3f..e7680c9 100644
--- a/ap/os/linux/linux-3.4.x/net/core/ethtool.c
+++ b/ap/os/linux/linux-3.4.x/net/core/ethtool.c
@@ -691,10 +691,14 @@
static int ethtool_get_wol(struct net_device *dev, char __user *useraddr)
{
- struct ethtool_wolinfo wol = { .cmd = ETHTOOL_GWOL };
+ struct ethtool_wolinfo wol;
if (!dev->ethtool_ops->get_wol)
return -EOPNOTSUPP;
+
+ //CVE-2014-9900
+ memset(&wol, 0, sizeof(struct ethtool_wolinfo));
+ wol.cmd = ETHTOOL_GWOL;
dev->ethtool_ops->get_wol(dev, &wol);
diff --git a/ap/os/linux/linux-3.4.x/net/core/fastproc/fast_common.c b/ap/os/linux/linux-3.4.x/net/core/fastproc/fast_common.c
index 0f45d4a..d3f740d 100755
--- a/ap/os/linux/linux-3.4.x/net/core/fastproc/fast_common.c
+++ b/ap/os/linux/linux-3.4.x/net/core/fastproc/fast_common.c
@@ -1809,7 +1809,7 @@
return 0;
}
- if (skb->nfct_reasm) {
+ if (skb->nfct_reasm && printk_ratelimit()) {
printk("fast6_fw reasm \n");
return 0;
}
diff --git a/ap/os/linux/linux-3.4.x/net/core/net-sysfs.c b/ap/os/linux/linux-3.4.x/net/core/net-sysfs.c
index 8ca2580..eb6e8eb 100644
--- a/ap/os/linux/linux-3.4.x/net/core/net-sysfs.c
+++ b/ap/os/linux/linux-3.4.x/net/core/net-sysfs.c
@@ -765,9 +765,9 @@
kobject_put(kobj);
return error;
}
+ dev_hold(queue->dev); //CVE-2019-20811
kobject_uevent(kobj, KOBJ_ADD);
- dev_hold(queue->dev);
return error;
}
@@ -1250,6 +1250,8 @@
if (error)
goto exit;
+ dev_hold(queue->dev); //CVE-2019-20811
+
#ifdef CONFIG_BQL
error = sysfs_create_group(kobj, &dql_group);
if (error)
@@ -1265,7 +1267,6 @@
#else
kobject_uevent(kobj, KOBJ_ADD);
#endif
- dev_hold(queue->dev);
return 0;
exit:
diff --git a/ap/os/linux/linux-3.4.x/net/core/net_namespace.c b/ap/os/linux/linux-3.4.x/net/core/net_namespace.c
index dd00b71..57e1b68 100644
--- a/ap/os/linux/linux-3.4.x/net/core/net_namespace.c
+++ b/ap/os/linux/linux-3.4.x/net/core/net_namespace.c
@@ -152,6 +152,7 @@
atomic_set(&net->count, 1);
atomic_set(&net->passive, 1);
+ get_random_bytes(&net->hash_mix, sizeof(u32));//BDSA-2019-2065
net->dev_base_seq = 1;
#ifdef NETNS_REFCNT_DEBUG
diff --git a/ap/os/linux/linux-3.4.x/net/core/sock.c b/ap/os/linux/linux-3.4.x/net/core/sock.c
index 4eba6a0..3204c53 100755
--- a/ap/os/linux/linux-3.4.x/net/core/sock.c
+++ b/ap/os/linux/linux-3.4.x/net/core/sock.c
@@ -583,23 +583,15 @@
break;
case SO_SNDBUF:
/* Don't error on this BSD doesn't and if you think
- about it this is right. Otherwise apps have to
- play 'guess the biggest size' games. RCVBUF/SNDBUF
- are treated in BSD as hints */
-
- if (val > sysctl_wmem_max)
- val = sysctl_wmem_max;
+ * about it this is right. Otherwise apps have to
+ * play 'guess the biggest size' games. RCVBUF/SNDBUF
+ * are treated in BSD as hints
+ */
+ val = min_t(u32, val, sysctl_wmem_max); //CVE-2012-6704
set_sndbuf:
sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
- if ((val * 2) < SOCK_MIN_SNDBUF)
- sk->sk_sndbuf = SOCK_MIN_SNDBUF;
- else
- sk->sk_sndbuf = val * 2;
-
- /*
- * Wake up sending tasks if we
- * upped the value.
- */
+ sk->sk_sndbuf = max_t(u32, val * 2, SOCK_MIN_SNDBUF); //CVE-2012-6704
+ /* Wake up sending tasks if we upped the value. */
sk->sk_write_space(sk);
break;
@@ -612,12 +604,11 @@
case SO_RCVBUF:
/* Don't error on this BSD doesn't and if you think
- about it this is right. Otherwise apps have to
- play 'guess the biggest size' games. RCVBUF/SNDBUF
- are treated in BSD as hints */
-
- if (val > sysctl_rmem_max)
- val = sysctl_rmem_max;
+ * about it this is right. Otherwise apps have to
+ * play 'guess the biggest size' games. RCVBUF/SNDBUF
+ * are treated in BSD as hints
+ */
+ val = min_t(u32, val, sysctl_rmem_max); //CVE-2012-6704
set_rcvbuf:
sk->sk_userlocks |= SOCK_RCVBUF_LOCK;
/*
@@ -635,10 +626,7 @@
* returning the value we actually used in getsockopt
* is the most desirable behavior.
*/
- if ((val * 2) < SOCK_MIN_RCVBUF)
- sk->sk_rcvbuf = SOCK_MIN_RCVBUF;
- else
- sk->sk_rcvbuf = val * 2;
+ sk->sk_rcvbuf = max_t(u32, val * 2, SOCK_MIN_RCVBUF); //CVE-2012-6704
break;
case SO_RCVBUFFORCE:
@@ -987,7 +975,7 @@
break;
case SO_PASSCRED:
- v.val = test_bit(SOCK_PASSCRED, &sock->flags) ? 1 : 0;
+ v.val = !!test_bit(SOCK_PASSCRED, &sock->flags); //CVE-2012-6704
break;
case SO_PEERCRED:
@@ -1023,7 +1011,7 @@
break;
case SO_PASSSEC:
- v.val = test_bit(SOCK_PASSSEC, &sock->flags) ? 1 : 0;
+ v.val = !!test_bit(SOCK_PASSSEC, &sock->flags); //CVE-2012-6704
break;
case SO_PEERSEC:
@@ -1323,6 +1311,8 @@
sock_copy(newsk, sk);
+ newsk->sk_prot_creator = sk->sk_prot; //BDSA-2017-3696
+
/* SANITY */
get_net(sock_net(newsk));
sk_node_init(&newsk->sk_node);
diff --git a/ap/os/linux/linux-3.4.x/net/core/speed_pool_dl.c b/ap/os/linux/linux-3.4.x/net/core/speed_pool_dl.c
index d761b6a..d20418c 100755
--- a/ap/os/linux/linux-3.4.x/net/core/speed_pool_dl.c
+++ b/ap/os/linux/linux-3.4.x/net/core/speed_pool_dl.c
@@ -15,10 +15,8 @@
typedef unsigned long skb_addr_t;
#define SKB_POOL_AUTO_EXTEND
-#define SKB_SYS_POOL_LARGE_NR (32U)
-#define SKB_SYS_POOL_NR ( SKB_SYS_POOL_LARGE_NR)
-#define SKB_SYS_POOL_BATCH_NR (100U)
-#define SKB_SYS_POOL_MAX_NR (1800U)
+#define SKB_SYS_POOL_NR (32U)
+#define SKB_SYS_POOL_BATCH_NR (100U)
#define SKB_SYS_POOL_0_SIZE (256U) /*skb*/
@@ -74,9 +72,9 @@
#define SKB_SYS_POOL_8_PATCH_NR (1)
#define SKB_SYS_POOL_8_RESERVE_NR (0)
-#define test_bit(nr, val) ((val) & (1UL<<(nr)))
-#define set_bit(nr, val) ((val) |= (1UL<<(nr)))
-#define clear_bit(nr, val) ((val) &= ~(1UL<<(nr)))
+#define pool_test_bit(nr, val) ((val) & (1UL<<(nr)))
+#define pool_set_bit(nr, val) ((val) |= (1UL<<(nr)))
+#define pool_clear_bit(nr, val) ((val) &= ~(1UL<<(nr)))
#define array_start(a) (&(a)[0])
#define array_nr(a) (sizeof(a) / sizeof((a)[0]))
@@ -134,14 +132,14 @@
struct skb_pool_node_impl_t
{
skb_pool_node_impl_t *free_next;
-#if _USE_VEHICLE_DC
+#ifdef _USE_VEHICLE_DC
u32 padding[15];//for cacheline
#endif
#ifdef SKB_DBG_POOL
struct list_head alloc_node;
const char *file;
- unsigned long tick;
- u32 line;
+ unsigned long tick;
+ u32 line;
skb_addr_t *magic_top;
skb_addr_t magic_bottom[SKB_POOL_MAGIC_NR];
#endif
@@ -150,11 +148,11 @@
typedef struct
{
skb_pool_node_impl_t *free_head;
- size_t obj_size;
- skb_count_t obj_cur_nr;
+ size_t obj_size;
+ skb_count_t obj_cur_nr; //µ±Ç°¿ÉÓÃ
//#ifdef SKB_POOL_AUTO_EXTEND
- skb_count_t obj_nr;
+ skb_count_t obj_nr; //×ܹ²
// skb_count_t obj_max_nr;
skb_count_t obj_batch_nr;
skb_count_t obj_reserve_nr;
@@ -163,15 +161,12 @@
#ifdef SKB_DBG_POOL
struct list_head alloc_head;
- skb_count_t obj_cnt;
- skb_count_t obj_max_used_cnt;
+ skb_count_t obj_used_cnt; //µ±Ç°ÒÑʹÓÃ(obj_nr - obj_cur_nr)
+ skb_count_t obj_max_used_cnt; //×î´óʹÓÃ(·åÖµ)
#endif
#ifdef SKB_TRACE
- size_t obj_real_size[2048];
- size_t obj_real_size_cnt;
- skb_count_t obj_used_cnt;
- skb_count_t obj_max_used_cnt;
+ size_t obj_real_size[2048];
#endif
} skb_pool_inner_t;
@@ -205,9 +200,8 @@
static unsigned long skb_sys_pool_bitmap;
static skb_pool_inner_t *skb_sys_pool_inner[SKB_SYS_POOL_NR];
-static skb_count_t skb_sys_pool_large_nr;
-static skb_count_t skb_sys_pool_large_dl_nr;
-static size_t skb_sys_pool_large_size[SKB_SYS_POOL_LARGE_NR];
+static skb_count_t skb_sys_pool_nr;
+static size_t skb_sys_pool_sizes[SKB_SYS_POOL_NR];
#if (SKB_SYS_POOL_0_NR > 0)
static u8 skb_sys_pool_0[skb_pool_size(SKB_SYS_POOL_0_SIZE, SKB_SYS_POOL_0_NR)] skb_align_data;
@@ -245,107 +239,15 @@
static u8 skb_sys_pool_8[skb_pool_size(SKB_SYS_POOL_8_SIZE, SKB_SYS_POOL_8_NR)] skb_align_data;
#endif
-#if (SKB_SYS_POOL_9_NR > 0)
- static u8 skb_sys_pool_9[skb_pool_size(SKB_SYS_POOL_9_SIZE, SKB_SYS_POOL_9_NR)] skb_align_data;
-#endif
-
-#if (SKB_SYS_POOL_10_NR > 0)
- static u8 skb_sys_pool_10[skb_pool_size(SKB_SYS_POOL_10_SIZE, SKB_SYS_POOL_10_NR)] skb_align_data;
-#endif
-
-#if (SKB_SYS_POOL_11_NR > 0)
- static u8 skb_sys_pool_11[skb_pool_size(SKB_SYS_POOL_11_SIZE, SKB_SYS_POOL_11_NR)] skb_align_data;
-#endif
-
-#if (SKB_SYS_POOL_12_NR > 0)
- static u8 skb_sys_pool_12[skb_pool_size(SKB_SYS_POOL_12_SIZE, SKB_SYS_POOL_12_NR)] skb_align_data;
-#endif
-
-#if (SKB_SYS_POOL_13_NR > 0)
- static u8 skb_sys_pool_13[skb_pool_size(SKB_SYS_POOL_13_SIZE, SKB_SYS_POOL_13_NR)] skb_align_data;
-#endif
-
-#if (SKB_SYS_POOL_14_NR > 0)
- static u8 skb_sys_pool_14[skb_pool_size(SKB_SYS_POOL_14_SIZE, SKB_SYS_POOL_14_NR)] skb_align_data;
-#endif
-
-#if (SKB_SYS_POOL_15_NR > 0)
- static u8 skb_sys_pool_15[skb_pool_size(SKB_SYS_POOL_15_SIZE, SKB_SYS_POOL_15_NR)] skb_align_data;
-#endif
-
-#if (SKB_SYS_POOL_16_NR > 0)
- static u8 skb_sys_pool_16[skb_pool_size(SKB_SYS_POOL_16_SIZE, SKB_SYS_POOL_16_NR)] skb_align_data;
-#endif
-
-#if (SKB_SYS_POOL_17_NR > 0)
- static u8 skb_sys_pool_17[skb_pool_size(SKB_SYS_POOL_17_SIZE, SKB_SYS_POOL_17_NR)] skb_align_data;
-#endif
-
-#if (SKB_SYS_POOL_18_NR > 0)
- static u8 skb_sys_pool_18[skb_pool_size(SKB_SYS_POOL_18_SIZE, SKB_SYS_POOL_18_NR)] skb_align_data;
-#endif
-
-#if (SKB_SYS_POOL_19_NR > 0)
- static u8 skb_sys_pool_19[skb_pool_size(SKB_SYS_POOL_19_SIZE, SKB_SYS_POOL_19_NR)] skb_align_data;
-#endif
-
-#if (SKB_SYS_POOL_20_NR > 0)
- static u8 skb_sys_pool_20[skb_pool_size(SKB_SYS_POOL_20_SIZE, SKB_SYS_POOL_20_NR)] skb_align_data;
-#endif
-
-#if (SKB_SYS_POOL_21_NR > 0)
- static u8 skb_sys_pool_21[skb_pool_size(SKB_SYS_POOL_21_SIZE, SKB_SYS_POOL_21_NR)] skb_align_data;
-#endif
-
-#if (SKB_SYS_POOL_22_NR > 0)
- static u8 skb_sys_pool_22[skb_pool_size(SKB_SYS_POOL_22_SIZE, SKB_SYS_POOL_22_NR)] skb_align_data;
-#endif
-
-#if (SKB_SYS_POOL_23_NR > 0)
- static u8 skb_sys_pool_23[skb_pool_size(SKB_SYS_POOL_23_SIZE, SKB_SYS_POOL_23_NR)] skb_align_data;
-#endif
-
-#if (SKB_SYS_POOL_24_NR > 0)
- static u8 skb_sys_pool_24[skb_pool_size(SKB_SYS_POOL_24_SIZE, SKB_SYS_POOL_24_NR)] skb_align_data;
-#endif
-
-#if (SKB_SYS_POOL_25_NR > 0)
- static u8 skb_sys_pool_25[skb_pool_size(SKB_SYS_POOL_25_SIZE, SKB_SYS_POOL_25_NR)] skb_align_data;
-#endif
-
-#if (SKB_SYS_POOL_26_NR > 0)
- static u8 skb_sys_pool_26[skb_pool_size(SKB_SYS_POOL_26_SIZE, SKB_SYS_POOL_26_NR)] skb_align_data;
-#endif
-
-#if (SKB_SYS_POOL_27_NR > 0)
- static u8 skb_sys_pool_27[skb_pool_size(SKB_SYS_POOL_27_SIZE, SKB_SYS_POOL_27_NR)] skb_align_data;
-#endif
-
-#if (SKB_SYS_POOL_28_NR > 0)
- static u8 skb_sys_pool_28[skb_pool_size(SKB_SYS_POOL_28_SIZE, SKB_SYS_POOL_28_NR)] skb_align_data;
-#endif
-
-#if (SKB_SYS_POOL_29_NR > 0)
- static u8 skb_sys_pool_29[skb_pool_size(SKB_SYS_POOL_29_SIZE, SKB_SYS_POOL_29_NR)] skb_align_data;
-#endif
-
-#if (SKB_SYS_POOL_30_NR > 0)
- static u8 skb_sys_pool_30[skb_pool_size(SKB_SYS_POOL_30_SIZE, SKB_SYS_POOL_30_NR)] skb_align_data;
-#endif
-
-#if (SKB_SYS_POOL_31_NR > 0)
- static u8 skb_sys_pool_31[skb_pool_size(SKB_SYS_POOL_31_SIZE, SKB_SYS_POOL_31_NR)] skb_align_data;
-#endif
-
- static struct skb_pool_config_t skb_sys_pool_config[] =
+static struct skb_pool_config_t skb_sys_pool_config[] =
{
#if (SKB_SYS_POOL_0_NR > 0)
{
(void *)array_start(skb_sys_pool_0), /* base address */
SKB_SYS_POOL_0_SIZE, /* object size */
SKB_SYS_POOL_0_NR, /* object number */
- SKB_SYS_POOL_0_PATCH_NR,
- SKB_SYS_POOL_0_RESERVE_NR,
+ SKB_SYS_POOL_0_PATCH_NR,
+ SKB_SYS_POOL_0_RESERVE_NR,
},
#endif
@@ -354,8 +256,8 @@
(void *)array_start(skb_sys_pool_1), /* base address */
SKB_SYS_POOL_1_SIZE, /* object size */
SKB_SYS_POOL_1_NR, /* object number */
- SKB_SYS_POOL_1_PATCH_NR,
- SKB_SYS_POOL_1_RESERVE_NR,
+ SKB_SYS_POOL_1_PATCH_NR,
+ SKB_SYS_POOL_1_RESERVE_NR,
},
#endif
@@ -364,8 +266,8 @@
(void *)array_start(skb_sys_pool_2), /* base address */
SKB_SYS_POOL_2_SIZE, /* object size */
SKB_SYS_POOL_2_NR, /* object number */
- SKB_SYS_POOL_2_PATCH_NR,
- SKB_SYS_POOL_2_RESERVE_NR,
+ SKB_SYS_POOL_2_PATCH_NR,
+ SKB_SYS_POOL_2_RESERVE_NR,
},
#endif
@@ -384,8 +286,8 @@
(void *)array_start(skb_sys_pool_4), /* base address */
SKB_SYS_POOL_4_SIZE, /* object size */
SKB_SYS_POOL_4_NR, /* object number */
- SKB_SYS_POOL_4_PATCH_NR,
- SKB_SYS_POOL_4_RESERVE_NR,
+ SKB_SYS_POOL_4_PATCH_NR,
+ SKB_SYS_POOL_4_RESERVE_NR,
},
#endif
@@ -414,8 +316,8 @@
(void *)array_start(skb_sys_pool_7), /* base address */
SKB_SYS_POOL_7_SIZE, /* object size */
SKB_SYS_POOL_7_NR, /* object number */
- SKB_SYS_POOL_7_PATCH_NR,
- SKB_SYS_POOL_7_RESERVE_NR,
+ SKB_SYS_POOL_7_PATCH_NR,
+ SKB_SYS_POOL_7_RESERVE_NR,
},
#endif
@@ -424,240 +326,8 @@
(void *)array_start(skb_sys_pool_8), /* base address */
SKB_SYS_POOL_8_SIZE, /* object size */
SKB_SYS_POOL_8_NR, /* object number */
- SKB_SYS_POOL_8_PATCH_NR,
- SKB_SYS_POOL_8_RESERVE_NR,
- },
-#endif
-
-#if (SKB_SYS_POOL_9_NR > 0)
- {
- (void *)array_start(skb_sys_pool_9), /* base address */
- SKB_SYS_POOL_9_SIZE, /* object size */
- SKB_SYS_POOL_9_NR, /* object number */
- SKB_SYS_POOL_9_PATCH_NR,
- SKB_SYS_POOL_9_RESERVE_NR,
- },
-#endif
-
-#if (SKB_SYS_POOL_10_NR > 0)
- {
- (void *)array_start(skb_sys_pool_10), /* base address */
- SKB_SYS_POOL_10_SIZE, /* object size */
- SKB_SYS_POOL_10_NR, /* object number */
- SKB_SYS_POOL_10_PATCH_NR,
- SKB_SYS_POOL_10_RESERVE_NR,
- },
-#endif
-
-#if (SKB_SYS_POOL_11_NR > 0)
- {
- (void *)array_start(skb_sys_pool_11), /* base address */
- SKB_SYS_POOL_11_SIZE, /* object size */
- SKB_SYS_POOL_11_NR, /* object number */
- SKB_SYS_POOL_11_PATCH_NR,
- SKB_SYS_POOL_11_RESERVE_NR,
- },
-#endif
-
-#if (SKB_SYS_POOL_12_NR > 0)
- {
- (void *)array_start(skb_sys_pool_12), /* base address */
- SKB_SYS_POOL_12_SIZE, /* object size */
- SKB_SYS_POOL_12_NR, /* object number */
- SKB_SYS_POOL_12_PATCH_NR,
- SKB_SYS_POOL_12_RESERVE_NR,
- },
-#endif
-
-#if (SKB_SYS_POOL_13_NR > 0)
- {
- (void *)array_start(skb_sys_pool_13), /* base address */
- SKB_SYS_POOL_13_SIZE, /* object size */
- SKB_SYS_POOL_13_NR, /* object number */
- SKB_SYS_POOL_13_PATCH_NR,
- SKB_SYS_POOL_13_RESERVE_NR,
- },
-#endif
-
-#if (SKB_SYS_POOL_14_NR > 0)
- {
- (void *)array_start(skb_sys_pool_14), /* base address */
- SKB_SYS_POOL_14_SIZE, /* object size */
- SKB_SYS_POOL_14_NR, /* object number */
- SKB_SYS_POOL_14_PATCH_NR,
- SKB_SYS_POOL_14_RESERVE_NR,
- },
-#endif
-
-#if (SKB_SYS_POOL_15_NR > 0)
- {
- (void *)array_start(skb_sys_pool_15), /* base address */
- SKB_SYS_POOL_15_SIZE, /* object size */
- SKB_SYS_POOL_15_NR, /* object number */
- SKB_SYS_POOL_15_PATCH_NR,
- SKB_SYS_POOL_15_RESERVE_NR,
- },
-#endif
-
-#if (SKB_SYS_POOL_16_NR > 0)
- {
- (void *)array_start(skb_sys_pool_16), /* base address */
- SKB_SYS_POOL_16_SIZE, /* object size */
- SKB_SYS_POOL_16_NR, /* object number */
- SKB_SYS_POOL_16_PATCH_NR,
- SKB_SYS_POOL_16_RESERVE_NR,
- },
-#endif
-
-#if (SKB_SYS_POOL_17_NR > 0)
- {
- (void *)array_start(skb_sys_pool_17), /* base address */
- SKB_SYS_POOL_17_SIZE, /* object size */
- SKB_SYS_POOL_17_NR, /* object number */
- SKB_SYS_POOL_17_PATCH_NR,
- SKB_SYS_POOL_17_RESERVE_NR,
- },
-#endif
-
-#if (SKB_SYS_POOL_18_NR > 0)
- {
- (void *)array_start(skb_sys_pool_18), /* base address */
- SKB_SYS_POOL_18_SIZE, /* object size */
- SKB_SYS_POOL_18_NR, /* object number */
- SKB_SYS_POOL_18_PATCH_NR,
- SKB_SYS_POOL_18_RESERVE_NR,
-
- },
-#endif
-
-#if (SKB_SYS_POOL_19_NR > 0)
- {
- (void *)array_start(skb_sys_pool_19), /* base address */
- SKB_SYS_POOL_19_SIZE, /* object size */
- SKB_SYS_POOL_19_NR, /* object number */
- SKB_SYS_POOL_19_PATCH_NR,
- SKB_SYS_POOL_19_RESERVE_NR,
-
- },
-#endif
-
-#if (SKB_SYS_POOL_20_NR > 0)
- {
- (void *)array_start(skb_sys_pool_20), /* base address */
- SKB_SYS_POOL_20_SIZE, /* object size */
- SKB_SYS_POOL_20_NR, /* object number */
- SKB_SYS_POOL_20_PATCH_NR,
- SKB_SYS_POOL_20_RESERVE_NR,
- },
-#endif
-
-#if (SKB_SYS_POOL_21_NR > 0)
- {
- (void *)array_start(skb_sys_pool_21), /* base address */
- SKB_SYS_POOL_21_SIZE, /* object size */
- SKB_SYS_POOL_21_NR, /* object number */
- SKB_SYS_POOL_21_PATCH_NR,
- SKB_SYS_POOL_21_RESERVE_NR,
- },
-#endif
-
-#if (SKB_SYS_POOL_22_NR > 0)
- {
- (void *)array_start(skb_sys_pool_22), /* base address */
- SKB_SYS_POOL_22_SIZE, /* object size */
- SKB_SYS_POOL_22_NR, /* object number */
- SKB_SYS_POOL_22_PATCH_NR,
- SKB_SYS_POOL_22_RESERVE_NR,
- },
-#endif
-
-#if (SKB_SYS_POOL_23_NR > 0)
- {
- (void *)array_start(skb_sys_pool_23), /* base address */
- SKB_SYS_POOL_23_SIZE, /* object size */
- SKB_SYS_POOL_23_NR, /* object number */
- SKB_SYS_POOL_23_PATCH_NR,
- SKB_SYS_POOL_23_RESERVE_NR,
- },
-#endif
-
-#if (SKB_SYS_POOL_24_NR > 0)
- {
- (void *)array_start(skb_sys_pool_24), /* base address */
- SKB_SYS_POOL_24_SIZE, /* object size */
- SKB_SYS_POOL_24_NR, /* object number */
- SKB_SYS_POOL_24_PATCH_NR,
- SKB_SYS_POOL_24_RESERVE_NR,
- },
-#endif
-
-#if (SKB_SYS_POOL_25_NR > 0)
- {
- (void *)array_start(skb_sys_pool_25), /* base address */
- SKB_SYS_POOL_25_SIZE, /* object size */
- SKB_SYS_POOL_25_NR, /* object number */
- SKB_SYS_POOL_25_PATCH_NR,
- SKB_SYS_POOL_25_RESERVE_NR,
- },
-#endif
-
-#if (SKB_SYS_POOL_26_NR > 0)
- {
- (void *)array_start(skb_sys_pool_26), /* base address */
- SKB_SYS_POOL_26_SIZE, /* object size */
- SKB_SYS_POOL_26_NR, /* object number */
- SKB_SYS_POOL_26_PATCH_NR,
- SKB_SYS_POOL_26_RESERVE_NR,
- },
-#endif
-
-#if (SKB_SYS_POOL_27_NR > 0)
- {
- (void *)array_start(skb_sys_pool_27), /* base address */
- SKB_SYS_POOL_27_SIZE, /* object size */
- SKB_SYS_POOL_27_NR, /* object number */
- SKB_SYS_POOL_27_PATCH_NR,
- SKB_SYS_POOL_27_RESERVE_NR,
- },
-#endif
-
-#if (SKB_SYS_POOL_28_NR > 0)
- {
- (void *)array_start(skb_sys_pool_28), /* base address */
- SKB_SYS_POOL_28_SIZE, /* object size */
- SKB_SYS_POOL_28_NR, /* object number */
- SKB_SYS_POOL_28_PATCH_NR,
- SKB_SYS_POOL_28_RESERVE_NR,
- },
-#endif
-
-#if (SKB_SYS_POOL_29_NR > 0)
- {
- (void *)array_start(skb_sys_pool_29), /* base address */
- SKB_SYS_POOL_29_SIZE, /* object size */
- SKB_SYS_POOL_29_NR, /* object number */
- SKB_SYS_POOL_29_PATCH_NR,
- SKB_SYS_POOL_29_RESERVE_NR,
- },
-#endif
-
-#if (SKB_SYS_POOL_30_NR > 0)
- {
- (void *)array_start(skb_sys_pool_30), /* base address */
- SKB_SYS_POOL_30_SIZE, /* object size */
- SKB_SYS_POOL_30_NR, /* object number */
- SKB_SYS_POOL_30_PATCH_NR,
- SKB_SYS_POOL_30_RESERVE_NR,
- },
-#endif
-
-#if (SKB_SYS_POOL_31_NR > 0)
- {
- (void *)array_start(skb_sys_pool_31), /* base address */
- SKB_SYS_POOL_31_SIZE, /* object size */
- SKB_SYS_POOL_31_NR, /* object number */
- SKB_SYS_POOL_31_PATCH_NR,
- SKB_SYS_POOL_31_RESERVE_NR,
+ SKB_SYS_POOL_8_PATCH_NR,
+ SKB_SYS_POOL_8_RESERVE_NR,
},
#endif
};
@@ -665,15 +335,6 @@
/*******************************************************************************
* È«¾Öº¯ÊýÉùÃ÷ *
*******************************************************************************/
-skb_pool_inner_t *skb_pool_create_inner(
- skb_pool_inner_t *inner,
- size_t obj_size,
- skb_count_t obj_nr,
- skb_count_t obj_max_nr,
- skb_count_t obj_batch_nr,
- skb_count_t obj_reserve_nr);
-
-
#ifdef SKB_DBG_POOL
int skb_pool_magic_check(skb_pool_node_impl_t *node)
{
@@ -705,49 +366,50 @@
#else
static inline int skb_pool_magic_check(skb_pool_node_impl_t *node) { return 0; }
-static inline void skb_pool_magic_init(skb_pool_node_impl_t *node){}
+static inline void skb_pool_magic_init(skb_pool_node_impl_t *node) {}
#endif
+
static inline int is_memory_enough(void)
{
return (global_page_state(NR_FREE_PAGES) > wm_min_pages);
}
-int skb_pool_add_inner(
- skb_pool_inner_t *inner,
- unsigned int obj_nr)
+int skb_pool_add_inner(skb_pool_inner_t *inner, unsigned int obj_nr)
{
- u32 obj_size;
+ u32 alloc_size;
skb_count_t cnt;
skb_pool_node_impl_t *node = NULL;
- BUG_ON( inner == NULL || obj_nr <= 0);
-//#ifdef SKB_POOL_AUTO_EXTEND
+
+ BUG_ON(inner == NULL || obj_nr == 0);
+
inner->obj_cur_nr += obj_nr;
inner->obj_nr += obj_nr;
-//#endif
- obj_size = inner->obj_size;
+ alloc_size = skb_pool_node_size(inner->obj_size);
// ÉêÇëÇ°ÏÈÅжÏÊ£ÓàÄÚ´æÊÇ·ñ³ä×ã
- if(is_memory_enough())
- node = ( skb_pool_node_impl_t *)kmalloc(skb_pool_node_size(obj_size), GFP_ATOMIC);
- if (node == NULL){
+ if (is_memory_enough())
+ node = (skb_pool_node_impl_t *)kmalloc(alloc_size, GFP_ATOMIC);
+
+ if (node == NULL)
+ {
inner->obj_cur_nr -= obj_nr;
inner->obj_nr -= obj_nr;
return -1;
}
inner->free_head = node;
#ifdef SKB_DBG_POOL
- node->magic_top = skb_pool_magic_top(node, obj_size);
+ node->magic_top = skb_pool_magic_top(node, inner->obj_size);
skb_pool_magic_init(node);
#endif
- for (cnt = 0x01, obj_size = inner->obj_size; cnt < obj_nr; cnt++)
+ for (cnt = 1; cnt < obj_nr; cnt++)
{
// ÉêÇëÇ°ÏÈÅжÏÊ£ÓàÄÚ´æÊÇ·ñ³ä×ã
- if(is_memory_enough())
- node->free_next =( skb_pool_node_impl_t *)kmalloc(skb_pool_node_size(obj_size), GFP_ATOMIC);
+ if (is_memory_enough())
+ node->free_next = (skb_pool_node_impl_t *)kmalloc(alloc_size, GFP_ATOMIC);
else
- node->free_next = NULL;/*no mem*/
- if ( node->free_next == NULL)/*no mem*/
+ node->free_next = NULL; /* no mem */
+ if (node->free_next == NULL)
{
inner->obj_nr -= obj_nr;
inner->obj_nr += cnt;
@@ -757,84 +419,64 @@
node = node->free_next;
#ifdef SKB_DBG_POOL
- node->magic_top = skb_pool_magic_top(node, obj_size);
+ node->magic_top = skb_pool_magic_top(node, inner->obj_size);
skb_pool_magic_init(node);
#endif
}
node->free_next = NULL;
return 0;
-
}
-static void skb_pool_delete_inner(skb_pool_inner_t *inner,unsigned int type)
+static void skb_pool_delete_inner(skb_pool_inner_t *inner, unsigned int type)
{
skb_pool_node_impl_t *node;
skb_pool_node_impl_t *next_free;
BUG_ON(inner == NULL);
node = inner->free_head;
- switch(type){
- case SKB_POOL_RESERVE:
- while (inner->obj_cur_nr > inner->obj_reserve_nr)
- {
- next_free = node->free_next;
-#ifdef SKB_TRACE
- inner->obj_used_cnt--;
-#endif
-#ifdef SKB_DBG_POOL
- list_del(&node->alloc_node);
-#endif
- kfree(node);
- inner->obj_nr--;
- inner->obj_cur_nr--;
- node = next_free;
- }
- if(node != NULL){
- inner->free_head = node;
- }else{
- inner->free_head = NULL;
-#ifdef SKB_DBG_POOL
- INIT_LIST_HEAD(&inner->alloc_head);
- inner->obj_cnt = 0x00;
- inner->obj_max_used_cnt = 0x00;
-#endif
- }
- case SKB_POOL_NORESERVE:
- inner->obj_nr -= inner->obj_cur_nr;
- while (node != NULL)
- {
- next_free = node->free_next;
- kfree(node);
- inner->obj_cur_nr--;
- node = next_free;
- }
- inner->free_head = NULL;
-#ifdef SKB_DBG_POOL
- INIT_LIST_HEAD(&inner->alloc_head);
- inner->obj_cnt = 0x00;
- inner->obj_max_used_cnt = 0x00;
-#endif
- default:
- return;
- }
+ switch(type)
+ {
+ case SKB_POOL_RESERVE:
+ while (inner->obj_cur_nr > inner->obj_reserve_nr)
+ {
+ next_free = node->free_next;
+ kfree(node);
+ inner->obj_nr--;
+ inner->obj_cur_nr--;
+ node = next_free;
+ }
+ inner->free_head = node;
+ break;
+ case SKB_POOL_NORESERVE:
+ inner->obj_nr -= inner->obj_cur_nr;
+ while (node != NULL)
+ {
+ next_free = node->free_next;
+ kfree(node);
+ inner->obj_cur_nr--;
+ node = next_free;
+ }
+ inner->free_head = NULL;
+ break;
+ default:
+ break;
+ }
+ return;
}
void skb_sys_pool_delete(void)
{
- int cnt;
int index;
- int large_nr;
unsigned long flags;
spin_lock_irqsave(&skb_sys_pool_spinlock, flags);
- for (index = 0x00; index < skb_sys_pool_large_nr; index++)
+ for (index = 0; index < skb_sys_pool_nr; index++)
{
if (skb_sys_pool_inner[index] != NULL)
{
- skb_pool_delete_inner(skb_sys_pool_inner[index],SKB_POOL_NORESERVE);
+ skb_pool_delete_inner(skb_sys_pool_inner[index], SKB_POOL_NORESERVE);
}
-
}
spin_unlock_irqrestore(&skb_sys_pool_spinlock, flags);
@@ -844,32 +486,28 @@
skb_pool_inner_t *inner,
size_t obj_size,
skb_count_t obj_nr,
- skb_count_t obj_max_nr,
skb_count_t obj_batch_nr,
skb_count_t obj_reserve_nr)
{
- skb_pool_node_impl_t *node;
+ BUG_ON(!ptr_is_aligned(inner) || obj_size <= 0 || obj_nr <= 0);
- BUG_ON(! ptr_is_aligned(inner) || obj_size <= 0 || obj_nr <= 0);
-
-//#ifdef SKB_POOL_AUTO_EXTEND
- inner->obj_nr = 00;
+ inner->obj_nr = 0;
inner->obj_batch_nr = obj_batch_nr;
inner->obj_reserve_nr = obj_reserve_nr;
-//#endif
#ifdef SKB_TRACE
- inner->obj_cnt = 0x00;
- inner->obj_used_cnt = 0x00;
- inner->obj_max_used_cnt = 0x00;
+ memset(inner->obj_real_size, 0, sizeof(inner->obj_real_size));
#endif
#ifdef SKB_DBG_POOL
INIT_LIST_HEAD(&inner->alloc_head);
+ inner->obj_max_used_cnt = 0;
+ inner->obj_used_cnt = 0;
#endif
+ inner->free_head = NULL;
inner->obj_size = obj_size;
- node = NULL;
+ inner->obj_cur_nr = 0;
if (skb_pool_add_inner(inner, obj_nr) < 0)
return NULL;
@@ -877,31 +515,15 @@
return inner;
}
-static inline int skb_sys_pool_match_by_inner(skb_pool_inner_t **inner)
-{
- BUG_ON(
- inner < array_start(skb_sys_pool_inner) ||
- inner >= array_end(skb_sys_pool_inner));
-
- return array_index(skb_sys_pool_inner, inner);
-}
-
static inline int skb_sys_pool_match_by_size(u32 size)
{
int index;
- int large_nr;
- for (index = 0x00; index < skb_sys_pool_large_nr; index++)
+ for (index = 0; index < skb_sys_pool_nr; index++)
{
- if (size > skb_sys_pool_large_size[index])
+ if (size > skb_sys_pool_sizes[index])
continue;
-
- large_nr = skb_sys_pool_large_nr ;
- for (index += 0; index < large_nr; index++)
- {
- if (test_bit(index, skb_sys_pool_bitmap))
- return index;
- }
+ return index;
}
return -1;
@@ -915,8 +537,9 @@
node = skb_pool_node(ptr);
index = *(int*)node;
- return skb_sys_pool_inner[index]->obj_size;
+ return skb_sys_pool_inner[index]->obj_size;
}
+
void *skb_sys_pool_alloc(
size_t size
#ifdef SKB_DBG_POOL
@@ -930,35 +553,37 @@
skb_pool_inner_t *inner;
skb_pool_node_impl_t *node;
- BUG_ON( size <= 0);
+ BUG_ON(size == 0);
spin_lock_irqsave(&skb_sys_pool_spinlock, flags);
index = skb_sys_pool_match_by_size(size);
- if (index == -1 )
- {
- if (skb_sys_pool_large_nr >= SKB_SYS_POOL_LARGE_NR - 1)
+ if (index == -1)
+ {
+ skb_pool_inner_t *inner;
+
+ if (skb_sys_pool_nr >= SKB_SYS_POOL_NR)
{
spin_unlock_irqrestore(&skb_sys_pool_spinlock, flags);
return NULL;
- }
- skb_pool_inner_t *inner =(skb_pool_inner_t*)kzalloc(sizeof(skb_pool_inner_t) , GFP_ATOMIC );
- if (inner == NULL){
- spin_unlock_irqrestore(&skb_sys_pool_spinlock, flags);
+ }
+ inner = (skb_pool_inner_t*)kzalloc(sizeof(skb_pool_inner_t), GFP_ATOMIC);
+ if (inner == NULL)
+ {
+ spin_unlock_irqrestore(&skb_sys_pool_spinlock, flags);
return NULL;
}
- if ((skb_sys_pool_inner[skb_sys_pool_large_nr] = skb_pool_create_inner(inner,size,1,SKB_SYS_POOL_MAX_NR,1UL,0))== NULL)
+ if ((skb_sys_pool_inner[skb_sys_pool_nr] = skb_pool_create_inner(inner, size, 1, 1, 0)) == NULL)
{
kfree(inner);
spin_unlock_irqrestore(&skb_sys_pool_spinlock, flags);
return NULL;
}
- skb_sys_pool_large_size[skb_sys_pool_large_nr] = size;
- set_bit(skb_sys_pool_large_nr , skb_sys_pool_bitmap);
- index = skb_sys_pool_large_nr;
- skb_sys_pool_large_nr++;
-
+ skb_sys_pool_sizes[skb_sys_pool_nr] = size;
+ pool_set_bit(skb_sys_pool_nr, skb_sys_pool_bitmap);
+ index = skb_sys_pool_nr;
+ skb_sys_pool_nr++;
}
inner = skb_sys_pool_inner[index];
@@ -966,41 +591,13 @@
if (node == NULL)
{
-#ifdef SKB_POOL_AUTO_EXTEND
if (skb_pool_add_inner(inner, inner->obj_batch_nr) < 0)
{
- spin_unlock_irqrestore(&skb_sys_pool_spinlock, flags);
- return NULL;
- }
-
-#else
- BUG_ON(1);
- spin_unlock_irqrestore(&skb_sys_pool_spinlock, flags);
- return NULL;
-#endif
+ spin_unlock_irqrestore(&skb_sys_pool_spinlock, flags);
+ return NULL;
+ }
}
-#ifdef SKB_TRACE
- if (size < 2048)
- {
- inner->obj_real_size[size] = inner->obj_real_size[size]++;
-
- inner->obj_used_cnt++;
- if (inner->obj_max_used_cnt < inner->obj_used_cnt)
- inner->obj_max_used_cnt = inner->obj_used_cnt;
- }
- else
- {
- if (inner->obj_real_size_cnt >=2048)
- inner->obj_real_size_cnt = 0;
- inner->obj_real_size[ inner->obj_real_size_cnt] = size;
- inner->obj_real_size_cnt++;
-
- inner->obj_used_cnt++;
- if (inner->obj_max_used_cnt < inner->obj_used_cnt)
- inner->obj_max_used_cnt = inner->obj_used_cnt;
- }
-#endif
inner->obj_cur_nr--;
node = inner->free_head;
inner->free_head = node->free_next;
@@ -1008,6 +605,20 @@
#ifdef SKB_DBG_POOL
list_add_tail(&node->alloc_node, &inner->alloc_head);
+ inner->obj_used_cnt++;
+ if (inner->obj_max_used_cnt < inner->obj_used_cnt)
+ inner->obj_max_used_cnt = inner->obj_used_cnt;
+#endif
+
+#ifdef SKB_TRACE
+ if (size < 2048)
+ {
+ inner->obj_real_size[size]++;
+ }
+ else
+ {
+ inner->obj_real_size[0]++;
+ }
#endif
spin_unlock_irqrestore(&skb_sys_pool_spinlock, flags);
@@ -1052,7 +663,7 @@
node = skb_pool_node(ptr);
index = *(int *)node;
- BUG_ON(index == -1 || skb_sys_pool_inner[index] == NULL);
+ BUG_ON(index == -1 || index > skb_sys_pool_nr || skb_sys_pool_inner[index] == NULL);
inner = skb_sys_pool_inner[index];
node->free_next = inner->free_head;
@@ -1061,21 +672,11 @@
#ifdef SKB_DBG_POOL
list_del(&node->alloc_node);
+ inner->obj_used_cnt--;
#endif
if (inner->obj_cur_nr > inner->obj_reserve_nr)
- skb_pool_delete_inner(skb_sys_pool_inner[index],SKB_POOL_RESERVE);
- else{
-
-#ifdef SKB_TRACE
- inner->obj_used_cnt--;
-#endif
- }
-
-#if 0
- if (!test_bit(index, skb_sys_pool_bitmap))
- set_bit(index, skb_sys_pool_bitmap);
-#endif
+ skb_pool_delete_inner(skb_sys_pool_inner[index], SKB_POOL_RESERVE);
spin_unlock_irqrestore(&skb_sys_pool_spinlock, flags);
@@ -1088,7 +689,7 @@
{
u32 cnt;
- BUG_ON( cfg == NULL || cfg_nr > SKB_SYS_POOL_NR);
+ BUG_ON( cfg == NULL || cfg_nr > SKB_SYS_POOL_NR);
for (cnt = 0x00; cnt < cfg_nr; cnt++, cfg++)
{
@@ -1097,17 +698,15 @@
(skb_pool_inner_t *)cfg->addr,
cfg->obj_size,
cfg->obj_nr,
- SKB_SYS_POOL_MAX_NR,
cfg->patch_nr,
cfg->reserve_nr);
- skb_sys_pool_large_size[cnt] = cfg->obj_size;
- skb_sys_pool_large_nr++;
- set_bit(cnt , skb_sys_pool_bitmap);
+ skb_sys_pool_sizes[cnt] = cfg->obj_size;
+ skb_sys_pool_nr++;
+ pool_set_bit(cnt , skb_sys_pool_bitmap);
if (cnt && cnt > 1)
- BUG_ON( cfg->obj_size <= skb_sys_pool_large_size[cnt - 1]);
+ BUG_ON(cfg->obj_size < skb_sys_pool_sizes[cnt - 1]);
}
- skb_sys_pool_large_dl_nr = skb_sys_pool_large_nr;
}
int __init skb_sys_pool_init(void)
diff --git a/ap/os/linux/linux-3.4.x/net/ipv4/ip_sockglue.c b/ap/os/linux/linux-3.4.x/net/ipv4/ip_sockglue.c
index df9f330..ad439ed 100644
--- a/ap/os/linux/linux-3.4.x/net/ipv4/ip_sockglue.c
+++ b/ap/os/linux/linux-3.4.x/net/ipv4/ip_sockglue.c
@@ -254,6 +254,8 @@
return -EINVAL;
new_ra = on ? kmalloc(sizeof(*new_ra), GFP_KERNEL) : NULL;
+ if (on && !new_ra) //CVE-2019-12381(BDSA-2019-1652)
+ return -ENOMEM;
spin_lock_bh(&ip_ra_lock);
for (rap = &ip_ra_chain;
diff --git a/ap/os/linux/linux-3.4.x/net/ipv4/ping.c b/ap/os/linux/linux-3.4.x/net/ipv4/ping.c
index 9f471c3..5ff3ed1 100644
--- a/ap/os/linux/linux-3.4.x/net/ipv4/ping.c
+++ b/ap/os/linux/linux-3.4.x/net/ipv4/ping.c
@@ -665,11 +665,13 @@
if (msg->msg_name) {
struct sockaddr_in *sin = (struct sockaddr_in *)msg->msg_name;
- sin->sin_family = AF_INET;
- sin->sin_port = 0 /* skb->h.uh->source */;
- sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
- memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
- *addr_len = sizeof(*sin);
+ if (sin) { //CVE-2013-6432
+ sin->sin_family = AF_INET;
+ sin->sin_port = 0 /* skb->h.uh->source */;
+ sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
+ memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
+ *addr_len = sizeof(*sin);
+ }
}
if (isk->cmsg_flags)
ip_cmsg_recv(msg, skb);
diff --git a/ap/os/linux/linux-3.4.x/net/ipv4/tcp.c b/ap/os/linux/linux-3.4.x/net/ipv4/tcp.c
index a18ff4e..82bb0e7 100755
--- a/ap/os/linux/linux-3.4.x/net/ipv4/tcp.c
+++ b/ap/os/linux/linux-3.4.x/net/ipv4/tcp.c
@@ -2174,6 +2174,10 @@
tcp_set_ca_state(sk, TCP_CA_Open);
tcp_clear_retrans(tp);
inet_csk_delack_init(sk);
+ /* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0
+ * issue in __tcp_select_window()
+ */
+ icsk->icsk_ack.rcv_mss = TCP_MIN_MSS; //CVE-2017-14106(BDSA-2017-1152)
tcp_init_send_head(sk);
memset(&tp->rx_opt, 0, sizeof(tp->rx_opt));
__sk_dst_reset(sk);
diff --git a/ap/os/linux/linux-3.4.x/net/ipv4/tcp_timer.c b/ap/os/linux/linux-3.4.x/net/ipv4/tcp_timer.c
index 34d4a02..94159fc 100644
--- a/ap/os/linux/linux-3.4.x/net/ipv4/tcp_timer.c
+++ b/ap/os/linux/linux-3.4.x/net/ipv4/tcp_timer.c
@@ -124,6 +124,7 @@
mss = tcp_mtu_to_mss(sk, icsk->icsk_mtup.search_low) >> 1;
mss = min(sysctl_tcp_base_mss, mss);
mss = max(mss, 68 - tp->tcp_header_len);
+ mss = max(mss, TCP_MIN_SND_MSS);//BDSA-2019-1812(CVE-2019-11479)
icsk->icsk_mtup.search_low = tcp_mss_to_mtu(sk, mss);
tcp_sync_mss(sk, icsk->icsk_pmtu_cookie);
}
diff --git a/ap/os/linux/linux-3.4.x/net/ipv6/ip6_output.c b/ap/os/linux/linux-3.4.x/net/ipv6/ip6_output.c
index daadf4c..97aca44 100755
--- a/ap/os/linux/linux-3.4.x/net/ipv6/ip6_output.c
+++ b/ap/os/linux/linux-3.4.x/net/ipv6/ip6_output.c
@@ -563,7 +563,7 @@
int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
{
- u16 offset = sizeof(struct ipv6hdr);
+ unsigned int offset = sizeof(struct ipv6hdr);//CVE-2017-7542(BDSA-2017-0992)
//struct ipv6_opt_hdr *exthdr =//CVE-2017-9074
//(struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
unsigned int packet_len = skb->tail - skb->network_header;
@@ -573,6 +573,7 @@
//while (offset + 1 <= packet_len) {//CVE-2017-9074
while (offset <= packet_len) {
struct ipv6_opt_hdr *exthdr;//CVE-2017-9074
+ unsigned int len;
switch (**nexthdr) {
case NEXTHDR_HOP:
@@ -598,7 +599,11 @@
return -EINVAL;//CVE-2017-9074
exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
offset);
- offset += ipv6_optlen(exthdr);
+ //CVE-2017-7542(BDSA-2017-0992)
+ len = ipv6_optlen(exthdr);
+ if (len + offset >= IPV6_MAXPLEN)
+ return -EINVAL;
+ offset += len;
*nexthdr = &exthdr->nexthdr;//CVE-2017-9074
}
@@ -1430,6 +1435,11 @@
*/
alloclen += sizeof(struct frag_hdr);
+ copy = datalen - transhdrlen - fraggap; //CVE-2017-9242(BDSA-2017-1000)
+ if (copy < 0) {
+ err = -EINVAL;
+ goto error;
+ }
if (transhdrlen) {
skb = sock_alloc_send_skb(sk,
alloclen + hh_len,
@@ -1481,13 +1491,9 @@
data += fraggap;
pskb_trim_unique(skb_prev, maxfraglen);
}
- copy = datalen - transhdrlen - fraggap;
-
- if (copy < 0) {
- err = -EINVAL;
- kfree_skb(skb);
- goto error;
- } else if (copy > 0 && getfrag(from, data + transhdrlen, offset, copy, fraggap, skb) < 0) {
+ if (copy > 0 &&
+ getfrag(from, data + transhdrlen, offset,
+ copy, fraggap, skb) < 0) { //CVE-2017-9242(BDSA-2017-1000)
err = -EFAULT;
kfree_skb(skb);
goto error;
diff --git a/ap/os/linux/linux-3.4.x/net/ipv6/ipv6_sockglue.c b/ap/os/linux/linux-3.4.x/net/ipv6/ipv6_sockglue.c
index ba074eb..8ad6b2f 100755
--- a/ap/os/linux/linux-3.4.x/net/ipv6/ipv6_sockglue.c
+++ b/ap/os/linux/linux-3.4.x/net/ipv6/ipv6_sockglue.c
@@ -67,6 +67,8 @@
return -ENOPROTOOPT;
new_ra = (sel>=0) ? kmalloc(sizeof(*new_ra), GFP_KERNEL) : NULL;
+ if (sel >= 0 && !new_ra) //CVE-2019-12378(BDSA-2019-1655)
+ return -ENOMEM;
write_lock_bh(&ip6_ra_lock);
for (rap = &ip6_ra_chain; (ra=*rap) != NULL; rap = &ra->next) {
@@ -150,6 +152,13 @@
lock_sock(sk);
+ /* BDSA-2022-2918(CVE-2022-3524) */
+ /* Another thread has converted the socket into IPv4 with
+ * IPV6_ADDRFORM concurrently.
+ */
+ if (unlikely(sk->sk_family != AF_INET6))
+ goto unlock;
+
switch (optname) {
case IPV6_ADDRFORM:
@@ -854,6 +863,7 @@
break;
}
+unlock: //BDSA-2022-2918(CVE-2022-3524)
release_sock(sk);
return retv;
diff --git a/ap/os/linux/linux-3.4.x/net/ipv6/udp.c b/ap/os/linux/linux-3.4.x/net/ipv6/udp.c
index 0bf27fb..18328b5 100755
--- a/ap/os/linux/linux-3.4.x/net/ipv6/udp.c
+++ b/ap/os/linux/linux-3.4.x/net/ipv6/udp.c
@@ -718,7 +718,8 @@
}
extern void fast_sk_add_ct(struct sk_buff * skb,struct sock *sk);
-
+int udp6_zero_csum_ctrl = 1;
+module_param(udp6_zero_csum_ctrl,int,0644);
int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
int proto)
{
@@ -759,7 +760,7 @@
}
}
- if (udp6_csum_init(skb, uh, proto))
+ if (!(udp6_zero_csum_ctrl && ((IPPROTO_UDP == proto)&&(0 == uh->check))) && udp6_csum_init(skb, uh, proto))
goto discard;
/*
diff --git a/ap/os/linux/linux-3.4.x/net/netfilter/nf_conntrack_netlink.c b/ap/os/linux/linux-3.4.x/net/netfilter/nf_conntrack_netlink.c
index ca7e835..5dfc44b 100644
--- a/ap/os/linux/linux-3.4.x/net/netfilter/nf_conntrack_netlink.c
+++ b/ap/os/linux/linux-3.4.x/net/netfilter/nf_conntrack_netlink.c
@@ -848,6 +848,8 @@
if (!tb[CTA_TUPLE_IP])
return -EINVAL;
+ if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6) //CVE-2020-25211(BDSA-2020-2321)
+ return -EOPNOTSUPP;
tuple->src.l3num = l3num;
err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple);
diff --git a/ap/os/linux/linux-3.4.x/net/netfilter/nfnetlink_queue.c b/ap/os/linux/linux-3.4.x/net/netfilter/nfnetlink_queue.c
index e3c436d..e0275e4 100755
--- a/ap/os/linux/linux-3.4.x/net/netfilter/nfnetlink_queue.c
+++ b/ap/os/linux/linux-3.4.x/net/netfilter/nfnetlink_queue.c
@@ -461,7 +461,7 @@
if (diff < 0) {
unsigned int min_len = skb_transport_offset(e->skb);
//CVE-2022-36946
- if (data_len < min_len)
+ if (data_len < (int)min_len)
return -EINVAL;
if (pskb_trim(e->skb, data_len))
diff --git a/ap/os/linux/linux-3.4.x/net/netfilter/xt_TCPMSS.c b/ap/os/linux/linux-3.4.x/net/netfilter/xt_TCPMSS.c
index 190ad37..31d8a4e 100644
--- a/ap/os/linux/linux-3.4.x/net/netfilter/xt_TCPMSS.c
+++ b/ap/os/linux/linux-3.4.x/net/netfilter/xt_TCPMSS.c
@@ -62,7 +62,7 @@
tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
/* Header cannot be larger than the packet */
- if (tcplen < tcph->doff*4)
+ if (tcplen < tcph->doff*4 || tcph->doff*4 < sizeof(struct tcphdr)) //CVE-2017-18017(BDSA-2017-2798)
return -1;
if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
@@ -113,6 +113,11 @@
if (tcplen > tcph->doff*4)
return 0;
+ /* CVE-2017-18017(BDSA-2017-2798) */
+ /* tcph->doff has 4 bits, do not wrap it to 0 */
+ if (tcph->doff*4 >= 15*4)
+ return 0;
+
/*
* MSS Option not found ?! add it..
*/
diff --git a/ap/os/linux/linux-3.4.x/net/packet/af_packet.c b/ap/os/linux/linux-3.4.x/net/packet/af_packet.c
index dc845ff..8ea15eb 100755
--- a/ap/os/linux/linux-3.4.x/net/packet/af_packet.c
+++ b/ap/os/linux/linux-3.4.x/net/packet/af_packet.c
@@ -568,7 +568,8 @@
default:
return DEFAULT_PRB_RETIRE_TOV;
}
- }
+ } else
+ return DEFAULT_PRB_RETIRE_TOV; //CVE-2019-20812(BDSA-2019-4411)
mbits = (blk_size_in_bytes * 8) / (1024 * 1024);
@@ -1782,8 +1783,11 @@
copy_skb = skb_get(skb);
skb_head = skb->data;
}
- if (copy_skb)
+ if (copy_skb) {
+ memset(&PACKET_SKB_CB(copy_skb)->sa.ll, 0,
+ sizeof(PACKET_SKB_CB(copy_skb)->sa.ll)); //BDSA-2022-2562(CVE-2022-20368)
skb_set_owner_r(copy_skb, sk);
+ }
}
snaplen = po->rx_ring.frame_size - macoff;
if ((int)snaplen < 0)
@@ -2810,15 +2814,25 @@
sock_recv_ts_and_drops(msg, sk, skb);
if (msg->msg_name) {
+ const size_t max_len = min(sizeof(skb->cb),
+ sizeof(struct sockaddr_storage)); //BDSA-2022-2562(CVE-2022-20368)
+ int copy_len;
+
/* If the address length field is there to be filled
* in, we fill it in now.
*/
if (sock->type == SOCK_PACKET) {
msg->msg_namelen = sizeof(struct sockaddr_pkt);
+ copy_len = msg->msg_namelen;
} else {
struct sockaddr_ll *sll = &PACKET_SKB_CB(skb)->sa.ll;
msg->msg_namelen = sll->sll_halen +
offsetof(struct sockaddr_ll, sll_addr);
+ copy_len = msg->msg_namelen;
+ }
+ if (WARN_ON_ONCE(copy_len > max_len)) { //BDSA-2022-2562(CVE-2022-20368)
+ copy_len = max_len;
+ msg->msg_namelen = copy_len;
}
memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa,
msg->msg_namelen);
diff --git a/ap/os/linux/linux-3.4.x/net/wireless/nl80211.c b/ap/os/linux/linux-3.4.x/net/wireless/nl80211.c
index 42ebb4a..72d765e 100755
--- a/ap/os/linux/linux-3.4.x/net/wireless/nl80211.c
+++ b/ap/os/linux/linux-3.4.x/net/wireless/nl80211.c
@@ -6328,6 +6328,9 @@
if (err)
return err;
+ if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
+ !tb[NL80211_REKEY_DATA_KCK]) //CVE-2017-12153(BDSA-2017-1184)
+ return -EINVAL;
if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
return -ERANGE;
if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
diff --git a/ap/os/linux/linux-3.4.x/net/xfrm/xfrm_user.c b/ap/os/linux/linux-3.4.x/net/xfrm/xfrm_user.c
index 812845e..ccf0f6e 100755
--- a/ap/os/linux/linux-3.4.x/net/xfrm/xfrm_user.c
+++ b/ap/os/linux/linux-3.4.x/net/xfrm/xfrm_user.c
@@ -390,7 +390,15 @@
up = nla_data(rp);
ulen = xfrm_replay_state_esn_len(up);
- if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
+ /* CVE-2017-7184 */
+ /* Check the overall length and the internal bitmap length to avoid
+ * potential overflow. */
+ if (nla_len(rp) < ulen ||
+ xfrm_replay_state_esn_len(replay_esn) != ulen ||
+ replay_esn->bmp_len != up->bmp_len)
+ return -EINVAL;
+
+ if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
return -EINVAL;
return 0;
@@ -850,6 +858,7 @@
static int xfrm_dump_sa_done(struct netlink_callback *cb)
{
struct xfrm_state_walk *walk = (struct xfrm_state_walk *) &cb->args[1];
+ if(walk)
xfrm_state_walk_done(walk);
return 0;
}
@@ -860,6 +869,8 @@
struct xfrm_state_walk *walk = (struct xfrm_state_walk *) &cb->args[1];
struct xfrm_dump_info info;
+ if(walk == NULL)
+ return 0;
BUILD_BUG_ON(sizeof(struct xfrm_state_walk) >
sizeof(cb->args) - sizeof(cb->args[0]));
@@ -1527,7 +1538,7 @@
static int xfrm_dump_policy_done(struct netlink_callback *cb)
{
struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
-
+ if(walk)
xfrm_policy_walk_done(walk);
return 0;
}
@@ -1538,6 +1549,8 @@
struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
struct xfrm_dump_info info;
+ if(walk == NULL)
+ return 0;
BUILD_BUG_ON(sizeof(struct xfrm_policy_walk) >
sizeof(cb->args) - sizeof(cb->args[0]));