[NETFILTER]: Check policy length in policy match strict mode

[linux-2.6] / net / ipv6 / af_inet6.c

diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 23675ef1f428389db2b439a56e4f201556afff89..6c9711ac1c0324adb5496541efebc55e89a50bf7 100644 (file)
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -22,6 +22,7 @@
 
 
 #include <linux/module.h>
+#include <linux/capability.h>
 #include <linux/config.h>
 #include <linux/errno.h>
 #include <linux/types.h>
@@ -167,6 +168,7 @@ lookup_protocol:
                sk->sk_reuse = 1;
 
        inet = inet_sk(sk);
+       inet->is_icsk = INET_PROTOSW_ICSK & answer_flags;
 
        if (SOCK_RAW == sock->type) {
                inet->num = protocol;
@@ -367,12 +369,6 @@ int inet6_destroy_sock(struct sock *sk)
        struct sk_buff *skb;
        struct ipv6_txoptions *opt;
 
-       /*
-        *      Release destination entry
-        */
-
-       sk_dst_reset(sk);
-
        /* Release rx options */
 
        if ((skb = xchg(&np->pktoptions, NULL)) != NULL)
@@ -433,7 +429,6 @@ int inet6_getname(struct socket *sock, struct sockaddr *uaddr,
 int inet6_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
 {
        struct sock *sk = sock->sk;
-       int err = -EINVAL;
 
        switch(cmd) 
        {
@@ -452,16 +447,15 @@ int inet6_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
        case SIOCSIFDSTADDR:
                return addrconf_set_dstaddr((void __user *) arg);
        default:
-               if (!sk->sk_prot->ioctl ||
-                   (err = sk->sk_prot->ioctl(sk, cmd, arg)) == -ENOIOCTLCMD)
-                       return(dev_ioctl(cmd,(void __user *) arg));             
-               return err;
+               if (!sk->sk_prot->ioctl)
+                       return -ENOIOCTLCMD;
+               return sk->sk_prot->ioctl(sk, cmd, arg);
        }
        /*NOTREACHED*/
        return(0);
 }
 
-struct proto_ops inet6_stream_ops = {
+const struct proto_ops inet6_stream_ops = {
        .family =       PF_INET6,
        .owner =        THIS_MODULE,
        .release =      inet6_release,
@@ -482,7 +476,7 @@ struct proto_ops inet6_stream_ops = {
        .sendpage =     tcp_sendpage
 };
 
-struct proto_ops inet6_dgram_ops = {
+const struct proto_ops inet6_dgram_ops = {
        .family =       PF_INET6,
        .owner =        THIS_MODULE,
        .release =      inet6_release,
@@ -510,7 +504,7 @@ static struct net_proto_family inet6_family_ops = {
 };
 
 /* Same as inet6_dgram_ops, sans udp_poll.  */
-static struct proto_ops inet6_sockraw_ops = {
+static const struct proto_ops inet6_sockraw_ops = {
        .family =       PF_INET6,
        .owner =        THIS_MODULE,
        .release =      inet6_release,
@@ -663,17 +657,38 @@ int inet6_sk_rebuild_header(struct sock *sk)
 
 EXPORT_SYMBOL_GPL(inet6_sk_rebuild_header);
 
+int ipv6_opt_accepted(struct sock *sk, struct sk_buff *skb)
+{
+       struct ipv6_pinfo *np = inet6_sk(sk);
+       struct inet6_skb_parm *opt = IP6CB(skb);
+
+       if (np->rxopt.all) {
+               if ((opt->hop && (np->rxopt.bits.hopopts ||
+                                 np->rxopt.bits.ohopopts)) ||
+                   ((IPV6_FLOWINFO_MASK & *(u32*)skb->nh.raw) &&
+                    np->rxopt.bits.rxflow) ||
+                   (opt->srcrt && (np->rxopt.bits.srcrt ||
+                    np->rxopt.bits.osrcrt)) ||
+                   ((opt->dst1 || opt->dst0) &&
+                    (np->rxopt.bits.dstopts || np->rxopt.bits.odstopts)))
+                       return 1;
+       }
+       return 0;
+}
+
+EXPORT_SYMBOL_GPL(ipv6_opt_accepted);
+
 int
 snmp6_mib_init(void *ptr[2], size_t mibsize, size_t mibalign)
 {
        if (ptr == NULL)
                return -EINVAL;
 
-       ptr[0] = __alloc_percpu(mibsize, mibalign);
+       ptr[0] = __alloc_percpu(mibsize);
        if (!ptr[0])
                goto err0;
 
-       ptr[1] = __alloc_percpu(mibsize, mibalign);
+       ptr[1] = __alloc_percpu(mibsize);
        if (!ptr[1])
                goto err1;