Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index bd1c65425d4fc02e4b514711a2ee951a122c99fb..0b7f262cd14861aaf21849ee522b3d110c3370d3 100644 (file)
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1406,6 +1406,9 @@ static int do_ebt_set_ctl(struct sock *sk,
 {
        int ret;
 
+       if (!capable(CAP_NET_ADMIN))
+               return -EPERM;
+
        switch(cmd) {
        case EBT_SO_SET_ENTRIES:
                ret = do_replace(sock_net(sk), user, len);
@@ -1425,6 +1428,9 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
        struct ebt_replace tmp;
        struct ebt_table *t;
 
+       if (!capable(CAP_NET_ADMIN))
+               return -EPERM;
+
        if (copy_from_user(&tmp, user, sizeof(tmp)))
                return -EFAULT;
 

diff --git a/net/netfilter/ipvs/Kconfig b/net/netfilter/ipvs/Kconfig
index 79a69805221889c91578ef8f45bf6a8313a3420e..f2d76238b9b5f05c8b95fa9afbcc72d95211f897 100644 (file)
--- a/net/netfilter/ipvs/Kconfig
+++ b/net/netfilter/ipvs/Kconfig
@@ -112,7 +112,8 @@ config      IP_VS_RR
          module, choose M here. If unsure, say N.
  
 config IP_VS_WRR
-        tristate "weighted round-robin scheduling" 
+       tristate "weighted round-robin scheduling"
+       select GCD
        ---help---
          The weighted robin-robin scheduling algorithm directs network
          connections to different real servers based on server weights

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 6bde12da2fe0038660f6d3b7b195e8596c289e1e..c37ac2d7bec44da042af844717084489aae511a6 100644 (file)
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2077,6 +2077,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
        if (!capable(CAP_NET_ADMIN))
                return -EPERM;
 
+       if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_SET_MAX)
+               return -EINVAL;
+       if (len < 0 || len >  MAX_ARG_LEN)
+               return -EINVAL;
        if (len != set_arglen[SET_CMDID(cmd)]) {
                pr_err("set_ctl: len %u != %u\n",
                       len, set_arglen[SET_CMDID(cmd)]);
@@ -2352,17 +2356,25 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
 {
        unsigned char arg[128];
        int ret = 0;
+       unsigned int copylen;
 
        if (!capable(CAP_NET_ADMIN))
                return -EPERM;
 
+       if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_GET_MAX)
+               return -EINVAL;
+
        if (*len < get_arglen[GET_CMDID(cmd)]) {
                pr_err("get_ctl: len %u < %u\n",
                       *len, get_arglen[GET_CMDID(cmd)]);
                return -EINVAL;
        }
 
-       if (copy_from_user(arg, user, get_arglen[GET_CMDID(cmd)]) != 0)
+       copylen = get_arglen[GET_CMDID(cmd)];
+       if (copylen > 128)
+               return -EINVAL;
+
+       if (copy_from_user(arg, user, copylen) != 0)
                return -EFAULT;
 
        if (mutex_lock_interruptible(&__ip_vs_mutex))

diff --git a/net/netfilter/ipvs/ip_vs_wrr.c b/net/netfilter/ipvs/ip_vs_wrr.c
index 6182e8ea0be7fe4bb4aa3fed045981025fcfd5d2..3c115fc197843287d9bf0dff379e6fbdc4f37c02 100644 (file)
--- a/net/netfilter/ipvs/ip_vs_wrr.c
+++ b/net/netfilter/ipvs/ip_vs_wrr.c
@@ -24,6 +24,7 @@
 #include <linux/module.h>
 #include <linux/kernel.h>
 #include <linux/net.h>
+#include <linux/gcd.h>
 
 #include <net/ip_vs.h>
 
@@ -38,20 +39,6 @@ struct ip_vs_wrr_mark {
 };
 
 
-/*
- *    Get the gcd of server weights
- */
-static int gcd(int a, int b)
-{
-       int c;
-
-       while ((c = a % b)) {
-               a = b;
-               b = c;
-       }
-       return b;
-}
-
 static int ip_vs_wrr_gcd_weight(struct ip_vs_service *svc)
 {
        struct ip_vs_dest *dest;

diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 38ea7ef3ccd22fd5f100f8346c1ed94a082c67e4..f0732aa18e4fdd7e68fe7f791e12f9790a8fc7bd 100644 (file)
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -323,24 +323,24 @@ static void update_nl_seq(struct nf_conn *ct, u32 nl_seq,
                          struct nf_ct_ftp_master *info, int dir,
                          struct sk_buff *skb)
 {
-       unsigned int i, oldest = NUM_SEQ_TO_REMEMBER;
+       unsigned int i, oldest;
 
        /* Look for oldest: if we find exact match, we're done. */
        for (i = 0; i < info->seq_aft_nl_num[dir]; i++) {
                if (info->seq_aft_nl[dir][i] == nl_seq)
                        return;
-
-               if (oldest == info->seq_aft_nl_num[dir] ||
-                   before(info->seq_aft_nl[dir][i],
-                          info->seq_aft_nl[dir][oldest]))
-                       oldest = i;
        }
 
        if (info->seq_aft_nl_num[dir] < NUM_SEQ_TO_REMEMBER) {
                info->seq_aft_nl[dir][info->seq_aft_nl_num[dir]++] = nl_seq;
-       } else if (oldest != NUM_SEQ_TO_REMEMBER &&
-                  after(nl_seq, info->seq_aft_nl[dir][oldest])) {
-               info->seq_aft_nl[dir][oldest] = nl_seq;
+       } else {
+               if (before(info->seq_aft_nl[dir][0], info->seq_aft_nl[dir][1]))
+                       oldest = 0;
+               else
+                       oldest = 1;
+
+               if (after(nl_seq, info->seq_aft_nl[dir][oldest]))
+                       info->seq_aft_nl[dir][oldest] = nl_seq;
        }
 }