[PATCH] fs: fix nobh data leak

[mv-sheeva.git] / net / ipv4 / tcp_minisocks.c

diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index ac55d8892cf1c4c2c16bd9262c558018cb91d540..30b1e520ad943442fc76f13cc5d3b6d27aa5d657 100644 (file)
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -45,8 +45,7 @@ struct inet_timewait_death_row tcp_death_row = {
        .tw_timer       = TIMER_INITIALIZER(inet_twdr_hangman, 0,
                                            (unsigned long)&tcp_death_row),
        .twkill_work    = __WORK_INITIALIZER(tcp_death_row.twkill_work,
-                                            inet_twdr_twkill_work,
-                                            &tcp_death_row),
+                                            inet_twdr_twkill_work),
 /* Short-time timewait calendar */
 
        .twcal_hand     = -1,
@@ -65,7 +64,7 @@ static __inline__ int tcp_in_window(u32 seq, u32 end_seq, u32 s_win, u32 e_win)
        return (seq == e_win && seq == end_seq);
 }
 
-/* 
+/*
  * * Main purpose of TIME-WAIT state is to close connection gracefully,
  *   when one of ends sits in LAST-ACK or CLOSING retransmitting FIN
  *   (and, probably, tail of data) and one or more our ACKs are lost.
@@ -177,13 +176,13 @@ kill_with_rst:
         *      "When a connection is [...] on TIME-WAIT state [...]
         *      [a TCP] MAY accept a new SYN from the remote TCP to
         *      reopen the connection directly, if it:
-        *      
+        *
         *      (1)  assigns its initial sequence number for the new
         *      connection to be larger than the largest sequence
         *      number it used on the previous connection incarnation,
         *      and
         *
-        *      (2)  returns to TIME-WAIT state if the SYN turns out 
+        *      (2)  returns to TIME-WAIT state if the SYN turns out
         *      to be an old duplicate".
         */
 
@@ -267,9 +266,9 @@ kill:
        return TCP_TW_SUCCESS;
 }
 
-/* 
+/*
  * Move a socket to time-wait or dead fin-wait-2 state.
- */ 
+ */
 void tcp_time_wait(struct sock *sk, int state, int timeo)
 {
        struct inet_timewait_sock *tw = NULL;
@@ -351,8 +350,7 @@ void tcp_time_wait(struct sock *sk, int state, int timeo)
                 * socket up.  We've got bigger problems than
                 * non-graceful socket closings.
                 */
-               if (net_ratelimit())
-                       printk(KERN_INFO "TCP: time wait bucket table overflow\n");
+               LIMIT_NETDEBUG(KERN_INFO "TCP: time wait bucket table overflow\n");
        }
 
        tcp_update_metrics(sk);
@@ -361,8 +359,8 @@ void tcp_time_wait(struct sock *sk, int state, int timeo)
 
 void tcp_twsk_destructor(struct sock *sk)
 {
-       struct tcp_timewait_sock *twsk = tcp_twsk(sk);
 #ifdef CONFIG_TCP_MD5SIG
+       struct tcp_timewait_sock *twsk = tcp_twsk(sk);
        if (twsk->tw_md5_keylen)
                tcp_put_md5sig_pool();
 #endif
@@ -483,7 +481,7 @@ struct sock *tcp_create_openreq_child(struct sock *sk, struct request_sock *req,
        return newsk;
 }
 
-/* 
+/*
  *     Process an incoming packet for SYN_RECV sockets represented
  *     as a request_sock.
  */
@@ -493,7 +491,7 @@ struct sock *tcp_check_req(struct sock *sk,struct sk_buff *skb,
                           struct request_sock **prev)
 {
        struct tcphdr *th = skb->h.th;
-       u32 flg = tcp_flag_word(th) & (TCP_FLAG_RST|TCP_FLAG_SYN|TCP_FLAG_ACK);
+       __be32 flg = tcp_flag_word(th) & (TCP_FLAG_RST|TCP_FLAG_SYN|TCP_FLAG_ACK);
        int paws_reject = 0;
        struct tcp_options_received tmp_opt;
        struct sock *child;
@@ -667,11 +665,11 @@ struct sock *tcp_check_req(struct sock *sk,struct sk_buff *skb,
                                 * newsk structure. If we fail to get memory then we
                                 * end up not copying the key across. Shucks.
                                 */
-                               char *newkey = kmalloc(key->keylen, GFP_ATOMIC);
+                               char *newkey = kmemdup(key->key, key->keylen,
+                                                      GFP_ATOMIC);
                                if (newkey) {
                                        if (!tcp_alloc_md5sig_pool())
                                                BUG();
-                                       memcpy(newkey, key->key, key->keylen);
                                        tp->af_specific->md5_add(child, child,
                                                                 newkey,
                                                                 key->keylen);