dccp: Fill in the Data fields for "Option Error" Resets

[safe/jmp/linux-2.6] / net / dccp / proto.c

diff --git a/net/dccp/proto.c b/net/dccp/proto.c
index a4c1b36..1ca3b26 100644 (file)
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -27,7 +27,6 @@
 #include <net/xfrm.h>
 
 #include <asm/ioctls.h>
-#include <asm/semaphore.h>
 #include <linux/spinlock.h>
 #include <linux/timer.h>
 #include <linux/delay.h>
@@ -238,7 +237,7 @@ int dccp_init_sock(struct sock *sk, const __u8 ctl_sock_initialized)
 
 EXPORT_SYMBOL_GPL(dccp_init_sock);
 
-int dccp_destroy_sock(struct sock *sk)
+void dccp_destroy_sock(struct sock *sk)
 {
        struct dccp_sock *dp = dccp_sk(sk);
        struct dccp_minisock *dmsk = dccp_msk(sk);
@@ -269,8 +268,6 @@ int dccp_destroy_sock(struct sock *sk)
 
        /* clean up feature negotiation state */
        dccp_feat_clean(dmsk);
-
-       return 0;
 }
 
 EXPORT_SYMBOL_GPL(dccp_destroy_sock);
@@ -330,7 +327,7 @@ int dccp_disconnect(struct sock *sk, int flags)
        inet_csk_delack_init(sk);
        __sk_dst_reset(sk);
 
-       BUG_TRAP(!inet->num || icsk->icsk_bind_hash);
+       WARN_ON(inet->num && !icsk->icsk_bind_hash);
 
        sk->sk_error_report(sk);
        return err;
@@ -477,6 +474,11 @@ static int dccp_setsockopt_change(struct sock *sk, int type,
 
        if (copy_from_user(&opt, optval, sizeof(opt)))
                return -EFAULT;
+       /*
+        * rfc4340: 6.1. Change Options
+        */
+       if (opt.dccpsf_len < 1)
+               return -EINVAL;
 
        val = kmalloc(opt.dccpsf_len, GFP_KERNEL);
        if (!val)
@@ -984,7 +986,7 @@ adjudge_to_death:
         */
        local_bh_disable();
        bh_lock_sock(sk);
-       BUG_TRAP(!sock_owned_by_user(sk));
+       WARN_ON(sock_owned_by_user(sk));
 
        /* Have we already been destroyed by a softirq or backlog? */
        if (state != DCCP_CLOSED && sk->sk_state == DCCP_CLOSED)