author | Greg Kroah-Hartman <gregkh@suse.de> | 2011-05-11 15:47:57 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-05-11 15:47:57 -0700 |
commit | daf6f6d63e7912ee81ce8d889752f92fa36889d8 (patch) | |
tree | 95841b91cb56ae93c7fd014a9e0166fcc23bddfe | |
parent | e142b6173629eb878e840184026fa4f86845fab5 (diff) | |
download | longterm-queue-2.6.33-daf6f6d63e7912ee81ce8d889752f92fa36889d8.tar.gz |
.33 patches
-rw-r--r-- | queue-2.6.33/cifs-fix-memory-over-bound-bug-in-cifs_parse_mount_options.patch | 50 | ||||
-rw-r--r-- | queue-2.6.33/dccp-handle-invalid-feature-options-length.patch | 35 | ||||
-rw-r--r-- | queue-2.6.33/series | 2 |
3 files changed, 87 insertions, 0 deletions
diff --git a/queue-2.6.33/cifs-fix-memory-over-bound-bug-in-cifs_parse_mount_options.patch b/queue-2.6.33/cifs-fix-memory-over-bound-bug-in-cifs_parse_mount_options.patch
new file mode 100644
index 0000000..2828a89
--- /dev/null
+++ b/queue-2.6.33/cifs-fix-memory-over-bound-bug-in-cifs_parse_mount_options.patch
@@ -0,0 +1,50 @@
+From 4906e50b37e6f6c264e7ee4237343eb2b7f8d16d Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky <piastry@etersoft.ru>
+Date: Thu, 14 Apr 2011 22:00:56 +0400
+Subject: CIFS: Fix memory over bound bug in cifs_parse_mount_options
+
+From: Pavel Shilovsky <piastry@etersoft.ru>
+
+commit 4906e50b37e6f6c264e7ee4237343eb2b7f8d16d upstream.
+
+While password processing we can get out of options array bound if
+the next character after array is delimiter. The patch adds a check
+if we reach the end.
+
+Signed-off-by: Pavel Shilovsky <piastry@etersoft.ru>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/cifs/connect.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -799,8 +799,7 @@ static int
+ cifs_parse_mount_options(char *options, const char *devname,
+ struct smb_vol *vol)
+ {
+- char *value;
+- char *data;
++ char *value, *data, *end;
+ unsigned int temp_len, i, j;
+ char separator[2];
+ short int override_uid = -1;
+@@ -843,6 +842,7 @@ cifs_parse_mount_options(char *options,
+ if (!options)
+ return 1;
+
++ end = options + strlen(options);
+ if (strncmp(options, "sep=", 4) == 0) {
+ if (options[4] != 0) {
+ separator[0] = options[4];
+@@ -907,6 +907,7 @@ cifs_parse_mount_options(char *options,
+ the only illegal character in a password is null */
+
+ if ((value[temp_len] == 0) &&
++ (value + temp_len < end) &&
+ (value[temp_len+1] == separator[0])) {
+ /* reinsert comma */
+ value[temp_len] = separator[0];
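Review bot: The new `end` pointer in the `@@ -843` hunk is assigned once from the original string and then relied on some sixty lines later in the password branch, with no comment saying what it denotes or why it stays valid while the parser writes back into the same buffer in place (the `/* reinsert comma */` store below). I would annotate the assignment, e.g. `end = options + strlen(options);	/* terminating NUL of the original buffer; in-place edits below never move it */`, so the `value + temp_len < end` test in the `@@ -907` hunk reads as a bounds check rather than an opaque pointer comparison. The check itself is sound: given `value[temp_len] == 0` and `value + temp_len < end`, index `temp_len + 1` is at most `end` and still inside the buffer. The `sep=` handling that presumably advances `options` is outside the hunk, as is the rest of cifs_parse_mount_options, which begins in the first hunk and continues past the last.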
diff --git a/queue-2.6.33/dccp-handle-invalid-feature-options-length.patch b/queue-2.6.33/dccp-handle-invalid-feature-options-length.patch
new file mode 100644
index 0000000..68b4889
--- /dev/null
+++ b/queue-2.6.33/dccp-handle-invalid-feature-options-length.patch
@@ -0,0 +1,35 @@
+From a294865978b701e4d0d90135672749531b9a900d Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Fri, 6 May 2011 03:27:18 +0000
+Subject: dccp: handle invalid feature options length
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit a294865978b701e4d0d90135672749531b9a900d upstream.
+
+A length of zero (after subtracting two for the type and len fields) for
+the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to
+the subtraction. The subsequent code may read past the end of the
+options value buffer when parsing. I'm unsure of what the consequences
+of this might be, but it's probably not good.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Acked-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/dccp/options.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/dccp/options.c
++++ b/net/dccp/options.c
+@@ -131,6 +131,8 @@ int dccp_parse_options(struct sock *sk,
+ case DCCPO_CHANGE_L ... DCCPO_CONFIRM_R:
+ if (pkt_type == DCCP_PKT_DATA) /* RFC 4340, 6 */
+ break;
++ if (len == 0)
++ goto out_invalid_option;
+ rc = dccp_feat_parse_options(sk, dreq, mandatory, opt,
+ *value, value + 1, len - 1);
+ if (rc)
diff --git a/queue-2.6.33/series b/queue-2.6.33/series
index bf74611..b00d1a7 100644
--- a/queue-2.6.33/series
+++ b/queue-2.6.33/series
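Review bot: The added `if (len == 0) goto out_invalid_option;` protects the `len - 1` handed to dccp_feat_parse_options two lines below, but nothing at the site says why zero is the boundary, so a later reader could reasonably move or relax it. I would comment it in the style of the `/* RFC 4340, 6 */` remark on the line above, e.g. `if (len == 0)	/* Change/Confirm carry a feature-number byte; an empty value is malformed */`. If `len` is an unsigned type, as the commit message's underflow description implies, the comment should also say that `len - 1` is only meaningful after this check, since a narrowing conversion of -1 at the callee would become a large value length and drive the over-read the commit is fixing. The switch and dccp_parse_options continue outside the hunk, and whether out_invalid_option resets the connection or just drops the option is not visible here.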
@@ -2,3 +2,5 @@ cifs-check-for-bytes_remaining-going-to-zero-in-cifs_sesssetup.patch
 validate-size-of-efi-guid-partition-entries.patch
 x86-hw_breakpoints-fix-racy-access-to-ptrace-breakpoints.patch
 ptrace-prepare-to-fix-racy-accesses-on-task-breakpoints.patch
+dccp-handle-invalid-feature-options-length.patch
+cifs-fix-memory-over-bound-bug-in-cifs_parse_mount_options.patch |