r1911 - trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches
Andres Salomon
dilinger-guest@haydn.debian.org
Wed, 24 Nov 2004 23:30:40 -0700
Author: dilinger-guest
Date: 2004-11-24 23:30:29 -0700 (Wed, 24 Nov 2004)
New Revision: 1911
Added:
trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/smbfs-overflow-fixes.dpatch
Log:
urg, forgot to add smbfs-overflow-fixes.dpatch
Added: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/smbfs-overflow-fixes.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/smbfs-overflow-fixes.dpatch 2004-11-25 06:16:40 UTC (rev 1910)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/smbfs-overflow-fixes.dpatch 2004-11-25 06:30:29 UTC (rev 1911)
@@ -0,0 +1,104 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: SMBfs overflow fixes
+## DP: Patch author: unknown, stolen from -ac tree (probably Stefan Esser, Juan Quintela, and Urban Widmark)
+## DP: Upstream status: unknown
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla-2.6.9/fs/smbfs/proc.c linux-2.6.9/fs/smbfs/proc.c
+--- linux.vanilla-2.6.9/fs/smbfs/proc.c 2004-10-20 23:17:20.000000000 +0100
++++ linux-2.6.9/fs/smbfs/proc.c 2004-11-17 19:41:41.000000000 +0000
+@@ -1427,9 +1427,9 @@
+ * So we must first calculate the amount of padding used by the server.
+ */
+ data_off -= hdrlen;
+- if (data_off > SMB_READX_MAX_PAD) {
+- PARANOIA("offset is larger than max pad!\n");
+- PARANOIA("%d > %d\n", data_off, SMB_READX_MAX_PAD);
++ if (data_off > SMB_READX_MAX_PAD || data_off < 0) {
++ PARANOIA("offset is larger than SMB_READX_MAX_PAD or negative!\n");
++ PARANOIA("%d > %d || %d < 0\n", data_off, SMB_READX_MAX_PAD, data_off);
+ req->rq_rlen = req->rq_bufsize + 1;
+ return;
+ }
+diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla-2.6.9/fs/smbfs/request.c linux-2.6.9/fs/smbfs/request.c
+--- linux.vanilla-2.6.9/fs/smbfs/request.c 2004-10-20 22:33:50.000000000 +0100
++++ linux-2.6.9/fs/smbfs/request.c 2004-11-17 19:41:41.000000000 +0000
+@@ -588,6 +588,10 @@
+ data_count = WVAL(inbuf, smb_drcnt);
+
+ /* Modify offset for the split header/buffer we use */
++ if (data_offset < hdrlen)
++ goto out_bad_data;
++ if (parm_offset < hdrlen)
++ goto out_bad_parm;
+ data_offset -= hdrlen;
+ parm_offset -= hdrlen;
+
+@@ -607,6 +611,10 @@
+ req->rq_lparm = parm_count;
+ req->rq_data = req->rq_buffer + data_offset;
+ req->rq_parm = req->rq_buffer + parm_offset;
++ if (parm_offset + parm_count > req->rq_rlen)
++ goto out_bad_parm;
++ if (data_offset + data_count > req->rq_rlen)
++ goto out_bad_data;
+ return 0;
+ }
+
+@@ -634,6 +642,7 @@
+ req->rq_trans2buffer = smb_kmalloc(buf_len, GFP_NOFS);
+ if (!req->rq_trans2buffer)
+ goto out_no_mem;
++ memset(req->rq_trans2buffer, 0, buf_len);
+
+ req->rq_parm = req->rq_trans2buffer;
+ req->rq_data = req->rq_trans2buffer + parm_tot;
+@@ -643,8 +652,12 @@
+
+ if (parm_disp + parm_count > req->rq_total_parm)
+ goto out_bad_parm;
++ if (parm_offset + parm_count > req->rq_rlen)
++ goto out_bad_parm;
+ if (data_disp + data_count > req->rq_total_data)
+ goto out_bad_data;
++ if (data_offset + data_count > req->rq_rlen)
++ goto out_bad_data;
+
+ inbuf = req->rq_buffer;
+ memcpy(req->rq_parm + parm_disp, inbuf + parm_offset, parm_count);
+@@ -657,8 +670,11 @@
+ * Check whether we've received all of the data. Note that
+ * we use the packet totals -- total lengths might shrink!
+ */
+- if (req->rq_ldata >= data_tot && req->rq_lparm >= parm_tot)
++ if (req->rq_ldata >= data_tot && req->rq_lparm >= parm_tot) {
++ req->rq_ldata = data_tot;
++ req->rq_lparm = parm_tot;
+ return 0;
++ }
+ return 1;
+
+ out_too_long:
+@@ -676,13 +692,13 @@
+ req->rq_errno = -EIO;
+ goto out;
+ out_bad_parm:
+- printk(KERN_ERR "smb_trans2: invalid parms, disp=%d, cnt=%d, tot=%d\n",
+- parm_disp, parm_count, parm_tot);
++ printk(KERN_ERR "smb_trans2: invalid parms, disp=%d, cnt=%d, tot=%d, ofs=%d\n",
++ parm_disp, parm_count, parm_tot, parm_offset);
+ req->rq_errno = -EIO;
+ goto out;
+ out_bad_data:
+- printk(KERN_ERR "smb_trans2: invalid data, disp=%d, cnt=%d, tot=%d\n",
+- data_disp, data_count, data_tot);
++ printk(KERN_ERR "smb_trans2: invalid data, disp=%d, cnt=%d, tot=%d, ofs=%d\n",
++ data_disp, data_count, data_tot, data_offset);
+ req->rq_errno = -EIO;
+ out:
+ return req->rq_errno;