r1911 - trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches

Andres Salomon dilinger-guest@haydn.debian.org
Wed, 24 Nov 2004 23:30:40 -0700


Author: dilinger-guest
Date: 2004-11-24 23:30:29 -0700 (Wed, 24 Nov 2004)
New Revision: 1911

Added:
   trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/smbfs-overflow-fixes.dpatch
Log:
urg, forgot to add smbfs-overflow-fixes.dpatch


Added: trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/smbfs-overflow-fixes.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/smbfs-overflow-fixes.dpatch	2004-11-25 06:16:40 UTC (rev 1910)
+++ trunk/kernel/source/kernel-source-2.6.9-2.6.9/debian/patches/smbfs-overflow-fixes.dpatch	2004-11-25 06:30:29 UTC (rev 1911)
@@ -0,0 +1,104 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: SMBfs overflow fixes
+## DP: Patch author: unknown, stolen from -ac tree (probably Stefan Esser,  Juan Quintela, and Urban Widmark)
+## DP: Upstream status: unknown
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla-2.6.9/fs/smbfs/proc.c linux-2.6.9/fs/smbfs/proc.c
+--- linux.vanilla-2.6.9/fs/smbfs/proc.c	2004-10-20 23:17:20.000000000 +0100
++++ linux-2.6.9/fs/smbfs/proc.c	2004-11-17 19:41:41.000000000 +0000
+@@ -1427,9 +1427,9 @@
+ 	 * So we must first calculate the amount of padding used by the server.
+ 	 */
+ 	data_off -= hdrlen;
+-	if (data_off > SMB_READX_MAX_PAD) {
+-		PARANOIA("offset is larger than max pad!\n");
+-		PARANOIA("%d > %d\n", data_off, SMB_READX_MAX_PAD);
++	if (data_off > SMB_READX_MAX_PAD || data_off < 0) {
++		PARANOIA("offset is larger than SMB_READX_MAX_PAD or negative!\n");
++		PARANOIA("%d > %d || %d < 0\n", data_off, SMB_READX_MAX_PAD, data_off);
+ 		req->rq_rlen = req->rq_bufsize + 1;
+ 		return;
+ 	}
+diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla-2.6.9/fs/smbfs/request.c linux-2.6.9/fs/smbfs/request.c
+--- linux.vanilla-2.6.9/fs/smbfs/request.c	2004-10-20 22:33:50.000000000 +0100
++++ linux-2.6.9/fs/smbfs/request.c	2004-11-17 19:41:41.000000000 +0000
+@@ -588,6 +588,10 @@
+ 	data_count  = WVAL(inbuf, smb_drcnt);
+ 
+ 	/* Modify offset for the split header/buffer we use */
++	if (data_offset < hdrlen)
++		goto out_bad_data;
++	if (parm_offset < hdrlen)
++		goto out_bad_parm;
+ 	data_offset -= hdrlen;
+ 	parm_offset -= hdrlen;
+ 
+@@ -607,6 +611,10 @@
+ 		req->rq_lparm = parm_count;
+ 		req->rq_data = req->rq_buffer + data_offset;
+ 		req->rq_parm = req->rq_buffer + parm_offset;
++		if (parm_offset + parm_count > req->rq_rlen)
++			goto out_bad_parm;
++		if (data_offset + data_count > req->rq_rlen)
++			goto out_bad_data;
+ 		return 0;
+ 	}
+ 
+@@ -634,6 +642,7 @@
+ 		req->rq_trans2buffer = smb_kmalloc(buf_len, GFP_NOFS);
+ 		if (!req->rq_trans2buffer)
+ 			goto out_no_mem;
++		memset(req->rq_trans2buffer, 0, buf_len);
+ 
+ 		req->rq_parm = req->rq_trans2buffer;
+ 		req->rq_data = req->rq_trans2buffer + parm_tot;
+@@ -643,8 +652,12 @@
+ 
+ 	if (parm_disp + parm_count > req->rq_total_parm)
+ 		goto out_bad_parm;
++	if (parm_offset + parm_count > req->rq_rlen)
++		goto out_bad_parm;
+ 	if (data_disp + data_count > req->rq_total_data)
+ 		goto out_bad_data;
++	if (data_offset + data_count > req->rq_rlen)
++		goto out_bad_data;
+ 
+ 	inbuf = req->rq_buffer;
+ 	memcpy(req->rq_parm + parm_disp, inbuf + parm_offset, parm_count);
+@@ -657,8 +670,11 @@
+ 	 * Check whether we've received all of the data. Note that
+ 	 * we use the packet totals -- total lengths might shrink!
+ 	 */
+-	if (req->rq_ldata >= data_tot && req->rq_lparm >= parm_tot)
++	if (req->rq_ldata >= data_tot && req->rq_lparm >= parm_tot) {
++		req->rq_ldata = data_tot;
++		req->rq_lparm = parm_tot;
+ 		return 0;
++	}
+ 	return 1;
+ 
+ out_too_long:
+@@ -676,13 +692,13 @@
+ 	req->rq_errno = -EIO;
+ 	goto out;
+ out_bad_parm:
+-	printk(KERN_ERR "smb_trans2: invalid parms, disp=%d, cnt=%d, tot=%d\n",
+-	       parm_disp, parm_count, parm_tot);
++	printk(KERN_ERR "smb_trans2: invalid parms, disp=%d, cnt=%d, tot=%d, ofs=%d\n",
++	       parm_disp, parm_count, parm_tot, parm_offset);
+ 	req->rq_errno = -EIO;
+ 	goto out;
+ out_bad_data:
+-	printk(KERN_ERR "smb_trans2: invalid data, disp=%d, cnt=%d, tot=%d\n",
+-	       data_disp, data_count, data_tot);
++	printk(KERN_ERR "smb_trans2: invalid data, disp=%d, cnt=%d, tot=%d, ofs=%d\n",
++	       data_disp, data_count, data_tot, data_offset);
+ 	req->rq_errno = -EIO;
+ out:
+ 	return req->rq_errno;
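Review bot: The new `if (data_offset < hdrlen) goto out_bad_data;` and `if (parm_offset < hdrlen) goto out_bad_parm;` guards in the first request.c hunk reject any response whose raw offset is below the header length even when the corresponding count is zero, so a reply carrying an empty data or parameter section with offset 0 — which the protocol appears to permit, though no trace is visible here to confirm it — now fails with -EIO instead of being accepted as before. Gating the subtraction on a non-empty section keeps the overflow protection for the cases that matter, because the added `offset + count > req->rq_rlen` checks further down still bound every non-empty copy and reduce to `offset > rq_rlen` when the count is zero. In proc.c the added `data_off < 0` test is only meaningful if `data_off` is a signed type; its declaration is outside the hunk, and if it is unsigned the subtraction wraps and the existing `> SMB_READX_MAX_PAD` comparison already rejects it, so the extra term would be harmless but dead. The enclosing functions begin and end outside the hunks, and the dpatch header at the top still carries the `<PATCHNAME>`/`<PATCH_AUTHOR@EMAI>` template placeholders.
```c
	/* Modify offset for the split header/buffer we use; an empty
	 * section may legitimately carry offset 0, so only validate and
	 * rebase offsets that are actually used. */
	if (data_count) {
		if (data_offset < hdrlen)
			goto out_bad_data;
		data_offset -= hdrlen;
	}
	if (parm_count) {
		if (parm_offset < hdrlen)
			goto out_bad_parm;
		parm_offset -= hdrlen;
	}
	/* … unchanged: single-response fast path and multi-packet reassembly … */
```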