r2214 - in trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches: . series

Christoph Hellwig hch-guest@costa.debian.org
Sun, 09 Jan 2005 12:10:51 +0100


Author: hch-guest
Date: 2005-01-09 12:10:51 +0100 (Sun, 09 Jan 2005)
New Revision: 2214

Added:
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/smbfs-overflow-fixes-2.dpatch
Modified:
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-13
Log:

  * Replace smbfs-overflow-fixes.patch with a newer version from 2.6.10-ac
    that actually works.  Thanks to Søren Hansen <sh@warma.dk> for finding
    and submitting it. (Christoph Hellwig) (closes: #283241).



Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-13
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-13	2005-01-09 10:32:04 UTC (rev 2213)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-13	2005-01-09 11:10:51 UTC (rev 2214)
@@ -1 +1,3 @@
 + scsi-blacklist-2.dpatch
+- smbfs-overflow-fixes.dpatch
++ smbfs-overflow-fixes-2.dpatch

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/smbfs-overflow-fixes-2.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/smbfs-overflow-fixes-2.dpatch	2005-01-09 10:32:04 UTC (rev 2213)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/smbfs-overflow-fixes-2.dpatch	2005-01-09 11:10:51 UTC (rev 2214)
@@ -0,0 +1,133 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: SMBfs overflow fixes
+## DP: Patch author: unknown, stolen from -ac tree (probably Stefan Esser,  Juan Quintela, and Urban Widmark)
+## DP: Upstream status: unknown
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla-2.6.10/fs/smbfs/proc.c linux-2.6.10/fs/smbfs/proc.c
+--- linux.vanilla-2.6.10/fs/smbfs/proc.c	2004-12-25 21:15:41.000000000 +0000
++++ linux-2.6.10/fs/smbfs/proc.c	2004-12-26 23:03:13.000000000 +0000
+@@ -1427,9 +1427,9 @@
+ 	 * So we must first calculate the amount of padding used by the server.
+ 	 */
+ 	data_off -= hdrlen;
+-	if (data_off > SMB_READX_MAX_PAD) {
+-		PARANOIA("offset is larger than max pad!\n");
+-		PARANOIA("%d > %d\n", data_off, SMB_READX_MAX_PAD);
++	if (data_off > SMB_READX_MAX_PAD || data_off < 0) {
++		PARANOIA("offset is larger than SMB_READX_MAX_PAD or negative!\n");
++		PARANOIA("%d > %d || %d < 0\n", data_off, SMB_READX_MAX_PAD, data_off);
+ 		req->rq_rlen = req->rq_bufsize + 1;
+ 		return;
+ 	}
+diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla-2.6.10/fs/smbfs/request.c linux-2.6.10/fs/smbfs/request.c
+--- linux.vanilla-2.6.10/fs/smbfs/request.c	2004-12-25 21:15:41.000000000 +0000
++++ linux-2.6.10/fs/smbfs/request.c	2004-12-26 23:06:24.000000000 +0000
+@@ -588,8 +588,18 @@
+ 	data_count  = WVAL(inbuf, smb_drcnt);
+ 
+ 	/* Modify offset for the split header/buffer we use */
+-	data_offset -= hdrlen;
+-	parm_offset -= hdrlen;
++	if (data_count || data_offset) {
++		if (unlikely(data_offset < hdrlen))
++			goto out_bad_data;
++		else
++			data_offset -= hdrlen;
++	}
++	if (parm_count || parm_offset) {
++		if (unlikely(parm_offset < hdrlen))
++			goto out_bad_parm;
++		else
++			parm_offset -= hdrlen;
++	}
+ 
+ 	if (parm_count == parm_tot && data_count == data_tot) {
+ 		/*
+@@ -600,18 +610,22 @@
+ 		 * response that fits.
+ 		 */
+ 		VERBOSE("single trans2 response  "
+-			"dcnt=%d, pcnt=%d, doff=%d, poff=%d\n",
++			"dcnt=%u, pcnt=%u, doff=%u, poff=%u\n",
+ 			data_count, parm_count,
+ 			data_offset, parm_offset);
+ 		req->rq_ldata = data_count;
+ 		req->rq_lparm = parm_count;
+ 		req->rq_data = req->rq_buffer + data_offset;
+ 		req->rq_parm = req->rq_buffer + parm_offset;
++		if (unlikely(parm_offset + parm_count > req->rq_rlen))
++			goto out_bad_parm;
++		if (unlikely(data_offset + data_count > req->rq_rlen))
++			goto out_bad_data;
+ 		return 0;
+ 	}
+ 
+ 	VERBOSE("multi trans2 response  "
+-		"frag=%d, dcnt=%d, pcnt=%d, doff=%d, poff=%d\n",
++		"frag=%d, dcnt=%u, pcnt=%u, doff=%u, poff=%u\n",
+ 		req->rq_fragment,
+ 		data_count, parm_count,
+ 		data_offset, parm_offset);
+@@ -638,13 +652,15 @@
+ 
+ 		req->rq_parm = req->rq_trans2buffer;
+ 		req->rq_data = req->rq_trans2buffer + parm_tot;
+-	} else if (req->rq_total_data < data_tot ||
+-		   req->rq_total_parm < parm_tot)
++	} else if (unlikely(req->rq_total_data < data_tot ||
++			    req->rq_total_parm < parm_tot))
+ 		goto out_data_grew;
+ 
+-	if (parm_disp + parm_count > req->rq_total_parm)
++	if (unlikely(parm_disp + parm_count > req->rq_total_parm ||
++		     parm_offset + parm_count > req->rq_rlen))
+ 		goto out_bad_parm;
+-	if (data_disp + data_count > req->rq_total_data)
++	if (unlikely(data_disp + data_count > req->rq_total_data ||
++		     data_offset + data_count > req->rq_rlen))
+ 		goto out_bad_data;
+ 
+ 	inbuf = req->rq_buffer;
+@@ -666,10 +682,9 @@
+ 	return 1;
+ 
+ out_too_long:
+-	printk(KERN_ERR "smb_trans2: data/param too long, data=%d, parm=%d\n",
++	printk(KERN_ERR "smb_trans2: data/param too long, data=%u, parm=%u\n",
+ 		data_tot, parm_tot);
+-	req->rq_errno = -EIO;
+-	goto out;
++	goto out_EIO;
+ out_no_mem:
+ 	printk(KERN_ERR "smb_trans2: couldn't allocate data area of %d bytes\n",
+ 	       req->rq_trans2bufsize);
+@@ -677,16 +692,15 @@
+ 	goto out;
+ out_data_grew:
+ 	printk(KERN_ERR "smb_trans2: data/params grew!\n");
+-	req->rq_errno = -EIO;
+-	goto out;
++	goto out_EIO;
+ out_bad_parm:
+-	printk(KERN_ERR "smb_trans2: invalid parms, disp=%d, cnt=%d, tot=%d\n",
+-	       parm_disp, parm_count, parm_tot);
+-	req->rq_errno = -EIO;
+-	goto out;
++	printk(KERN_ERR "smb_trans2: invalid parms, disp=%u, cnt=%u, tot=%u, ofs=%u\n",
++	       parm_disp, parm_count, parm_tot, parm_offset);
++	goto out_EIO;
+ out_bad_data:
+-	printk(KERN_ERR "smb_trans2: invalid data, disp=%d, cnt=%d, tot=%d\n",
+-	       data_disp, data_count, data_tot);
++	printk(KERN_ERR "smb_trans2: invalid data, disp=%u, cnt=%u, tot=%u, ofs=%u\n",
++	       data_disp, data_count, data_tot, data_offset);
++out_EIO:
+ 	req->rq_errno = -EIO;
+ out:
+ 	return req->rq_errno;
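Review bot: In the single trans2 response branch of the request.c hunk, `req->rq_data` and `req->rq_parm` are set from `data_offset`/`parm_offset` before the new `> req->rq_rlen` bounds checks run, so a malformed reply that takes `goto out_bad_parm` or `goto out_bad_data` leaves the request holding pointers past `rq_buffer`; moving the two `if (unlikely(... > req->rq_rlen))` checks above the two assignments keeps the error path from publishing an out-of-range pointer at all. Whether `rq_rlen` counts bytes from `rq_buffer` (i.e. is already net of `hdrlen`, as the adjusted offsets are) is not visible in this hunk and should be confirmed against the field's definition before relying on these comparisons. The `else` after each `goto out_bad_*` is redundant and can be dropped, leaving `data_offset -= hdrlen;` unconditional after the guard. The enclosing function (the printk text suggests `smb_trans2`) begins before this hunk, and the dpatch header still carries the template placeholders `<PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>`, which should name the file and its author.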