[kernel] r4831 - in dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series

Wed Nov 16 06:45:31 UTC 2005

Author: horms
Date: Wed Nov 16 06:45:29 2005
New Revision: 4831

Added:
   dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/196_net-bridge-if_del-panic.diff
   dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/197_net-plip-invalid-ioctl.diff
Modified:
   dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-12
Log:
* 196_net-bridge-if_del-panic.diff
   Fix panic when non-existant bridge is deleted
   (closes: #255406)
 
*  197_net-plip-invalid-ioctl.diff
   Detect invalid ioctls in plip driver
   (closes: #252187)



Modified: dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================

--- dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	(original)
+++ dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	Wed Nov 16 06:45:29 2005
@@ -83,7 +83,15 @@
   * 195_net-ipv6-udp_v6_get_port-loop.diff
      [SECURITY] Fix infinite loop in udp_v6_get_port().  See CVE-2005-2973
 
- -- Simon Horman <horms at debian.org>  Mon, 31 Oct 2005 18:43:51 +0900
+  * 196_net-bridge-if_del-panic.diff
+     Fix panic when non-existant bridge is deleted
+     (closes: #255406)
+
+  *  197_net-plip-invalid-ioctl.diff
+     Detect invalid ioctls in plip driver
+     (closes: #252187)
+
+ -- Simon Horman <horms at debian.org>  Wed, 16 Nov 2005 14:56:28 +0900
 
 kernel-source-2.4.27 (2.4.27-11) unstable; urgency=low
 

Added: dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/196_net-bridge-if_del-panic.diff
==============================================================================
--- (empty file)
+++ dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/196_net-bridge-if_del-panic.diff	Wed Nov 16 06:45:29 2005
@@ -0,0 +1,43 @@
+# Date: Sun, 20 Jun 2004 19:56:26 +0200
+# From: Erich Schubert <erich at debian.org>
+# Changes: Rebackported from 2.6.14, Horms <horms at debian.org>
+# Reported: http://bugs.debian.org/255406
+# Security: No
+# Upstream: Forwarded to upstream
+
+Package: kernel-source-2.4.26
+Severity: normal
+
+Some time ago i found a kernel crash in 2.4.x and reported it to LKML.
+Unfortunately i never recieved a reply, and i didn't see it in recent
+pre-releases of the 2.4.x kernel.
+
+To verify your system is vulnerable (need bridge support):
+$ brctl addbr br0
+$ brctl addbr br1
+$ brctl addif br0 eth0
+$ brctl delif br1 eth0
+(note br1 in last line, not br0! Deleting from the wrong bridge triggers
+the kernel crash.)
+
+This is a 1:1 backport (100% copy&paste) from 2.6.5 of the fix.
+Verify yourself, grab the file from 2.6.5, go to the function, copy the
+code, paste it and the issue is done. Returns "einval" on invalid
+requests instead of causing an inconsistency and a panic.
+
+(fixed sometime in 2.5.x it seems; it might be worth looking at when
+this was fixed - it might contain other fixes, too.)
+
+--- a/net/bridge/br_if.c	2005-11-16 14:46:05.000000000 +0900
++++ b/net/bridge/br_if.c	2005-11-16 14:46:09.000000000 +0900
+@@ -246,6 +246,10 @@
+ int br_del_if(struct net_bridge *br, struct net_device *dev)
+ {
+ 	int retval;
++	struct net_bridge_port *p = dev->br_port;
++
++	if (!p || p->br != br)
++		return -EINVAL;
+ 
+ 	br_write_lock_bh(BR_NETPROTO_LOCK);
+ 	write_lock(&br->lock);

Added: dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/197_net-plip-invalid-ioctl.diff
==============================================================================
--- (empty file)
+++ dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/197_net-plip-invalid-ioctl.diff	Wed Nov 16 06:45:29 2005
@@ -0,0 +1,20 @@
+# Date: Wed, 2 Jun 2004 09:29:20 +1000
+# From: Herbert Xu <herbert at gondor.apana.org.au>
+# Changes: 
+# Reported: http://bugs.debian.org/252187
+# Security: No
+# Upstream: Fixed
+
+===== drivers/net/plip.c 1.20 vs edited =====
+--- 1.20/drivers/net/plip.c	2004-03-04 05:52:24 +11:00
++++ edited/drivers/net/plip.c	2004-06-02 09:21:05 +10:00
+@@ -1219,6 +1219,9 @@
+ 	struct net_local *nl = netdev_priv(dev);
+ 	struct plipconf *pc = (struct plipconf *) &rq->ifr_data;
+ 
++	if (cmd != SIOCDEVPLIP)
++		return -EOPNOTSUPP;
++
+ 	switch(pc->pcmd) {
+ 	case PLIP_GET_TIMEOUT:
+ 		pc->trigger = nl->trigger;

Modified: dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-12
==============================================================================
--- dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-12	(original)
+++ dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-12	Wed Nov 16 06:45:29 2005
@@ -11,3 +11,5 @@
 + 192_orinoco-info-leak.diff
 + 194_xfs-inode-race.diff
 + 195_net-ipv6-udp_v6_get_port-loop.diff
++ 196_net-bridge-if_del-panic.diff
++ 197_net-plip-invalid-ioctl.diff

