[kernel] r7171 - in
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian:
patches patches/series
Dann Frazier
dannf at costa.debian.org
Thu Aug 17 01:15:42 UTC 2006
Author: dannf
Date: Thu Aug 17 01:15:39 2006
New Revision: 7171
Added:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/223_nfs-handle-long-symlinks.diff
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge4
Modified:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
Log:
* 223_nfs-handle-long-symlinks.diff
[SECURITY] Fix buffer overflow in NFS readline handling that allows a
remote server to cause a denial of service (crash) via a long symlink
Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Thu Aug 17 01:15:39 2006
@@ -1,3 +1,11 @@
+kernel-source-2.4.27 (2.4.27-10sarge4) UNRELEASED; urgency=high
+
+ * 223_nfs-handle-long-symlinks.diff
+ [SECURITY] Fix buffer overflow in NFS readline handling that allows a
+ remote server to cause a denial of service (crash) via a long symlink
+
+ -- dann frazier <dannf at debian.org> Wed, 16 Aug 2006 19:13:03 -0600
+
kernel-source-2.4.27 (2.4.27-10sarge3) stable-security; urgency=high
* 207_smbfs-chroot-escape.diff
Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/223_nfs-handle-long-symlinks.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/223_nfs-handle-long-symlinks.diff Thu Aug 17 01:15:39 2006
@@ -0,0 +1,46 @@
+From: Assar <assar at permabit.com>
+Date: Wed, 14 Sep 2005 20:59:25 +0000 (-0400)
+Subject: [PATCH] nfs client: handle long symlinks properly
+X-Git-Tag: v2.4.32-rc1
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commitdiff;h=87e03738fc15dc3ea4acde3a5dcb5f84b6b6152b
+
+[PATCH] nfs client: handle long symlinks properly
+
+In 2.4.31, the v2/3 nfs readlink accepts too long symlinks.
+I have tested this by having a server return long symlinks.
+
+diff -u linux-2.4.31.orig/fs/nfs/nfs2xdr.c linux-2.4.31/fs/nfs/nfs2xdr.c
+---
+
+--- a/fs/nfs/nfs2xdr.c
++++ b/fs/nfs/nfs2xdr.c
+@@ -571,8 +571,11 @@ nfs_xdr_readlinkres(struct rpc_rqst *req
+ strlen = (u32*)kmap(rcvbuf->pages[0]);
+ /* Convert length of symlink */
+ len = ntohl(*strlen);
+- if (len > rcvbuf->page_len)
+- len = rcvbuf->page_len;
++ if (len >= rcvbuf->page_len - sizeof(u32) || len > NFS2_MAXPATHLEN) {
++ printk(KERN_WARNING "NFS: server returned giant symlink!\n");
++ kunmap(rcvbuf->pages[0]);
++ return -ENAMETOOLONG;
++ }
+ *strlen = len;
+ /* NULL terminate the string we got */
+ string = (char *)(strlen + 1);
+--- a/fs/nfs/nfs3xdr.c
++++ b/fs/nfs/nfs3xdr.c
+@@ -759,8 +759,11 @@ nfs3_xdr_readlinkres(struct rpc_rqst *re
+ strlen = (u32*)kmap(rcvbuf->pages[0]);
+ /* Convert length of symlink */
+ len = ntohl(*strlen);
+- if (len > rcvbuf->page_len)
+- len = rcvbuf->page_len;
++ if (len >= rcvbuf->page_len - sizeof(u32)) {
++ printk(KERN_WARNING "NFS: server returned giant symlink!\n");
++ kunmap(rcvbuf->pages[0]);
++ return -ENAMETOOLONG;
++ }
+ *strlen = len;
+ /* NULL terminate the string we got */
+ string = (char *)(strlen + 1);
Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge4
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge4 Thu Aug 17 01:15:39 2006
@@ -0,0 +1 @@
++ 223_nfs-handle-long-symlinks.diff
More information about the Kernel-svn-changes
mailing list