[kernel] r7171 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: patches patches/series

Dann Frazier dannf at costa.debian.org
Thu Aug 17 01:15:42 UTC 2006


Author: dannf
Date: Thu Aug 17 01:15:39 2006
New Revision: 7171

Added:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/223_nfs-handle-long-symlinks.diff
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge4
Modified:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog

Log:
* 223_nfs-handle-long-symlinks.diff
  [SECURITY] Fix buffer overflow in NFS readlink handling that allows a
  remote server to cause a denial of service (crash) via a long symlink

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	Thu Aug 17 01:15:39 2006
@@ -1,3 +1,11 @@
+kernel-source-2.4.27 (2.4.27-10sarge4) UNRELEASED; urgency=high
+
+  * 223_nfs-handle-long-symlinks.diff
+    [SECURITY] Fix buffer overflow in NFS readline handling that allows a
+    remote server to cause a denial of service (crash) via a long symlink
+
+ -- dann frazier <dannf at debian.org>  Wed, 16 Aug 2006 19:13:03 -0600
+
 kernel-source-2.4.27 (2.4.27-10sarge3) stable-security; urgency=high
 
   * 207_smbfs-chroot-escape.diff

Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/223_nfs-handle-long-symlinks.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/223_nfs-handle-long-symlinks.diff	Thu Aug 17 01:15:39 2006
@@ -0,0 +1,46 @@
+From: Assar <assar at permabit.com>
+Date: Wed, 14 Sep 2005 20:59:25 +0000 (-0400)
+Subject: [PATCH] nfs client: handle long symlinks properly
+X-Git-Tag: v2.4.32-rc1
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commitdiff;h=87e03738fc15dc3ea4acde3a5dcb5f84b6b6152b
+
+[PATCH] nfs client: handle long symlinks properly
+
+In 2.4.31, the v2/3 nfs readlink accepts too long symlinks.
+I have tested this by having a server return long symlinks.
+
+diff -u linux-2.4.31.orig/fs/nfs/nfs2xdr.c linux-2.4.31/fs/nfs/nfs2xdr.c
+---
+
+--- a/fs/nfs/nfs2xdr.c
++++ b/fs/nfs/nfs2xdr.c
+@@ -571,8 +571,11 @@ nfs_xdr_readlinkres(struct rpc_rqst *req
+ 	strlen = (u32*)kmap(rcvbuf->pages[0]);
+ 	/* Convert length of symlink */
+ 	len = ntohl(*strlen);
+-	if (len > rcvbuf->page_len)
+-		len = rcvbuf->page_len;
++	if (len >= rcvbuf->page_len - sizeof(u32) || len > NFS2_MAXPATHLEN) {
++		printk(KERN_WARNING "NFS: server returned giant symlink!\n");
++		kunmap(rcvbuf->pages[0]);
++		return -ENAMETOOLONG;
++        }
+ 	*strlen = len;
+ 	/* NULL terminate the string we got */
+ 	string = (char *)(strlen + 1);
+--- a/fs/nfs/nfs3xdr.c
++++ b/fs/nfs/nfs3xdr.c
+@@ -759,8 +759,11 @@ nfs3_xdr_readlinkres(struct rpc_rqst *re
+ 	strlen = (u32*)kmap(rcvbuf->pages[0]);
+ 	/* Convert length of symlink */
+ 	len = ntohl(*strlen);
+-	if (len > rcvbuf->page_len)
+-		len = rcvbuf->page_len;
++	if (len >= rcvbuf->page_len - sizeof(u32)) {
++		printk(KERN_WARNING "NFS: server returned giant symlink!\n");
++		kunmap(rcvbuf->pages[0]);
++		return -ENAMETOOLONG;
++        }
+ 	*strlen = len;
+ 	/* NULL terminate the string we got */
+ 	string = (char *)(strlen + 1);
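Review bot: In both nfs_xdr_readlinkres and nfs3_xdr_readlinkres the new bound `len >= rcvbuf->page_len - sizeof(u32)` is computed in unsigned arithmetic, so if `page_len` were ever smaller than `sizeof(u32)` the subtraction would wrap to a very large value and the check would accept any server-supplied length. `page_len` appears to be set by the client elsewhere rather than by the server, so this is hardening, but the guard is cheap: `if (rcvbuf->page_len <= sizeof(u32) || len >= rcvbuf->page_len - sizeof(u32)) {`, keeping the `|| len > NFS2_MAXPATHLEN` term in the v2 function. nfs3_xdr_readlinkres has no protocol-level cap corresponding to the `NFS2_MAXPATHLEN` test, so its only limit is the page-derived one. The `printk(KERN_WARNING ...)` fires on data chosen by the remote server and is not rate-limited, so a misbehaving server can fill the kernel log. Both functions start and end outside the quoted context, so whether the received byte count is compared with `len` cannot be checked from here.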

Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge4
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge4	Thu Aug 17 01:15:39 2006
@@ -0,0 +1 @@
++ 223_nfs-handle-long-symlinks.diff


