[kernel] r13358 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Wed Apr 8 06:04:56 UTC 2009 

Author: dannf
Date: Wed Apr  8 06:04:54 2009
New Revision: 13358

Log:
af_rose/x25: Sanity check the maximum user frame size (CVE-2009-0795)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/15lenny1

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Tue Apr  7 12:27:39 2009	(r13357)
+++ dists/lenny-security/linux-2.6/debian/changelog	Wed Apr  8 06:04:54 2009	(r13358)
@@ -8,6 +8,7 @@
     This issue does not effect pre-build Debian kernels.
   * Fix an off-by-two memory error in console selection (CVE-2009-1046)
   * nfsd: drop CAP_MKNOD for non-root (CVE-2009-1072)
+  * af_rose/x25: Sanity check the maximum user frame size (CVE-2009-0795)
 
  -- dann frazier <dannf at debian.org>  Fri, 03 Apr 2009 19:12:51 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch	Wed Apr  8 06:04:54 2009	(r13358)
@@ -0,0 +1,61 @@
+commit 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9
+Author: Alan Cox <alan at lxorguk.ukuu.org.uk>
+Date:   Fri Mar 27 00:28:21 2009 -0700
+
+    af_rose/x25: Sanity check the maximum user frame size
+    
+    Otherwise we can wrap the sizes and end up sending garbage.
+    
+    Closes #10423
+    
+    Signed-off-by: Alan Cox <alan at lxorguk.ukuu.org.uk>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+--- a/net/netrom/af_netrom.c	2008-01-24 15:58:37.000000000 -0700
++++ b/net/netrom/af_netrom.c	2009-04-07 23:56:09.000000000 -0600
+@@ -1074,7 +1074,11 @@ static int nr_sendmsg(struct kiocb *iocb
+ 
+ 	SOCK_DEBUG(sk, "NET/ROM: sendto: Addresses built.\n");
+ 
+-	/* Build a packet */
++	/* Build a packet - the conventional user limit is 236 bytes. We can
++	   do ludicrously large NetROM frames but must not overflow */
++	if (len > 65536)
++		return -EMSGSIZE;
++
+ 	SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n");
+ 	size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN;
+ 
+diff -urpN a/net/rose/af_rose.c b/net/rose/af_rose.c
+--- a/net/rose/af_rose.c	2008-01-24 15:58:37.000000000 -0700
++++ b/net/rose/af_rose.c	2009-04-07 23:56:09.000000000 -0600
+@@ -1100,6 +1100,10 @@ static int rose_sendmsg(struct kiocb *io
+ 
+ 	/* Build a packet */
+ 	SOCK_DEBUG(sk, "ROSE: sendto: building packet.\n");
++	/* Sanity check the packet size */
++	if (len > 65535)
++		return -EMSGSIZE;
++
+ 	size = len + AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN;
+ 
+ 	if ((skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT, &err)) == NULL)
+diff -urpN a/net/x25/af_x25.c b/net/x25/af_x25.c
+--- a/net/x25/af_x25.c	2008-01-24 15:58:37.000000000 -0700
++++ b/net/x25/af_x25.c	2009-04-07 23:56:09.000000000 -0600
+@@ -1042,6 +1042,12 @@ static int x25_sendmsg(struct kiocb *ioc
+ 		sx25.sx25_addr   = x25->dest_addr;
+ 	}
+ 
++	/* Sanity check the packet size */
++	if (len > 65535) {
++		rc = -EMSGSIZE;
++		goto out;
++	}
++
+ 	SOCK_DEBUG(sk, "x25_sendmsg: sendto: Addresses built.\n");
+ 
+ 	/* Build a packet */

Modified: dists/lenny-security/linux-2.6/debian/patches/series/15lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/15lenny1	Tue Apr  7 12:27:39 2009	(r13357)
+++ dists/lenny-security/linux-2.6/debian/patches/series/15lenny1	Wed Apr  8 06:04:54 2009	(r13358)
@@ -4,3 +4,4 @@
 + bugfix/all/shm-fix-shmctl(SHM_INFO)-lockup-without-CONFIG_SHMEM.patch
 + bugfix/all/fix-off-by-2-error-in-console-selection.patch
 + bugfix/all/nfsd-drop-CAP_MKNOD-for-non-root.patch
++ bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch

More information about the Kernel-svn-changes mailing list