[kernel] r17186 - in dists/squeeze/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sun Apr 3 20:30:30 UTC 2011
Author: dannf
Date: Sun Apr 3 20:30:24 2011
New Revision: 17186
Log:
irda: validate peer name and attribute lengths (CVE-2011-1180)
Added:
dists/squeeze/linux-2.6/debian/patches/bugfix/all/irda-validate-peer-name-and-attribute-lengths.patch
Modified:
dists/squeeze/linux-2.6/debian/changelog
dists/squeeze/linux-2.6/debian/patches/series/33
Modified: dists/squeeze/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze/linux-2.6/debian/changelog Sun Apr 3 20:29:30 2011 (r17185)
+++ dists/squeeze/linux-2.6/debian/changelog Sun Apr 3 20:30:24 2011 (r17186)
@@ -16,6 +16,7 @@
This fixes a panic caused by a regression introduced by the fix
for CVE-2011-0711.
* [powerpc] Revert kdump fix from 2.6.32.34 (FTBFS)
+ * irda: validate peer name and attribute lengths (CVE-2011-1180)
-- dann frazier <dannf at debian.org> Thu, 31 Mar 2011 18:43:14 -0600
Added: dists/squeeze/linux-2.6/debian/patches/bugfix/all/irda-validate-peer-name-and-attribute-lengths.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/irda-validate-peer-name-and-attribute-lengths.patch Sun Apr 3 20:30:24 2011 (r17186)
@@ -0,0 +1,35 @@
+commit d370af0ef7951188daeb15bae75db7ba57c67846
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Sun Mar 20 15:32:06 2011 +0000
+
+ irda: validate peer name and attribute lengths
+
+ Length fields provided by a peer for names and attributes may be longer
+ than the destination array sizes. Validate lengths to prevent stack
+ buffer overflows.
+
+ Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+ Cc: stable at kernel.org
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/irda/iriap.c b/net/irda/iriap.c
+index 5b743bd..3647753 100644
+--- a/net/irda/iriap.c
++++ b/net/irda/iriap.c
+@@ -656,10 +656,16 @@ static void iriap_getvaluebyclass_indication(struct iriap_cb *self,
+ n = 1;
+
+ name_len = fp[n++];
++
++ IRDA_ASSERT(name_len < IAS_MAX_CLASSNAME + 1, return;);
++
+ memcpy(name, fp+n, name_len); n+=name_len;
+ name[name_len] = '\0';
+
+ attr_len = fp[n++];
++
++ IRDA_ASSERT(attr_len < IAS_MAX_ATTRIBNAME + 1, return;);
++
+ memcpy(attr, fp+n, attr_len); n+=attr_len;
+ attr[attr_len] = '\0';
+
Modified: dists/squeeze/linux-2.6/debian/patches/series/33
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/series/33 Sun Apr 3 20:29:30 2011 (r17185)
+++ dists/squeeze/linux-2.6/debian/patches/series/33 Sun Apr 3 20:30:24 2011 (r17186)
@@ -5,3 +5,4 @@
+ bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch
+ debian/revert-powerpc-kdump-fix-in-2.6.32.34.patch
+ bugfix/x86/Save-cr4-to-mmu_cr4_features-at-boot-time.patch
++ bugfix/all/irda-validate-peer-name-and-attribute-lengths.patch
More information about the Kernel-svn-changes
mailing list