author | Greg Kroah-Hartman <gregkh@suse.de> | 2011-05-11 15:45:24 -0700 |
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-05-11 15:45:24 -0700 |
commit | 9efd1ee7c973f2137ef653bcc58d0ee623f34d9e (patch) | |
tree | b4e08d0a3b27cbb1007c5744d58ecf4acb479dd9 | |
parent | e174cc47116266f5fa392a70b3ad05649996fa79 (diff) | |
download | stable-queue-9efd1ee7c973f2137ef653bcc58d0ee623f34d9e.tar.gz |
.38 patches
-rw-r--r-- | queue-2.6.38/cifs-fix-memory-over-bound-bug-in-cifs_parse_mount_options.patch | 50 | ||||
-rw-r--r-- | queue-2.6.38/dccp-handle-invalid-feature-options-length.patch | 35 | ||||
-rw-r--r-- | queue-2.6.38/series | 2 |
3 files changed, 87 insertions, 0 deletions
diff --git a/queue-2.6.38/cifs-fix-memory-over-bound-bug-in-cifs_parse_mount_options.patch b/queue-2.6.38/cifs-fix-memory-over-bound-bug-in-cifs_parse_mount_options.patch
new file mode 100644
index 0000000000..89b0ec3052
--- /dev/null
+++ b/queue-2.6.38/cifs-fix-memory-over-bound-bug-in-cifs_parse_mount_options.patch
@@ -0,0 +1,50 @@
+From 4906e50b37e6f6c264e7ee4237343eb2b7f8d16d Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky <piastry@etersoft.ru>
+Date: Thu, 14 Apr 2011 22:00:56 +0400
+Subject: CIFS: Fix memory over bound bug in cifs_parse_mount_options
+
+From: Pavel Shilovsky <piastry@etersoft.ru>
+
+commit 4906e50b37e6f6c264e7ee4237343eb2b7f8d16d upstream.
+
+While password processing we can get out of options array bound if
+the next character after array is delimiter. The patch adds a check
+if we reach the end.
+
+Signed-off-by: Pavel Shilovsky <piastry@etersoft.ru>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/cifs/connect.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -822,8 +822,7 @@ static int
+ cifs_parse_mount_options(char *options, const char *devname,
+ struct smb_vol *vol)
+ {
+- char *value;
+- char *data;
++ char *value, *data, *end;
+ unsigned int temp_len, i, j;
+ char separator[2];
+ short int override_uid = -1;
+@@ -866,6 +865,7 @@ cifs_parse_mount_options(char *options,
+ if (!options)
+ return 1;
+
++ end = options + strlen(options);
+ if (strncmp(options, "sep=", 4) == 0) {
+ if (options[4] != 0) {
+ separator[0] = options[4];
+@@ -930,6 +930,7 @@ cifs_parse_mount_options(char *options,
+ the only illegal character in a password is null */
+
+ if ((value[temp_len] == 0) &&
++ (value + temp_len < end) &&
+ (value[temp_len+1] == separator[0])) {
+ /* reinsert comma */
+ value[temp_len] = separator[0];
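Review bot: The new bound `value + temp_len < end` is only correct because `end` is taken from `strlen(options)` before any separator in the string has been overwritten with NUL, and nothing at the assignment says so; a later reorder of the `sep=` handling or of the tokenizing would silently turn `end` into the end of the first token. I would document the invariant at the new line: `/* end of the original mount string; must be computed before any separator is replaced by NUL */`. The comparison itself is sound: with `value[temp_len] == 0` and `value + temp_len < end`, index `temp_len + 1` is at most `end`, which is the terminating NUL of the original string. The tokenizing that the invariant depends on is presumably the code the `/* reinsert comma */` line undoes, but it is outside the hunk, as is the rest of cifs_parse_mount_options's body.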
diff --git a/queue-2.6.38/dccp-handle-invalid-feature-options-length.patch b/queue-2.6.38/dccp-handle-invalid-feature-options-length.patch
new file mode 100644
index 0000000000..48f66a3302
--- /dev/null
+++ b/queue-2.6.38/dccp-handle-invalid-feature-options-length.patch
@@ -0,0 +1,35 @@
+From a294865978b701e4d0d90135672749531b9a900d Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Fri, 6 May 2011 03:27:18 +0000
+Subject: dccp: handle invalid feature options length
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit a294865978b701e4d0d90135672749531b9a900d upstream.
+
+A length of zero (after subtracting two for the type and len fields) for
+the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to
+the subtraction. The subsequent code may read past the end of the
+options value buffer when parsing. I'm unsure of what the consequences
+of this might be, but it's probably not good.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Acked-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/dccp/options.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/dccp/options.c
++++ b/net/dccp/options.c
+@@ -123,6 +123,8 @@ int dccp_parse_options(struct sock *sk,
+ case DCCPO_CHANGE_L ... DCCPO_CONFIRM_R:
+ if (pkt_type == DCCP_PKT_DATA) /* RFC 4340, 6 */
+ break;
++ if (len == 0)
++ goto out_invalid_option;
+ rc = dccp_feat_parse_options(sk, dreq, mandatory, opt,
+ *value, value + 1, len - 1);
+ if (rc)
diff --git a/queue-2.6.38/series b/queue-2.6.38/series
index 5fd83e0a49..ce4c58b7a5 100644
--- a/queue-2.6.38/series
+++ b/queue-2.6.38/series
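Review bot: The new `len == 0` guard needs a one-line reason next to it, because what it protects is the `*value` read and the `len - 1` argument two lines below rather than anything on its own line: `/* a Change/Confirm option carries at least the feature-number byte; len - 1 below must not underflow */`. Whether `len` at this point is already the option length minus the two type/length bytes, as the commit message states, and whether it was checked against the remaining options buffer earlier in the loop, cannot be seen here; dccp_parse_options's body continues outside the hunk on both sides. The guard sits after the existing `DCCP_PKT_DATA` early break, so feature options on data packets are still skipped rather than rejected, which keeps the behaviour the RFC 4340 comment describes.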
@@ -16,3 +16,5 @@ don-t-lock-guardpage-if-the-stack-is-growing-up.patch
 drm-i915-dp-be-paranoid-in-case-we-disable-a-dp-before-it-is-attached.patch
 drm-i915-lvds-only-act-on-lid-notify-when-the-device-is-on.patch
 drm-i915-release-object-along-create-user-fb-error-path.patch
+dccp-handle-invalid-feature-options-length.patch
+cifs-fix-memory-over-bound-bug-in-cifs_parse_mount_options.patch