authorGreg Kroah-Hartman <gregkh@suse.de>2011-05-11 15:45:24 -0700
committerGreg Kroah-Hartman <gregkh@suse.de>2011-05-11 15:45:24 -0700
commit9efd1ee7c973f2137ef653bcc58d0ee623f34d9e (patch)
treeb4e08d0a3b27cbb1007c5744d58ecf4acb479dd9
parente174cc47116266f5fa392a70b3ad05649996fa79 (diff)
downloadstable-queue-9efd1ee7c973f2137ef653bcc58d0ee623f34d9e.tar.gz
.38 patches
-rw-r--r--queue-2.6.38/cifs-fix-memory-over-bound-bug-in-cifs_parse_mount_options.patch50
-rw-r--r--queue-2.6.38/dccp-handle-invalid-feature-options-length.patch35
-rw-r--r--queue-2.6.38/series2
3 files changed, 87 insertions, 0 deletions
diff --git a/queue-2.6.38/cifs-fix-memory-over-bound-bug-in-cifs_parse_mount_options.patch b/queue-2.6.38/cifs-fix-memory-over-bound-bug-in-cifs_parse_mount_options.patch
new file mode 100644
index 0000000000..89b0ec3052
--- /dev/null
+++ b/queue-2.6.38/cifs-fix-memory-over-bound-bug-in-cifs_parse_mount_options.patch
@@ -0,0 +1,50 @@
+From 4906e50b37e6f6c264e7ee4237343eb2b7f8d16d Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky <piastry@etersoft.ru>
+Date: Thu, 14 Apr 2011 22:00:56 +0400
+Subject: CIFS: Fix memory over bound bug in cifs_parse_mount_options
+
+From: Pavel Shilovsky <piastry@etersoft.ru>
+
+commit 4906e50b37e6f6c264e7ee4237343eb2b7f8d16d upstream.
+
+While password processing we can get out of options array bound if
+the next character after array is delimiter. The patch adds a check
+if we reach the end.
+
+Signed-off-by: Pavel Shilovsky <piastry@etersoft.ru>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/cifs/connect.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -822,8 +822,7 @@ static int
+ cifs_parse_mount_options(char *options, const char *devname,
+ struct smb_vol *vol)
+ {
+- char *value;
+- char *data;
++ char *value, *data, *end;
+ unsigned int temp_len, i, j;
+ char separator[2];
+ short int override_uid = -1;
+@@ -866,6 +865,7 @@ cifs_parse_mount_options(char *options,
+ if (!options)
+ return 1;
+
++ end = options + strlen(options);
+ if (strncmp(options, "sep=", 4) == 0) {
+ if (options[4] != 0) {
+ separator[0] = options[4];
+@@ -930,6 +930,7 @@ cifs_parse_mount_options(char *options,
+ the only illegal character in a password is null */
+
+ if ((value[temp_len] == 0) &&
++ (value + temp_len < end) &&
+ (value[temp_len+1] == separator[0])) {
+ /* reinsert comma */
+ value[temp_len] = separator[0];
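Review bot: The added `end = options + strlen(options);` carries an invariant that the later guard `(value + temp_len < end)` depends on but that nothing in the hunk states: `value` must always point into the same `options` buffer (otherwise the pointer comparison is undefined) and the buffer must only ever be modified in place, never moved or extended, after `end` is taken. The "reinsert comma" write on the last line shows the in-place separator/NUL swapping the guard is protecting, so a one-line comment next to the assignment would make the reasoning checkable: `/* end: terminating NUL of the original string; tokenising only rewrites bytes in place, so it stays valid */`. With that invariant, the guard is sufficient: when `value + temp_len == end - 1` the read of `value[temp_len+1]` lands exactly on `*end`, which is still inside the buffer. The body of cifs_parse_mount_options lies almost entirely outside this hunk, so whether `value` is derived from `options` throughout can only be presumed here.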
diff --git a/queue-2.6.38/dccp-handle-invalid-feature-options-length.patch b/queue-2.6.38/dccp-handle-invalid-feature-options-length.patch
new file mode 100644
index 0000000000..48f66a3302
--- /dev/null
+++ b/queue-2.6.38/dccp-handle-invalid-feature-options-length.patch
@@ -0,0 +1,35 @@
+From a294865978b701e4d0d90135672749531b9a900d Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Fri, 6 May 2011 03:27:18 +0000
+Subject: dccp: handle invalid feature options length
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit a294865978b701e4d0d90135672749531b9a900d upstream.
+
+A length of zero (after subtracting two for the type and len fields) for
+the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to
+the subtraction. The subsequent code may read past the end of the
+options value buffer when parsing. I'm unsure of what the consequences
+of this might be, but it's probably not good.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Acked-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/dccp/options.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/dccp/options.c
++++ b/net/dccp/options.c
+@@ -123,6 +123,8 @@ int dccp_parse_options(struct sock *sk,
+ case DCCPO_CHANGE_L ... DCCPO_CONFIRM_R:
+ if (pkt_type == DCCP_PKT_DATA) /* RFC 4340, 6 */
+ break;
++ if (len == 0)
++ goto out_invalid_option;
+ rc = dccp_feat_parse_options(sk, dreq, mandatory, opt,
+ *value, value + 1, len - 1);
+ if (rc)
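Review bot: The new `if (len == 0)` guard before the dccp_feat_parse_options call has no comment saying what it protects, and the meaning of `len` (the option payload after the type and length octets were already subtracted, per the commit message) is established outside the hunk, so a reader of this line alone cannot see why zero is the dangerous value. The reads it keeps in bounds are on the following two lines: `*value` would dereference past the option with no payload, and `len - 1` would wrap to a large unsigned length. Suggest `/* len excludes the type/len octets; with no payload there is no feature number to read and len - 1 would underflow */`. dccp_parse_options starts and ends outside the hunk, and `out_invalid_option` is presumably a label in the unchanged remainder of the function.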
diff --git a/queue-2.6.38/series b/queue-2.6.38/series
index 5fd83e0a49..ce4c58b7a5 100644
--- a/queue-2.6.38/series
+++ b/queue-2.6.38/series
@@ -16,3 +16,5 @@ don-t-lock-guardpage-if-the-stack-is-growing-up.patch
drm-i915-dp-be-paranoid-in-case-we-disable-a-dp-before-it-is-attached.patch
drm-i915-lvds-only-act-on-lid-notify-when-the-device-is-on.patch
drm-i915-release-object-along-create-user-fb-error-path.patch
+dccp-handle-invalid-feature-options-length.patch
+cifs-fix-memory-over-bound-bug-in-cifs_parse_mount_options.patch