Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 44596 Details for
Bug 65877
Kernel: DoS by smbfs remote overflows (CAN-2004-{0883,0949})
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
2.4 (2.4.25+) Patch
linux-2.4.25-smbfs.patch (text/plain), 3.35 KB, created by
Tim Yamin (RETIRED)
on 2004-11-23 13:34:26 UTC
(
hide
)
Description:
2.4 (2.4.25+) Patch
Filename:
MIME Type:
Creator:
Tim Yamin (RETIRED)
Created:
2004-11-23 13:34:26 UTC
Size:
3.35 KB
patch
obsolete
>diff -ur linux-2.4.27/fs/smbfs/proc.c linux-2.4.28/fs/smbfs/proc.c >--- linux-2.4.27/fs/smbfs/proc.c 2004-11-12 19:32:24.000000000 +0000 >+++ linux-2.4.28/fs/smbfs/proc.c 2004-11-19 20:18:27.000000000 +0000 >@@ -1289,10 +1289,12 @@ > data_len = WVAL(buf, 1); > > /* we can NOT simply trust the data_len given by the server ... */ >- if (data_len > server->packet_size - (buf+3 - server->packet)) { >- printk(KERN_ERR "smb_proc_read: invalid data length!! " >- "%d > %d - (%p - %p)\n", >- data_len, server->packet_size, buf+3, server->packet); >+ if (data_len > count || >+ (buf+3 - server->packet) + data_len > server->packet_size) { >+ printk(KERN_ERR "smb_proc_read: invalid data length/offset!! " >+ "%d > %d || (%p - %p) + %d > %d\n", >+ data_len, count, >+ buf+3, server->packet, data_len, server->packet_size); > result = -EIO; > goto out; > } >@@ -1378,10 +1380,12 @@ > buf = smb_base(server->packet) + data_off; > > /* we can NOT simply trust the info given by the server ... */ >- if (data_len > server->packet_size - (buf - server->packet)) { >- printk(KERN_ERR "smb_proc_read: invalid data length!! " >- "%d > %d - (%p - %p)\n", >- data_len, server->packet_size, buf, server->packet); >+ if (data_len > count || >+ (buf - server->packet) + data_len > server->packet_size) { >+ printk(KERN_ERR "smb_proc_readX: invalid data length/offset!! " >+ "%d > %d || (%p - %p) + %d > %d\n", >+ data_len, count, >+ buf, server->packet, data_len, server->packet_size); > result = -EIO; > goto out; > } >diff -ur linux-2.4.27/fs/smbfs/sock.c linux-2.4.28/fs/smbfs/sock.c >--- linux-2.4.27/fs/smbfs/sock.c 2004-11-12 19:32:24.000000000 +0000 >+++ linux-2.4.28/fs/smbfs/sock.c 2004-11-19 20:18:27.000000000 +0000 >@@ -571,7 +571,11 @@ > parm_disp, parm_offset, parm_count, > data_disp, data_offset, data_count); > *parm = base + parm_offset; >+ if (*parm - inbuf + parm_tot > server->packet_size) >+ goto out_bad_parm; > *data = base + data_offset; >+ if (*data - inbuf + data_tot > server->packet_size) >+ goto out_bad_data; > goto success; > } > >@@ -591,6 +595,8 @@ > rcv_buf = smb_vmalloc(buf_len); > if (!rcv_buf) > goto out_no_mem; >+ memset(rcv_buf, 0, buf_len); >+ > *parm = rcv_buf; > *data = rcv_buf + total_p; > } else if (data_tot > total_d || parm_tot > total_p) >@@ -598,8 +604,12 @@ > > if (parm_disp + parm_count > total_p) > goto out_bad_parm; >+ if (parm_offset + parm_count > server->packet_size) >+ goto out_bad_parm; > if (data_disp + data_count > total_d) > goto out_bad_data; >+ if (data_offset + data_count > server->packet_size) >+ goto out_bad_data; > memcpy(*parm + parm_disp, base + parm_offset, parm_count); > memcpy(*data + data_disp, base + data_offset, data_count); > >@@ -610,8 +620,11 @@ > * Check whether we've received all of the data. Note that > * we use the packet totals -- total lengths might shrink! > */ >- if (data_len >= data_tot && parm_len >= parm_tot) >+ if (data_len >= data_tot && parm_len >= parm_tot) { >+ data_len = data_tot; >+ parm_len = parm_tot; > break; >+ } > } > > /* >@@ -625,6 +638,9 @@ > server->packet = rcv_buf; > rcv_buf = inbuf; > } else { >+ if (parm_len + data_len > buf_len) >+ goto out_data_grew; >+ > PARANOIA("copying data, old size=%d, new size=%u\n", > server->packet_size, buf_len); > memcpy(inbuf, rcv_buf, parm_len + data_len);
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 65877
:
44595
| 44596 |
44597
|
44598