Gentoo's Bugzilla – Attachment 44597 Details for
Bug 65877
Kernel: DoS by smbfs remote overflows (CAN-2004-{0883,0949})
[patch]
<= 2.6.8.1 Patch
linux-2.6.8.1-smbfs.patch (text/plain), 3.23 KB, created by
Tim Yamin (RETIRED)
on 2004-11-23 13:34:47 UTC
Description:
<= 2.6.8.1 Patch
Filename:
MIME Type:
Creator:
Tim Yamin (RETIRED)
Created:
2004-11-23 13:34:47 UTC
Size:
3.23 KB
patch
obsolete
>diff -urN linux-2.6.8.1/fs/smbfs/proc.c linux-2.6.8.1.plasmaroo/fs/smbfs/proc.c
>--- linux-2.6.8.1/fs/smbfs/proc.c 2004-08-24 17:15:57.000000000 +1000
>+++ linux-2.6.8.1.plasmaroo/fs/smbfs/proc.c 2004-11-06 11:27:20.000000000 +1100
>@@ -1427,9 +1427,9 @@
> * So we must first calculate the amount of padding used by the server.
> */
> data_off -= hdrlen;
>- if (data_off > SMB_READX_MAX_PAD) {
>- PARANOIA("offset is larger than max pad!\n");
>- PARANOIA("%d > %d\n", data_off, SMB_READX_MAX_PAD);
>+ if (data_off > SMB_READX_MAX_PAD || data_off < 0) {
>+ PARANOIA("offset is larger than SMB_READX_MAX_PAD or negative!\n");
>+ PARANOIA("%d > %d || %d < 0\n", data_off, SMB_READX_MAX_PAD, data_off);
> req->rq_rlen = req->rq_bufsize + 1;
> return;
> }
>diff -urN linux-2.6.8.1/fs/smbfs/request.c linux-2.6.8.1.plasmaroo/fs/smbfs/request.c
>--- linux-2.6.8.1/fs/smbfs/request.c 2004-11-06 11:27:51.000000000 +1100
>+++ linux-2.6.8.1.plasmaroo/fs/smbfs/request.c 2004-11-06 11:27:20.000000000 +1100
>@@ -588,6 +588,10 @@
> data_count = WVAL(inbuf, smb_drcnt);
> 
> /* Modify offset for the split header/buffer we use */
>+ if (data_offset < hdrlen)
>+ goto out_bad_data;
>+ if (parm_offset < hdrlen)
>+ goto out_bad_parm;
> data_offset -= hdrlen;
> parm_offset -= hdrlen;
> 
>@@ -607,6 +611,10 @@
> req->rq_lparm = parm_count;
> req->rq_data = req->rq_buffer + data_offset;
> req->rq_parm = req->rq_buffer + parm_offset;
>+ if (parm_offset + parm_count > req->rq_rlen)
>+ goto out_bad_parm;
>+ if (data_offset + data_count > req->rq_rlen)
>+ goto out_bad_data;
> return 0;
> }
> 
>@@ -634,6 +642,7 @@
> req->rq_trans2buffer = smb_kmalloc(buf_len, GFP_NOFS);
> if (!req->rq_trans2buffer)
> goto out_no_mem;
>+ memset(req->rq_trans2buffer, 0, buf_len);
> 
> req->rq_parm = req->rq_trans2buffer;
> req->rq_data = req->rq_trans2buffer + parm_tot;
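Review bot: The new `data_off < 0` test only rejects a short offset if `data_off` is a signed type; the `%d` format suggests it is, but the declaration is outside the hunk, and an unsigned `data_off` would make the new branch dead code while `data_off -= hdrlen` still wraps. It is worth confirming the type at the declaration, since that subtraction is the only thing here that can drive the value negative. On style, the second PARANOIA prints `data_off` twice; `PARANOIA("%d not in [0, %d]\n", data_off, SMB_READX_MAX_PAD);` states the same check once. The enclosing function starts and ends outside the hunk.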
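Review bot: In the `@@ -607` hunk the two added range checks run after `req->rq_lparm`, `req->rq_data` and `req->rq_parm` have already been stored, so on the `goto out_bad_parm` / `goto out_bad_data` path `req` is left holding pointers that the checks just found to lie beyond `rq_rlen`. Moving the four check lines above the three `req->rq_*` assignments in this hunk keeps the request untouched when it is rejected, so nothing that later looks at `req` can pick up the bad pointers before `rq_errno` is inspected. Whether the `}` after `return 0;` closes the function or an inner block is not visible here; the labels the gotos target are outside this hunk either way.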
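Review bot: The `memset` added in the `@@ -634` hunk has no comment saying why a freshly allocated reassembly buffer must be zeroed, and the reason is not local to the hunk: the comment in the `@@ -657` hunk says the packet totals can shrink, so parts of `rq_trans2buffer` may presumably never be written by any fragment, and without the memset those bytes would be stale kernel heap contents sitting in the buffer the caller reads as response data. A one-line comment such as `/* later fragments may never cover the whole buffer (totals can shrink); do not expose stale heap bytes */` would keep a future cleanup from dropping the memset as redundant. The hunk correctly uses the same `buf_len` that was passed to `smb_kmalloc` on the line above.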
>@@ -643,8 +652,12 @@
> 
> if (parm_disp + parm_count > req->rq_total_parm)
> goto out_bad_parm;
>+ if (parm_offset + parm_count > req->rq_rlen)
>+ goto out_bad_parm;
> if (data_disp + data_count > req->rq_total_data)
> goto out_bad_data;
>+ if (data_offset + data_count > req->rq_rlen)
>+ goto out_bad_data;
> 
> inbuf = req->rq_buffer;
> memcpy(req->rq_parm + parm_disp, inbuf + parm_offset, parm_count);
>@@ -657,8 +670,11 @@
> * Check whether we've received all of the data. Note that
> * we use the packet totals -- total lengths might shrink!
> */
>- if (req->rq_ldata >= data_tot && req->rq_lparm >= parm_tot)
>+ if (req->rq_ldata >= data_tot && req->rq_lparm >= parm_tot) {
>+ req->rq_ldata = data_tot;
>+ req->rq_lparm = parm_tot;
> return 0;
>+ }
> return 1;
> 
> out_too_long:
>@@ -676,13 +692,13 @@
> req->rq_errno = -EIO;
> goto out;
> out_bad_parm:
>- printk(KERN_ERR "smb_trans2: invalid parms, disp=%d, cnt=%d, tot=%d\n",
>- parm_disp, parm_count, parm_tot);
>+ printk(KERN_ERR "smb_trans2: invalid parms, disp=%d, cnt=%d, tot=%d, ofs=%d\n",
>+ parm_disp, parm_count, parm_tot, parm_offset);
> req->rq_errno = -EIO;
> goto out;
> out_bad_data:
>- printk(KERN_ERR "smb_trans2: invalid data, disp=%d, cnt=%d, tot=%d\n",
>- data_disp, data_count, data_tot);
>+ printk(KERN_ERR "smb_trans2: invalid data, disp=%d, cnt=%d, tot=%d, ofs=%d\n",
>+ data_disp, data_count, data_tot, data_offset);
> req->rq_errno = -EIO;
> out:
> return req->rq_errno;
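Review bot: The assignments `req->rq_ldata = data_tot; req->rq_lparm = parm_tot;` added inside the completion branch of the `@@ -657` hunk carry no comment, and the reason for them is subtle: the comment above the `if` says the totals can shrink across fragments, and the `>=` comparison lets the accumulated `rq_ldata`/`rq_lparm` end up larger than the final totals, so returning the accumulated values would advertise more bytes than the final totals describe. A comment on the branch such as `/* totals may have shrunk: report the final totals, not the bytes accumulated */` would make that explicit for the next reader. The function this belongs to starts outside the hunk.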
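Review bot: The two `printk(KERN_ERR ...)` calls in the `@@ -676` hunk fire on every malformed fragment a remote server sends, and the new `goto out_bad_parm` / `goto out_bad_data` paths added in the `@@ -588`, `@@ -607` and `@@ -643` hunks give peer-controlled input several more ways to reach them; gating each with `if (printk_ratelimit())` would stop a misbehaving server from flooding the kernel log. Note also that the added `ofs=%d` value means different things depending on the path: the `< hdrlen` checks in the `@@ -588` hunk jump here before `hdrlen` is subtracted, so the logged offset is header-relative there and buffer-relative from every later check. A short comment at the labels noting that difference, or logging `hdrlen` alongside, would avoid misreading the value during triage.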