On Sat, Jan 08, 2005 at 06:36:27PM +0100, S?ren Hansen wrote:
> This bug does not exist in the vanilla version of 2.6.8. A patch added
> somewhere in the Debian kernel-source-2.6.8 packages breaks it. I,
> however, cannot seem to find any patches that should touch smbfs, so I
> can't point it out. I just just rebuilt that particular module with the
> sources from kernel.org and everything works just as well as before.
>
> I believe this bug is severe enough to force a fix in Sarge! It renders
> smbfs TOTALLY useless.
>
> --
> S??ren Hansen <[EMAIL PROTECTED]>
When merging to 2.6.10 I noticed we have a bunch of smbfs changes that
were labelled security fixes. Can you try to rebuild the kernel (or
just smbfs.ko) with the patch below reversed?
#! /bin/sh -e
## <PATCHNAME>.dpatch by <[EMAIL PROTECTED]>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Description: SMBfs overflow fixes
## DP: Patch author: unknown, stolen from -ac tree (probably Stefan Esser,
Juan Quintela, and Urban Widmark)
## DP: Upstream status: unknown
. $(dirname $0)/DPATCH
@DPATCH@
diff -u --new-file --recursive --exclude-from /usr/src/exclude
linux.vanilla-2.6.9/fs/smbfs/proc.c linux-2.6.9/fs/smbfs/proc.c
--- linux.vanilla-2.6.9/fs/smbfs/proc.c 2004-10-20 23:17:20.000000000 +0100
+++ linux-2.6.9/fs/smbfs/proc.c 2004-11-17 19:41:41.000000000 +0000
@@ -1427,9 +1427,9 @@
* So we must first calculate the amount of padding used by the server.
*/
data_off -= hdrlen;
- if (data_off > SMB_READX_MAX_PAD) {
- PARANOIA("offset is larger than max pad!\n");
- PARANOIA("%d > %d\n", data_off, SMB_READX_MAX_PAD);
+ if (data_off > SMB_READX_MAX_PAD || data_off < 0) {
+ PARANOIA("offset is larger than SMB_READX_MAX_PAD or
negative!\n");
+ PARANOIA("%d > %d || %d < 0\n", data_off, SMB_READX_MAX_PAD,
data_off);
req->rq_rlen = req->rq_bufsize + 1;
return;
}
diff -u --new-file --recursive --exclude-from /usr/src/exclude
linux.vanilla-2.6.9/fs/smbfs/request.c linux-2.6.9/fs/smbfs/request.c
--- linux.vanilla-2.6.9/fs/smbfs/request.c 2004-10-20 22:33:50.000000000
+0100
+++ linux-2.6.9/fs/smbfs/request.c 2004-11-17 19:41:41.000000000 +0000
@@ -588,6 +588,10 @@
data_count = WVAL(inbuf, smb_drcnt);
/* Modify offset for the split header/buffer we use */
+ if (data_offset < hdrlen)
+ goto out_bad_data;
+ if (parm_offset < hdrlen)
+ goto out_bad_parm;
data_offset -= hdrlen;
parm_offset -= hdrlen;
@@ -607,6 +611,10 @@
req->rq_lparm = parm_count;
req->rq_data = req->rq_buffer + data_offset;
req->rq_parm = req->rq_buffer + parm_offset;
+ if (parm_offset + parm_count > req->rq_rlen)
+ goto out_bad_parm;
+ if (data_offset + data_count > req->rq_rlen)
+ goto out_bad_data;
return 0;
}
@@ -643,8 +652,12 @@
if (parm_disp + parm_count > req->rq_total_parm)
goto out_bad_parm;
+ if (parm_offset + parm_count > req->rq_rlen)
+ goto out_bad_parm;
if (data_disp + data_count > req->rq_total_data)
goto out_bad_data;
+ if (data_offset + data_count > req->rq_rlen)
+ goto out_bad_data;
inbuf = req->rq_buffer;
memcpy(req->rq_parm + parm_disp, inbuf + parm_offset, parm_count);
@@ -676,13 +692,13 @@
req->rq_errno = -EIO;
goto out;
out_bad_parm:
- printk(KERN_ERR "smb_trans2: invalid parms, disp=%d, cnt=%d, tot=%d\n",
- parm_disp, parm_count, parm_tot);
+ printk(KERN_ERR "smb_trans2: invalid parms, disp=%d, cnt=%d, tot=%d,
ofs=%d\n",
+ parm_disp, parm_count, parm_tot, parm_offset);
req->rq_errno = -EIO;
goto out;
out_bad_data:
- printk(KERN_ERR "smb_trans2: invalid data, disp=%d, cnt=%d, tot=%d\n",
- data_disp, data_count, data_tot);
+ printk(KERN_ERR "smb_trans2: invalid data, disp=%d, cnt=%d, tot=%d,
ofs=%d\n",
+ data_disp, data_count, data_tot, data_offset);
req->rq_errno = -EIO;
out:
return req->rq_errno;
