On Sat, Jan 08, 2005 at 06:36:27PM +0100, S?ren Hansen wrote: > This bug does not exist in the vanilla version of 2.6.8. A patch added > somewhere in the Debian kernel-source-2.6.8 packages breaks it. I, > however, cannot seem to find any patches that should touch smbfs, so I > can't point it out. I just just rebuilt that particular module with the > sources from kernel.org and everything works just as well as before. > > I believe this bug is severe enough to force a fix in Sarge! It renders > smbfs TOTALLY useless. > > -- > S??ren Hansen <[EMAIL PROTECTED]>
When merging to 2.6.10 I noticed we have a bunch of smbfs changes that were labelled security fixes. Can you try to rebuild the kernel (or just smbfs.ko) with the patch below reversed? #! /bin/sh -e ## <PATCHNAME>.dpatch by <[EMAIL PROTECTED]> ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: Description: SMBfs overflow fixes ## DP: Patch author: unknown, stolen from -ac tree (probably Stefan Esser, Juan Quintela, and Urban Widmark) ## DP: Upstream status: unknown . $(dirname $0)/DPATCH @DPATCH@ diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla-2.6.9/fs/smbfs/proc.c linux-2.6.9/fs/smbfs/proc.c --- linux.vanilla-2.6.9/fs/smbfs/proc.c 2004-10-20 23:17:20.000000000 +0100 +++ linux-2.6.9/fs/smbfs/proc.c 2004-11-17 19:41:41.000000000 +0000 @@ -1427,9 +1427,9 @@ * So we must first calculate the amount of padding used by the server. */ data_off -= hdrlen; - if (data_off > SMB_READX_MAX_PAD) { - PARANOIA("offset is larger than max pad!\n"); - PARANOIA("%d > %d\n", data_off, SMB_READX_MAX_PAD); + if (data_off > SMB_READX_MAX_PAD || data_off < 0) { + PARANOIA("offset is larger than SMB_READX_MAX_PAD or negative!\n"); + PARANOIA("%d > %d || %d < 0\n", data_off, SMB_READX_MAX_PAD, data_off); req->rq_rlen = req->rq_bufsize + 1; return; } diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla-2.6.9/fs/smbfs/request.c linux-2.6.9/fs/smbfs/request.c --- linux.vanilla-2.6.9/fs/smbfs/request.c 2004-10-20 22:33:50.000000000 +0100 +++ linux-2.6.9/fs/smbfs/request.c 2004-11-17 19:41:41.000000000 +0000 @@ -588,6 +588,10 @@ data_count = WVAL(inbuf, smb_drcnt); /* Modify offset for the split header/buffer we use */ + if (data_offset < hdrlen) + goto out_bad_data; + if (parm_offset < hdrlen) + goto out_bad_parm; data_offset -= hdrlen; parm_offset -= hdrlen; @@ -607,6 +611,10 @@ req->rq_lparm = parm_count; req->rq_data = req->rq_buffer + data_offset; req->rq_parm = req->rq_buffer + parm_offset; + if (parm_offset + parm_count > req->rq_rlen) + goto out_bad_parm; + if (data_offset + data_count > req->rq_rlen) + goto out_bad_data; return 0; } @@ -643,8 +652,12 @@ if (parm_disp + parm_count > req->rq_total_parm) goto out_bad_parm; + if (parm_offset + parm_count > req->rq_rlen) + goto out_bad_parm; if (data_disp + data_count > req->rq_total_data) goto out_bad_data; + if (data_offset + data_count > req->rq_rlen) + goto out_bad_data; inbuf = req->rq_buffer; memcpy(req->rq_parm + parm_disp, inbuf + parm_offset, parm_count); @@ -676,13 +692,13 @@ req->rq_errno = -EIO; goto out; out_bad_parm: - printk(KERN_ERR "smb_trans2: invalid parms, disp=%d, cnt=%d, tot=%d\n", - parm_disp, parm_count, parm_tot); + printk(KERN_ERR "smb_trans2: invalid parms, disp=%d, cnt=%d, tot=%d, ofs=%d\n", + parm_disp, parm_count, parm_tot, parm_offset); req->rq_errno = -EIO; goto out; out_bad_data: - printk(KERN_ERR "smb_trans2: invalid data, disp=%d, cnt=%d, tot=%d\n", - data_disp, data_count, data_tot); + printk(KERN_ERR "smb_trans2: invalid data, disp=%d, cnt=%d, tot=%d, ofs=%d\n", + data_disp, data_count, data_tot, data_offset); req->rq_errno = -EIO; out: return req->rq_errno;