Found the offending patch!
It's called smbfs-overflow-fixes.dpatch. I've attached a patch that
should fix the same overflow issues, but without breaking utime
functionality. It's stolen from 2.6.10-ac7. :-)
--
Sren Hansen [EMAIL PROTECTED]
diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla-2.6.10/fs/smbfs/proc.c linux-2.6.10/fs/smbfs/proc.c
--- linux.vanilla-2.6.10/fs/smbfs/proc.c 2004-12-25 21:15:41.0 +
+++ linux-2.6.10/fs/smbfs/proc.c 2004-12-26 23:03:13.0 +
@@ -1427,9 +1427,9 @@
* So we must first calculate the amount of padding used by the server.
*/
data_off -= hdrlen;
- if (data_off SMB_READX_MAX_PAD) {
- PARANOIA(offset is larger than max pad!\n);
- PARANOIA(%d %d\n, data_off, SMB_READX_MAX_PAD);
+ if (data_off SMB_READX_MAX_PAD || data_off 0) {
+ PARANOIA(offset is larger than SMB_READX_MAX_PAD or negative!\n);
+ PARANOIA(%d %d || %d 0\n, data_off, SMB_READX_MAX_PAD, data_off);
req-rq_rlen = req-rq_bufsize + 1;
return;
}
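Review bot: The second PARANOIA line at L19 prints `data_off` twice, once for each half of the disjunction, which makes the log line harder to read than it needs to be; `PARANOIA("data_off=%d, SMB_READX_MAX_PAD=%d\n", data_off, SMB_READX_MAX_PAD);` carries the same information, since the reader can see from the value which bound was violated. Note also that in this copy of the patch the comparison operators and string quotes have been stripped (L14, L17-L19 show `data_off SMB_READX_MAX_PAD` where the original must have read `data_off > SMB_READX_MAX_PAD || data_off < 0`), so the attachment cannot be applied verbatim from this page. The enclosing function starts and ends outside the hunk, so whether the caller treats `rq_rlen > rq_bufsize` (L20) as the error signal cannot be confirmed here.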
diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla-2.6.10/fs/smbfs/request.c linux-2.6.10/fs/smbfs/request.c
--- linux.vanilla-2.6.10/fs/smbfs/request.c 2004-12-25 21:15:41.0 +
+++ linux-2.6.10/fs/smbfs/request.c 2004-12-26 23:06:24.0 +
@@ -588,8 +588,18 @@
data_count = WVAL(inbuf, smb_drcnt);
/* Modify offset for the split header/buffer we use */
- data_offset -= hdrlen;
- parm_offset -= hdrlen;
+ if (data_count || data_offset) {
+ if (unlikely(data_offset hdrlen))
+ goto out_bad_data;
+ else
+ data_offset -= hdrlen;
+ }
+ if (parm_count || parm_offset) {
+ if (unlikely(parm_offset hdrlen))
+ goto out_bad_parm;
+ else
+ parm_offset -= hdrlen;
+ }
if (parm_count == parm_tot data_count == data_tot) {
/*
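Review bot: The `else` branches at L34-L35 and L40-L41 are redundant, because the preceding `goto` already leaves the function; kernel style is to drop them and keep the subtraction at the outer level: `if (unlikely(data_offset < hdrlen)) goto out_bad_data;` followed by `data_offset -= hdrlen;` (and likewise for parm_offset). The guards `if (data_count || data_offset)` at L31 and L37 are worth a one-line comment, e.g. `/* an absent section is encoded as count=0, offset=0 and needs no rebasing */`, since otherwise the next reader will wonder why a zero offset is not rejected as being below hdrlen. The operators appear stripped in this rendering, so the direction of the comparisons at L32 and L38 is inferred from the label names. The enclosing function starts and ends outside the hunk.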
@@ -600,18 +610,22 @@
* response that fits.
*/
VERBOSE(single trans2 response
- dcnt=%d, pcnt=%d, doff=%d, poff=%d\n,
+ dcnt=%u, pcnt=%u, doff=%u, poff=%u\n,
data_count, parm_count,
data_offset, parm_offset);
req-rq_ldata = data_count;
req-rq_lparm = parm_count;
req-rq_data = req-rq_buffer + data_offset;
req-rq_parm = req-rq_buffer + parm_offset;
+ if (unlikely(parm_offset + parm_count req-rq_rlen))
+ goto out_bad_parm;
+ if (unlikely(data_offset + data_count req-rq_rlen))
+ goto out_bad_data;
return 0;
}
VERBOSE(multi trans2 response
- frag=%d, dcnt=%d, pcnt=%d, doff=%d, poff=%d\n,
+ frag=%d, dcnt=%u, pcnt=%u, doff=%u, poff=%u\n,
req-rq_fragment,
data_count, parm_count,
data_offset, parm_offset);
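Review bot: The new bounds checks at L57-L60 run after `req->rq_data` and `req->rq_parm` have already been pointed at `rq_buffer + offset` on L55-L56, so on the error path the request is left holding pointers past the received data; nothing in the hunk dereferences them before `return`, but moving the two `if (unlikely(... > req->rq_rlen)) goto ...` checks above L53 keeps the struct consistent whenever the function fails, and also means `rq_ldata`/`rq_lparm` are not set for a response that is then rejected. If `parm_offset`, `parm_count`, `data_offset` and `data_count` are all 16-bit words read with WVAL as `data_count` is on L27, the sums cannot wrap, which is worth stating in a comment next to the checks. The multi-fragment path at L77-L84 performs its checks before any pointer is assigned, so only this single-response path is affected.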
@@ -638,13 +652,15 @@
req-rq_parm = req-rq_trans2buffer;
req-rq_data = req-rq_trans2buffer + parm_tot;
- } else if (req-rq_total_data data_tot ||
- req-rq_total_parm parm_tot)
+ } else if (unlikely(req-rq_total_data data_tot ||
+ req-rq_total_parm parm_tot))
goto out_data_grew;
- if (parm_disp + parm_count req-rq_total_parm)
+ if (unlikely(parm_disp + parm_count req-rq_total_parm ||
+ parm_offset + parm_count req-rq_rlen))
goto out_bad_parm;
- if (data_disp + data_count req-rq_total_data)
+ if (unlikely(data_disp + data_count req-rq_total_data ||
+ data_offset + data_count req-rq_rlen))
goto out_bad_data;
inbuf = req-rq_buffer;
@@ -666,10 +682,9 @@
return 1;
out_too_long:
- printk(KERN_ERR smb_trans2: data/param too long, data=%d, parm=%d\n,
+ printk(KERN_ERR smb_trans2: data/param too long, data=%u, parm=%u\n,
data_tot, parm_tot);
- req-rq_errno = -EIO;
- goto out;
+ goto out_EIO;
out_no_mem:
printk(KERN_ERR smb_trans2: couldn't allocate data area of %d bytes\n,
req-rq_trans2bufsize);
@@ -677,16 +692,15 @@
goto out;
out_data_grew:
printk(KERN_ERR smb_trans2: data/params grew!\n);
- req-rq_errno = -EIO;
- goto out;
+ goto out_EIO;
out_bad_parm:
- printk(KERN_ERR smb_trans2: invalid parms, disp=%d, cnt=%d, tot=%d\n,
- parm_disp, parm_count, parm_tot);
- req-rq_errno = -EIO;
- goto out;
+ printk(KERN_ERR smb_trans2: invalid parms, disp=%u, cnt=%u, tot=%u, ofs=%u\n,
+ parm_disp, parm_count, parm_tot, parm_offset);
+ goto out_EIO;
out_bad_data:
- printk(KERN_ERR smb_trans2: invalid data, disp=%d, cnt=%d, tot=%d\n,
- data_disp, data_count, data_tot);
+ printk(KERN_ERR smb_trans2: invalid data, disp=%u, cnt=%u, tot=%u, ofs=%u\n,
+ data_disp, data_count, data_tot, data_offset);
+out_EIO:
req-rq_errno = -EIO;
out:
return req-rq_errno;
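Review bot: Every printk on the `out_too_long`, `out_data_grew`, `out_bad_parm` and `out_bad_data` paths (L90, L101, L110, L116, plus L89-L91 in the previous hunk) is reached on server-supplied lengths and offsets, so a misbehaving or hostile server can now trigger an unbounded stream of KERN_ERR messages by sending malformed trans2 responses; wrapping each in `if (printk_ratelimit())` keeps the diagnostic while bounding the log volume. The new label `out_EIO` at L118 breaks the lowercase label convention used by its neighbours (`out_bad_data`, `out`); `out_eio` would match. The added `ofs=%u` fields in the two invalid-parm/invalid-data messages are a useful addition, since the offset is now one of the values that can cause the rejection. The enclosing function starts outside the hunk.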