From: Nicolas Thill Date: Sun, 3 May 2009 01:01:44 +0000 (+0000) Subject: [8.09] [CVE-2009-1439] fix Linux kernel buffer overflow in CIFS X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=3796417303b19eab15f7e47f746042a37d2fcb61;p=openwrt%2Fsvn-archive%2Farchive.git [8.09] [CVE-2009-1439] fix Linux kernel buffer overflow in CIFS SVN-Revision: 15568 --- diff --git a/target/linux/generic-2.6/patches-2.6.24/994-cve-2009-1439.patch b/target/linux/generic-2.6/patches-2.6.24/994-cve-2009-1439.patch new file mode 100644 index 0000000000..6031efa24f --- /dev/null +++ b/target/linux/generic-2.6/patches-2.6.24/994-cve-2009-1439.patch @@ -0,0 +1,23 @@ +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1439 + +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -3421,16 +3421,13 @@ CIFSTCon(unsigned int xid, struct cifsSe + BCC(smb_buffer_response)) { + kfree(tcon->nativeFileSystem); + tcon->nativeFileSystem = +- kzalloc(length + 2, GFP_KERNEL); ++ kzalloc((4 * length) + 2, GFP_KERNEL); + if (tcon->nativeFileSystem) + cifs_strfromUCS_le( + tcon->nativeFileSystem, + (__le16 *) bcc_ptr, + length, nls_codepage); +- bcc_ptr += 2 * length; +- bcc_ptr[0] = 0; /* null terminate the string */ +- bcc_ptr[1] = 0; +- bcc_ptr += 2; ++ bcc_ptr += (2 * length) + 2; + } + /* else do not bother copying these information fields*/ + } else { diff --git a/target/linux/generic-2.6/patches-2.6.25/994-cve-2009-1439.patch b/target/linux/generic-2.6/patches-2.6.25/994-cve-2009-1439.patch new file mode 100644 index 0000000000..0e9a94eee7 --- /dev/null +++ b/target/linux/generic-2.6/patches-2.6.25/994-cve-2009-1439.patch @@ -0,0 +1,23 @@ +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1439 + +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -3467,16 +3467,13 @@ CIFSTCon(unsigned int xid, struct cifsSe + BCC(smb_buffer_response)) { + kfree(tcon->nativeFileSystem); + tcon->nativeFileSystem = +- kzalloc(length + 2, GFP_KERNEL); ++ kzalloc((4 * length) + 2, GFP_KERNEL); + if (tcon->nativeFileSystem) + cifs_strfromUCS_le( + tcon->nativeFileSystem, + (__le16 *) bcc_ptr, + length, nls_codepage); +- bcc_ptr += 2 * length; +- bcc_ptr[0] = 0; /* null terminate the string */ +- bcc_ptr[1] = 0; +- bcc_ptr += 2; ++ bcc_ptr += (2 * length) + 2; + } + /* else do not bother copying these information fields*/ + } else { diff --git a/target/linux/generic-2.6/patches-2.6.26/994-cve-2009-1439.patch b/target/linux/generic-2.6/patches-2.6.26/994-cve-2009-1439.patch new file mode 100644 index 0000000000..044100f932 --- /dev/null +++ b/target/linux/generic-2.6/patches-2.6.26/994-cve-2009-1439.patch @@ -0,0 +1,23 @@ +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1439 + +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -3466,16 +3466,13 @@ CIFSTCon(unsigned int xid, struct cifsSe + BCC(smb_buffer_response)) { + kfree(tcon->nativeFileSystem); + tcon->nativeFileSystem = +- kzalloc(length + 2, GFP_KERNEL); ++ kzalloc((4 * length) + 2, GFP_KERNEL); + if (tcon->nativeFileSystem) + cifs_strfromUCS_le( + tcon->nativeFileSystem, + (__le16 *) bcc_ptr, + length, nls_codepage); +- bcc_ptr += 2 * length; +- bcc_ptr[0] = 0; /* null terminate the string */ +- bcc_ptr[1] = 0; +- bcc_ptr += 2; ++ bcc_ptr += (2 * length) + 2; + } + /* else do not bother copying these information fields*/ + } else {