From 3796417303b19eab15f7e47f746042a37d2fcb61 Mon Sep 17 00:00:00 2001
From: Nicolas Thill <nico@openwrt.org>
Date: Sun, 3 May 2009 01:01:44 +0000
Subject: [PATCH] [8.09] [CVE-2009-1439] fix Linux kernel buffer overflow in
 CIFS

SVN-Revision: 15568
---
 .../patches-2.6.24/994-cve-2009-1439.patch    | 23 +++++++++++++++++++
 .../patches-2.6.25/994-cve-2009-1439.patch    | 23 +++++++++++++++++++
 .../patches-2.6.26/994-cve-2009-1439.patch    | 23 +++++++++++++++++++
 3 files changed, 69 insertions(+)
 create mode 100644 target/linux/generic-2.6/patches-2.6.24/994-cve-2009-1439.patch
 create mode 100644 target/linux/generic-2.6/patches-2.6.25/994-cve-2009-1439.patch
 create mode 100644 target/linux/generic-2.6/patches-2.6.26/994-cve-2009-1439.patch

diff --git a/target/linux/generic-2.6/patches-2.6.24/994-cve-2009-1439.patch b/target/linux/generic-2.6/patches-2.6.24/994-cve-2009-1439.patch
new file mode 100644
index 0000000000..6031efa24f
--- /dev/null
+++ b/target/linux/generic-2.6/patches-2.6.24/994-cve-2009-1439.patch
@@ -0,0 +1,23 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1439
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -3421,16 +3421,13 @@ CIFSTCon(unsigned int xid, struct cifsSe
+ 			    BCC(smb_buffer_response)) {
+ 				kfree(tcon->nativeFileSystem);
+ 				tcon->nativeFileSystem =
+-				    kzalloc(length + 2, GFP_KERNEL);
++				    kzalloc((4 * length) + 2, GFP_KERNEL);
+ 				if (tcon->nativeFileSystem)
+ 					cifs_strfromUCS_le(
+ 						tcon->nativeFileSystem,
+ 						(__le16 *) bcc_ptr,
+ 						length, nls_codepage);
+-				bcc_ptr += 2 * length;
+-				bcc_ptr[0] = 0;	/* null terminate the string */
+-				bcc_ptr[1] = 0;
+-				bcc_ptr += 2;
++				bcc_ptr += (2 * length) + 2;
+ 			}
+ 			/* else do not bother copying these information fields*/
+ 		} else {
diff --git a/target/linux/generic-2.6/patches-2.6.25/994-cve-2009-1439.patch b/target/linux/generic-2.6/patches-2.6.25/994-cve-2009-1439.patch
new file mode 100644
index 0000000000..0e9a94eee7
--- /dev/null
+++ b/target/linux/generic-2.6/patches-2.6.25/994-cve-2009-1439.patch
@@ -0,0 +1,23 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1439
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -3467,16 +3467,13 @@ CIFSTCon(unsigned int xid, struct cifsSe
+ 			    BCC(smb_buffer_response)) {
+ 				kfree(tcon->nativeFileSystem);
+ 				tcon->nativeFileSystem =
+-				    kzalloc(length + 2, GFP_KERNEL);
++				    kzalloc((4 * length) + 2, GFP_KERNEL);
+ 				if (tcon->nativeFileSystem)
+ 					cifs_strfromUCS_le(
+ 						tcon->nativeFileSystem,
+ 						(__le16 *) bcc_ptr,
+ 						length, nls_codepage);
+-				bcc_ptr += 2 * length;
+-				bcc_ptr[0] = 0;	/* null terminate the string */
+-				bcc_ptr[1] = 0;
+-				bcc_ptr += 2;
++				bcc_ptr += (2 * length) + 2;
+ 			}
+ 			/* else do not bother copying these information fields*/
+ 		} else {
diff --git a/target/linux/generic-2.6/patches-2.6.26/994-cve-2009-1439.patch b/target/linux/generic-2.6/patches-2.6.26/994-cve-2009-1439.patch
new file mode 100644
index 0000000000..044100f932
--- /dev/null
+++ b/target/linux/generic-2.6/patches-2.6.26/994-cve-2009-1439.patch
@@ -0,0 +1,23 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1439
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -3466,16 +3466,13 @@ CIFSTCon(unsigned int xid, struct cifsSe
+ 			    BCC(smb_buffer_response)) {
+ 				kfree(tcon->nativeFileSystem);
+ 				tcon->nativeFileSystem =
+-				    kzalloc(length + 2, GFP_KERNEL);
++				    kzalloc((4 * length) + 2, GFP_KERNEL);
+ 				if (tcon->nativeFileSystem)
+ 					cifs_strfromUCS_le(
+ 						tcon->nativeFileSystem,
+ 						(__le16 *) bcc_ptr,
+ 						length, nls_codepage);
+-				bcc_ptr += 2 * length;
+-				bcc_ptr[0] = 0;	/* null terminate the string */
+-				bcc_ptr[1] = 0;
+-				bcc_ptr += 2;
++				bcc_ptr += (2 * length) + 2;
+ 			}
+ 			/* else do not bother copying these information fields*/
+ 		} else {
-- 
2.30.2