fix Linux kernel buffer overflow in CIFS
authorNicolas Thill <nico@openwrt.org>
Sun, 3 May 2009 01:01:44 +0000 (01:01 +0000)
committerNicolas Thill <nico@openwrt.org>
Sun, 3 May 2009 01:01:44 +0000 (01:01 +0000)
SVN-Revision: 15568

target/linux/generic-2.6/patches-2.6.24/994-cve-2009-1439.patch [new file with mode: 0644]
target/linux/generic-2.6/patches-2.6.25/994-cve-2009-1439.patch [new file with mode: 0644]
target/linux/generic-2.6/patches-2.6.26/994-cve-2009-1439.patch [new file with mode: 0644]

diff --git a/target/linux/generic-2.6/patches-2.6.24/994-cve-2009-1439.patch b/target/linux/generic-2.6/patches-2.6.24/994-cve-2009-1439.patch
new file mode 100644 (file)
index 0000000..6031efa
--- /dev/null
@@ -0,0 +1,23 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1439
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -3421,16 +3421,13 @@ CIFSTCon(unsigned int xid, struct cifsSe
+                           BCC(smb_buffer_response)) {
+                               kfree(tcon->nativeFileSystem);
+                               tcon->nativeFileSystem =
+-                                  kzalloc(length + 2, GFP_KERNEL);
++                                  kzalloc((4 * length) + 2, GFP_KERNEL);
+                               if (tcon->nativeFileSystem)
+                                       cifs_strfromUCS_le(
+                                               tcon->nativeFileSystem,
+                                               (__le16 *) bcc_ptr,
+                                               length, nls_codepage);
+-                              bcc_ptr += 2 * length;
+-                              bcc_ptr[0] = 0; /* null terminate the string */
+-                              bcc_ptr[1] = 0;
+-                              bcc_ptr += 2;
++                              bcc_ptr += (2 * length) + 2;
+                       }
+                       /* else do not bother copying these information fields*/
+               } else {
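Review bot: The `(4 * length) + 2` size on the new kzalloc line is a heuristic upper bound rather than one derived from the conversion: `cifs_strfromUCS_le` is called with `nls_codepage` and turns each `__le16` unit into bytes of the local codepage, whose per-character output can, as I recall, be larger than 4 bytes in principle (NLS_MAX_CHARSET_SIZE), so the bound holds for UTF-8 (at most 3 bytes per BMP code point) but is not tied to the codepage actually in use. It deserves a comment at the allocation, e.g. `/* each UCS-2 unit may expand to several bytes in the local codepage; 4x covers UTF-8 */`, and ideally a follow-up that sizes the buffer from the converter's returned length instead of guessing. The enclosing CIFSTCon function begins and ends outside the hunk, and the BCC comparison that bounds `length` is only partly visible on the first context line.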
diff --git a/target/linux/generic-2.6/patches-2.6.25/994-cve-2009-1439.patch b/target/linux/generic-2.6/patches-2.6.25/994-cve-2009-1439.patch
new file mode 100644 (file)
index 0000000..0e9a94e
--- /dev/null
@@ -0,0 +1,23 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1439
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -3467,16 +3467,13 @@ CIFSTCon(unsigned int xid, struct cifsSe
+                           BCC(smb_buffer_response)) {
+                               kfree(tcon->nativeFileSystem);
+                               tcon->nativeFileSystem =
+-                                  kzalloc(length + 2, GFP_KERNEL);
++                                  kzalloc((4 * length) + 2, GFP_KERNEL);
+                               if (tcon->nativeFileSystem)
+                                       cifs_strfromUCS_le(
+                                               tcon->nativeFileSystem,
+                                               (__le16 *) bcc_ptr,
+                                               length, nls_codepage);
+-                              bcc_ptr += 2 * length;
+-                              bcc_ptr[0] = 0; /* null terminate the string */
+-                              bcc_ptr[1] = 0;
+-                              bcc_ptr += 2;
++                              bcc_ptr += (2 * length) + 2;
+                       }
+                       /* else do not bother copying these information fields*/
+               } else {
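Review bot: The patch file carries only the CVE URL as its header; a security backport in the tree should also say what the bug is and where the fix comes from, so whoever rebases the 2.6.25 patch set later can verify it against upstream rather than re-deriving it. Suggested header text after the URL: `Backport of the upstream CIFS fix: nativeFileSystem was allocated at one byte per UCS-2 character, but the codepage conversion can emit several bytes per character, so a long server-supplied name could overflow the heap allocation.` Citing the upstream commit it was taken from would be better still, but it is not visible here and I cannot supply it. CIFSTCon begins and ends outside the hunk.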
diff --git a/target/linux/generic-2.6/patches-2.6.26/994-cve-2009-1439.patch b/target/linux/generic-2.6/patches-2.6.26/994-cve-2009-1439.patch
new file mode 100644 (file)
index 0000000..044100f
--- /dev/null
@@ -0,0 +1,23 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1439
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -3466,16 +3466,13 @@ CIFSTCon(unsigned int xid, struct cifsSe
+                           BCC(smb_buffer_response)) {
+                               kfree(tcon->nativeFileSystem);
+                               tcon->nativeFileSystem =
+-                                  kzalloc(length + 2, GFP_KERNEL);
++                                  kzalloc((4 * length) + 2, GFP_KERNEL);
+                               if (tcon->nativeFileSystem)
+                                       cifs_strfromUCS_le(
+                                               tcon->nativeFileSystem,
+                                               (__le16 *) bcc_ptr,
+                                               length, nls_codepage);
+-                              bcc_ptr += 2 * length;
+-                              bcc_ptr[0] = 0; /* null terminate the string */
+-                              bcc_ptr[1] = 0;
+-                              bcc_ptr += 2;
++                              bcc_ptr += (2 * length) + 2;
+                       }
+                       /* else do not bother copying these information fields*/
+               } else {
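Review bot: The safety of the new kzalloc size still rests on `length` being bounded before this point, which the hunk does not show: the `BCC(smb_buffer_response))` on the first context line is the tail of that check, and `(4 * length) + 2` is only a safe allocation size if `length` is already clamped against the response's byte count. Please confirm in the 2.6.26 source that the surrounding condition still compares `2 * length` against the BCC and that `length` comes from a bounded scan of `bcc_ptr`, since patch verifies only the three context lines and applies the rest by offset. The dropped `bcc_ptr[0] = 0; bcc_ptr[1] = 0;` writes into the response buffer are dispensable only if the converter terminates its own output, which is the case for `cifs_strfromUCS_le` as I recall but is not visible here. CIFSTCon begins and ends outside the hunk.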