Annotation of /trunk/kernel26-magellan-server/patches-2.6.25-r5/0104-2.6.25.5-all-fixes.patch
Revision 677 -
Wed Sep 10 21:27:27 2008 UTC (16 years ago) by niro
File size: 2084 byte(s)
2.6.25-magellan-r5: - updated to linux-2.6.25.17
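diff --git a/fs/cifs/asn1.c b/fs/cifs/asn1.c
index bcda2c6..5dbba89 100644
--- a/fs/cifs/asn1.c
+++ b/fs/cifs/asn1.c
@@ -186,6 +186,11 @@ asn1_length_decode(struct asn1_ctx *ctx, unsigned int *def, unsigned int *len)
 }
 }
 }
+
+ /* don't trust len bigger than ctx buffer */
+ if (*len > ctx->end - ctx->pointer)
+ return 0;
+
 return 1;
 }
 
@@ -203,6 +208,10 @@ asn1_header_decode(struct asn1_ctx *ctx,
 if (!asn1_length_decode(ctx, &def, &len))
 return 0;
 
+ /* primitive shall be definite, indefinite shall be constructed */
+ if (*con == ASN1_PRI && !def)
+ return 0;
+
 if (def)
 *eoc = ctx->pointer + len;
 else
@@ -389,6 +398,11 @@ asn1_oid_decode(struct asn1_ctx *ctx,
 unsigned long *optr;
 
 size = eoc - ctx->pointer + 1;
+
+ /* first subid actually encodes first two subids */
+ if (size < 2 || size > ULONG_MAX/sizeof(unsigned long))
+ return 0;
+
 *oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC);
 if (*oid == NULL)
 return 0;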
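Review bot: The bound check added at the end of asn1_length_decode tests `*len` unconditionally, so it also runs when the length octet selected the indefinite form. The branches that assign `*def` and `*len` lie above the hunk, so this is inferred: if the indefinite branch only clears `*def`, the comparison reads whatever the caller left in its local `len` (passed as `&len` from asn1_header_decode), and a constructed indefinite-length element would be accepted or rejected depending on stack contents. Guarding the test with the form makes the result deterministic: `if (*def && *len > ctx->end - ctx->pointer)`. The same line is added to asn1_length_decode in net/ipv4/netfilter/nf_nat_snmp_basic.c and would take the same guard.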
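diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
index 540ce6a..5f35f0b 100644
--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
@@ -231,6 +231,11 @@ static unsigned char asn1_length_decode(struct asn1_ctx *ctx,
 }
 }
 }
+
+ /* don't trust len bigger than ctx buffer */
+ if (*len > ctx->end - ctx->pointer)
+ return 0;
+
 return 1;
 }
 
@@ -249,6 +254,10 @@ static unsigned char asn1_header_decode(struct asn1_ctx *ctx,
 if (!asn1_length_decode(ctx, &def, &len))
 return 0;
 
+ /* primitive shall be definite, indefinite shall be constructed */
+ if (*con == ASN1_PRI && !def)
+ return 0;
+
 if (def)
 *eoc = ctx->pointer + len;
 else
@@ -433,6 +442,11 @@ static unsigned char asn1_oid_decode(struct asn1_ctx *ctx,
 unsigned long *optr;
 
 size = eoc - ctx->pointer + 1;
+
+ /* first subid actually encodes first two subids */
+ if (size < 2 || size > ULONG_MAX/sizeof(unsigned long))
+ return 0;
+
 *oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC);
 if (*oid == NULL) {
 if (net_ratelimit())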
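Review bot: In the check added to asn1_length_decode, `*len > ctx->end - ctx->pointer` compares an unsigned length with a pointer difference, so its meaning depends on the width of `ptrdiff_t`. The parameter is declared `unsigned int *len` in the fs/cifs/asn1.c copy; the signature here is cut off in the hunk header. Where `ptrdiff_t` is no wider than `unsigned int`, the difference is converted to unsigned, and a cursor that had moved past `ctx->end` would yield a huge bound that every length passes; whether that state is reachable is not visible in this hunk. Stating the invariant in the test removes the dependence: `if (ctx->pointer > ctx->end || *len > (size_t)(ctx->end - ctx->pointer)) return 0;`. The identical line in fs/cifs/asn1.c would take the same change.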