Annotation of /trunk/kernel26-magellan/patches-2.6.25-r4/0104-2.6.25.5-all-fixes.patch
Parent Directory
| 
Revision Log
Revision 664 -
(hide annotations)
(download)
Thu Jul 10 13:03:47 2008 UTC (15 years, 10 months ago) by niro
File size: 2084 byte(s)
Thu Jul 10 13:03:47 2008 UTC (15 years, 10 months ago) by niro
File size: 2084 byte(s)
-2.6.25-magellan-r4; updated to linux-2.6.25.10
| 1 | niro | 664 | diff --git a/fs/cifs/asn1.c b/fs/cifs/asn1.c |
| 2 | index bcda2c6..5dbba89 100644 | ||
| 3 | --- a/fs/cifs/asn1.c | ||
| 4 | +++ b/fs/cifs/asn1.c | ||
| 5 | @@ -186,6 +186,11 @@ asn1_length_decode(struct asn1_ctx *ctx, unsigned int *def, unsigned int *len) | ||
| 6 | } | ||
| 7 | } | ||
| 8 | } | ||
| 9 | + | ||
| 10 | + /* don't trust len bigger than ctx buffer */ | ||
| 11 | + if (*len > ctx->end - ctx->pointer) | ||
| 12 | + return 0; | ||
| 13 | + | ||
| 14 | return 1; | ||
| 15 | } | ||
| 16 | |||
| 17 | @@ -203,6 +208,10 @@ asn1_header_decode(struct asn1_ctx *ctx, | ||
| 18 | if (!asn1_length_decode(ctx, &def, &len)) | ||
| 19 | return 0; | ||
| 20 | |||
| 21 | + /* primitive shall be definite, indefinite shall be constructed */ | ||
| 22 | + if (*con == ASN1_PRI && !def) | ||
| 23 | + return 0; | ||
| 24 | + | ||
| 25 | if (def) | ||
| 26 | *eoc = ctx->pointer + len; | ||
| 27 | else | ||
| 28 | @@ -389,6 +398,11 @@ asn1_oid_decode(struct asn1_ctx *ctx, | ||
| 29 | unsigned long *optr; | ||
| 30 | |||
| 31 | size = eoc - ctx->pointer + 1; | ||
| 32 | + | ||
| 33 | + /* first subid actually encodes first two subids */ | ||
| 34 | + if (size < 2 || size > ULONG_MAX/sizeof(unsigned long)) | ||
| 35 | + return 0; | ||
| 36 | + | ||
| 37 | *oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC); | ||
| 38 | if (*oid == NULL) | ||
| 39 | return 0; | ||
| 40 | diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c | ||
| 41 | index 540ce6a..5f35f0b 100644 | ||
| 42 | --- a/net/ipv4/netfilter/nf_nat_snmp_basic.c | ||
| 43 | +++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c | ||
| 44 | @@ -231,6 +231,11 @@ static unsigned char asn1_length_decode(struct asn1_ctx *ctx, | ||
| 45 | } | ||
| 46 | } | ||
| 47 | } | ||
| 48 | + | ||
| 49 | + /* don't trust len bigger than ctx buffer */ | ||
| 50 | + if (*len > ctx->end - ctx->pointer) | ||
| 51 | + return 0; | ||
| 52 | + | ||
| 53 | return 1; | ||
| 54 | } | ||
| 55 | |||
| 56 | @@ -249,6 +254,10 @@ static unsigned char asn1_header_decode(struct asn1_ctx *ctx, | ||
| 57 | if (!asn1_length_decode(ctx, &def, &len)) | ||
| 58 | return 0; | ||
| 59 | |||
| 60 | + /* primitive shall be definite, indefinite shall be constructed */ | ||
| 61 | + if (*con == ASN1_PRI && !def) | ||
| 62 | + return 0; | ||
| 63 | + | ||
| 64 | if (def) | ||
| 65 | *eoc = ctx->pointer + len; | ||
| 66 | else | ||
| 67 | @@ -433,6 +442,11 @@ static unsigned char asn1_oid_decode(struct asn1_ctx *ctx, | ||
| 68 | unsigned long *optr; | ||
| 69 | |||
| 70 | size = eoc - ctx->pointer + 1; | ||
| 71 | + | ||
| 72 | + /* first subid actually encodes first two subids */ | ||
| 73 | + if (size < 2 || size > ULONG_MAX/sizeof(unsigned long)) | ||
| 74 | + return 0; | ||
| 75 | + | ||
| 76 | *oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC); | ||
| 77 | if (*oid == NULL) { | ||
| 78 | if (net_ratelimit()) |