Author: dannf
Date: Thu Aug 17 01:15:39 2006
New Revision: 7171

Added:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/223_nfs-handle-long-symlinks.diff
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge4
Modified:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
Log: * 223_nfs-handle-long-symlinks.diff [SECURITY] Fix buffer overflow in NFS readline handling that allows a remote server to cause a denial of service (crash) via a long symlink Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog ============================================================================== --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Thu Aug 17 01:15:39 2006 @@ -1,3 +1,11 @@ +kernel-source-2.4.27 (2.4.27-10sarge4) UNRELEASED; urgency=high + + * 223_nfs-handle-long-symlinks.diff + [SECURITY] Fix buffer overflow in NFS readline handling that allows a + remote server to cause a denial of service (crash) via a long symlink + + -- dann frazier <[EMAIL PROTECTED]> Wed, 16 Aug 2006 19:13:03 -0600 + kernel-source-2.4.27 (2.4.27-10sarge3) stable-security; urgency=high * 207_smbfs-chroot-escape.diff Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/223_nfs-handle-long-symlinks.diff ============================================================================== --- (empty file) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/223_nfs-handle-long-symlinks.diff Thu Aug 17 01:15:39 2006 
@@ -0,0 +1,46 @@ +From: Assar <[EMAIL PROTECTED]> +Date: Wed, 14 Sep 2005 20:59:25 +0000 (-0400) +Subject: [PATCH] nfs client: handle long symlinks properly +X-Git-Tag: v2.4.32-rc1 +X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commitdiff;h=87e03738fc15dc3ea4acde3a5dcb5f84b6b6152b + +[PATCH] nfs client: handle long symlinks properly + +In 2.4.31, the v2/3 nfs readlink accepts too long symlinks. +I have tested this by having a server return long symlinks. + +diff -u linux-2.4.31.orig/fs/nfs/nfs2xdr.c linux-2.4.31/fs/nfs/nfs2xdr.c +--- + +--- a/fs/nfs/nfs2xdr.c ++++ b/fs/nfs/nfs2xdr.c +@@ -571,8 +571,11 @@ nfs_xdr_readlinkres(struct rpc_rqst *req + strlen = (u32*)kmap(rcvbuf->pages[0]); + /* Convert length of symlink */ + len = ntohl(*strlen); +- if (len > rcvbuf->page_len) +- len = rcvbuf->page_len; ++ if (len >= rcvbuf->page_len - sizeof(u32) || len > NFS2_MAXPATHLEN) { ++ printk(KERN_WARNING "NFS: server returned giant symlink!\n"); ++ kunmap(rcvbuf->pages[0]); ++ return -ENAMETOOLONG; ++ } + *strlen = len; + /* NULL terminate the string we got */ + string = (char *)(strlen + 1); +--- a/fs/nfs/nfs3xdr.c ++++ b/fs/nfs/nfs3xdr.c +@@ -759,8 +759,11 @@ nfs3_xdr_readlinkres(struct rpc_rqst *re + strlen = (u32*)kmap(rcvbuf->pages[0]); + /* Convert length of symlink */ + len = ntohl(*strlen); +- if (len > rcvbuf->page_len) +- len = rcvbuf->page_len; ++ if (len >= rcvbuf->page_len - sizeof(u32)) { ++ printk(KERN_WARNING "NFS: server returned giant symlink!\n"); ++ kunmap(rcvbuf->pages[0]); ++ return -ENAMETOOLONG; ++ } + *strlen = len; + /* NULL terminate the string we got */ + string = (char *)(strlen + 1); Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge4 ============================================================================== --- (empty file) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge4 Thu Aug 17 
01:15:39 2006 @@ -0,0 +1 @@ ++ 223_nfs-handle-long-symlinks.diff
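Review bot: The debian/changelog hunk describes the bug as being in "NFS readline handling", but the patch it refers to changes nfs_xdr_readlinkres and nfs3_xdr_readlinkres and its own description says "nfs readlink", so the entry should read "readlink". The entry is tagged [SECURITY] but carries no advisory or CVE reference; if one has been assigned, adding it to this entry would make the fix traceable from the changelog alone.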
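Review bot: In the fs/nfs/nfs2xdr.c hunk, the new printk(KERN_WARNING "NFS: server returned giant symlink!\n") is reached purely on a length field supplied by the server and is not rate-limited, so a server that keeps returning oversized READLINK replies can fill the client's kernel log. Consider rate-limiting the message, and including the offending len in it so the warning is useful when triaging. The same applies to the identical printk in the fs/nfs/nfs3xdr.c hunk.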
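Review bot: In the fs/nfs/nfs3xdr.c hunk, the only guard is "len >= rcvbuf->page_len - sizeof(u32)", with no protocol-level cap like the "len > NFS2_MAXPATHLEN" test added in the v2 hunk. Because sizeof yields an unsigned type, the subtraction wraps to a very large value if page_len is ever smaller than sizeof(u32), and in that case the comparison would not reject any len. Suggest checking page_len against sizeof(u32) explicitly before subtracting, and adding a v3 path-length limit (for example NFS3_MAXPATHLEN, if this tree defines it) so both decoders bound the length the same way.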

