Re: Linux 2.6.25.5

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

To: <linux-kernel@...>, Andrew Morton <akpm@...>, <torvalds@...>, <stable@...>

Date: Friday, June 6, 2008 - 7:27 pm

diff --git a/Makefile b/Makefile
index d921f0b..c5208db 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
 VERSION = 2
 PATCHLEVEL = 6
 SUBLEVEL = 25
-EXTRAVERSION = .4
+EXTRAVERSION = .5
 NAME = Funky Weasel is Jiggy wit it
 
 # *DOCUMENTATION*
diff --git a/fs/cifs/asn1.c b/fs/cifs/asn1.c
index bcda2c6..5dbba89 100644
--- a/fs/cifs/asn1.c
+++ b/fs/cifs/asn1.c
@@ -186,6 +186,11 @@ asn1_length_decode(struct asn1_ctx *ctx, unsigned int *def, unsigned int *len)
 			}
 		}
 	}
+
+	/* don't trust len bigger than ctx buffer */
+	if (*len > ctx->end - ctx->pointer)
+		return 0;
+
 	return 1;
 }
 
@@ -203,6 +208,10 @@ asn1_header_decode(struct asn1_ctx *ctx,
 	if (!asn1_length_decode(ctx, &def, &len))
 		return 0;
 
+	/* primitive shall be definite, indefinite shall be constructed */
+	if (*con == ASN1_PRI && !def)
+		return 0;
+
 	if (def)
 		*eoc = ctx->pointer + len;
 	else
@@ -389,6 +398,11 @@ asn1_oid_decode(struct asn1_ctx *ctx,
 	unsigned long *optr;
 
 	size = eoc - ctx->pointer + 1;
+
+	/* first subid actually encodes first two subids */
+	if (size < 2 || size > ULONG_MAX/sizeof(unsigned long))
+		return 0;
+
 	*oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC);
 	if (*oid == NULL)
 		return 0;
diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
index 540ce6a..5f35f0b 100644
--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
@@ -231,6 +231,11 @@ static unsigned char asn1_length_decode(struct asn1_ctx *ctx,
 			}
 		}
 	}
+
+	/* don't trust len bigger than ctx buffer */
+	if (*len > ctx->end - ctx->pointer)
+		return 0;
+
 	return 1;
 }
 
@@ -249,6 +254,10 @@ static unsigned char asn1_header_decode(struct asn1_ctx *ctx,
 	if (!asn1_length_decode(ctx, &def, &len))
 		return 0;
 
+	/* primitive shall be definite, indefinite shall be constructed */
+	if (*con == ASN1_PRI && !def)
+		return 0;
+
 	if (def)
 		*eoc = ctx->pointer + len;
 	else
@@ -433,6 +442,11 @@ static unsigned char asn1_oid_decode(struct asn1_ctx *ctx,
 	unsigned long *optr;
 
 	size = eoc - ctx->pointer + 1;
+
+	/* first subid actually encodes first two subids */
+	if (size < 2 || size > ULONG_MAX/sizeof(unsigned long))
+		return 0;
+
 	*oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC);
 	if (*oid == NULL) {
 		if (net_ratelimit())
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Linux 2.6.25.5, Chris Wright, (Fri Jun 6, 7:26 pm)

Re: Linux 2.6.25.5, Chris Wright, (Fri Jun 6, 7:27 pm)


linux-kernel:
Linus Torvalds	Linux 2.6.21-rc4
Jens Axboe	[PATCH 0/8] IO queuing and complete affinity
Nicholas A. Bellinger	Re: Integration of SCST in the mainstream Linux kernel
Robin Lee Powell	NFS hang + umount -f: better behaviour requested.
git:

linux-netdev:
David Miller	Re: [PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Ingo Molnar	Re: [crash] BUG: unable to handle kernel NULL pointer dereference at 0000000000000...
Gerrit Renker	[PATCH 19/37] dccp: Header option insertion routine for feature-negotiation
Gary Thomas	Marvell 88E609x switch?
linux-fsdevel:
Jamie Lokier	Re: silent semantic changes with reiser4
Jan Kara	[PATCH 10/16] ext4: Remove syncing logic from ext4_file_write
Jack Stone	Re: Versioning file system
Jens Axboe	[PATCH 8/8] vm: Add an tuning knob for vm.max_writeback_pages