Linux 2.6.25.5

diff --git a/releases/2.6.25.5/asn1-additional-sanity-checking-during-ber-decoding.patch b/releases/2.6.25.5/asn1-additional-sanity-checking-during-ber-decoding.patch
new file mode 100644 (file)
index 0000000..14f6740
--- /dev/null
+++ b/releases/2.6.25.5/asn1-additional-sanity-checking-during-ber-decoding.patch
@@ -0,0 +1,104 @@
+From ddb2c43594f22843e9f3153da151deaba1a834c5 Mon Sep 17 00:00:00 2001
+From: Chris Wright <chrisw@sous-sol.org>
+Date: Wed, 4 Jun 2008 09:16:33 -0700
+Subject: asn1: additional sanity checking during BER decoding (CVE-2008-1673)
+
+From: Chris Wright <chrisw@sous-sol.org>
+
+upstream commit: ddb2c43594f22843e9f3153da151deaba1a834c5
+
+- Don't trust a length which is greater than the working buffer.
+  An invalid length could cause overflow when calculating buffer size
+  for decoding oid.
+
+- An oid length of zero is invalid and allows for an off-by-one error when
+  decoding oid because the first subid actually encodes first 2 subids.
+
+- A primitive encoding may not have an indefinite length.
+
+Thanks to Wei Wang from McAfee for report.
+
+Cc: Steven French <sfrench@us.ibm.com>
+Cc: stable@kernel.org
+Acked-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ fs/cifs/asn1.c                         |   14 ++++++++++++++
+ net/ipv4/netfilter/nf_nat_snmp_basic.c |   14 ++++++++++++++
+ 2 files changed, 28 insertions(+)
+
+--- a/fs/cifs/asn1.c
++++ b/fs/cifs/asn1.c
+@@ -186,6 +186,11 @@ asn1_length_decode(struct asn1_ctx *ctx,
+                       }
+               }
+       }
++
++      /* don't trust len bigger than ctx buffer */
++      if (*len > ctx->end - ctx->pointer)
++              return 0;
++
+       return 1;
+ }
+ 
+@@ -203,6 +208,10 @@ asn1_header_decode(struct asn1_ctx *ctx,
+       if (!asn1_length_decode(ctx, &def, &len))
+               return 0;
+ 
++      /* primitive shall be definite, indefinite shall be constructed */
++      if (*con == ASN1_PRI && !def)
++              return 0;
++
+       if (def)
+               *eoc = ctx->pointer + len;
+       else
+@@ -389,6 +398,11 @@ asn1_oid_decode(struct asn1_ctx *ctx,
+       unsigned long *optr;
+ 
+       size = eoc - ctx->pointer + 1;
++
++      /* first subid actually encodes first two subids */
++      if (size < 2 || size > ULONG_MAX/sizeof(unsigned long))
++              return 0;
++
+       *oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC);
+       if (*oid == NULL)
+               return 0;
+--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
++++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
+@@ -231,6 +231,11 @@ static unsigned char asn1_length_decode(
+                       }
+               }
+       }
++
++      /* don't trust len bigger than ctx buffer */
++      if (*len > ctx->end - ctx->pointer)
++              return 0;
++
+       return 1;
+ }
+ 
+@@ -249,6 +254,10 @@ static unsigned char asn1_header_decode(
+       if (!asn1_length_decode(ctx, &def, &len))
+               return 0;
+ 
++      /* primitive shall be definite, indefinite shall be constructed */
++      if (*con == ASN1_PRI && !def)
++              return 0;
++
+       if (def)
+               *eoc = ctx->pointer + len;
+       else
+@@ -433,6 +442,11 @@ static unsigned char asn1_oid_decode(str
+       unsigned long *optr;
+ 
+       size = eoc - ctx->pointer + 1;
++
++      /* first subid actually encodes first two subids */
++      if (size < 2 || size > ULONG_MAX/sizeof(unsigned long))
++              return 0;
++
+       *oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC);
+       if (*oid == NULL) {
+               if (net_ratelimit())

diff --git a/releases/2.6.25.5/series b/releases/2.6.25.5/series
new file mode 100644 (file)
index 0000000..05e7044
--- /dev/null
+++ b/releases/2.6.25.5/series
@@ -0,0 +1 @@
+asn1-additional-sanity-checking-during-ber-decoding.patch