3.3-stable patches

added patches:
	hfsplus-fix-potential-buffer-overflows.patch

diff --git a/queue-3.3/hfsplus-fix-potential-buffer-overflows.patch b/queue-3.3/hfsplus-fix-potential-buffer-overflows.patch
new file mode 100644 (file)
index 0000000..81e2a57
--- /dev/null
+++ b/queue-3.3/hfsplus-fix-potential-buffer-overflows.patch
@@ -0,0 +1,74 @@
+From 6f24f892871acc47b40dd594c63606a17c714f77 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Fri, 4 May 2012 12:09:39 -0700
+Subject: hfsplus: Fix potential buffer overflows
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 6f24f892871acc47b40dd594c63606a17c714f77 upstream.
+
+Commit ec81aecb2966 ("hfs: fix a potential buffer overflow") fixed a few
+potential buffer overflows in the hfs filesystem.  But as Timo Warns
+pointed out, these changes also need to be made on the hfsplus
+filesystem as well.
+
+Reported-by: Timo Warns <warns@pre-sense.de>
+Acked-by: WANG Cong <amwang@redhat.com>
+Cc: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Cc: Miklos Szeredi <mszeredi@suse.cz>
+Cc: Sage Weil <sage@newdream.net>
+Cc: Eugene Teo <eteo@redhat.com>
+Cc: Roman Zippel <zippel@linux-m68k.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Dave Anderson <anderson@redhat.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+---
+ fs/hfsplus/catalog.c |    4 ++++
+ fs/hfsplus/dir.c     |   11 +++++++++++
+ 2 files changed, 15 insertions(+)
+
+--- a/fs/hfsplus/catalog.c
++++ b/fs/hfsplus/catalog.c
+@@ -366,6 +366,10 @@ int hfsplus_rename_cat(u32 cnid,
+       err = hfs_brec_find(&src_fd);
+       if (err)
+               goto out;
++      if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) {
++              err = -EIO;
++              goto out;
++      }
+ 
+       hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset,
+                               src_fd.entrylength);
+--- a/fs/hfsplus/dir.c
++++ b/fs/hfsplus/dir.c
+@@ -150,6 +150,11 @@ static int hfsplus_readdir(struct file *
+               filp->f_pos++;
+               /* fall through */
+       case 1:
++              if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
++                      err = -EIO;
++                      goto out;
++              }
++
+               hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
+                       fd.entrylength);
+               if (be16_to_cpu(entry.type) != HFSPLUS_FOLDER_THREAD) {
+@@ -181,6 +186,12 @@ static int hfsplus_readdir(struct file *
+                       err = -EIO;
+                       goto out;
+               }
++
++              if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
++                      err = -EIO;
++                      goto out;
++              }
++
+               hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
+                       fd.entrylength);
+               type = be16_to_cpu(entry.type);

diff --git a/queue-3.3/series b/queue-3.3/series
index bce1629cc4b5e335e7d01cb0051b6d5c318f89cd..502df7f93d1d2b64e653e696bea0223015f8e167 100644 (file)
--- a/queue-3.3/series
+++ b/queue-3.3/series
@@ -73,3 +73,4 @@ iwlwifi-do-not-nulify-ctx-vif-on-reset.patch
 iwlwifi-use-correct-released-ucode-version.patch
 iwlwifi-fix-hardware-queue-programming.patch
 iwlwifi-use-6000g2b-for-6030-device-series.patch
+hfsplus-fix-potential-buffer-overflows.patch

diff --git a/queue-3.3/usb-gadget-storage-gadgets-send-wrong-error-code-for-unknown-commands.patch b/queue-3.3/usb-gadget-storage-gadgets-send-wrong-error-code-for-unknown-commands.patch
index d209d9d303f5abbdc761d28b38a8b09f1e867d1c..69a869ddf6decefdb535fab2fdd6b197121a8383 100644 (file)
--- a/queue-3.3/usb-gadget-storage-gadgets-send-wrong-error-code-for-unknown-commands.patch
+++ b/queue-3.3/usb-gadget-storage-gadgets-send-wrong-error-code-for-unknown-commands.patch
@@ -17,7 +17,7 @@ are nonzero.  All the bits in the mask should be set, not just eight
 of them.
 
 Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
-CC: <Michal Nazarewicz <mina86@mina86.com>
+CC: Michal Nazarewicz <mina86@mina86.com>
 Signed-off-by: Felipe Balbi <balbi@ti.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>