--- /dev/null
+From 4906e50b37e6f6c264e7ee4237343eb2b7f8d16d Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky <piastry@etersoft.ru>
+Date: Thu, 14 Apr 2011 22:00:56 +0400
+Subject: CIFS: Fix memory over bound bug in cifs_parse_mount_options
+
+From: Pavel Shilovsky <piastry@etersoft.ru>
+
+commit 4906e50b37e6f6c264e7ee4237343eb2b7f8d16d upstream.
+
+While password processing we can get out of options array bound if
+the next character after array is delimiter. The patch adds a check
+if we reach the end.
+
+Signed-off-by: Pavel Shilovsky <piastry@etersoft.ru>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/cifs/connect.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -822,8 +822,7 @@ static int
+ cifs_parse_mount_options(char *options, const char *devname,
+ struct smb_vol *vol)
+ {
+- char *value;
+- char *data;
++ char *value, *data, *end;
+ unsigned int temp_len, i, j;
+ char separator[2];
+ short int override_uid = -1;
+@@ -866,6 +865,7 @@ cifs_parse_mount_options(char *options,
+ if (!options)
+ return 1;
+
++ end = options + strlen(options);
+ if (strncmp(options, "sep=", 4) == 0) {
+ if (options[4] != 0) {
+ separator[0] = options[4];
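Review bot: The new `end` pointer is assigned without a comment, and its only use is far below in the password branch, so a reader of this hunk cannot tell what invariant it carries. It is captured before the `sep=` handling, which suggests it is meant to mark the terminator of the original option string before later parsing rewrites it. Saying so at the assignment would guard against someone moving the line, e.g. `/* terminator of the original option string; bounds the password look-ahead below */`. cifs_parse_mount_options starts and ends outside this hunk, so the tokenising code is not visible here.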
+@@ -930,6 +930,7 @@ cifs_parse_mount_options(char *options,
+ the only illegal character in a password is null */
+
+ if ((value[temp_len] == 0) &&
++ (value + temp_len < end) &&
+ (value[temp_len+1] == separator[0])) {
+ /* reinsert comma */
+ value[temp_len] = separator[0];
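Review bot: The added bound `(value + temp_len < end)` is what keeps `value[temp_len+1]` inside the option string, but the comment above the condition still only says that NUL is illegal in a password. With the guard, the look-ahead reads at most the byte at `end`, which is the original terminator as long as `end` was taken from the unmodified string. Placing the bound first would make the ordering self-evident, `if ((value + temp_len < end) && (value[temp_len] == 0) &&`, and a short comment such as `/* a NUL at end is the real terminator, not a replaced separator */` would record why. The rest of the branch lies outside the hunk, so any further `temp_len + 1` look-aheads there should be checked against `end` as well.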
--- /dev/null
+From a294865978b701e4d0d90135672749531b9a900d Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Fri, 6 May 2011 03:27:18 +0000
+Subject: dccp: handle invalid feature options length
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit a294865978b701e4d0d90135672749531b9a900d upstream.
+
+A length of zero (after subtracting two for the type and len fields) for
+the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to
+the subtraction. The subsequent code may read past the end of the
+options value buffer when parsing. I'm unsure of what the consequences
+of this might be, but it's probably not good.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Acked-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/dccp/options.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/dccp/options.c
++++ b/net/dccp/options.c
+@@ -123,6 +123,8 @@ int dccp_parse_options(struct sock *sk,
+ case DCCPO_CHANGE_L ... DCCPO_CONFIRM_R:
+ if (pkt_type == DCCP_PKT_DATA) /* RFC 4340, 6 */
+ break;
++ if (len == 0)
++ goto out_invalid_option;
+ rc = dccp_feat_parse_options(sk, dreq, mandatory, opt,
+ *value, value + 1, len - 1);
+ if (rc)
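Review bot: The new `len == 0` test covers the underflow in `len - 1`, but a `len` of 1 still reaches `dccp_feat_parse_options()` with `value + 1` and a length of zero, and whether the callee accepts an empty value list is not visible in this hunk. The check also sits after the `DCCP_PKT_DATA` break, so a zero-length feature option on a Data packet is skipped rather than rejected; that looks intentional given the RFC reference, but it is worth stating. A comment would make the requirement explicit, for example `/* need at least one byte: *value is read and len - 1 is passed on */`. dccp_parse_options continues beyond both ends of the hunk.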