
Contents of /genpatches-2.6/trunk/2.6.32/1505_econet-null-ptr-dereference.patch



Revision 1839 - (show annotations) (download)
Thu Dec 9 00:35:49 2010 UTC (7 years, 10 months ago) by asn
File size: 1911 byte(s)
CVE-2010-3850, CVE-2010-3849, CVE-2010-4258
1 From fa0e846494792e722d817b9d3d625a4ef4896c96 Mon Sep 17 00:00:00 2001
2 From: Phil Blundell <philb@gnu.org>
3 Date: Wed, 24 Nov 2010 11:49:19 -0800
4 Subject: [PATCH] econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849
5
6 Later parts of econet_sendmsg() rely on saddr != NULL, so return early
7 with EINVAL if NULL was passed otherwise an oops may occur.
8
9 Signed-off-by: Phil Blundell <philb@gnu.org>
10 Signed-off-by: David S. Miller <davem@davemloft.net>
11 ---
12 net/econet/af_econet.c | 26 ++++++++------------------
13 1 files changed, 8 insertions(+), 18 deletions(-)
14
15 Index: linux-2.6.36-gentoo-r3/net/econet/af_econet.c
16 ===================================================================
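--- a/net/econet/af_econet.c
+++ b/net/econet/af_econet.c
@@ -297,23 +297,14 @@ static int econet_sendmsg(struct kiocb *
 
  mutex_lock(&econet_mutex);
 
- if (saddr == NULL) {
- struct econet_sock *eo = ec_sk(sk);
-
- addr.station = eo->station;
- addr.net = eo->net;
- port = eo->port;
- cb = eo->cb;
- } else {
- if (msg->msg_namelen < sizeof(struct sockaddr_ec)) {
- mutex_unlock(&econet_mutex);
- return -EINVAL;
- }
- addr.station = saddr->addr.station;
- addr.net = saddr->addr.net;
- port = saddr->port;
- cb = saddr->cb;
- }
+ if (saddr == NULL || msg->msg_namelen < sizeof(struct sockaddr_ec)) {
+ mutex_unlock(&econet_mutex);
+ return -EINVAL;
+ }
+ addr.station = saddr->addr.station;
+ addr.net = saddr->addr.net;
+ port = saddr->port;
+ cb = saddr->cb;
 
  /* Look for a device with the right network number. */
  dev = net2dev_map[addr.net];
@@ -351,7 +342,6 @@ static int econet_sendmsg(struct kiocb *
 
  eb = (struct ec_cb *)&skb->cb;
 
- /* BUG: saddr may be NULL */
  eb->cookie = saddr->cookie;
  eb->sec = *saddr;
  eb->sent = ec_tx_done;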
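Review bot: Nothing at the new guard records why a NULL `saddr` is rejected, even though the second hunk's `eb->cookie = saddr->cookie;` and `eb->sec = *saddr;` depend on it and the old `/* BUG: saddr may be NULL */` marker is removed. I would add `/* saddr must be non-NULL and msg_namelen >= sizeof(struct sockaddr_ec): saddr is dereferenced unconditionally when filling eb below (CVE-2010-3849). */` above the `if (saddr == NULL || msg->msg_namelen < sizeof(struct sockaddr_ec))` test, so that a later edit does not reintroduce a NULL path. The guard also drops the fallback that took station, net, port and cb from `ec_sk(sk)`, so a send without a destination address now returns -EINVAL; the commit message does not mention this, and it is presumably worth stating there or in the comment. `econet_sendmsg()` starts and ends outside both hunks, so other uses of `saddr` cannot be checked from here.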
