[kernel] r14122 - in dists/etch/linux-2.6: . debian debian/patches/bugfix/all debian/patches/bugfix/all/CVE-2009-0029 debian/patches/series
Dann Frazier
dannf at alioth.debian.org
Sun Aug 16 19:41:24 UTC 2009
Author: dannf
Date: Sun Aug 16 19:41:22 2009
New Revision: 14122
Log:
merge 2.6.18.dfsg.1-24etch3
Added:
dists/etch/linux-2.6/debian/patches/bugfix/all/cifs-fix-oops-when-windows-server-sent-bad-domain-name-null-terminator.patch
- copied unchanged from r14121, releases/linux-2.6/2.6.18.dfsg.1-24etch3/debian/patches/bugfix/all/cifs-fix-oops-when-windows-server-sent-bad-domain-name-null-terminator.patch
dists/etch/linux-2.6/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch
- copied unchanged from r14121, releases/linux-2.6/2.6.18.dfsg.1-24etch3/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch
dists/etch/linux-2.6/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch
- copied unchanged from r14121, releases/linux-2.6/2.6.18.dfsg.1-24etch3/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch
dists/etch/linux-2.6/debian/patches/bugfix/all/e1000-add-missing-length-check-to-e1000-receive-routine.patch
- copied unchanged from r14121, releases/linux-2.6/2.6.18.dfsg.1-24etch3/debian/patches/bugfix/all/e1000-add-missing-length-check-to-e1000-receive-routine.patch
dists/etch/linux-2.6/debian/patches/bugfix/all/net-fix-possible-NULL-dereference-in-sock_sendpage.patch
- copied unchanged from r14121, releases/linux-2.6/2.6.18.dfsg.1-24etch3/debian/patches/bugfix/all/net-fix-possible-NULL-dereference-in-sock_sendpage.patch
dists/etch/linux-2.6/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch
- copied unchanged from r14121, releases/linux-2.6/2.6.18.dfsg.1-24etch3/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch
dists/etch/linux-2.6/debian/patches/bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch
- copied unchanged from r14121, releases/linux-2.6/2.6.18.dfsg.1-24etch3/debian/patches/bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch
dists/etch/linux-2.6/debian/patches/series/24etch3
- copied unchanged from r14121, releases/linux-2.6/2.6.18.dfsg.1-24etch3/debian/patches/series/24etch3
Modified:
dists/etch/linux-2.6/ (props changed)
dists/etch/linux-2.6/debian/changelog
dists/etch/linux-2.6/debian/patches/bugfix/all/CVE-2009-0029/ (props changed)
Modified: dists/etch/linux-2.6/debian/changelog
==============================================================================
--- dists/etch/linux-2.6/debian/changelog Sun Aug 16 19:38:32 2009 (r14121)
+++ dists/etch/linux-2.6/debian/changelog Sun Aug 16 19:41:22 2009 (r14122)
@@ -1,3 +1,9 @@
+linux-2.6 (2.6.18.dfsg.1-27) UNRELEASED; urgency=high
+
+ * Merge changes from 2.6.18.dfsg.1-24etch3
+
+ -- dann frazier <dannf at debian.org> Sun, 16 Aug 2009 13:40:08 -0600
+
linux-2.6 (2.6.18.dfsg.1-26) oldstable; urgency=high
* Merge changes from 2.6.18.dfsg.1-24etch2
@@ -14,6 +20,17 @@
-- dann fraizer <dannf at debian.org> Mon, 18 May 2009 23:52:52 -0600
+linux-2.6 (2.6.18.dfsg.1-24etch3) oldstable-security; urgency=high
+
+ * e1000: add missing length check to e1000 receive routine (CVE-2009-1385)
+ * r8169: fix crash when large packets are received (CVE-2009-1389)
+ * nfs4: fix MAY_EXEC handling (CVE-2009-1630)
+ * cifs: fix several string conversion issues (CVE-2009-1633)
+ * net: fix possible NULL dereference in sock_sendpage() (CVE-2009-2692)
+
+ -- dann frazier <dannf at debian.org> Sat, 15 Aug 2009 11:13:20 -0600
+
+>>>>>>> .merge-right.r14121
linux-2.6 (2.6.18.dfsg.1-24etch2) oldstable-security; urgency=high
* Fix mips FTBFS due to a missed rename of the mips-specific
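Review bot: the added line `+>>>>>>> .merge-right.r14121` after the 24etch3 entry's sign-off is a leftover Subversion merge-conflict marker committed into debian/changelog; dpkg-parsechangelog will choke on it, so drop that line before the -27 upload (the -27 entry is still marked UNRELEASED, so a follow-up commit can fix it). The unchanged context line `-- dann fraizer <dannf at debian.org>` in the -26 entry also misspells the maintainer's name.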
Copied: dists/etch/linux-2.6/debian/patches/bugfix/all/cifs-fix-oops-when-windows-server-sent-bad-domain-name-null-terminator.patch (from r14121, releases/linux-2.6/2.6.18.dfsg.1-24etch3/debian/patches/bugfix/all/cifs-fix-oops-when-windows-server-sent-bad-domain-name-null-terminator.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/cifs-fix-oops-when-windows-server-sent-bad-domain-name-null-terminator.patch Sun Aug 16 19:41:22 2009 (r14122, copy of r14121, releases/linux-2.6/2.6.18.dfsg.1-24etch3/debian/patches/bugfix/all/cifs-fix-oops-when-windows-server-sent-bad-domain-name-null-terminator.patch)
@@ -0,0 +1,42 @@
+commit 8e6f195af0e1f226e9b2e0256af8df46adb9d595
+Author: Steve French <sfrench at us.ibm.com>
+Date: Mon Jan 22 01:19:30 2007 +0000
+
+ [CIFS] Fix oops when Windows server sent bad domain name null terminator
+
+ Fixes RedHat bug 211672
+
+ Windows sends one byte (instead of two) of null to terminate final Unicode
+ string (domain name) in session setup response in some cases - this caused
+ cifs to misalign some informational strings (making it hard to convert
+ from UCS16 to UTF8).
+
+ Thanks to Shaggy for his help and Akemi Yagi for debugging/testing
+
+ Signed-off-by: Shirish Pargaonkar <shirishp at us.ibm.com>
+ Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
+index bbdda99..7584646 100644
+--- a/fs/cifs/sess.c
++++ b/fs/cifs/sess.c
+@@ -182,11 +182,14 @@ static int decode_unicode_ssetup(char ** pbcc_area, int bleft, struct cifsSesInf
+ cFYI(1,("bleft %d",bleft));
+
+
+- /* word align, if bytes remaining is not even */
+- if(bleft % 2) {
+- bleft--;
+- data++;
+- }
++ /* SMB header is unaligned, so cifs servers word align start of
++ Unicode strings */
++ data++;
++ bleft--; /* Windows servers do not always double null terminate
++ their final Unicode string - in which case we
++ now will not attempt to decode the byte of junk
++ which follows it */
++
+ words_left = bleft / 2;
+
+ /* save off server operating system */
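Review bot: the replacement block in decode_unicode_ssetup makes the skip of one pad byte unconditional (`data++;` then `bleft--;`) regardless of whether the string area was already word-aligned, which is exactly the assumption that the next patch in this series (27b87fe) describes as wrong; it is only acceptable because the alignment fix is applied immediately after it, so these two patches must stay together and this one must not be cherry-picked on its own. Unlike the other patches in the series, this file carries no "Backported to Debian's 2.6.18 by ..." line; state whether the upstream commit applied unchanged.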
Copied: dists/etch/linux-2.6/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch (from r14121, releases/linux-2.6/2.6.18.dfsg.1-24etch3/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch Sun Aug 16 19:41:22 2009 (r14122, copy of r14121, releases/linux-2.6/2.6.18.dfsg.1-24etch3/debian/patches/bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch)
@@ -0,0 +1,115 @@
+commit 27b87fe52baba0a55e9723030e76fce94fabcea4
+Author: Jeff Layton <jlayton at redhat.com>
+Date: Tue Apr 14 11:00:53 2009 -0400
+
+ cifs: fix unicode string area word alignment in session setup
+
+ The handling of unicode string area alignment is wrong.
+ decode_unicode_ssetup improperly assumes that it will always be preceded
+ by a pad byte. This isn't the case if the string area is already
+ word-aligned.
+
+ This problem, combined with the bad buffer sizing for the serverDomain
+ string can cause memory corruption. The bad alignment can make it so
+ that the alignment of the characters is off. This can make them
+ translate to characters that are greater than 2 bytes each. If this
+ happens we can overflow the allocation.
+
+ Fix this by fixing the alignment in CIFS_SessSetup instead so we can
+ verify it against the head of the response. Also, clean up the
+ workaround for improperly terminated strings by checking for a
+ odd-length unicode buffers and then forcibly terminating them.
+
+ Finally, resize the buffer for serverDomain. Now that we've fixed
+ the alignment, it's probably fine, but a malicious server could
+ overflow it.
+
+ A better solution for handling these strings is still needed, but
+ this should be a suitable bandaid.
+
+ Signed-off-by: Jeff Layton <jlayton at redhat.com>
+ CC: Stable <stable at vger.kernel.org>
+ Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/fs/cifs/sess.c linux-source-2.6.18/fs/cifs/sess.c
+--- linux-source-2.6.18.orig/fs/cifs/sess.c 2009-08-11 00:19:07.000000000 -0600
++++ linux-source-2.6.18/fs/cifs/sess.c 2009-08-11 00:34:46.000000000 -0600
+@@ -174,27 +174,26 @@ static int decode_unicode_ssetup(char **
+ int words_left, len;
+ char * data = *pbcc_area;
+
+-
+-
+ cFYI(1,("bleft %d",bleft));
+
+-
+- /* SMB header is unaligned, so cifs servers word align start of
+- Unicode strings */
+- data++;
+- bleft--; /* Windows servers do not always double null terminate
+- their final Unicode string - in which case we
+- now will not attempt to decode the byte of junk
+- which follows it */
++ /*
++ * Windows servers do not always double null terminate their final
++ * Unicode string. Check to see if there are an uneven number of bytes
++ * left. If so, then add an extra NULL pad byte to the end of the
++ * response.
++ *
++ * See section 2.7.2 in "Implementing CIFS" for details
++ */
++ if (bleft % 2) {
++ data[bleft] = 0;
++ ++bleft;
++ }
+
+ words_left = bleft / 2;
+
+ /* save off server operating system */
+ len = UniStrnlen((wchar_t *) data, words_left);
+
+-/* We look for obvious messed up bcc or strings in response so we do not go off
+- the end since (at least) WIN2K and Windows XP have a major bug in not null
+- terminating last Unicode string in response */
+ if(len >= words_left)
+ return rc;
+
+@@ -237,13 +236,10 @@ static int decode_unicode_ssetup(char **
+
+ if(ses->serverDomain)
+ kfree(ses->serverDomain);
+- ses->serverDomain = kzalloc(2 * (len + 1), GFP_KERNEL); /* BB FIXME wrong length */
+- if(ses->serverDomain != NULL) {
++ ses->serverDomain = kzalloc((4 * len) + 2, GFP_KERNEL);
++ if (ses->serverDomain != NULL)
+ cifs_strfromUCS_le(ses->serverDomain, (__le16 *)data, len,
+ nls_cp);
+- ses->serverDomain[2*len] = 0;
+- ses->serverDomain[(2*len) + 1] = 0;
+- }
+ data += 2 * (len + 1);
+ words_left -= len + 1;
+
+@@ -524,11 +520,17 @@ CIFS_SessSetup(unsigned int xid, struct
+ }
+
+ /* BB check if Unicode and decode strings */
+- if(smb_buf->Flags2 & SMBFLG2_UNICODE)
++ if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
++ /* unicode string area must be word-aligned */
++ if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
++ ++bcc_ptr;
++ --bytes_remaining;
++ }
+ rc = decode_unicode_ssetup(&bcc_ptr, bytes_remaining,
+- ses, nls_cp);
+- else
++ ses, nls_cp);
++ } else {
+ rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining, ses,nls_cp);
++ }
+
+ ssetup_exit:
+ kfree(str_area);
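Review bot: in the decode_unicode_ssetup hunk, `data[bleft] = 0;` writes one byte past the `bleft` bytes that remain in the response, so the new code relies on the receive buffer having at least one spare byte beyond the byte-count area; confirm that the 2.6.18 SMB buffer allocation guarantees that slack, otherwise the fix trades the read overrun for a one-byte write overrun. The serverDomain hunk drops the explicit two-byte terminator and relies on the zero-filled `kzalloc((4 * len) + 2, GFP_KERNEL)` buffer instead, which holds only if cifs_strfromUCS_le emits at most 4 bytes per UCS-2 unit; the alignment test on `bcc_ptr - smb_buf` in the CIFS_SessSetup hunk is the right place for it, since the parity is now measured against the head of the response rather than assumed.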
Copied: dists/etch/linux-2.6/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch (from r14121, releases/linux-2.6/2.6.18.dfsg.1-24etch3/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch Sun Aug 16 19:41:22 2009 (r14122, copy of r14121, releases/linux-2.6/2.6.18.dfsg.1-24etch3/debian/patches/bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch)
@@ -0,0 +1,27 @@
+commit 7b0c8fcff47a885743125dd843db64af41af5a61
+Author: Suresh Jayaraman <sjayaraman at suse.de>
+Date: Mon Apr 20 18:54:36 2009 +0530
+
+ cifs: Increase size of tmp_buf in cifs_readdir to avoid potential overflows
+
+ Increase size of tmp_buf to possible maximum to avoid potential
+ overflows.
+
+ Pointed-out-by: Jeff Layton <jlayton at redhat.com>
+ Signed-off-by: Suresh Jayaraman <sjayaraman at suse.de>
+ Acked-by: Jeff Layton <jlayton at redhat.com>
+ Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+diff -urpN linux-source-2.6.18.orig/fs/cifs/readdir.c linux-source-2.6.18/fs/cifs/readdir.c
+--- linux-source-2.6.18.orig/fs/cifs/readdir.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/cifs/readdir.c 2009-08-11 00:40:14.000000000 -0600
+@@ -1044,7 +1044,7 @@ int cifs_readdir(struct file *file, void
+ with the rare long characters alloc more to account for
+ such multibyte target UTF-8 characters. cifs_unicode.c,
+ which actually does the conversion, has the same limit */
+- tmp_buf = kmalloc((2 * NAME_MAX) + 4, GFP_KERNEL);
++ tmp_buf = kmalloc((4 * NAME_MAX) + 2, GFP_KERNEL);
+ for(i=0;(i<num_to_fill) && (rc == 0);i++) {
+ if(current_entry == NULL) {
+ /* evaluate whether this case is an error */
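Review bot: `tmp_buf = kmalloc((4 * NAME_MAX) + 2, GFP_KERNEL);` is followed directly by the fill loop with no NULL check visible in the context; if the check lives further down it is fine, otherwise an allocation failure dereferences NULL. The preceding comment lines still describe the old `2 * NAME_MAX` reasoning and claim that cifs_unicode.c "has the same limit"; update the comment to state the new 4-bytes-per-character bound and verify that claim still holds for the new size.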
Copied: dists/etch/linux-2.6/debian/patches/bugfix/all/e1000-add-missing-length-check-to-e1000-receive-routine.patch (from r14121, releases/linux-2.6/2.6.18.dfsg.1-24etch3/debian/patches/bugfix/all/e1000-add-missing-length-check-to-e1000-receive-routine.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/e1000-add-missing-length-check-to-e1000-receive-routine.patch Sun Aug 16 19:41:22 2009 (r14122, copy of r14121, releases/linux-2.6/2.6.18.dfsg.1-24etch3/debian/patches/bugfix/all/e1000-add-missing-length-check-to-e1000-receive-routine.patch)
@@ -0,0 +1,47 @@
+commit ea30e11970a96cfe5e32c03a29332554573b4a10
+Author: Neil Horman <nhorman at tuxdriver.com>
+Date: Tue Jun 2 01:29:58 2009 -0700
+
+ e1000: add missing length check to e1000 receive routine
+
+ Patch to fix bad length checking in e1000. E1000 by default does two
+ things:
+
+ 1) Spans rx descriptors for packets that don't fit into 1 skb on recieve
+ 2) Strips the crc from a frame by subtracting 4 bytes from the length prior to
+ doing an skb_put
+
+ Since the e1000 driver isn't written to support receiving packets that span
+ multiple rx buffers, it checks the End of Packet bit of every frame, and
+ discards it if its not set. This places us in a situation where, if we have a
+ spanning packet, the first part is discarded, but the second part is not (since
+ it is the end of packet, and it passes the EOP bit test). If the second part of
+ the frame is small (4 bytes or less), we subtract 4 from it to remove its crc,
+ underflow the length, and wind up in skb_over_panic, when we try to skb_put a
+ huge number of bytes into the skb. This amounts to a remote DOS attack through
+ careful selection of frame size in relation to interface MTU. The fix for this
+ is already in the e1000e driver, as well as the e1000 sourceforge driver, but no
+ one ever pushed it to e1000. This is lifted straight from e1000e, and prevents
+ small frames from causing the underflow described above
+
+ Signed-off-by: Neil Horman <nhorman at tuxdriver.com>
+ Tested-by: Andy Gospodarek <andy at greyhouse.net>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/drivers/net/e1000/e1000_main.c linux-source-2.6.18/drivers/net/e1000/e1000_main.c
+--- linux-source-2.6.18.orig/drivers/net/e1000/e1000_main.c 2008-12-25 14:04:14.000000000 -0700
++++ linux-source-2.6.18/drivers/net/e1000/e1000_main.c 2009-06-06 10:00:41.000000000 -0600
+@@ -3680,8 +3680,9 @@ e1000_clean_rx_irq(struct e1000_adapter
+
+ /* adjust length to remove Ethernet CRC */
+ length -= 4;
+-
+- if (unlikely(!(status & E1000_RXD_STAT_EOP))) {
++ /* !EOP means multiple descriptors were used to store a single
++ * packet, also make sure the frame isn't just CRC only */
++ if (unlikely(!(status & E1000_RXD_STAT_EOP) || (length <= 4))) {
+ /* All receives must fit into a single buffer */
+ E1000_DBG("%s: Receive packet consumed multiple"
+ " buffers\n", netdev->name);
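Review bot: the new `(length <= 4)` test is placed after the context line `length -= 4;` rather than before it, as in the upstream e1000e change the description says it is lifted from; if `length` is an unsigned type, as it is in the upstream driver, a 0- to 3-byte trailing fragment has already wrapped to a value near 2^32 by the time the comparison runs, so the check never fires for exactly the frames that the description says reach skb_over_panic. Move the combined EOP/length test above the CRC adjustment so `length <= 4` is evaluated on the raw descriptor length, and only subtract 4 once the frame has passed it.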
Copied: dists/etch/linux-2.6/debian/patches/bugfix/all/net-fix-possible-NULL-dereference-in-sock_sendpage.patch (from r14121, releases/linux-2.6/2.6.18.dfsg.1-24etch3/debian/patches/bugfix/all/net-fix-possible-NULL-dereference-in-sock_sendpage.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/net-fix-possible-NULL-dereference-in-sock_sendpage.patch Sun Aug 16 19:41:22 2009 (r14122, copy of r14121, releases/linux-2.6/2.6.18.dfsg.1-24etch3/debian/patches/bugfix/all/net-fix-possible-NULL-dereference-in-sock_sendpage.patch)
@@ -0,0 +1,13 @@
+diff -urpN a/net/socket.c b/net/socket.c
+--- a/net/socket.c 2009-08-15 10:42:05.000000000 -0600
++++ b/net/socket.c 2009-08-15 11:09:49.000000000 -0600
+@@ -698,6 +698,9 @@ static ssize_t sock_sendpage(struct file
+ if (more)
+ flags |= MSG_MORE;
+
++ if (!sock->ops->sendpage)
++ return sock_no_sendpage(sock, page, offset, size, flags);
++
+ return sock->ops->sendpage(sock, page, offset, size, flags);
+ }
+
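Review bot: the patch file carries no upstream commit id, author or description, unlike every other patch in this series, even though the changelog ties it to CVE-2009-2692; add the upstream reference and a one-line explanation that sockets whose `proto_ops` provide no `sendpage` handler previously dereferenced a NULL pointer at the `sock->ops->sendpage(...)` call. The `sock_no_sendpage` fallback is passed the same `(sock, page, offset, size, flags)` arguments as the direct call, so behaviour for sockets that do implement sendpage is unchanged.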
Copied: dists/etch/linux-2.6/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch (from r14121, releases/linux-2.6/2.6.18.dfsg.1-24etch3/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch Sun Aug 16 19:41:22 2009 (r14122, copy of r14121, releases/linux-2.6/2.6.18.dfsg.1-24etch3/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch)
@@ -0,0 +1,38 @@
+commit 7ee2cb7f32b299c2b06a31fde155457203e4b7dd
+Author: Frank Filz <ffilzlnx at us.ibm.com>
+Date: Mon May 18 17:41:40 2009 -0400
+
+ nfs: Fix NFS v4 client handling of MAY_EXEC in nfs_permission.
+
+ The problem is that permission checking is skipped if atomic open is
+ possible, but when exec opens a file, it just opens it O_READONLY which
+ means EXEC permission will not be checked at that time.
+
+ This problem is observed by the following sequence (executed as root):
+
+ mount -t nfs4 server:/ /mnt4
+ echo "ls" >/mnt4/foo
+ chmod 744 /mnt4/foo
+ su guest -c "mnt4/foo"
+
+ Signed-off-by: Frank Filz <ffilzlnx at us.ibm.com>
+ Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+ Cc: stable at kernel.org
+ Tested-by: Eugene Teo <eugeneteo at kernel.sg>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/fs/nfs/dir.c linux-source-2.6.18/fs/nfs/dir.c
+--- linux-source-2.6.18.orig/fs/nfs/dir.c 2009-05-20 14:12:22.000000000 -0600
++++ linux-source-2.6.18/fs/nfs/dir.c 2009-08-10 23:43:40.000000000 -0600
+@@ -1722,7 +1722,8 @@ int nfs_permission(struct inode *inode,
+ /* NFSv4 has atomic_open... */
+ if (nfs_server_capable(inode, NFS_CAP_ATOMIC_OPEN)
+ && nd != NULL
+- && (nd->flags & LOOKUP_OPEN))
++ && (nd->flags & LOOKUP_OPEN)
++ && !(mask & MAY_EXEC))
+ goto out;
+ break;
+ case S_IFDIR:
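Review bot: the added `&& !(mask & MAY_EXEC)` clause makes exec permission requests fall out of the atomic-open shortcut and through to the normal NFS access check, which is the intended fix; note that it costs one extra ACCESS round-trip per exec on NFSv4 and that other mask bits still take the shortcut. In the description's reproduction sequence, `su guest -c "mnt4/foo"` uses a relative path where the earlier steps use `/mnt4/foo`; it is quoted verbatim from upstream, so leave the hunk as is, but the step only works from `/`.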
Copied: dists/etch/linux-2.6/debian/patches/bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch (from r14121, releases/linux-2.6/2.6.18.dfsg.1-24etch3/debian/patches/bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch Sun Aug 16 19:41:22 2009 (r14122, copy of r14121, releases/linux-2.6/2.6.18.dfsg.1-24etch3/debian/patches/bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch)
@@ -0,0 +1,50 @@
+commit fdd7b4c3302c93f6833e338903ea77245eb510b4
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date: Tue Jun 9 04:01:02 2009 -0700
+
+ r8169: fix crash when large packets are received
+
+ Michael Tokarev reported receiving a large packet could crash
+ a machine with RTL8169 NIC.
+ ( original thread at http://lkml.org/lkml/2009/6/8/192 )
+
+ Problem is this driver tells that NIC frames up to 16383 bytes
+ can be received but provides skb to rx ring allocated with
+ smaller sizes (1536 bytes in case standard 1500 bytes MTU is used)
+
+ When a frame larger than what was allocated by driver is received,
+ dma transfert can occurs past the end of buffer and corrupt
+ kernel memory.
+
+ Fix is to tell to NIC what is the maximum size a frame can be.
+
+ This bug is very old, (before git introduction, linux-2.6.10), and
+ should be backported to stable versions.
+
+ Reported-by: Michael Tokarev <mjt at tls.msk.ru>
+ Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+ Tested-by: Michael Tokarev <mjt at tls.msk.ru>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/drivers/net/r8169.c linux-source-2.6.18/drivers/net/r8169.c
+--- linux-source-2.6.18.orig/drivers/net/r8169.c 2008-12-25 14:04:13.000000000 -0700
++++ linux-source-2.6.18/drivers/net/r8169.c 2009-06-14 19:12:19.000000000 -0600
+@@ -126,7 +126,6 @@ static const int multicast_filter_limit
+ #define RX_DMA_BURST 6 /* Maximum PCI burst, '6' is 1024 */
+ #define TX_DMA_BURST 6 /* Maximum PCI burst, '6' is 1024 */
+ #define EarlyTxThld 0x3F /* 0x3F means NO early transmit */
+-#define RxPacketMaxSize 0x3FE8 /* 16K - 1 - ETH_HLEN - VLAN - CRC... */
+ #define SafeMtu 0x1c20 /* ... actually life sucks beyond ~7k */
+ #define InterFrameGap 0x03 /* 3 means InterFrameGap = the shortest one */
+
+@@ -1875,7 +1874,7 @@ static void rtl8169_hw_start(struct net_
+ RTL_W8(EarlyTxThres, EarlyTxThld);
+
+ /* Low hurts. Let's disable the filtering. */
+- RTL_W16(RxMaxSize, 16383);
++ RTL_W16(RxMaxSize, tp->rx_buf_sz);
+
+ if ((tp->mac_version == RTL_GIGA_MAC_VER_01) ||
+ (tp->mac_version == RTL_GIGA_MAC_VER_02) ||
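Review bot: the first hunk deletes the `RxPacketMaxSize` define while the second replaces the literal `16383` rather than that macro, so the define was apparently already unused; confirm no other reference to `RxPacketMaxSize` survives in the 2.6.18 driver, since an orphaned use would only surface as a build failure. The new `RTL_W16(RxMaxSize, tp->rx_buf_sz)` bounds the frames the NIC will DMA to the actual skb allocation, which is the fix; check that `tp->rx_buf_sz` is already set when `rtl8169_hw_start` runs and that an MTU change reaches this path again, otherwise the register can lag the buffer size.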
Copied: dists/etch/linux-2.6/debian/patches/series/24etch3 (from r14121, releases/linux-2.6/2.6.18.dfsg.1-24etch3/debian/patches/series/24etch3)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch/linux-2.6/debian/patches/series/24etch3 Sun Aug 16 19:41:22 2009 (r14122, copy of r14121, releases/linux-2.6/2.6.18.dfsg.1-24etch3/debian/patches/series/24etch3)
@@ -0,0 +1,7 @@
++ bugfix/all/e1000-add-missing-length-check-to-e1000-receive-routine.patch
++ bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch
++ bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch
++ bugfix/all/cifs-fix-oops-when-windows-server-sent-bad-domain-name-null-terminator.patch
++ bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch
++ bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch
++ bugfix/all/net-fix-possible-NULL-dereference-in-sock_sendpage.patch
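Review bot: the order of the three cifs entries matters: `cifs-fix-oops-when-windows-server-sent-bad-domain-name-null-terminator.patch` must precede `cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch`, because the lines the latter removes are the comment and `data++; bleft--;` block the former introduces; the series has them in that order, so this is correct, but keep it when reshuffling.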