From: Nicolas Thill
Date: Thu, 16 Jul 2009 07:04:45 +0000 (+0000)
Subject: [kernel] add 2.6.23 security fixes for rb532 missed in 8.09.1
X-Git-Url: http://git.openwrt.org/?p=openwrt%2Fsvn-archive%2Farchive.git;a=commitdiff_plain;hb=ea61b68b301ce38f255454262906b65c60826bfc
[kernel] add 2.6.23 security fixes for rb532 missed in 8.09.1
SVN-Revision: 16856
---
diff --git a/target/linux/generic-2.6/patches-2.6.23/991-cve-2009-0028.patch b/target/linux/generic-2.6/patches-2.6.23/991-cve-2009-0028.patch
new file mode 100644
index 0000000000..69e0077e74
--- /dev/null
+++ b/target/linux/generic-2.6/patches-2.6.23/991-cve-2009-0028.patch
@@ -0,0 +1,15 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0028
+
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1172,7 +1172,9 @@ static struct task_struct *copy_process(
+ p->parent_exec_id = p->self_exec_id;
+ 
+ /* ok, now we should be set up.. */
+- p->exit_signal = (clone_flags & CLONE_THREAD) ? -1 : (clone_flags & CSIGNAL);
++ p->exit_signal = (clone_flags & CLONE_THREAD) ? -1 :
++ (clone_flags & CLONE_PARENT) ? current->group_leader->exit_signal :
++ (clone_flags & CSIGNAL);
+ p->pdeath_signal = 0;
+ p->exit_state = 0;
+ 
diff --git a/target/linux/generic-2.6/patches-2.6.23/992-cve-2009-0065.patch b/target/linux/generic-2.6/patches-2.6.23/992-cve-2009-0065.patch
new file mode 100644
index 0000000000..8304384b7a
--- /dev/null
+++ b/target/linux/generic-2.6/patches-2.6.23/992-cve-2009-0065.patch
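Review bot: The header of this patch file carries only the CVE URL, with no upstream commit id, subject or Signed-off-by line, so a maintainer cannot check that this backport of the `exit_signal` assignment in `copy_process()` matches what went into mainline; the same gap exists in 992-cve-2009-0065.patch, 993-cve-2009-0676.patch and 994-cve-2009-1439.patch. I would add a provenance line under the URL, e.g. `Upstream: <upstream-commit-id> ("<upstream subject>")`, followed by one sentence on what the fix does (here: a child created with CLONE_PARENT now inherits `current->group_leader->exit_signal` instead of the caller-supplied `CSIGNAL` bits). `copy_process()` starts and ends outside the hunk.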
@@ -0,0 +1,46 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0065
+
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -3507,6 +3507,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
+ {
+ struct sctp_chunk *chunk = arg;
+ struct sctp_fwdtsn_hdr *fwdtsn_hdr;
++ struct sctp_fwdtsn_skip *skip;
+ __u16 len;
+ __u32 tsn;
+ 
+@@ -3536,6 +3537,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
+ if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
+ goto discard_noforce;
+ 
++ /* Silently discard the chunk if stream-id is not valid */
++ sctp_walk_fwdtsn(skip, chunk) {
++ if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
++ goto discard_noforce;
++ }
++
+ sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
+ if (len > sizeof(struct sctp_fwdtsn_hdr))
+ sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
+@@ -3567,6 +3574,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
+ {
+ struct sctp_chunk *chunk = arg;
+ struct sctp_fwdtsn_hdr *fwdtsn_hdr;
++ struct sctp_fwdtsn_skip *skip;
+ __u16 len;
+ __u32 tsn;
+ 
+@@ -3596,6 +3604,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
+ if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
+ goto gen_shutdown;
+ 
++ /* Silently discard the chunk if stream-id is not valid */
++ sctp_walk_fwdtsn(skip, chunk) {
++ if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
++ goto gen_shutdown;
++ }
++
+ sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
+ if (len > sizeof(struct sctp_fwdtsn_hdr))
+ sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
diff --git a/target/linux/generic-2.6/patches-2.6.23/993-cve-2009-0676.patch b/target/linux/generic-2.6/patches-2.6.23/993-cve-2009-0676.patch
new file mode 100644
index 0000000000..7c6f9a2403
--- /dev/null
+++ b/target/linux/generic-2.6/patches-2.6.23/993-cve-2009-0676.patch
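Review bot: In the last inner hunk (`@@ -3596`, inside the `sctp_sf_eat_fwd_tsn_f…` function whose name is truncated in the header) the added comment says the chunk is silently discarded, but the new stream-id check jumps to `gen_shutdown`, which by its name appears to generate a SHUTDOWN rather than drop the chunk quietly; the comment was evidently copied from the first inner hunk, where the target really is `discard_noforce`. I would reword it to match the control flow, e.g. `/* Invalid stream-id in FWD-TSN: handle like a bad TSN above (gen_shutdown) */`. The jump target itself is consistent with how the preceding `sctp_tsnmap_check()` failure is handled in the same function, so I am not proposing to change it. Both enclosing functions start and end outside the hunks.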
@@ -0,0 +1,13 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0676
+
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -699,6 +699,8 @@ int sock_getsockopt(struct socket *sock,
+ if (len < 0)
+ return -EINVAL;
+ 
++ v.val = 0;
++
+ switch(optname) {
+ case SO_DEBUG:
+ v.val = sock_flag(sk, SOCK_DBG);
diff --git a/target/linux/generic-2.6/patches-2.6.23/994-cve-2009-1439.patch b/target/linux/generic-2.6/patches-2.6.23/994-cve-2009-1439.patch
new file mode 100644
index 0000000000..34f05e391a
--- /dev/null
+++ b/target/linux/generic-2.6/patches-2.6.23/994-cve-2009-1439.patch
@@ -0,0 +1,21 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1439
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -3398,14 +3398,11 @@ CIFSTCon(unsigned int xid, struct cifsSe
+ BCC(smb_buffer_response)) {
+ kfree(tcon->nativeFileSystem);
+ tcon->nativeFileSystem =
+- kzalloc(length + 2, GFP_KERNEL);
++ kzalloc((4 * length) + 2, GFP_KERNEL);
+ cifs_strfromUCS_le(tcon->nativeFileSystem,
+ (__le16 *) bcc_ptr,
+ length, nls_codepage);
+- bcc_ptr += 2 * length;
+- bcc_ptr[0] = 0; /* null terminate the string */
+- bcc_ptr[1] = 0;
+- bcc_ptr += 2;
++ bcc_ptr += (2 * length) + 2;
+ }
+ /* else do not bother copying these information fields*/
+ } else {
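Review bot: `v.val = 0;` clears only the `int` member of `v`; the declaration of `v` is above the hunk and not visible here, but if it is a union with members wider than `val`, any `case` that fills only part of a wider member and then copies `len` bytes back to user space can still expose uninitialized stack bytes. I believe mainline's final fix for this CVE zeroes the whole object, and `memset(&v, 0, sizeof(v));` at the same spot is the safer form at no cost. `sock_getsockopt()` starts and ends outside the hunk.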
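Review bot: The result of the new `kzalloc((4 * length) + 2, GFP_KERNEL)` is still handed straight to `cifs_strfromUCS_le()` with no NULL check, so an allocation failure in this response-parsing path is a NULL-pointer write; the old code had the same gap and this patch preserves it. I would guard the conversion with `if (tcon->nativeFileSystem)` before `cifs_strfromUCS_le(tcon->nativeFileSystem, (__le16 *) bcc_ptr, length, nls_codepage);`, keeping the `bcc_ptr += (2 * length) + 2;` advance unconditional so the parser stays in sync with the buffer. The factor 4 is also unexplained; a short comment recording the assumed worst-case expansion, e.g. `/* up to 4 output bytes per UCS-2 unit, plus terminator */`, would tell the next maintainer why the buffer grew. `CIFSTCon()` starts and ends outside the hunk.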