1 files changed, 93 insertions, 0 deletions

diff --git a/sys-kernel/win4lin-sources/files/win4lin-sources-2.6.7.smbfs.patch b/sys-kernel/win4lin-sources/files/win4lin-sources-2.6.7.smbfs.patch
new file mode 100644
index 000000000000..99401cf93a0e
--- /dev/null
+++ b/sys-kernel/win4lin-sources/files/win4lin-sources-2.6.7.smbfs.patch
@@ -0,0 +1,93 @@
+diff -urN linux-2.6.8.1/fs/smbfs/proc.c linux-2.6.8.1.plasmaroo/fs/smbfs/proc.c
+--- linux-2.6.8.1/fs/smbfs/proc.c	2004-08-24 17:15:57.000000000 +1000
++++ linux-2.6.8.1.plasmaroo/fs/smbfs/proc.c	2004-11-06 11:27:20.000000000 +1100
+@@ -1427,9 +1427,9 @@
+ 	 * So we must first calculate the amount of padding used by the server.
+ 	 */
+ 	data_off -= hdrlen;
+-	if (data_off > SMB_READX_MAX_PAD) {
+-		PARANOIA("offset is larger than max pad!\n");
+-		PARANOIA("%d > %d\n", data_off, SMB_READX_MAX_PAD);
++	if (data_off > SMB_READX_MAX_PAD || data_off < 0) {
++		PARANOIA("offset is larger than SMB_READX_MAX_PAD or negative!\n");
++		PARANOIA("%d > %d || %d < 0\n", data_off, SMB_READX_MAX_PAD, data_off);
+ 		req->rq_rlen = req->rq_bufsize + 1;
+ 		return;
+ 	}
+diff -urN linux-2.6.8.1/fs/smbfs/request.c linux-2.6.8.1.plasmaroo/fs/smbfs/request.c
+--- linux-2.6.8.1/fs/smbfs/request.c	2004-11-06 11:27:51.000000000 +1100
++++ linux-2.6.8.1.plasmaroo/fs/smbfs/request.c	2004-11-06 11:27:20.000000000 +1100
+@@ -588,6 +588,10 @@
+ 	data_count  = WVAL(inbuf, smb_drcnt);
+ 
+ 	/* Modify offset for the split header/buffer we use */
++	if (data_offset < hdrlen)
++		goto out_bad_data;
++	if (parm_offset < hdrlen)
++		goto out_bad_parm;
+ 	data_offset -= hdrlen;
+ 	parm_offset -= hdrlen;
+ 
+@@ -607,6 +611,10 @@
+ 		req->rq_lparm = parm_count;
+ 		req->rq_data = req->rq_buffer + data_offset;
+ 		req->rq_parm = req->rq_buffer + parm_offset;
++		if (parm_offset + parm_count > req->rq_rlen)
++			goto out_bad_parm;
++		if (data_offset + data_count > req->rq_rlen)
++			goto out_bad_data;
+ 		return 0;
+ 	}
+ 
+@@ -634,6 +642,7 @@
+ 		req->rq_trans2buffer = smb_kmalloc(buf_len, GFP_NOFS);
+ 		if (!req->rq_trans2buffer)
+ 			goto out_no_mem;
++		memset(req->rq_trans2buffer, 0, buf_len);
+ 
+ 		req->rq_parm = req->rq_trans2buffer;
+ 		req->rq_data = req->rq_trans2buffer + parm_tot;
+@@ -643,8 +652,12 @@
+ 
+ 	if (parm_disp + parm_count > req->rq_total_parm)
+ 		goto out_bad_parm;
++	if (parm_offset + parm_count > req->rq_rlen)
++		goto out_bad_parm;
+ 	if (data_disp + data_count > req->rq_total_data)
+ 		goto out_bad_data;
++	if (data_offset + data_count > req->rq_rlen)
++		goto out_bad_data;
+ 
+ 	inbuf = req->rq_buffer;
+ 	memcpy(req->rq_parm + parm_disp, inbuf + parm_offset, parm_count);
+@@ -657,8 +670,11 @@
+ 	 * Check whether we've received all of the data. Note that
+ 	 * we use the packet totals -- total lengths might shrink!
+ 	 */
+-	if (req->rq_ldata >= data_tot && req->rq_lparm >= parm_tot)
++	if (req->rq_ldata >= data_tot && req->rq_lparm >= parm_tot) {
++		req->rq_ldata = data_tot;
++		req->rq_lparm = parm_tot;
+ 		return 0;
++	}
+ 	return 1;
+ 
+ out_too_long:
+@@ -676,13 +692,13 @@
+ 	req->rq_errno = -EIO;
+ 	goto out;
+ out_bad_parm:
+-	printk(KERN_ERR "smb_trans2: invalid parms, disp=%d, cnt=%d, tot=%d\n",
+-	       parm_disp, parm_count, parm_tot);
++	printk(KERN_ERR "smb_trans2: invalid parms, disp=%d, cnt=%d, tot=%d, ofs=%d\n",
++	       parm_disp, parm_count, parm_tot, parm_offset);
+ 	req->rq_errno = -EIO;
+ 	goto out;
+ out_bad_data:
+-	printk(KERN_ERR "smb_trans2: invalid data, disp=%d, cnt=%d, tot=%d\n",
+-	       data_disp, data_count, data_tot);
++	printk(KERN_ERR "smb_trans2: invalid data, disp=%d, cnt=%d, tot=%d, ofs=%d\n",
++	       data_disp, data_count, data_tot, data_offset);
+ 	req->rq_errno = -EIO;
+ out:
+ 	return req->rq_errno;