[PATCH] ne.c 8139too.c to fix CERT VU#412115, 2.4.20

From: David McCullough (davidm@snapgear.com)
Date: Fri Jan 10 2003 - 09:52:34 EST

Next message: Mihnea Balta: "Kernel hooks just to get rid of copy_[to/from]_user() and syscall overhead?"
Previous message: Jim Roland: "Re: ksoftirqd_CPU0 causing severe latency"
Next in thread: Alan Cox: "Re: [PATCH] ne.c 8139too.c to fix CERT VU#412115, 2.4.20"
Reply: Alan Cox: "Re: [PATCH] ne.c 8139too.c to fix CERT VU#412115, 2.4.20"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi all,

Here's a patch for the ne2000 driver (ne.c) and the RealTek driver
(8139too.c) in the 2.4.20 kernel to fix the CERT vulnerability VU#412115:

http://www.kb.cert.org/vuls/id/412115

For interest, the smc9194 and FEC ethernet drivers appear to be ok.
Please CC me on any replies,

Cheers,
Davidm

--- linux-2.4.20/drivers/net/ne.c.orig Sat Aug 3 10:39:44 2002
+++ linux-2.4.20/drivers/net/ne.c Sat Jan 11 00:29:36 2003
@@ -623,6 +623,7 @@
                 const unsigned char *buf, const int start_page)
{
         int nic_base = NE_BASE;
+ int pad_count = count >= ETH_ZLEN ? count : ETH_ZLEN;
         unsigned long dma_start;
#ifdef NE_SANITY_CHECK
         int retries = 0;
@@ -669,16 +670,22 @@
         outb_p(ENISR_RDC, nic_base + EN0_ISR);

         /* Now the normal output. */
- outb_p(count & 0xff, nic_base + EN0_RCNTLO);
- outb_p(count >> 8, nic_base + EN0_RCNTHI);
+ outb_p(pad_count & 0xff, nic_base + EN0_RCNTLO);
+ outb_p(pad_count >> 8, nic_base + EN0_RCNTHI);
         outb_p(0x00, nic_base + EN0_RSARLO);
         outb_p(start_page, nic_base + EN0_RSARHI);

         outb_p(E8390_RWRITE+E8390_START, nic_base + NE_CMD);
         if (ei_status.word16) {
                 outsw(NE_BASE + NE_DATAPORT, buf, count>>1);
+ while (count < pad_count) {
+ outw_p(0x00, NE_BASE + NE_DATAPORT);
+ count += 2;
+ }
         } else {
                 outsb(NE_BASE + NE_DATAPORT, buf, count);
+ while (count++ < pad_count)
+ outb_p(0x00, NE_BASE + NE_DATAPORT);
         }

         dma_start = jiffies;

--- linux-2.4.20/drivers/net/8139too.c.orig Fri Nov 29 09:53:13 2002
+++ linux-2.4.20/drivers/net/8139too.c Sat Jan 11 00:29:36 2003
@@ -1683,6 +1683,9 @@

         if (likely(len < TX_BUF_SIZE)) {
                 skb_copy_and_csum_dev(skb, tp->tx_buf[entry]);
+ /* PAD the frame out with zeroes */
+ if (len < (unsigned int) ETH_ZLEN)
+ memset(tp->tx_buf[entry] + len, 0, ETH_ZLEN - len);
                 dev_kfree_skb(skb);
         } else {
                 dev_kfree_skb(skb);

-- 
David McCullough:    Ph: +61 7 3435 2815  http://www.SnapGear.com
davidm@snapgear.com  Fx: +61 7 3891 3630  Custom Embedded Solutions + Security
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Next message: Mihnea Balta: "Kernel hooks just to get rid of copy_[to/from]_user() and syscall overhead?"
Previous message: Jim Roland: "Re: ksoftirqd_CPU0 causing severe latency"
Next in thread: Alan Cox: "Re: [PATCH] ne.c 8139too.c to fix CERT VU#412115, 2.4.20"
Reply: Alan Cox: "Re: [PATCH] ne.c 8139too.c to fix CERT VU#412115, 2.4.20"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Wed Jan 15 2003 - 22:00:33 EST