[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: filesystem corruption



On 16 Feb 2004 15:47:00 -0500
Marc Horowitz <marc@mit.edu> wrote:

> I went back to my source, and he told me I was incorrect in my earlier
> description.  The register which is modified is pci config register
> 0x58 on the PCI-ISA bridge, not the ide controller.

That makes a ton more sense.  We are talking about bits 2 and 3
in PCI config 0x58 in the PCI-ISA bridge.  These two bits do
the same thing, bit 2 for the primary IDE bus and bit 3 for
the secondary IDE bus.

If cleared, the bit tri-states the bus channel pins.  If set, the bit
makes the bus channel pins get controlled by the IDE controller.

Something like this ought to implement said workaround.  (not even
compile tested, beware :-)

ChangeSet@1.1718, 2004-02-16 22:45:02-08:00, yoshfuji@linux-ipv6.org
  [NETFILTER]: Fix signedness overflow in ip{,6}_tables.c
  
  Bug discovered by Olaf Kirch.

diff -Nru a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
--- a/net/ipv4/netfilter/ip_tables.c	Mon Feb 16 22:51:04 2004
+++ b/net/ipv4/netfilter/ip_tables.c	Mon Feb 16 22:51:04 2004
@@ -1529,11 +1529,16 @@
 		      == tcpinfo->flg_cmp,
 		      IPT_TCP_INV_FLAGS))
 		return 0;
-	if (tcpinfo->option &&
-	    !tcp_find_option(tcpinfo->option, skb, tcph.doff*4 - sizeof(tcph),
-			     tcpinfo->invflags & IPT_TCP_INV_OPTION,
-			     hotdrop))
-		return 0;
+	if (tcpinfo->option) {
+		if (tcph.doff * 4 < sizeof(tcph)) {
+			*hotdrop = 1;
+			return 0;
+		}
+		if (!tcp_find_option(tcpinfo->option, skb, tcph.doff*4 - sizeof(tcph),
+				     tcpinfo->invflags & IPT_TCP_INV_OPTION,
+				     hotdrop))
+			return 0;
+	}
 	return 1;
 }
 
diff -Nru a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
--- a/net/ipv6/netfilter/ip6_tables.c	Mon Feb 16 22:51:04 2004
+++ b/net/ipv6/netfilter/ip6_tables.c	Mon Feb 16 22:51:04 2004
@@ -1545,7 +1545,8 @@
 
 	duprintf("tcp_match: finding option\n");
 	/* If we don't have the whole header, drop packet. */
-	if (tcp->doff * 4 > datalen) {
+	if (tcp->doff * 4 < sizeof(struct tcphdr) ||
+	    tcp->doff * 4 > datalen) {
 		*hotdrop = 1;
 		return 0;
 	}




Reply to: