oss-sec mailing list archives
Re: CVE request: kernel: cifs: singedness issue in CIFSFindNext()
From: Eugene Teo <eugene () redhat com>
Date: Wed, 24 Aug 2011 13:50:30 +0800
On 08/24/2011 10:36 AM, Eugene Teo wrote:
The name_len variable in CIFSFindNext is a signed int that gets set to the resume_name_len in the cifs_search_info. The resume_name_len however is unsigned and for some infolevels is populated directly from a 32 bit value sent by the server. If the server sends a very large value for this, then that value could look negative when converted to a signed int. That would make that value pass the PATH_MAX check later in CIFSFindNext. The name_len would then be used as a length value for a memcpy. It would then be treated as unsigned again, and the memcpy scribbles over a ton of memory. Fix this by making the name_len an unsigned value in CIFSFindNext. http://www.spinics.net/lists/linux-cifs/msg03950.html https://bugzilla.redhat.com/show_bug.cgi?id=732869
David Jorm from my team assigned CVE-2011-3191 to this. Thanks, Eugene
Current thread:
- CVE request: kernel: cifs: singedness issue in CIFSFindNext() Eugene Teo (Aug 23)
- Re: CVE request: kernel: cifs: singedness issue in CIFSFindNext() Eugene Teo (Aug 23)
- Re: CVE request: kernel: cifs: singedness issue in CIFSFindNext() David Jorm (Aug 24)