oss-sec mailing list archives
Re: CVE request? buffer overflow in CIFS in 2.6.*
From: Eugene Teo <eugene () redhat com>
Date: Tue, 07 Apr 2009 13:41:44 +0800
Hi Marcus,

Marcus Meissner wrote:
> Fixes a kmalloc area overflow in CIFS; the number of overwritten bytes depends on the codepage converted to. The data even seems to come from a remotely generated reply blob, correct me if I am wrong. :/

Looks like it's part of the session setup. The NativeFileSystem field is part of the Tree Connect response (TCon for short).

> And I wonder if "len*2" is sufficient, can't a UCS -> UTF-8 conversion generate more than 2-byte UTF-8 characters for 1 UCS character?

I understand that someone from your side is working on a better patch for this. Do keep us updated when it goes upstream.

Thanks,
Eugene

--
Eugene Teo / Red Hat Security Response Team
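An added illustration of the sizing question raised in the quoted text (this is example code, not the kernel's CIFS converter or anything posted in the thread): a UCS-2 code unit in U+0800..U+FFFF encodes to three UTF-8 bytes, so len*2 is not a safe output bound, while len*3 (plus a NUL) is. The converter below checks the remaining space before every write and refuses rather than overrun; it assumes host-order UCS-2 input without surrogate pairs, and the sample strings are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* UTF-8 bytes produced by one UCS-2 code unit (BMP only; surrogates not handled). */
static size_t utf8_len_of_ucs2(uint16_t c)
{
    if (c < 0x80)  return 1;
    if (c < 0x800) return 2;
    return 3;                       /* U+0800..U+FFFF: three bytes, not two */
}

/* Worst-case UTF-8 size for `len` UCS-2 code units, excluding the NUL terminator. */
size_t ucs2_to_utf8_max_bytes(size_t len)
{
    return len * 3;
}

/* Convert up to `len` UCS-2 code units (stop early at a 0 unit) into out[out_size].
 * Returns the number of bytes written (excluding NUL), or (size_t)-1 if the
 * result would not fit; on success `out` is always NUL-terminated. */
size_t ucs2_to_utf8(const uint16_t *in, size_t len, char *out, size_t out_size)
{
    size_t o = 0;
    for (size_t i = 0; i < len && in[i] != 0; i++) {
        uint16_t c = in[i];
        size_t need = utf8_len_of_ucs2(c);
        /* Bounds check before writing: room for this character plus the NUL. */
        if (out_size < need + 1 || o > out_size - need - 1)
            return (size_t)-1;
        if (need == 1) {
            out[o++] = (char)c;
        } else if (need == 2) {
            out[o++] = (char)(0xC0 | (c >> 6));
            out[o++] = (char)(0x80 | (c & 0x3F));
        } else {
            out[o++] = (char)(0xE0 | (c >> 12));
            out[o++] = (char)(0x80 | ((c >> 6) & 0x3F));
            out[o++] = (char)(0x80 | (c & 0x3F));
        }
    }
    out[o] = '\0';
    return o;
}
```

With a constructed two-character name made of U+20AC (the euro sign), a buffer sized len*2 = 4 bytes is rejected, while a buffer of ucs2_to_utf8_max_bytes(2) + 1 = 7 bytes holds the 6-byte result.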