Re: CVE request? buffer overflow in CIFS in 2.6.*

[Marcus Meissner <meissner () suse de>]

On Tue, Apr 07, 2009 at 01:41:44PM +0800, Eugene Teo wrote:
> Hi Marcus,
>
> Marcus Meissner wrote:
> > Fixes a kmalloc area overflow in CIFS, number of overwritten bytes
> > is depending on the codepage converted to.
> >
> > The data seems to come from a remote generated reply blob even, correct
> > me if I am wrong. :/
>
> Looks like it's part of the session setup. The NativeFileSystem field is
> part of the Tree Connect response (TCon for short).
>
> > And I wonder if "len*2" is sufficient, can't a UCS -> UTF8 conversion
> > generate more than 2 byte utf-8 characters for 1 ucs character?
>
> I understand that someone from your side is working on a better patch
> for this. Do keep us updated when it goes upstream.

tracked in the public bugzilla entry:
https://bugzilla.novell.com/show_bug.cgi?id=492282

and:
http://lists.samba.org/archive/linux-cifs-client/2009-April/004322.html ff.
for the cifs discussion.

Ciao, Marcus