oss-sec mailing list archives

Re: CVE request? buffer overflow in CIFS in 2.6.*


From: Steven French <sfrench () us ibm com>
Date: Tue, 7 Apr 2009 13:59:25 -0500

Yes - the NativeFileSystem field is part of a server generated response 
and is typically tiny ("NTFS" for example).

As soon as Suresh (or his coworkers at Novell) have a patch - we (Jeff 
and I etc.) will review it.  I think fixing these conversions to be 
cleaner is important, although the risk of exploitable overflow is small 
in practice.


Steve French
Senior Software Engineer
Linux Technology Center - IBM Austin
phone: 512-838-2294
email: sfrench at-sign us dot ibm dot com



Eugene Teo <eugene () redhat com> 
04/07/2009 12:41 AM

To
Marcus Meissner <meissner () suse de>
cc
oss-security () lists openwall com, security () kernel org, Steven 
French/Austin/IBM@IBMUS
Subject
Re: [oss-security] CVE request? buffer overflow in CIFS in 2.6.*

Hi Marcus,

Marcus Meissner wrote:
> Fixes a kmalloc area overflow in CIFS, number of overwritten bytes
> depends on the codepage converted to.
>
> The data seems to come from a remotely generated reply blob even, correct
> me if I am wrong. :/

Looks like it's part of the session setup. The NativeFileSystem field is
part of the Tree Connect response (TCon for short).

> And I wonder if "len*2" is sufficient, can't a UCS -> UTF8 conversion
> generate more than 2-byte utf-8 characters for 1 ucs character?

I understand that someone from your side is working on a better patch
for this. Do keep us updated when it goes upstream.

Thanks, Eugene
-- 
Eugene Teo / Red Hat Security Response Team
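
Eugene's question above (is "len*2" enough when converting UCS to UTF-8?) can be answered by sizing the output of a bounded converter. The following is an added example for this archive page, not code from the thread and not the kernel's CIFS or NLS code. It uses a small BMP-only UCS-2LE to UTF-8 encoder written here, a constructed "NTFS" sample standing in for a server's NativeFileSystem field, a constructed string of euro signs, and an assumed buffer of len*2 plus two terminator bytes as a stand-in for the undersized allocation; only the len*2 factor is quoted in the thread, the rest is assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A UCS-2 code unit in U+0800..U+FFFF encodes to 3 UTF-8 bytes, so the
 * worst case per input unit is 3, not 2. This converter is BMP-only, as
 * UCS-2 itself is; surrogate halves are emitted as 3-byte sequences. */
#define UCS2_UTF8_MAX_BYTES 3

/* Decode one little-endian UCS-2 code unit. */
static uint16_t ucs2le_get(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Encode one BMP code point into out; returns bytes written, 0 if no room. */
static size_t utf8_put(uint16_t c, char *out, size_t room)
{
    if (c < 0x80) {
        if (room < 1) return 0;
        out[0] = (char)c;
        return 1;
    }
    if (c < 0x800) {
        if (room < 2) return 0;
        out[0] = (char)(0xC0 | (c >> 6));
        out[1] = (char)(0x80 | (c & 0x3F));
        return 2;
    }
    if (room < 3) return 0;
    out[0] = (char)(0xE0 | (c >> 12));
    out[1] = (char)(0x80 | ((c >> 6) & 0x3F));
    out[2] = (char)(0x80 | (c & 0x3F));
    return 3;
}

/* Bounded UCS-2LE -> UTF-8 conversion of up to nchars code units (stops at
 * a NUL unit), always NUL-terminating. Returns the UTF-8 length, or -1 when
 * outlen is too small; it never writes past out[outlen-1]. An unbounded
 * copy at the same point is where the overflow in the thread would occur. */
long ucs2le_to_utf8(const unsigned char *in, size_t nchars,
                    char *out, size_t outlen)
{
    size_t used = 0;

    if (outlen == 0)
        return -1;
    for (size_t i = 0; i < nchars; i++) {
        uint16_t c = ucs2le_get(in + 2 * i);
        size_t n;

        if (c == 0)
            break;
        n = utf8_put(c, out + used, outlen - used - 1); /* keep 1 byte for NUL */
        if (n == 0)
            return -1;
        used += n;
    }
    out[used] = '\0';
    return (long)used;
}

/* The allocation a converter actually needs for nchars code units. */
size_t utf8_buf_size(size_t nchars)
{
    return nchars * UCS2_UTF8_MAX_BYTES + 1;
}

/* Assumed stand-in for the undersized allocation: len*2 bytes plus a
 * 2-byte terminator. Only the len*2 factor is quoted in the thread. */
size_t len2_buf_size(size_t nchars)
{
    return nchars * 2 + 2;
}

/* Constructed samples (not captured traffic): "NTFS" as a server would send
 * the NativeFileSystem field in UCS-2LE, and four U+20AC (euro sign) units,
 * each of which needs 3 UTF-8 bytes. */
const unsigned char sample_ntfs[] = { 'N', 0, 'T', 0, 'F', 0, 'S', 0 };
const unsigned char sample_euro[] = { 0xAC, 0x20, 0xAC, 0x20, 0xAC, 0x20, 0xAC, 0x20 };
char scratch[64];

int main(void)
{
    long n;

    n = ucs2le_to_utf8(sample_ntfs, 4, scratch, len2_buf_size(4));
    printf("NTFS  in %zu bytes: %ld (\"%s\")\n", len2_buf_size(4), n, scratch);
    n = ucs2le_to_utf8(sample_euro, 4, scratch, len2_buf_size(4));
    printf("4xEUR in %zu bytes: %ld%s\n", len2_buf_size(4), n,
           n < 0 ? " (an unbounded copy would overflow here)" : "");
    n = ucs2le_to_utf8(sample_euro, 4, scratch, utf8_buf_size(4));
    printf("4xEUR in %zu bytes: %ld (\"%s\")\n", utf8_buf_size(4), n, scratch);
    return 0;
}
```

The typical "NTFS" fits in len*2 because ASCII is one byte per unit, which is why the overflow is rarely seen in practice; a server-chosen string of code units at or above U+0800 needs 3 bytes per unit and exceeds len*2 after the third unit, so the bound a converter must allocate for is len*3 plus the terminator.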
