Re: CVE request? buffer overflow in CIFS in 2.6.*

[Marcus Meissner <meissner () suse de>]

On Tue, Apr 21, 2009 at 10:59:25AM +0800, Eugene Teo wrote:
> Marcus Meissner wrote:
> > On Tue, Apr 07, 2009 at 01:41:44PM +0800, Eugene Teo wrote:
> > > Hi Marcus,
> > >
> > > Marcus Meissner wrote:
> > > > Fixes a kmalloc area overflow in CIFS, number of overwritten bytes
> > > > is depending on the codepage converted to.
> > > >
> > > > The data seems to come from a remote generated reply blob even, correct
> > > > me if I am wrong. :/
> > > Looks like it's part of the session setup. The NativeFileSystem field is
> > > part of the Tree Connect response (TCon for short).
> > >
> > > > And I wonder if "len*2" is sufficient, can't a UCS -> UTF8 conversion
> > > > generate more than 2 byte utf-8 characters for 1 ucs character?
> > > I understand that someone from your side is working on a better patch
> > > for this. Do keep us updated when it goes upstream.
> >
> > tracked in the public bugzilla entry:
> > https://bugzilla.novell.com/show_bug.cgi?id=492282
> >
> > and:
> > http://lists.samba.org/archive/linux-cifs-client/2009-April/004322.html ff.
> > for the cifs discussion.
>
> Here's an update:
> http://lkml.org/lkml/2009/4/20/21

Our maintainer also referenced:

http://lists.samba.org/archive/linux-cifs-client/2009-April/004450.html
http://lists.samba.org/archive/linux-cifs-client/2009-April/004452.html

They are already in the CIFS git tree:
http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=summary
        
http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=7b0c8fcff47a885743125dd843db64af41af5a61
        
http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=968460ebd8006d55661dec0fb86712b40d71c413

Ciao, Marcus