oss-sec mailing list archives
Re: CVE request? buffer overflow in CIFS in 2.6.*
From: Eugene Teo <eugene () redhat com>
Date: Tue, 21 Apr 2009 21:29:23 +0800
Marcus Meissner wrote:
> On Tue, Apr 21, 2009 at 10:59:25AM +0800, Eugene Teo wrote:
>> Marcus Meissner wrote:
>>> On Tue, Apr 07, 2009 at 01:41:44PM +0800, Eugene Teo wrote:
>>>> Hi Marcus,
>>>>
>>>> Marcus Meissner wrote:
>>>>> Fixes a kmalloc area overflow in CIFS, number of overwritten bytes is
>>>>> depending on the codepage converted to. The data seems to come from a
>>>>> remote generated reply blob even, correct me if I am wrong. :/
>>>>
>>>> Looks like it's part of the session setup. The NativeFileSystem field is
>>>> part of the Tree Connect response (TCon for short).
>>>>
>>>>> And I wonder if "len*2" is sufficient, can't a UCS -> UTF8 conversion
>>>>> generate more than 2 byte utf-8 characters for 1 ucs character?
>>>>
>>>> I understand that someone from your side is working on a better patch for
>>>> this. Do keep us updated when it goes upstream.
>>>
>>> tracked in the public bugzilla entry:
>>> https://bugzilla.novell.com/show_bug.cgi?id=492282
>>> and:
>>> http://lists.samba.org/archive/linux-cifs-client/2009-April/004322.html
>>> ff. for the cifs discussion.
>>
>> Here's an update: http://lkml.org/lkml/2009/4/20/21
>
> Our maintainer also referenced:
> http://lists.samba.org/archive/linux-cifs-client/2009-April/004450.html
> http://lists.samba.org/archive/linux-cifs-client/2009-April/004452.html
>
> They are already in the CIFS git tree:
> http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=summary
> http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=7b0c8fcff47a885743125dd843db64af41af5a61
> http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=968460ebd8006d55661dec0fb86712b40d71c413
As discussed with Marcus, these two are unrelated to this issue, so we will need new CVE names. I spoke to Jeff Layton about this, and it looks like there are some more in the pipeline (but unrelated to this issue), so stay tuned.

Thanks,
Eugene
--
Eugene Teo / Red Hat Security Response Team
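The "len*2" question raised in the quoted thread can be checked directly: a single UCS-2 code unit can need up to three UTF-8 bytes, so a buffer sized at two bytes per code unit is too small for strings outside Latin-1. The following is an added illustration written for this archive page, not code from the CIFS tree or from any of the patches referenced above; it assumes `len` counts UCS-2 code units and shows how to compute the exact output size and refuse a conversion that would not fit.

```c
/* Added example (not kernel code): why a "len*2" byte budget is too small
 * when converting a UCS-2 string to UTF-8, and how to size the buffer. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Bytes UTF-8 needs for one BMP code point (UCS-2 has no surrogate pairs). */
static size_t utf8_len_of(uint16_t cp)
{
    if (cp < 0x80)  return 1;
    if (cp < 0x800) return 2;
    return 3;
}

/* Exact number of UTF-8 bytes needed for n UCS-2 code units (no NUL). */
size_t ucs2_utf8_bytes(const uint16_t *s, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += utf8_len_of(s[i]);
    return total;
}

/* Convert n UCS-2 code units into out[cap] and NUL-terminate.
 * Returns bytes written (excluding NUL), or (size_t)-1 if it would not fit. */
size_t ucs2_to_utf8(const uint16_t *s, size_t n, char *out, size_t cap)
{
    if (ucs2_utf8_bytes(s, n) + 1 > cap)   /* refuse instead of overflowing */
        return (size_t)-1;
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t cp = s[i];
        if (cp < 0x80) {
            out[o++] = (char)cp;
        } else if (cp < 0x800) {
            out[o++] = (char)(0xC0 | (cp >> 6));
            out[o++] = (char)(0x80 | (cp & 0x3F));
        } else {
            out[o++] = (char)(0xE0 | (cp >> 12));
            out[o++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            out[o++] = (char)(0x80 | (cp & 0x3F));
        }
    }
    out[o] = '\0';
    return o;
}

/* 1 if a buffer of len*2 bytes (len = UCS-2 code units) is too small. */
int len_times_two_overflows(const uint16_t *s, size_t n)
{
    return ucs2_utf8_bytes(s, n) + 1 > n * 2;
}
```

Two euro signs (U+20AC, constructed input) occupy 4 bytes as UCS-2 but need 6 UTF-8 bytes plus a terminator, so `len_times_two_overflows` reports the shortfall and `ucs2_to_utf8` declines a 4-byte destination.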