CVE request: NetSMB BSD kernel module (minor)

[Dan Rosenberg <dan.j.rosenberg () gmail com>]

I discovered and reported a minor security issue in the netsmb kernel
module for NetBSD and FreeBSD.  The issue also affects Mac OS X 10.x,
where netsmb is available as a kernel extension.

Several of the subroutines in the netsmb module (see reference below
for vulnerable functions), which are reachable by unprivileged local
users via device ioctls sent to a /dev/nsmb* device, had signedness
errors.  By providing a negative value for a size field for certain
device ioctls (including SMBIOC_LOOKUP and SMBIOC_OPENSESSION for
*BSD), a size check will be bypassed and a memory overallocation will
occur, causing a kernel panic.  NetBSD committed their fix to CVS
today:

http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netsmb/smb_subr.c.diff?r1=1.34&r2=1.35&only_with_tag=MAIN&f=h

Regards,
Dan Rosenberg