| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 8 Nov 2007 23:28:24 +0100 From: Jörn Engel <joern@...fs.org> To: Przemyslaw Wegrzyn <czajnik@...jsoft.pl> Cc: linux-kernel@...r.kernel.org, Steve French <smfrench@...tin.rr.com> Subject: Re: Buffer overflow in CIFS VFS. Not everyone has the time to read lkml. Added Steve to Cc:, just in case. On Thu, 8 November 2007 22:20:03 +0100, Przemyslaw Wegrzyn wrote: > > I was looking at CIFS VFS code recently, trying to solve other issue, > just to find something that looks like a buffer overflow bug. > The problem is in SendReceive() function in transport.c - it memcpy's > message payload into a buffer passed via out_buf param. The function > assumes that all buffers are of size (CIFSMaxBufSize + > MAX_CIFS_HDR_SIZE) , unfortunately it is also called with smaller > (MAX_CIFS_SMALL_BUFFER_SIZE) buffers. > > To check this finding I patched Samba server to send oversized logoffX > messages. With ~ 16kB messages the client running 2.6.23.1 crashed upon > unmounting. > > I've done a quick fix, available here: > http://czajnick.sitenet.pl/cifs-buffer-overflow-fix.patch.gz Jörn -- When in doubt, punt. When somebody actually complains, go back and fix it... The 90% solution is a good thing. -- Rob Landley - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists