| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 24 Dec 2007 23:42:38 +0300
From: "Oleg Gvozdev" <123.oleg@...il.com>
To: linux-kernel@...r.kernel.org
Subject: LINUX kernel 2.6.23: bug in CIFSSMBSetEA
Hello
In fs/cifs/cifssmb.c, in CIFSSMBSetEA (...) function wrong counting of
var exists.
EXISTING CODE:
pSMB->DataCount = sizeof(*parm_data) + ea_value_len + name_len + 1;
MUST BE:
pSMB->DataCount = sizeof(*parm_data) + ea_value_len + name_len;
REASON:
"sizeof(*parm_data)" counts 1 byte from "char name[1];"
So, for example in Samba server (sources/smbd/trans2.c), we can see
wrong processing of EA, cause data sent to server is bigger on 1 byte
then it must be.
See Extra info for details
--------------------------------------------- Extra info
struct fealist *parm_data;
1707 struct fea {
1708 unsigned char EA_flags;
1709 __u8 name_len;
1710 __u16 value_len;
1711 char name[1];
1712 /* optionally followed by value */
1713 };
1714 /* flags for _FEA.fEA */
1715 #define FEA_NEEDEA 0x80 /* need EA bit */
1716
1717 struct fealist {
1718 __u32 list_len;
1719 struct fea list[1];
1720 };
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists