Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  news  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
Date: Tue, 07 Apr 2009 13:41:44 +0800
From: Eugene Teo <eugene@...hat.com>
To: Marcus Meissner <meissner@...e.de>
CC: oss-security@...ts.openwall.com, security@...nel.org, sfrench@...ibm.com
Subject: Re: CVE request? buffer overflow in CIFS in 2.6.*

Hi Marcus,

Marcus Meissner wrote:
> Fixes a kmalloc area overflow in CIFS, number of overwritten bytes
> is depending on the codepage converted to.
> 
> The data seems to come from a remote generated reply blob even, correct
> me if I am wrong. :/

Looks like it's part of the session setup. The NativeFileSystem field is
part of the Tree Connect response (TCon for short).

> And I wonder if "len*2" is sufficient, can't a UCS -> UTF8 conversion
> generate more than 2 byte utf-8 characters for 1 ucs character?

I understand that someone from your side is working on a better patch
for this. Do keep us updated when it goes upstream.

Thanks, Eugene
-- 
Eugene Teo / Red Hat Security Response Team

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux