Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  news  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
Date: Tue, 7 Apr 2009 10:52:15 +0200
From: Marcus Meissner <meissner@...e.de>
To: Eugene Teo <eugene@...hat.com>
Cc: oss-security@...ts.openwall.com, security@...nel.org,
	sfrench@...ibm.com
Subject: Re: CVE request? buffer overflow in CIFS in 2.6.*

On Tue, Apr 07, 2009 at 01:41:44PM +0800, Eugene Teo wrote:
> Hi Marcus,
> 
> Marcus Meissner wrote:
> > Fixes a kmalloc area overflow in CIFS, number of overwritten bytes
> > is depending on the codepage converted to.
> > 
> > The data seems to come from a remote generated reply blob even, correct
> > me if I am wrong. :/
> 
> Looks like it's part of the session setup. The NativeFileSystem field is
> part of the Tree Connect response (TCon for short).
> 
> > And I wonder if "len*2" is sufficient, can't a UCS -> UTF8 conversion
> > generate more than 2 byte utf-8 characters for 1 ucs character?
> 
> I understand that someone from your side is working on a better patch
> for this. Do keep us updated when it goes upstream.

tracked in the public bugzilla entry:
https://bugzilla.novell.com/show_bug.cgi?id=492282

and:
http://lists.samba.org/archive/linux-cifs-client/2009-April/004322.html ff.
for the cifs discussion.

Ciao, Marcus

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux