Date: Tue, 21 Apr 2009 10:59:25 +0800
From: Eugene Teo <eugene@...hat.com>
To: Marcus Meissner <meissner@...e.de>
CC: oss-security@...ts.openwall.com, security@...nel.org, sfrench@...ibm.com
Subject: Re: CVE request? buffer overflow in CIFS in 2.6.*
Marcus Meissner wrote:
> On Tue, Apr 07, 2009 at 01:41:44PM +0800, Eugene Teo wrote:
>> Hi Marcus,
>>
>> Marcus Meissner wrote:
>>> Fixes a kmalloc area overflow in CIFS; the number of overwritten bytes
>>> depends on the codepage converted to.
>>>
>>> The data seems to come from a remote generated reply blob even, correct
>>> me if I am wrong. :/
>> Looks like it's part of the session setup. The NativeFileSystem field is
>> part of the Tree Connect response (TCon for short).
>>
>>> And I wonder if "len*2" is sufficient, can't a UCS -> UTF8 conversion
>>> generate more than 2 byte utf-8 characters for 1 ucs character?
>> I understand that someone from your side is working on a better patch
>> for this. Do keep us updated when it goes upstream.
>
> tracked in the public bugzilla entry:
> https://bugzilla.novell.com/show_bug.cgi?id=492282
>
> and:
> http://lists.samba.org/archive/linux-cifs-client/2009-April/004322.html ff.
> for the cifs discussion.
Here's an update:
http://lkml.org/lkml/2009/4/20/21
Thanks, Eugene
--
Eugene Teo / Red Hat Security Response Team
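Editor's note: the sizing question raised above (whether "len*2" is a sufficient output buffer for a UCS-2/UTF-16 to UTF-8 conversion) is easy to answer with a small worked example. The C below is added here and is not code from this thread or from the kernel's CIFS client; the sample NativeFileSystem string, the function names and the buffer sizes are constructed for illustration. It shows that a single 16-bit code unit can expand to 3 UTF-8 bytes, so 2 bytes per unit under-allocates, while 3 bytes per unit is a safe upper bound (a surrogate pair is 2 units and yields 4 bytes, i.e. 2 per unit), and it demonstrates a bounded converter that fails closed instead of writing past the destination.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Worst-case UTF-8 bytes for a UTF-16 buffer of 'units' code units:
 * a BMP character in U+0800..U+FFFF is 3 bytes, a surrogate pair (2 units)
 * is 4 bytes, so 3 * units bounds every case. 2 * units does not. */
size_t utf8_worst_case(size_t units) { return units * 3; }

/* Decode one code point from UTF-16LE at index *i and advance *i past it.
 * A lone surrogate is passed through as a 3-byte sequence (lenient). */
static uint32_t next_codepoint(const uint8_t *src, size_t units, size_t *i)
{
    uint32_t cp = src[2 * *i] | ((uint32_t)src[2 * *i + 1] << 8);
    (*i)++;
    if (cp >= 0xD800 && cp <= 0xDBFF && *i < units) {
        uint32_t lo = src[2 * *i] | ((uint32_t)src[2 * *i + 1] << 8);
        if (lo >= 0xDC00 && lo <= 0xDFFF) {
            cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
            (*i)++;
        }
    }
    return cp;
}

static size_t utf8_bytes_for(uint32_t cp)
{
    return cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
}

/* Exact UTF-8 length of a UTF-16LE buffer (no terminator counted). */
size_t utf16le_to_utf8_len(const uint8_t *src, size_t units)
{
    size_t n = 0, i = 0;
    while (i < units)
        n += utf8_bytes_for(next_codepoint(src, units, &i));
    return n;
}

/* Bounded conversion: returns bytes written, or -1 if 'dstlen' is too
 * small. Checks space before every code point, so it never writes past
 * dst, unlike an unchecked loop sized by len*2. */
int utf16le_to_utf8(const uint8_t *src, size_t units, char *dst, size_t dstlen)
{
    size_t out = 0, i = 0;
    while (i < units) {
        uint32_t cp = next_codepoint(src, units, &i);
        size_t need = utf8_bytes_for(cp);
        if (dstlen - out < need)
            return -1;
        unsigned char *p = (unsigned char *)dst + out;
        if (need == 1) {
            p[0] = (unsigned char)cp;
        } else if (need == 2) {
            p[0] = (unsigned char)(0xC0 | (cp >> 6));
            p[1] = (unsigned char)(0x80 | (cp & 0x3F));
        } else if (need == 3) {
            p[0] = (unsigned char)(0xE0 | (cp >> 12));
            p[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
            p[2] = (unsigned char)(0x80 | (cp & 0x3F));
        } else {
            p[0] = (unsigned char)(0xF0 | (cp >> 18));
            p[1] = (unsigned char)(0x80 | ((cp >> 12) & 0x3F));
            p[2] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
            p[3] = (unsigned char)(0x80 | (cp & 0x3F));
        }
        out += need;
    }
    return (int)out;
}

/* Constructed sample standing in for a NativeFileSystem field: four
 * U+20AC (Euro sign) code units in UTF-16LE. Each becomes E2 82 AC. */
const uint8_t sample_native_fs[] = {0xAC, 0x20, 0xAC, 0x20, 0xAC, 0x20, 0xAC, 0x20};
const size_t sample_units = 4;
/* Constructed sample: one surrogate pair (U+1F600), 2 units, 4 UTF-8 bytes. */
const uint8_t sample_surrogate[] = {0x3D, 0xD8, 0x00, 0xDE};

/* Convert the sample into a destination of 'dstlen' bytes; returns the
 * converter's result so the two sizing rules can be compared. */
int convert_sample(size_t dstlen)
{
    char dst[64];
    if (dstlen > sizeof dst)
        return -1;
    return utf16le_to_utf8(sample_native_fs, sample_units, dst, dstlen);
}

int main(void)
{
    printf("units=%zu len*2=%zu worst=%zu exact=%zu\n", sample_units,
           2 * sample_units, utf8_worst_case(sample_units),
           utf16le_to_utf8_len(sample_native_fs, sample_units));
    printf("len*2 buffer: %d, worst-case buffer: %d\n",
           convert_sample(2 * sample_units),
           convert_sample(utf8_worst_case(sample_units)));
    return 0;
}
```

For the four-character sample the exact UTF-8 length is 12 bytes, so a buffer of len*2 = 8 bytes is rejected by the bounded converter (an unchecked converter would have written 4 bytes past it), while the 3 bytes per unit bound fits exactly. A converter that takes the destination size and refuses to exceed it is the defensive shape to look for when reviewing this kind of codepage handling of peer-supplied data.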