Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Wed, 24 Aug 2011 13:50:30 +0800
From: Eugene Teo <>
CC: "Steven M. Christey" <>,
        David Jorm <>
Subject: Re: CVE request: kernel: cifs: signedness issue in

On 08/24/2011 10:36 AM, Eugene Teo wrote:
> The name_len variable in CIFSFindNext is a signed int that gets set to
> the resume_name_len in the cifs_search_info. The resume_name_len however
> is unsigned and for some infolevels is populated directly from a 32 bit
> value sent by the server.
> If the server sends a very large value for this, then that value could
> look negative when converted to a signed int. That would make that value
> pass the PATH_MAX check later in CIFSFindNext. The name_len would then
> be used as a length value for a memcpy. It would then be treated as
> unsigned again, and the memcpy scribbles over a ton of memory.
> Fix this by making the name_len an unsigned value in CIFSFindNext.

David Jorm from my team assigned CVE-2011-3191 to this.

Thanks, Eugene
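The bug class in the quoted description (a remote-supplied 32-bit length assigned to a signed int, passing a PATH_MAX comparison because it looks negative, then being treated as unsigned again by memcpy) can be reproduced in isolation. The following is an added illustration written for this archive page; it is not the CIFS code or the upstream patch, and the function names (accepts_len_signed, accepts_len_unsigned, effective_copy_len_signed) are hypothetical. It only shows the comparison and the resulting size_t value; it performs no oversized copy.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* fallback; Linux limits.h normally provides this */
#endif

/* Hypothetical mirror of the vulnerable pattern: resume_name_len is an
 * unsigned 32-bit value the server controls, and name_len is a signed int.
 * Values above INT_MAX wrap to a negative int on two's-complement targets. */
bool accepts_len_signed(uint32_t resume_name_len)
{
    int name_len = (int)resume_name_len;  /* implicit conversion in the original */
    if (name_len > PATH_MAX)              /* signed compare: negative passes */
        return false;
    return true;                          /* original would go on to memcpy() */
}

/* The fix described above: keep the length unsigned so the PATH_MAX
 * comparison actually bounds it. */
bool accepts_len_unsigned(uint32_t resume_name_len)
{
    unsigned int name_len = resume_name_len;
    if (name_len > PATH_MAX)
        return false;
    return true;
}

/* The length memcpy() would receive after the signed check: the negative
 * int is converted back to size_t, yielding an enormous byte count. */
size_t effective_copy_len_signed(uint32_t resume_name_len)
{
    int name_len = (int)resume_name_len;
    return (size_t)name_len;              /* well-defined modular conversion */
}

int main(void)
{
    /* Constructed sample values: a sane name length and a hostile one. */
    uint32_t samples[] = { 13u, (uint32_t)PATH_MAX + 1u, 0xFFFFFFF0u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t v = samples[i];
        printf("server len 0x%08x: signed check %s, unsigned check %s, "
               "memcpy len would be %zu bytes\n",
               v,
               accepts_len_signed(v)   ? "ACCEPTS" : "rejects",
               accepts_len_unsigned(v) ? "accepts" : "rejects",
               effective_copy_len_signed(v));
    }
    return 0;
}
```

The signed variant rejects 4097 but accepts 0xFFFFFFF0, because as an int that value is -16; the unsigned variant rejects both. A review check for this class of bug is to confirm that any length compared against a bound has the same signedness as the bound and as the parameter type of the copy routine it feeds.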
