Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 24 Aug 2011 13:50:30 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>,
        David Jorm <djorm@...hat.com>
Subject: Re: CVE request: kernel: cifs: singedness issue in
 CIFSFindNext()

On 08/24/2011 10:36 AM, Eugene Teo wrote:
> The name_len variable in CIFSFindNext is a signed int that gets set to
> the resume_name_len in the cifs_search_info. The resume_name_len however
> is unsigned and for some infolevels is populated directly from a 32 bit
> value sent by the server.
> 
> If the server sends a very large value for this, then that value could
> look negative when converted to a signed int. That would make that value
> pass the PATH_MAX check later in CIFSFindNext. The name_len would then
> be used as a length value for a memcpy. It would then be treated as
> unsigned again, and the memcpy scribbles over a ton of memory.
> 
> Fix this by making the name_len an unsigned value in CIFSFindNext.
> 
> http://www.spinics.net/lists/linux-cifs/msg03950.html
> https://bugzilla.redhat.com/show_bug.cgi?id=732869

David Jorm from my team assigned CVE-2011-3191 to this.

Thanks, Eugene

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ