![]() |
|
Date: Wed, 24 Aug 2011 13:50:30 +0800 From: Eugene Teo <eugene@...hat.com> To: oss-security@...ts.openwall.com CC: "Steven M. Christey" <coley@...us.mitre.org>, David Jorm <djorm@...hat.com> Subject: Re: CVE request: kernel: cifs: singedness issue in CIFSFindNext() On 08/24/2011 10:36 AM, Eugene Teo wrote: > The name_len variable in CIFSFindNext is a signed int that gets set to > the resume_name_len in the cifs_search_info. The resume_name_len however > is unsigned and for some infolevels is populated directly from a 32 bit > value sent by the server. > > If the server sends a very large value for this, then that value could > look negative when converted to a signed int. That would make that value > pass the PATH_MAX check later in CIFSFindNext. The name_len would then > be used as a length value for a memcpy. It would then be treated as > unsigned again, and the memcpy scribbles over a ton of memory. > > Fix this by making the name_len an unsigned value in CIFSFindNext. > > http://www.spinics.net/lists/linux-cifs/msg03950.html > https://bugzilla.redhat.com/show_bug.cgi?id=732869 David Jorm from my team assigned CVE-2011-3191 to this. Thanks, Eugene
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.