|
|
Date: Wed, 24 Aug 2011 13:50:30 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>,
David Jorm <djorm@...hat.com>
Subject: Re: CVE request: kernel: cifs: singedness issue in
CIFSFindNext()
On 08/24/2011 10:36 AM, Eugene Teo wrote:
> The name_len variable in CIFSFindNext is a signed int that gets set to
> the resume_name_len in the cifs_search_info. The resume_name_len however
> is unsigned and for some infolevels is populated directly from a 32 bit
> value sent by the server.
>
> If the server sends a very large value for this, then that value could
> look negative when converted to a signed int. That would make that value
> pass the PATH_MAX check later in CIFSFindNext. The name_len would then
> be used as a length value for a memcpy. It would then be treated as
> unsigned again, and the memcpy scribbles over a ton of memory.
>
> Fix this by making the name_len an unsigned value in CIFSFindNext.
>
> http://www.spinics.net/lists/linux-cifs/msg03950.html
> https://bugzilla.redhat.com/show_bug.cgi?id=732869
David Jorm from my team assigned CVE-2011-3191 to this.
Thanks, Eugene
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.