oss-security - CVE request: kernel: cifs: fix unicode string area word alignment in session setup

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Date: Mon, 20 Apr 2009 14:26:08 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: CVE request: kernel: cifs: fix unicode string area word alignment
 in session setup

According to the upstream commit 27b87fe5, "the handling of unicode
string area alignment is wrong. decode_unicode_ssetup improperly assumes
that it will always be preceded by a pad byte. This isn't the case if
the string area is already word-aligned.

This problem, combined with the bad buffer sizing for the serverDomain
string can cause memory corruption. The bad alignment can make it so
that the alignment of the characters is off. This can make them
translate to characters that are greater than 2 bytes each. If this
happens we can overflow the allocation."

This is similar to the bug Marcus posted recently.

https://bugzilla.redhat.com/show_bug.cgi?id=496572
http://git.kernel.org/linus/27b87fe52baba0a55e9723030e76fce94fabcea4
http://lists.samba.org/archive/linux-cifs-client/2009-April/004399.html

Thanks, Eugene
-- 
Eugene Teo / Red Hat Security Response Team

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.