Bug 134640
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CAN-2004-0882 unicode parsing overflow | | |
| Product: | Red Hat Enterprise Linux 3 | Reporter: | Mark J. Cox <mjc> |
| Component: | samba | Assignee: | Jay Fenlason <fenlason> |
| Status: | CLOSED ERRATA | QA Contact: | David Lawrence <dkl> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | | |
| Version: | 3.0 | CC: | jfeeney, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | impact=important,embargo=20041115 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2004-11-16 17:37:56 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Mark J. Cox
2004-10-05 12:01:33 UTC
Stefan Esser has proved this allows arbitrary code execution. Embargo set to 20041115.

> the bug:
>
> trans2.c - static int call_trans2qfilepathinfo(connection_struct *conn,
>
> data_size = max_data_bytes + 1024;
> pdata = Realloc(*ppdata, data_size);
>
> max_data_bytes from client is trusted. Can f.e. be 0
> In 2.x this was no problem because only the dos8name was
> copied into the packet. (which was wrong)
>
> In 3.x the unicode complete filename is copied into the
> packet. This will overflow the allocated memory on longer
> filenames.

http://websvn.samba.org/cgi-bin/viewcvs.cgi/trunk/source/smbd/trans2.c?rev=2636&r1=2197&r2=2636

> The use of the new constant #define DIR_ENTRY_SAFETY_MARGIN 4096
> fixes the problem.

Verified fixed by RHSA-2004:632 in progress.

Now public.

This issue does affect RHEL2.1.

An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-632.html
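The sizing mistake quoted above, as an added C illustration that is not Samba's code: a reply buffer sized from the client-supplied max_data_bytes alone (the old policy) is compared with one sized from the bytes the server will actually write (a hardened policy), and the copy routine carries the bound check the old code lacked. The 64-byte header and the reply_fits helper are assumptions made for the demonstration, and DIR_ENTRY_SAFETY_MARGIN is not modelled.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define REPLY_HEADER_BYTES 64   /* assumed fixed header size, not Samba's value */

/* Bytes to store an ASCII name as UTF-16LE plus a two-byte terminator. */
static size_t unicode_name_bytes(const char *name) { return (strlen(name) + 1) * 2; }

/* Old policy: buffer sized from the client-controlled max_data_bytes only. */
size_t alloc_trusting_client(size_t max_data_bytes, const char *name)
{
    (void)name;
    return max_data_bytes + 1024;
}

/* Hardened policy: buffer sized from what the server will actually write. */
size_t alloc_from_payload(size_t max_data_bytes, const char *name)
{
    size_t needed = REPLY_HEADER_BYTES + unicode_name_bytes(name);
    return max_data_bytes > needed ? max_data_bytes : needed;
}

/* Write header + UTF-16LE name into buf[cap]. Returns bytes written,
 * or 0 when the reply would not fit (the bound check the old code lacked). */
size_t build_reply(uint8_t *buf, size_t cap, const char *name)
{
    size_t need = REPLY_HEADER_BYTES + unicode_name_bytes(name);
    if (need > cap) return 0;
    memset(buf, 0, REPLY_HEADER_BYTES);
    uint8_t *p = buf + REPLY_HEADER_BYTES;
    for (; *name; name++) { *p++ = (uint8_t)*name; *p++ = 0; }
    *p++ = 0; *p = 0;
    return need;
}

/* Does a reply for a name_len-char name fit in a buffer sized by policy
 * when the client sends max_data_bytes? 1 = fits, 0 = refused, -1 = OOM. */
int reply_fits(size_t (*policy)(size_t, const char *),
               size_t max_data_bytes, size_t name_len)
{
    char *name = malloc(name_len + 1);
    if (!name) return -1;
    memset(name, 'a', name_len);
    name[name_len] = '\0';
    size_t cap = policy(max_data_bytes, name);
    uint8_t *buf = malloc(cap);
    int ok = buf ? (build_reply(buf, cap, name) != 0) : -1;
    free(buf); free(name);
    return ok;
}
```

With max_data_bytes of 0, a 600-character name needs 1266 bytes but the old policy allocates only 1024, which is exactly the gap the quoted report describes; the hardened policy allocates 1266 and the reply fits.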