Bug 191299

Summary: CVE-2005-4798 nfs client: handle long symlinks properly
Product: Red Hat Enterprise Linux 2.1
Reporter: Marcel Holtmann <holtmann>
Component: kernel
Assignee: Don Howard <dhoward>
Status: CLOSED NOTABUG
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 2.1
CC: security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: i386
OS: Linux
Whiteboard: impact=moderate,source=bugzilla,reported=20050925,public=20050925
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2006-05-10 19:45:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Marcel Holtmann 2006-05-10 16:47:24 UTC
Buffer overflow in NFS readlink handling in the Linux Kernel 2.4 up to 2.4.31
allows remote NFS servers to cause a denial of service via a long symlink.

A more detailed description can be found in bug 169230.

Comment 1 Don Howard 2006-05-10 19:45:54 UTC
It looks like rhel2 gets this right:

        strlen = (u32*)res->buffer;
        /* Convert length of symlink */
        len = ntohl(*strlen);
        if (len > res->bufsiz - 5)
                len = res->bufsiz - 5;
        *strlen = len;
        /* NULL terminate the string we got */
        string = (char *)(strlen + 1);
        string[len] = 0;

(nfs2/3 on pensacola and derry are all similar)
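The bounds check quoted in the comment above, worked through on constructed input as an added example (this is not the kernel's code and not part of the bug report): a model of the readlink reply buffer, the same clamp to bufsiz - 5, and a helper that feeds it a reply whose length word claims far more bytes than the buffer holds. The struct name readlink_res, DEMO_BUFSIZ, build_reply and run_case are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>   /* ntohl / htonl */

#define DEMO_BUFSIZ 16   /* constructed: small so the clamp is easy to see */

/* Constructed model of the reply buffer the RHEL 2.1 snippet works on:
   a 4-byte big-endian XDR length word followed by the path bytes. */
struct readlink_res {
    uint8_t *buffer;     /* length word, then path bytes */
    uint32_t bufsiz;     /* total size of buffer in bytes */
};

/* 4-byte aligned backing store so the uint32_t cast below is valid. */
static uint32_t demo_words[DEMO_BUFSIZ / 4];

/* Same logic as the quoted check: clamp the server-supplied length so the
   terminating NUL written at string[len] stays inside the buffer.
   Returns the clamped length, or -1 if the buffer cannot hold even the
   length word plus a terminator. */
int clamp_readlink(struct readlink_res *res)
{
    if (res->bufsiz < 5)
        return -1;
    uint32_t *strlen_p = (uint32_t *)res->buffer;
    uint32_t len = ntohl(*strlen_p);        /* convert length of symlink */
    if (len > res->bufsiz - 5)              /* 4 bytes of length + 1 for NUL */
        len = res->bufsiz - 5;
    *strlen_p = len;
    char *string = (char *)(strlen_p + 1);
    string[len] = 0;                        /* NUL terminate within bounds */
    return (int)len;
}

/* Build a constructed reply: big-endian length word, then path bytes.
   The buffer is pre-filled with 'A' so an overrun would be visible. */
static void build_reply(uint8_t *buf, uint32_t bufsiz,
                        uint32_t claimed_len, const char *path)
{
    uint32_t be = htonl(claimed_len);
    memset(buf, 'A', bufsiz);
    memcpy(buf, &be, sizeof be);
    size_t n = strlen(path);
    if (n > bufsiz - 4)
        n = bufsiz - 4;
    memcpy(buf + 4, path, n);
}

/* Run one case and return the clamped length, or -2 if the terminator
   did not land at offset 4 + len inside the buffer. */
int run_case(uint32_t claimed_len, const char *path)
{
    uint8_t *buf = (uint8_t *)demo_words;
    build_reply(buf, DEMO_BUFSIZ, claimed_len, path);
    struct readlink_res res = { buf, DEMO_BUFSIZ };
    int len = clamp_readlink(&res);
    if (len < 0)
        return len;
    if (buf[4 + len] != 0)
        return -2;
    return len;
}

int main(void)
{
    printf("well-formed reply, 4-byte path -> len %d\n", run_case(4, "/tmp"));
    printf("reply claiming 1000 bytes      -> len %d\n", run_case(1000, "/tmp"));
    return 0;
}
```

With a 16-byte buffer the largest usable path length is 11: four bytes are taken by the length word and one by the NUL that string[len] writes, which is exactly why the check compares against bufsiz - 5 rather than bufsiz. A reply claiming 1000 bytes is clamped to 11 and the terminator lands on the last byte of the buffer instead of past it.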