Bug 372701 (CVE-2007-5904)

Summary: CVE-2007-5904 Buffer overflow in CIFS VFS
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Jeff Layton <jlayton>
Status: CLOSED CURRENTRELEASE
QA Contact:
Severity: medium
Docs Contact:
Priority: low
Version: unspecified
CC: eteo, jlayton, kernel-maint, kreilly, sfolkwil, steved
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-09-16 15:12:29 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 372861, 372971, 372981, 372991, 373001
Bug Blocks:
Attachments:
  Proposed patch from reporter Przemyslaw Wegrzyn <czaj...@czajsoft.pl> (flags: none)

Description Jan Lieskovsky 2007-11-09 13:40:24 UTC
Description of problem:

The problem is in the SendReceive() function in transport.c: it memcpy's the
message payload into a buffer passed via the out_buf param. The function
assumes that all buffers are of size (CIFSMaxBufSize + MAX_CIFS_HDR_SIZE);
unfortunately, it is also called with smaller (MAX_CIFS_SMALL_BUFFER_SIZE)
buffers.

To check this finding I patched a Samba server to send oversized logoffX
messages. With ~16kB messages the client running 2.6.23.1 crashed upon
unmounting.


Public via: 

http://groups.google.com/group/linux.kernel/browse_thread/thread/79b7604447e993a3/6f87de5c1b55567f?hl=en#6f87de5c1b55567f
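
The following C model is added here to illustrate the size mismatch the report describes; it is not the kernel's code or the attached patch. It contrasts the single length check that assumes a large out_buf with a check bounded by the buffer class the caller actually passed. The constant values, the buffer-class flag, and all function names are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sizes named after the report's constants; not the kernel's
 * actual values. */
#define CIFSMaxBufSize             16384
#define MAX_CIFS_HDR_SIZE          384
#define MAX_CIFS_SMALL_BUFFER_SIZE 448
#define LARGE_BUF_CAP (CIFSMaxBufSize + MAX_CIFS_HDR_SIZE)

/* Pre-fix logic as the report describes it: the only length check assumes
 * every caller handed in a large buffer.  Returns -1 if the reply is
 * rejected, 1 if the copy would run past a smaller out_buf, 0 if it fits. */
int copy_reply_unchecked(size_t out_cap, size_t receive_len)
{
    if (receive_len > LARGE_BUF_CAP)
        return -1;
    return receive_len > out_cap;   /* 1: heap overflow on a small buffer */
}

/* Hardened variant: the caller states which buffer class it passed, and the
 * copy is bounded by that class's real size.  Returns -1 and copies
 * nothing when the reply does not fit, otherwise 0. */
int copy_reply_checked(unsigned char *out, int is_large_buf,
                       const unsigned char *reply, size_t receive_len)
{
    size_t limit = is_large_buf ? LARGE_BUF_CAP : MAX_CIFS_SMALL_BUFFER_SIZE;
    if (receive_len > limit)
        return -1;                  /* treat as a corrupt/malicious response */
    memcpy(out, reply, receive_len);
    return 0;
}

/* Scenario helpers: a constructed server reply (~16 kB, like the oversized
 * logoffX in the report) delivered for a request issued with a small buffer. */
static unsigned char small_buf[MAX_CIFS_SMALL_BUFFER_SIZE];
static unsigned char large_buf[LARGE_BUF_CAP];
static unsigned char server_reply[LARGE_BUF_CAP];   /* contents irrelevant here */

int recv_into_small(size_t receive_len)
{
    return copy_reply_checked(small_buf, 0, server_reply, receive_len);
}

int recv_into_large(size_t receive_len)
{
    return copy_reply_checked(large_buf, 1, server_reply, receive_len);
}
```

With a 16000-byte reply, copy_reply_unchecked() accepts it for a small buffer (the defect), while recv_into_small() rejects it and recv_into_large() copies it.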

Comment 1 Jan Lieskovsky 2007-11-09 13:40:24 UTC
Created attachment 252721 [details]
Proposed patch from reporter Przemyslaw Wegrzyn <czaj...>

Comment 9 Jan Lieskovsky 2007-11-19 13:35:25 UTC
Mark has forwarded me another link, with a more detailed / common patch. See
url:

http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commitdiff;h=133672efbc1085f9af990bdc145e1822ea93bcf3

Compared with Przemyslaw's original patch, there are additional changes to the
files fs/cifs/file.c and fs/cifs/sess.c.

Jeff, please take a look at the above URL too to be sure you don't miss
something.

Thanks in advance.

Comment 10 Jeff Layton 2007-11-19 13:52:02 UTC
That's the one that I've backported for z-stream. See the patch in bug 372991. I
think I've got it correct -- it at least builds cleanly, though it could
probably use some careful eyes to go over it and make sure that I haven't missed
anything.


Comment 16 Mark J. Cox 2008-01-21 10:07:27 UTC
" A buffer overflow was found in the CIFS virtual filesystem. A remote,
authenticated user could issue a request that required a large SMB
response. This response would not fit in the buffer used for storing SMB
response backups, causing an overflow. Such a buffer overflow could lead to
denial of service. (CVE-2007-5904, Moderate)."