Bug 134640 - CAN-2004-0882 unicode parsing overflow
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: samba
Hardware: All, OS: Linux
Priority: medium, Severity: high
Assigned To: Jay Fenlason
QA Contact: David Lawrence
Keywords: Security
Reported: 2004-10-05 08:01 EDT by Mark J. Cox (Product Security)
Modified: 2014-08-31 19:26 EDT (History)
Last Closed: 2004-11-16 12:37:56 EST
Description Mark J. Cox (Product Security) 2004-10-05 08:01:33 EDT
Stefan Esser reported to vendor-sec on Sep 27 a possible remote flaw in
call_trans2qfilepathinfo(). In 3.x the unicode complete filename is
copied into the packet. This will overflow the allocated memory on
longer filenames.

The Samba team believes this is just a remote DoS.

Embargo date currently not set.
Comment 1 Mark J. Cox (Product Security) 2004-11-12 04:33:02 EST
Stefan Esser has proved this allows arbitrary code execution.  Embargo
set to 20041115.

> the bug:
> trans2.c - static int call_trans2qfilepathinfo(connection_struct *conn,
>  data_size = max_data_bytes + 1024;
>  pdata = Realloc(*ppdata, data_size);
> max_data_bytes from client is trusted. Can f.e. be 0
> In 2.x this was no problem because only the dos8name was
> copied into the packet. (which was wrong)
> In 3.x the unicode complete filename is copied into the
> packet. This will overflow the allocated memory on longer
> filenames.

> The use of the new constant #define DIR_ENTRY_SAFETY_MARGIN 4096
> fixes the problem.

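The sizing problem quoted above, as an added illustration that is not part of the bug report or of Samba's code: it models the unfixed `max_data_bytes + 1024` allocation beside the `DIR_ENTRY_SAFETY_MARGIN` version, and adds a writer that checks the UCS-2 name against the allocation instead of trusting the sizing. `HEADER_BYTES`, the ASCII-only UCS-2 conversion and the function names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the reply sizing described in comment 1. */
#define DIR_ENTRY_SAFETY_MARGIN 4096  /* the constant named in the report */
#define HEADER_BYTES 72               /* assumed fixed part before the name */

/* Unfixed 3.x sizing: client-supplied max_data_bytes (may be 0) plus 1024,
 * with no relation to the length of the name that will be copied in.
 * The fixed variant adds the 4096-byte safety margin on top. */
size_t reply_alloc_size(size_t max_data_bytes, int fixed) {
    size_t n = max_data_bytes + 1024;
    return fixed ? n + DIR_ENTRY_SAFETY_MARGIN : n;
}

/* Bytes needed for the name as UCS-2 (2 per char) plus a 2-byte terminator. */
size_t unicode_name_bytes(const char *fname) {
    return (strlen(fname) + 1) * 2;
}

/* Checked writer: refuses when the name would run past the allocation
 * instead of relying on the sizing above having been large enough.
 * Returns bytes written, or -1 if the copy would overflow. */
int write_unicode_name(unsigned char *pdata, size_t alloc, size_t off,
                       const char *fname) {
    size_t need = unicode_name_bytes(fname), i;
    if (off > alloc || need > alloc - off) return -1;
    for (i = 0; fname[i] != '\0'; i++) {   /* ASCII-only UCS-2LE (assumption) */
        pdata[off + 2 * i] = (unsigned char)fname[i];
        pdata[off + 2 * i + 1] = 0;
    }
    pdata[off + 2 * i] = pdata[off + 2 * i + 1] = 0;
    return (int)need;
}

/* Scenario: a client sends max_data_bytes and queries a path of name_len
 * chars; returns the writer's result for the unfixed or fixed allocation. */
int try_reply(size_t max_data_bytes, size_t name_len, int fixed) {
    size_t alloc = reply_alloc_size(max_data_bytes, fixed);
    unsigned char *pdata = calloc(alloc, 1);
    char *name = malloc(name_len + 1);
    int rc;
    if (!pdata || !name) { free(pdata); free(name); return -2; }
    memset(name, 'a', name_len);
    name[name_len] = '\0';
    rc = write_unicode_name(pdata, alloc, HEADER_BYTES, name);
    free(name);
    free(pdata);
    return rc;
}
```

With max_data_bytes set to 0 by the client, the unfixed buffer is 1024 bytes, so a 1024-character path (2050 bytes as UCS-2) is refused by the checked writer where the original copy would have overflowed; with the margin the same path fits.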
Comment 2 Mark J. Cox (Product Security) 2004-11-12 04:39:26 EST
Verified fixed by RHSA-2004:632 in progress.
Comment 3 Mark J. Cox (Product Security) 2004-11-15 04:11:08 EST
Now public.
Comment 4 Josh Bressers 2004-11-16 11:01:08 EST
This issue does affect RHEL2.1.
Comment 5 Josh Bressers 2004-11-16 12:37:56 EST
An errata has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.