Red Hat Bugzilla – Bug 134640
CAN-2004-0882 unicode parsing overflow
Last modified: 2014-08-31 19:26:41 EDT
Stefan Esser reported to vendor-sec on Sep 27 a possible remote flaw in
call_trans2qfilepathinfo(). In 3.x the unicode complete filename is
copied into the packet. This will overflow the allocated memory on
Samba team believe this is just a remote DoS
Embargo date currently not set.
Stefan Esser has proved this allows arbitrary code execution. Embargo
set to 20041115.
> the bug:
> trans2.c - static int call_trans2qfilepathinfo(connection_struct *conn,
> data_size = max_data_bytes + 1024;
> pdata = Realloc(*ppdata, data_size);
> max_data_bytes from client is trusted. Can e.g. be 0
> In 2.x this was no problem because only the dos8name was
> copied into the packet. (which was wrong)
> In 3.x the unicode complete filename is copied into the
> packet. This will overflow the allocated memory on longer
> The use of the new constant #define DIR_ENTRY_SAFETY_MARGIN 4096
> fixes the problem.
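The allocation pattern in the quoted report, as an added C example that is not Samba's code: a reply buffer sized from the client-supplied max_data_bytes plus a fixed slack, next to a version that sizes the buffer from the UCS-2 name actually being copied and bounds-checks at the copy site. The function names, the toy UCS-2 conversion, the MARGIN constant and the MAX_CLIENT_DATA clamp are assumptions made for this illustration.

```c
/* Added example (not Samba's code): the allocation shape from the quoted
 * report beside a version sized from the data it will actually hold.
 * Function names, the toy UCS-2 conversion, MARGIN and MAX_CLIENT_DATA
 * are assumptions made for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MARGIN 1024                 /* fixed slack added to the client value */
#define MAX_CLIENT_DATA (64 * 1024) /* assumed sanity cap on client-chosen size */

/* Bytes a little-endian UCS-2 copy of an ASCII path needs, including the
 * two-byte terminator. */
size_t ucs2_len(const char *path)
{
    return 2 * strlen(path) + 2;
}

/* Vulnerable shape: data_size = max_data_bytes + MARGIN depends only on a
 * value the client chose, so a long enough name overruns the heap block.
 * Returns 1 when the UCS-2 name would run past that allocation (the check
 * stands in for the actual overflow so the example is safe to run). */
int vuln_would_overflow(uint32_t max_data_bytes, const char *path)
{
    size_t data_size = (size_t)max_data_bytes + MARGIN;
    return ucs2_len(path) > data_size;
}

/* Bounded copy: writes src as UCS-2LE into dst only if it fits in cap
 * bytes.  Returns bytes written, or 0 if the name does not fit. */
size_t push_ucs2_checked(uint8_t *dst, size_t cap, const char *src)
{
    size_t need = ucs2_len(src);
    if (need > cap)
        return 0;
    size_t n = strlen(src);
    for (size_t i = 0; i < n; i++) {
        dst[2 * i] = (uint8_t)src[i];
        dst[2 * i + 1] = 0;
    }
    dst[2 * n] = 0;
    dst[2 * n + 1] = 0;
    return need;
}

/* Hardened shape: clamp the client value, compute what will be copied,
 * grow the buffer to fit it, and keep the bounds check at the copy site.
 * Returns the buffer (caller frees) and its size via *out_size, or NULL. */
uint8_t *safe_build_reply(uint32_t max_data_bytes, const char *path, size_t *out_size)
{
    if (max_data_bytes > MAX_CLIENT_DATA)
        return NULL;
    size_t need = ucs2_len(path);
    size_t data_size = (size_t)max_data_bytes + MARGIN;
    if (data_size < need)
        data_size = need;
    uint8_t *pdata = calloc(1, data_size);
    if (pdata == NULL)
        return NULL;
    if (push_ucs2_checked(pdata, data_size, path) == 0) {
        free(pdata);
        return NULL;
    }
    *out_size = data_size;
    return pdata;
}

/* Builds a reply, verifies the copied bytes, frees it and returns the
 * allocation size (0 on failure).  Convenience wrapper for checks. */
size_t safe_reply_size(uint32_t max_data_bytes, const char *path)
{
    size_t size = 0;
    uint8_t *p = safe_build_reply(max_data_bytes, path, &size);
    if (p == NULL)
        return 0;
    size_t n = strlen(path);
    int ok = (n == 0 || (p[0] == (uint8_t)path[0] && p[1] == 0)) &&
             p[2 * n] == 0 && p[2 * n + 1] == 0;
    free(p);
    return ok ? size : 0;
}

/* Constructed input: a path of n 'A' characters (static buffer). */
const char *make_path(size_t n)
{
    static char buf[4096];
    if (n > sizeof(buf) - 1)
        n = sizeof(buf) - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed case: client sends max_data_bytes = 0, name is 600 chars. */
    const char *path = make_path(600);
    printf("need %zu bytes, fixed-slack buffer would overflow: %d\n",
           ucs2_len(path), vuln_would_overflow(0, path));
    printf("hardened allocation size: %zu\n", safe_reply_size(0, path));
    return 0;
}
```

With max_data_bytes of 0 and a 600-character name, the fixed-slack buffer holds 1024 bytes while the UCS-2 copy needs 1202, which is the condition the report describes; the hardened version grows the allocation to 1202 and refuses the copy rather than overrunning if the sizes ever disagree.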
Verified fixed by RHSA-2004:632 in progress.
This issue does affect RHEL2.1.
An erratum has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.