Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 134640 - CAN-2004-0882 unicode parsing overflow
CAN-2004-0882 unicode parsing overflow
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: samba (Show other bugs)
3.0
All Linux
medium Severity high
: ---
: ---
Assigned To: Jay Fenlason
David Lawrence
impact=important,embargo=20041115
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-10-05 08:01 EDT by Mark J. Cox
Modified: 2014-08-31 19:26 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-11-16 12:37:56 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2004:632 high SHIPPED_LIVE Important: samba security update 2004-11-16 00:00:00 EST

  None (edit)
Description Mark J. Cox 2004-10-05 08:01:33 EDT 
Stefan Esser reported to vendor-sec on Sep27 a possible remote flaw in
call_trans2qfilepathinfo().   In 3.x the unicode complete filename is
copied into the packet. This will overflow the allocated memory on
longer filenames.

Samba team believe this is just a remote DoS

Embargo date currently not set.
Comment 1 Mark J. Cox 2004-11-12 04:33:02 EST 
Stefan Esser has proved this allows arbitrary code execution.  Embargo
set to 20041115.

> the bug:
>
> trans2.c - static int call_trans2qfilepathinfo(connection_struct *conn,
>
>  data_size = max_data_bytes + 1024;
>  pdata = Realloc(*ppdata, data_size);
>
> max_data_bytes from client is trusted. Can f.e. be 0
> In 2.x this was no problem because only the dos8name was
> copied into the packet. (which was wrong)
>
> In 3.x the unicode complete filename is copied into the
> packet. This will overflow the allocated memory on longer
> filenames.

http://websvn.samba.org/cgi-bin/viewcvs.cgi/trunk/source/smbd/trans2.c?rev=2636&r1=2197&r2=2636

> The use of the new constant  #define DIR_ENTRY_SAFETY_MARGIN 4096
> fixes the problem.
Comment 2 Mark J. Cox 2004-11-12 04:39:26 EST 
Verified fixed by RHSA-2004:632 in progress.
Comment 3 Mark J. Cox 2004-11-15 04:11:08 EST 
Now public.
Comment 4 Josh Bressers 2004-11-16 11:01:08 EST 
This issue does affect RHEL2.1.
Comment 5 Josh Bressers 2004-11-16 12:37:56 EST 
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-632.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.