Bug 372701 (CVE-2007-5904) - CVE-2007-5904 Buffer overflow in CIFS VFS
Summary: CVE-2007-5904 Buffer overflow in CIFS VFS
Status: CLOSED CURRENTRELEASE
Alias: CVE-2007-5904
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
(Show other bugs)
Version: unspecified
Hardware: All Linux
low
medium
Target Milestone: ---
Assignee: Jeff Layton
QA Contact:
URL:
Whiteboard: impact=moderate,source=lkml,reported=...
Keywords: Security
Depends On: 372861 372971 372981 372991 373001
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-11-09 13:40 UTC by Jan Lieskovsky
Modified: 2014-06-18 07:37 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-09-16 15:12:29 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Proposed patch from reporter Przemyslaw Wegrzyn <czaj...@czajsoft.pl> (28.15 KB, patch)
2007-11-09 13:40 UTC, Jan Lieskovsky
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0089 normal SHIPPED_LIVE Important: kernel security and bug fix update 2008-01-23 15:07:09 UTC
Red Hat Product Errata RHSA-2008:0167 normal SHIPPED_LIVE Moderate: kernel security and bug fix update 2008-03-14 10:30:46 UTC

Description Jan Lieskovsky 2007-11-09 13:40:24 UTC
Description of problem:

The problem is in SendReceive() function in transport.c - it memcpy's
message payload into a buffer passed via out_buf param. The function
assumes that all buffers are of size (CIFSMaxBufSize +
MAX_CIFS_HDR_SIZE) , unfortunately it is also called with smaller
(MAX_CIFS_SMALL_BUFFER_SIZE) buffers.

To check this finding I patched Samba server to send oversized logoffX
messages. With ~ 16kB messages the client running 2.6.23.1 crashed upon
unmounting. 


Public via: 

http://groups.google.com/group/linux.kernel/browse_thread/thread/79b7604447e993a3/6f87de5c1b55567f?hl=en#6f87de5c1b55567f

Comment 1 Jan Lieskovsky 2007-11-09 13:40:24 UTC
Created attachment 252721 [details]
Proposed patch from reporter Przemyslaw Wegrzyn <czaj...@czajsoft.pl>

Comment 9 Jan Lieskovsky 2007-11-19 13:35:25 UTC
Mark has forwarded to me another link, with more detailed / common patch. See
url:

http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commitdiff;h=133672efbc1085f9af990bdc145e1822ea93bcf3

Against the original Przemyslaw's patch, there are additional changes to the
files: fs/cifs/file.c and fs/cifs/sees.c. 

Jeff, please take a loot at the above URL too to be sure you dont' miss 
something. 

Thanks in advance.

Comment 10 Jeff Layton 2007-11-19 13:52:02 UTC
That's the one that I've backported for z-stream. See the patch in bug 372991. I
think I've got it correct -- it at least builds cleanly, though it could
probably use some careful eyes to go over it and make sure that I haven't missed
anything.


Comment 16 Mark J. Cox 2008-01-21 10:07:27 UTC
" A buffer overflow was found in the CIFS virtual filesystem. A remote,
authenticated user could issue a request that required a large SMB
response. This response would not fit in the buffer used for storing SMB
response backups, causing an overflow. Such a buffer overflow could lead to
denial of service. (CVE-2007-5904, Moderate)."



Note You need to log in before you can comment on or make changes to this bug.