Bug 372701 - (CVE-2007-5904) CVE-2007-5904 Buffer overflow in CIFS VFS
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Jeff Layton
Whiteboard: impact=moderate,source=lkml,reported=...
Keywords: Security
Depends On: 372861 372971 372981 372991 373001
Reported: 2007-11-09 08:40 EST by Jan Lieskovsky
Modified: 2014-06-18 03:37 EDT (History)

Doc Type: Bug Fix
Last Closed: 2008-09-16 11:12:29 EDT

Attachments
Proposed patch from reporter Przemyslaw Wegrzyn <czaj...@czajsoft.pl> (28.15 KB, patch)
2007-11-09 08:40 EST, Jan Lieskovsky

Description Jan Lieskovsky 2007-11-09 08:40:24 EST
Description of problem:

The problem is in the SendReceive() function in transport.c: it memcpy's the message payload into a buffer passed via the out_buf param. The function assumes that all buffers are of size (CIFSMaxBufSize + MAX_CIFS_HDR_SIZE); unfortunately, it is also called with smaller (MAX_CIFS_SMALL_BUFFER_SIZE) buffers.

To check this finding I patched a Samba server to send oversized logoffX messages. With ~16 kB messages the client running 2.6.23.1 crashed upon unmounting.


Public via:

http://groups.google.com/group/linux.kernel/browse_thread/thread/79b7604447e993a3/6f87de5c1b55567f?hl=en#6f87de5c1b55567f
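The size-contract mismatch described above, reduced to a small added C illustration (not the kernel's code or its actual fix): the copy routine is handed the real capacity of the caller's buffer and refuses a response that would not fit, so a ~16 kB response into a small buffer returns an error instead of overrunning it. The buffer sizes are constructed for the example and are not the values of CIFSMaxBufSize, MAX_CIFS_HDR_SIZE or MAX_CIFS_SMALL_BUFFER_SIZE.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>

/* Constructed sizes for illustration only; they are not the values the
 * CIFS client uses for its large and small buffer pools. */
#define HDR_SIZE          32
#define LARGE_BUF_SIZE    (16384 + HDR_SIZE)
#define SMALL_BUF_SIZE    448

/* The destination is passed together with its real capacity, so the
 * copy cannot rely on every caller having supplied a large buffer. */
struct response_buf {
    uint8_t *data;
    size_t   cap;      /* bytes actually allocated behind data */
    size_t   len;      /* bytes written by copy_response() */
};

/* Copy a received SMB response into the caller's buffer.
 * Returns 0 on success, -E2BIG when the response exceeds the buffer
 * (the condition behind the bug) and -EINVAL on a malformed length. */
static int copy_response(const uint8_t *resp, size_t resp_len,
                         struct response_buf *out)
{
    if (resp == NULL || out == NULL || out->data == NULL)
        return -EINVAL;
    if (resp_len < HDR_SIZE)          /* must at least carry a header */
        return -EINVAL;
    if (resp_len > out->cap)          /* would overrun a small buffer */
        return -E2BIG;
    memcpy(out->data, resp, resp_len);
    out->len = resp_len;
    return 0;
}

/* Simulate the report: a response of resp_len bytes arriving for a
 * request issued with a buffer of buf_cap bytes. Returns the result
 * of copy_response(); the response bytes are constructed filler. */
static int simulate(size_t resp_len, size_t buf_cap)
{
    static uint8_t storage[LARGE_BUF_SIZE];
    static uint8_t wire[LARGE_BUF_SIZE];
    struct response_buf out = { storage, buf_cap, 0 };

    if (resp_len > sizeof wire || buf_cap > sizeof storage)
        return -EINVAL;               /* keep the simulation itself safe */
    memset(wire, 0xAB, sizeof wire);
    return copy_response(wire, resp_len, &out);
}
```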
Comment 1 Jan Lieskovsky 2007-11-09 08:40:24 EST
Created attachment 252721
Proposed patch from reporter Przemyslaw Wegrzyn <czaj...@czajsoft.pl>
Comment 9 Jan Lieskovsky 2007-11-19 08:35:25 EST
Mark has forwarded me another link, with a more detailed / common patch. See url:

http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commitdiff;h=133672efbc1085f9af990bdc145e1822ea93bcf3

Compared with Przemyslaw's original patch, there are additional changes to the files fs/cifs/file.c and fs/cifs/sess.c.

Jeff, please take a look at the above URL too to be sure you don't miss something.

Thanks in advance.
Comment 10 Jeff Layton 2007-11-19 08:52:02 EST
That's the one that I've backported for z-stream. See the patch in bug 372991. I
think I've got it correct -- it at least builds cleanly, though it could
probably use some careful eyes to go over it and make sure that I haven't missed
anything.
Comment 16 Mark J. Cox (Product Security) 2008-01-21 05:07:27 EST
" A buffer overflow was found in the CIFS virtual filesystem. A remote,
authenticated user could issue a request that required a large SMB
response. This response would not fit in the buffer used for storing SMB
response backups, causing an overflow. Such a buffer overflow could lead to
denial of service. (CVE-2007-5904, Moderate)."
