Bug 372701 - (CVE-2007-5904) CVE-2007-5904 Buffer overflow in CIFS VFS
CVE-2007-5904 Buffer overflow in CIFS VFS
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity medium
: ---
: ---
Assigned To: Jeff Layton
: Security
Depends On: 372861 372971 372981 372991 373001
  Show dependency treegraph
Reported: 2007-11-09 08:40 EST by Jan Lieskovsky
Modified: 2014-06-18 03:37 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-09-16 11:12:29 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Proposed patch from reporter Przemyslaw Wegrzyn <czaj...@czajsoft.pl> (28.15 KB, patch)
2007-11-09 08:40 EST, Jan Lieskovsky
no flags Details | Diff

  None (edit)
Description Jan Lieskovsky 2007-11-09 08:40:24 EST
Description of problem:

The problem is in SendReceive() function in transport.c - it memcpy's
message payload into a buffer passed via out_buf param. The function
assumes that all buffers are of size (CIFSMaxBufSize +
MAX_CIFS_HDR_SIZE) , unfortunately it is also called with smaller

To check this finding I patched Samba server to send oversized logoffX
messages. With ~ 16kB messages the client running crashed upon

Public via: 

Comment 1 Jan Lieskovsky 2007-11-09 08:40:24 EST
Created attachment 252721 [details]
Proposed patch from reporter Przemyslaw Wegrzyn <czaj...@czajsoft.pl>
Comment 9 Jan Lieskovsky 2007-11-19 08:35:25 EST
Mark has forwarded to me another link, with more detailed / common patch. See


Against the original Przemyslaw's patch, there are additional changes to the
files: fs/cifs/file.c and fs/cifs/sees.c. 

Jeff, please take a loot at the above URL too to be sure you dont' miss 

Thanks in advance.
Comment 10 Jeff Layton 2007-11-19 08:52:02 EST
That's the one that I've backported for z-stream. See the patch in bug 372991. I
think I've got it correct -- it at least builds cleanly, though it could
probably use some careful eyes to go over it and make sure that I haven't missed
Comment 16 Mark J. Cox 2008-01-21 05:07:27 EST
" A buffer overflow was found in the CIFS virtual filesystem. A remote,
authenticated user could issue a request that required a large SMB
response. This response would not fit in the buffer used for storing SMB
response backups, causing an overflow. Such a buffer overflow could lead to
denial of service. (CVE-2007-5904, Moderate)."

Note You need to log in before you can comment on or make changes to this bug.