Description of problem:
The problem is in SendReceive() function in transport.c - it memcpy's
message payload into a buffer passed via out_buf param. The function
assumes that all buffers are of size (CIFSMaxBufSize +
MAX_CIFS_HDR_SIZE) , unfortunately it is also called with smaller
To check this finding I patched Samba server to send oversized logoffX
messages. With ~ 16kB messages the client running 188.8.131.52 crashed upon
Created attachment 252721 [details]
Proposed patch from reporter Przemyslaw Wegrzyn <czaj...@czajsoft.pl>
Mark has forwarded to me another link, with more detailed / common patch. See
Against the original Przemyslaw's patch, there are additional changes to the
files: fs/cifs/file.c and fs/cifs/sees.c.
Jeff, please take a loot at the above URL too to be sure you dont' miss
Thanks in advance.
That's the one that I've backported for z-stream. See the patch in bug 372991. I
think I've got it correct -- it at least builds cleanly, though it could
probably use some careful eyes to go over it and make sure that I haven't missed
" A buffer overflow was found in the CIFS virtual filesystem. A remote,
authenticated user could issue a request that required a large SMB
response. This response would not fit in the buffer used for storing SMB
response backups, causing an overflow. Such a buffer overflow could lead to
denial of service. (CVE-2007-5904, Moderate)."