Description of problem: The problem is in the SendReceive() function in transport.c - it memcpy's the message payload into a buffer passed via the out_buf param. The function assumes that all buffers are of size (CIFSMaxBufSize + MAX_CIFS_HDR_SIZE); unfortunately, it is also called with smaller (MAX_CIFS_SMALL_BUFFER_SIZE) buffers. To check this finding I patched a Samba server to send oversized logoffX messages. With ~16 kB messages the client running 2.6.23.1 crashed upon unmounting. Public via: http://groups.google.com/group/linux.kernel/browse_thread/thread/79b7604447e993a3/6f87de5c1b55567f?hl=en#6f87de5c1b55567f
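The following is an added illustration of the bug class the report describes, written for this page; it is not the kernel's SendReceive() code nor the reporter's Samba patch. It models a response copy that is bounded only by the large-buffer size, beside a copy that is bounded by the buffer the caller actually passed, and replays the reporter's experiment (an oversized logoffX-style reply landing in a small buffer). The buffer constants, the buf_type enum and the function names are assumptions chosen for the demonstration; the overrun is measured inside a single oversized arena with a canary so the program stays well-defined while showing how far the unchecked copy runs past the small buffer.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative stand-ins for the CIFS client's buffer sizes (assumed values,
 * not taken from any particular kernel build). */
#define CIFS_MAX_BUF_SIZE           16384
#define MAX_CIFS_HDR_SIZE             256
#define MAX_CIFS_SMALL_BUFFER_SIZE    448

/* Assumed: the caller states which kind of buffer it handed in. */
enum buf_type { CIFS_LARGE_BUFFER = 0, CIFS_SMALL_BUFFER = 1 };

/* Vulnerable shape, as described in the report: the only bound checked is the
 * large-buffer size, so a caller who passed a small buffer gets overrun. */
int copy_resp_unchecked(uint8_t *out_buf, const uint8_t *resp, size_t receive_len)
{
    if (receive_len > CIFS_MAX_BUF_SIZE + MAX_CIFS_HDR_SIZE)
        return -EIO;
    memcpy(out_buf, resp, receive_len);
    return 0;
}

/* Hardened shape: the bound follows from the buffer the caller declared, so an
 * oversized frame is rejected with -EIO instead of being copied. */
int copy_resp_checked(uint8_t *out_buf, enum buf_type type,
                      const uint8_t *resp, size_t receive_len)
{
    size_t cap = (type == CIFS_SMALL_BUFFER)
                     ? MAX_CIFS_SMALL_BUFFER_SIZE
                     : CIFS_MAX_BUF_SIZE + MAX_CIFS_HDR_SIZE;
    if (receive_len > cap)
        return -EIO;
    memcpy(out_buf, resp, receive_len);
    return 0;
}

/* Harness: one 32 KiB arena stands for a small buffer plus whatever follows it
 * in memory. The first MAX_CIFS_SMALL_BUFFER_SIZE bytes are "the buffer"; the
 * rest is filled with a canary so the overrun can be counted. Everything stays
 * inside the one array, so the demonstration itself is well-defined C. */
#define ARENA_SIZE (2 * CIFS_MAX_BUF_SIZE)
#define CANARY     0xAA

static uint8_t resp[CIFS_MAX_BUF_SIZE + MAX_CIFS_HDR_SIZE];
static uint8_t arena[ARENA_SIZE];

static void reset(size_t resp_len)
{
    memset(resp, 0x41, resp_len);          /* constructed reply payload */
    memset(arena, CANARY, sizeof arena);
}

/* Bytes the unchecked copy writes past the small buffer for a reply of
 * resp_len bytes (0 means the reply fit). */
size_t overrun_bytes_unchecked(size_t resp_len)
{
    size_t n = 0;
    if (resp_len > sizeof resp)
        return 0;                          /* rejected before any copy */
    reset(resp_len);
    copy_resp_unchecked(arena, resp, resp_len);
    for (size_t i = MAX_CIFS_SMALL_BUFFER_SIZE; i < ARENA_SIZE; i++)
        if (arena[i] != CANARY)
            n++;
    return n;
}

/* Return code of the checked copy when the caller passed a small buffer. */
int rc_checked_small(size_t resp_len)
{
    if (resp_len > sizeof resp)
        return -EIO;
    reset(resp_len);
    return copy_resp_checked(arena, CIFS_SMALL_BUFFER, resp, resp_len);
}

int main(void)
{
    /* The reporter's scenario: a ~16 kB reply delivered into a small buffer. */
    printf("16384-byte reply: unchecked copy ran %zu bytes past the small buffer, checked copy rc=%d\n",
           overrun_bytes_unchecked(16384), rc_checked_small(16384));
    /* A reply that fits the small buffer is accepted by both. */
    printf("300-byte reply: %zu bytes past, checked copy rc=%d\n",
           overrun_bytes_unchecked(300), rc_checked_small(300));
    return 0;
}
```

The point the harness makes is the one in the report: the size check in the unchecked path is against the wrong constant, so a 16 kB reply passes it and tramples roughly 15.5 kB beyond a 448-byte buffer, while the checked path refuses the same reply outright. In a real kernel the trampled bytes are adjacent heap objects, hence the crash on unmount.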
Created attachment 252721 Proposed patch from reporter Przemyslaw Wegrzyn <czaj...>
Mark has forwarded me another link, with a more detailed / common patch. See url: http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commitdiff;h=133672efbc1085f9af990bdc145e1822ea93bcf3 Compared to Przemyslaw's original patch, there are additional changes to the files fs/cifs/file.c and fs/cifs/sess.c. Jeff, please take a look at the above URL too to be sure you don't miss something. Thanks in advance.
That's the one that I've backported for z-stream. See the patch in bug 372991. I think I've got it correct -- it at least builds cleanly, though it could probably use some careful eyes to go over it and make sure that I haven't missed anything.
"A buffer overflow was found in the CIFS virtual filesystem. A remote, authenticated user could issue a request that required a large SMB response. This response would not fit in the buffer used for storing SMB response backups, causing an overflow. Such a buffer overflow could lead to denial of service. (CVE-2007-5904, Moderate)."