Bug 372701 (CVE-2007-5904) - CVE-2007-5904 Buffer overflow in CIFS VFS
Summary: CVE-2007-5904 Buffer overflow in CIFS VFS
Alias: CVE-2007-5904
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Jeff Layton
QA Contact:
Depends On: 372861 372971 372981 372991 373001
Reported: 2007-11-09 13:40 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:22 UTC (History)
6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-09-16 15:12:29 UTC

Attachments
Proposed patch from reporter Przemyslaw Wegrzyn <czaj...@czajsoft.pl> (28.15 KB, patch)
2007-11-09 13:40 UTC, Jan Lieskovsky

Related errata:
Red Hat Product Errata RHSA-2008:0089 (Priority: normal, Status: SHIPPED_LIVE) - Important: kernel security and bug fix update - Last Updated: 2008-01-23 15:07:09 UTC
Red Hat Product Errata RHSA-2008:0167 (Priority: normal, Status: SHIPPED_LIVE) - Moderate: kernel security and bug fix update - Last Updated: 2008-03-14 10:30:46 UTC

Description Jan Lieskovsky 2007-11-09 13:40:24 UTC
Description of problem:

The problem is in SendReceive() function in transport.c - it memcpy's
message payload into a buffer passed via out_buf param. The function
assumes that all buffers are of size (CIFSMaxBufSize +
MAX_CIFS_HDR_SIZE) , unfortunately it is also called with smaller

To check this finding I patched Samba server to send oversized logoffX
messages. With ~ 16kB messages the client running crashed upon

Public via: 


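The copy described in the report above, reduced to its essential shape, as an added example that is not the kernel's code, the reporter's patch, or the shipped fix. The constants CIFSMaxBufSize and MAX_CIFS_HDR_SIZE come from the report; their numeric values, the name SMALL_BUF_SIZE for the smaller caller buffer, the function names send_receive_old/send_receive_fixed, and the constructed response payloads are assumptions made for illustration.

```c
/* Added example modelling the SendReceive() copy from the report.
 * Names and values marked "assumed" are not from the original page.
 * The "old" path does not actually copy, so the over-length result can
 * be observed without corrupting memory. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CIFSMaxBufSize     16384   /* assumed: typical default */
#define MAX_CIFS_HDR_SIZE  260     /* assumed value */
#define SMALL_BUF_SIZE     448     /* assumed: the "smaller" buffer some callers pass */
#define MAX_RESPONSE       (CIFSMaxBufSize + MAX_CIFS_HDR_SIZE)

enum { CIFS_EIO = -5 };            /* -EIO, the usual reject code */

/* Stand-in for an SMB response already read from the socket:
 * len is the number of payload bytes following the 4-byte length prefix. */
struct smb_response {
    const uint8_t *data;
    size_t len;
};

static uint8_t resp_storage[MAX_RESPONSE];    /* constructed server response */
static uint8_t caller_storage[MAX_RESPONSE];  /* backing store for out_buf */

/* Builds a constructed response of `len` filler bytes (clamped to storage). */
static struct smb_response make_response(size_t len)
{
    struct smb_response r;
    if (len > MAX_RESPONSE)
        len = MAX_RESPONSE;
    memset(resp_storage, 0x41, len);
    r.data = resp_storage;
    r.len = len;
    return r;
}

/* Vulnerable shape: the only bound checked is the size every caller was
 * ASSUMED to have allocated. Returns the byte count that the following
 * memcpy(out_buf, resp->data, resp->len) would write, or CIFS_EIO. */
static long send_receive_old(const struct smb_response *resp)
{
    if (resp->len > CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - 4)
        return CIFS_EIO;
    return (long)resp->len;   /* accepted regardless of the caller's real buffer */
}

/* Hardened shape: the caller states how large out_buf really is, and a
 * response that does not fit is dropped instead of copied. */
static long send_receive_fixed(uint8_t *out_buf, size_t out_buf_size,
                               const struct smb_response *resp)
{
    if (resp->len > CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - 4)
        return CIFS_EIO;
    if (resp->len > out_buf_size)      /* the check the old path lacked */
        return CIFS_EIO;
    memcpy(out_buf, resp->data, resp->len);
    return (long)resp->len;
}

/* 1 if the old path would write more bytes than the caller's buffer holds. */
int old_path_overflows(size_t resp_len, size_t caller_buf_size)
{
    struct smb_response r = make_response(resp_len);
    long copied = send_receive_old(&r);
    return copied > 0 && (size_t)copied > caller_buf_size;
}

/* Result of the fixed path for a caller buffer of the given size. */
long fixed_path_result(size_t resp_len, size_t caller_buf_size)
{
    struct smb_response r = make_response(resp_len);
    if (caller_buf_size > MAX_RESPONSE)
        caller_buf_size = MAX_RESPONSE;
    return send_receive_fixed(caller_storage, caller_buf_size, &r);
}

int main(void)
{
    /* A normal-sized logoffX reply and the ~16 kB oversized one from the report,
     * both delivered to a caller that supplied only a SMALL_BUF_SIZE buffer. */
    printf("39-byte reply, old path overflows small buffer: %d\n",
           old_path_overflows(39, SMALL_BUF_SIZE));
    printf("16000-byte reply, old path overflows small buffer: %d\n",
           old_path_overflows(16000, SMALL_BUF_SIZE));
    printf("16000-byte reply, fixed path with small buffer: %ld\n",
           fixed_path_result(16000, SMALL_BUF_SIZE));
    printf("16000-byte reply, fixed path with full-size buffer: %ld\n",
           fixed_path_result(16000, MAX_RESPONSE));
    return 0;
}
```

The point the model makes is that the pre-fix bound is a property of the largest buffer any caller might allocate, not of the buffer actually passed in, so a server that returns a response larger than the caller's buffer but smaller than CIFSMaxBufSize + MAX_CIFS_HDR_SIZE is accepted and copied. Any fix has to carry the real buffer size (or a flag identifying the small-buffer case) into the copy and reject on that.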
Comment 1 Jan Lieskovsky 2007-11-09 13:40:24 UTC
Created attachment 252721
Proposed patch from reporter Przemyslaw Wegrzyn <czaj...@czajsoft.pl>

Comment 9 Jan Lieskovsky 2007-11-19 13:35:25 UTC
Mark has forwarded to me another link, with more detailed / common patch. See


Against the original Przemyslaw's patch, there are additional changes to the
files: fs/cifs/file.c and fs/cifs/sess.c. 

Jeff, please take a look at the above URL too to be sure you don't miss 

Thanks in advance.

Comment 10 Jeff Layton 2007-11-19 13:52:02 UTC
That's the one that I've backported for z-stream. See the patch in bug 372991. I
think I've got it correct -- it at least builds cleanly, though it could
probably use some careful eyes to go over it and make sure that I haven't missed

Comment 16 Mark J. Cox 2008-01-21 10:07:27 UTC
" A buffer overflow was found in the CIFS virtual filesystem. A remote,
authenticated user could issue a request that required a large SMB
response. This response would not fit in the buffer used for storing SMB
response backups, causing an overflow. Such a buffer overflow could lead to
denial of service. (CVE-2007-5904, Moderate)."
