Date: Thu, 8 Nov 2007 23:28:24 +0100
From: =?utf-8?B?SsO2cm4=?= Engel <joern@logfs.org>
To: Przemyslaw Wegrzyn <czajnik@czajsoft.pl>
Cc: linux-kernel@vger.kernel.org, Steve French <smfrench@austin.rr.com>
Subject: Re: Buffer overflow in CIFS VFS.
Message-ID: <20071108222824.GD18903@lazybastard.org>
References: <47337D83.5040706@czajsoft.pl>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <47337D83.5040706@czajsoft.pl>
User-Agent: Mutt/1.5.9i
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1244
Lines: 31

Not everyone has the time to read lkml.  Added Steve to Cc:, just in
case.

On Thu, 8 November 2007 22:20:03 +0100, Przemyslaw Wegrzyn wrote:
> 
> I was looking at CIFS VFS code recently, trying to solve other issue,
> just to find something that looks like a buffer overflow  bug.
> The problem is in SendReceive() function in transport.c - it memcpy's
> message payload into a buffer passed via out_buf param. The function
> assumes that all buffers are of size (CIFSMaxBufSize +
> MAX_CIFS_HDR_SIZE) , unfortunately it is also called with smaller
> (MAX_CIFS_SMALL_BUFFER_SIZE) buffers.
> 
> To check this finding I patched Samba server to send oversized logoffX
> messages. With ~ 16kB messages the client running 2.6.23.1 crashed upon
> unmounting.
> 
> I've done a quick fix, available here:
> http://czajnick.sitenet.pl/cifs-buffer-overflow-fix.patch.gz

Jörn

-- 
When in doubt, punt.  When somebody actually complains, go back and fix it...
The 90% solution is a good thing.
-- Rob Landley
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/