Home page logo
/

oss-sec logo oss-sec mailing list archives

CVE request: kernel: cifs: singedness issue in CIFSFindNext()
From: Eugene Teo <eugene () redhat com>
Date: Wed, 24 Aug 2011 10:36:00 +0800

The name_len variable in CIFSFindNext is a signed int that gets set to
the resume_name_len in the cifs_search_info. The resume_name_len however
is unsigned and for some infolevels is populated directly from a 32 bit
value sent by the server.

If the server sends a very large value for this, then that value could
look negative when converted to a signed int. That would make that value
pass the PATH_MAX check later in CIFSFindNext. The name_len would then
be used as a length value for a memcpy. It would then be treated as
unsigned again, and the memcpy scribbles over a ton of memory.

Fix this by making the name_len an unsigned value in CIFSFindNext.

http://www.spinics.net/lists/linux-cifs/msg03950.html
https://bugzilla.redhat.com/show_bug.cgi?id=732869

Thanks, Eugene


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]