
List:       oss-security
Subject:    Re: [oss-security] CVE request: kernel: cifs: signedness issue in
From:       Eugene Teo <eugene () redhat ! com>
Date:       2011-08-24 5:50:30
Message-ID: 4E549126.2000309 () redhat ! com

On 08/24/2011 10:36 AM, Eugene Teo wrote:
> The name_len variable in CIFSFindNext is a signed int that gets set to
> the resume_name_len in the cifs_search_info. The resume_name_len however
> is unsigned and for some infolevels is populated directly from a 32 bit
> value sent by the server.
> 
> If the server sends a very large value for this, then that value could
> look negative when converted to a signed int. That would make that value
> pass the PATH_MAX check later in CIFSFindNext. The name_len would then
> be used as a length value for a memcpy. It would then be treated as
> unsigned again, and the memcpy scribbles over a ton of memory.
> 
> Fix this by making the name_len an unsigned value in CIFSFindNext.
> 
> http://www.spinics.net/lists/linux-cifs/msg03950.html
> https://bugzilla.redhat.com/show_bug.cgi?id=732869

David Jorm from my team assigned CVE-2011-3191 to this.

Thanks, Eugene
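The signed/unsigned length check described in the quoted report, as an added example that is not code from the kernel or from this thread: it models the pre-fix and post-fix shape of the PATH_MAX test, plus a hypothetical bounded copy (`copy_resume_name`, `sample_copy_ok`) and a constructed sample buffer; the PATH_MAX fallback value is an assumption.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* assumed fallback if the platform headers lack it */
#endif

/* Pre-fix shape (a model, not the kernel's code): name_len is a signed int
 * assigned from the unsigned, server-supplied resume_name_len, so values of
 * 2^31 and above turn negative, pass "> PATH_MAX", and come back as a huge
 * size_t at memcpy. Returns the length memcpy would get, or 0 if rejected. */
size_t len_reaching_memcpy_signed(uint32_t resume_name_len)
{
    int name_len = resume_name_len;   /* implementation-defined wrap to negative */
    if (name_len > PATH_MAX)
        return 0;
    return (size_t)name_len;          /* negative reappears as a huge size_t */
}

/* Post-fix shape: keeping name_len unsigned compares in the same domain as
 * the value, so large server-supplied lengths are rejected. */
size_t len_reaching_memcpy_unsigned(uint32_t resume_name_len)
{
    unsigned int name_len = resume_name_len;
    if (name_len > PATH_MAX)
        return 0;
    return (size_t)name_len;
}

/* Hypothetical bounded copy using the unsigned check; additionally refuses
 * any length the destination buffer cannot hold. Returns false on rejection. */
bool copy_resume_name(char *dst, size_t dst_size, const char *src, uint32_t resume_name_len)
{
    unsigned int name_len = resume_name_len;   /* unsigned, as in the fix */
    if (name_len > PATH_MAX || name_len > dst_size)
        return false;
    memcpy(dst, src, name_len);
    return true;
}

/* Constructed sample: a 16-byte destination and the length the "server" claims. */
bool sample_copy_ok(uint32_t claimed_len)
{
    char buf[16];
    return copy_resume_name(buf, sizeof buf, "resume_name_sample", claimed_len);
}
```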

