From: "J. Bruce Fields" <bfields@fieldses.org>
To: Przemyslaw Wegrzyn <czajnik@czajsoft.pl>
Cc: Steve French <smfrench@gmail.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	LKML <linux-kernel@vger.kernel.org>,
	joern@logfs.org
Subject: Re: Fw: Buffer overflow in CIFS VFS.
Date: Fri, 9 Nov 2007 12:21:35 -0500
Message-ID: <20071109172135.GD26826@fieldses.org>
In-Reply-To: <47343DA2.90306@czajsoft.pl>

On Fri, Nov 09, 2007 at 11:59:46AM +0100, Przemyslaw Wegrzyn wrote:
> Steve French wrote:
> > You are correct that the CIFS code calls SendReceive in cases in which
> > the buffer may be too small to fit a large SMB response, and that
> > should be fixed (e.g. to avoid possible overflows due to a server
> > bug). None of the eight cases (SMB TreeDisconnect, SMB uLogoff, SMB
> > Close, SMB FindClose etc.) in which a small buffer is passed in to
> > SendReceive return more than a few dozen bytes (and they are fixed
> > size responses), but I agree that we have to be safe (and we have seen
> > at least one server corrupt the bcc in the ulogoffX response and
> > another on the NTCreateX response) so it would be good to fix.
> >   
> Well, mounting shares from an untrusted server is quite uncommon; still,
> a buffer overrun shall be considered a serious issue, imho.

Also, a compromised machine on the same network could forge the
malicious reply in some cases, right?

--b.
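
An added example, not part of the thread and not the CIFS code: a receive path that checks every server-supplied length (the frame length against the caller's buffer, then the word count and bcc against the frame) before copying anything. The helper names and the 128-byte `SMALL_BUF` are assumptions; the layout used is a 4-byte length prefix, the 32-byte SMB1 header, a word count byte, the parameter words, and a little-endian byte count.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMB_HDR_LEN 32   /* fixed SMB1 header, starts with 0xFF 'S' 'M' 'B' */
#define SMALL_BUF   128  /* assumed size of the "small" response buffer */
enum { RESP_OK = 0, RESP_TRUNCATED = -1, RESP_TOO_BIG = -2, RESP_BAD_BCC = -3 };

/* Hypothetical helper: copy one framed response from wire[] into dst[]
 * only after every length the server supplied has been checked. */
static int copy_response(uint8_t *dst, size_t dst_cap,
                         const uint8_t *wire, size_t wire_len)
{
    if (wire_len < 4)
        return RESP_TRUNCATED;
    /* frame prefix: type byte, then 24-bit big-endian payload length */
    size_t claimed = ((size_t)wire[1] << 16) | ((size_t)wire[2] << 8) | wire[3];
    if (claimed > wire_len - 4)
        return RESP_TRUNCATED;
    if (claimed > dst_cap)              /* response larger than caller's buffer */
        return RESP_TOO_BIG;
    if (claimed < SMB_HDR_LEN + 1 + 2)  /* header + word count + byte count */
        return RESP_TRUNCATED;
    const uint8_t *smb = wire + 4;
    size_t bcc_off = SMB_HDR_LEN + 1 + 2 * (size_t)smb[SMB_HDR_LEN];
    if (bcc_off + 2 > claimed)
        return RESP_BAD_BCC;
    size_t bcc = smb[bcc_off] | ((size_t)smb[bcc_off + 1] << 8);
    if (bcc > claimed - bcc_off - 2)    /* corrupt bcc points past the frame */
        return RESP_BAD_BCC;
    memcpy(dst, smb, claimed);
    return RESP_OK;
}

/* Constructed sample input: a response frame with the given word count,
 * bcc field value and number of trailing data bytes. */
static size_t build_frame(uint8_t *out, uint8_t wct, uint16_t bcc, size_t data_len)
{
    size_t payload = SMB_HDR_LEN + 1 + 2 * (size_t)wct + 2 + data_len;
    memset(out, 0, 4 + payload);
    out[1] = (uint8_t)(payload >> 16); out[2] = (uint8_t)(payload >> 8);
    out[3] = (uint8_t)payload;
    out[4] = 0xFF; out[5] = 'S'; out[6] = 'M'; out[7] = 'B';
    out[4 + SMB_HDR_LEN] = wct;
    out[4 + SMB_HDR_LEN + 1 + 2 * wct] = (uint8_t)bcc;
    out[4 + SMB_HDR_LEN + 2 + 2 * wct] = (uint8_t)(bcc >> 8);
    return 4 + payload;
}

int main(void)
{
    uint8_t wire[512], small[SMALL_BUF];
    size_t n = build_frame(wire, 2, 300, 300);  /* 339-byte payload */
    printf("oversized -> %d\n", copy_response(small, sizeof small, wire, n));
    return 0;
}
```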

Thread overview: 7+ messages
     [not found] <OFA6B04F1D.DE8E7DD9-ON8725738E.00065BC2-8625738E.00066CD4@us.ibm.com>
2007-11-09  2:12 ` Fw: Buffer overflow in CIFS VFS Steve French
2007-11-09 10:59   ` Przemyslaw Wegrzyn
2007-11-09 17:21     ` J. Bruce Fields [this message]
2007-11-09 22:44     ` Steve French
2007-11-10 13:03       ` Przemyslaw Wegrzyn
2007-11-10 19:54         ` Steve French
2007-11-11  0:22           ` Przemyslaw Wegrzyn