From: Jerome Marchand <jmarchan@redhat.com>
To: Steve French <sfrench@samba.org>
Cc: linux-cifs@vger.kernel.org,
"'linux-kernel'" <linux-kernel@vger.kernel.org>
Subject: cifs: out-of-bound write in build_ntlmssp_auth_blob()
Date: Wed, 3 Feb 2016 15:48:17 +0100
Message-ID: <56B21331.1010402@redhat.com>
Hi,
While running some tests, KASan detected several out-of-bound write
accesses to the ntlmssp blob in build_ntlmssp_auth_blob(). In this case,
the ntlmssp blob was allocated in sess_auth_rawntlmssp_authenticate().
Its size is an "empirical" 5*sizeof(struct _AUTHENTICATE_MESSAGE) (320B
on x86_64). I don't know where this value comes from or if it was ever
appropriate, but it is currently insufficient: the user and domain name
in UTF16 could take 1kB by themselves. I'm not sure what the proper
way to fix this is. Naively I'd say to allocate the blob dynamically in
build_ntlmssp_auth_blob().
While I haven't run into the issue, the size of ntlmssp_blob in
SMB2_sess_setup is too small too (sizeof(struct _NEGOTIATE_MESSAGE) + 500).
Regards,
Jerome Marchand
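As an added illustration (not the kernel's code and not part of the report), the following sizes the AUTHENTICATE blob from its variable-length fields, as the dynamic allocation suggested above would, and shows a bounded append that refuses the write the fixed 320-byte buffer cannot hold. It assumes the 64-byte header layout of struct _AUTHENTICATE_MESSAGE (8-byte signature, 4-byte type, six 8-byte security buffers, 4-byte flags) and an assumed 256-character limit for user and domain names; the sample UTF-16 name is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define AUTH_MSG_HDR_LEN    64u                      /* assumed sizeof(struct _AUTHENTICATE_MESSAGE), x86_64 */
#define EMPIRICAL_BLOB_LEN  (5u * AUTH_MSG_HDR_LEN)  /* the fixed 320-byte allocation from the report */
#define MAX_NAME_CHARS      256u                     /* assumed user/domain name limit in characters */

/* Bytes the AUTHENTICATE message needs for the given variable-length fields.
 * Names are sent as UTF-16LE, so every character costs two bytes. */
size_t auth_blob_needed(size_t user_chars, size_t domain_chars,
                        size_t ntlmv2_resp_len, size_t session_key_len)
{
    return AUTH_MSG_HDR_LEN + 2 * user_chars + 2 * domain_chars
           + ntlmv2_resp_len + session_key_len;
}

/* True only if these field sizes fit the fixed "empirical" buffer. */
bool fits_empirical_blob(size_t user_chars, size_t domain_chars,
                         size_t ntlmv2_resp_len, size_t session_key_len)
{
    return auth_blob_needed(user_chars, domain_chars, ntlmv2_resp_len,
                            session_key_len) <= EMPIRICAL_BLOB_LEN;
}

/* Bounded append: copies src into blob at *off only if it fits within cap;
 * otherwise writes nothing and returns false. */
bool blob_append(uint8_t *blob, size_t cap, size_t *off,
                 const void *src, size_t len)
{
    if (*off > cap || len > cap - *off)
        return false;
    memcpy(blob + *off, src, len);
    *off += len;
    return true;
}

/* Worst case from the report: a 256-character name in UTF-16 (512 bytes)
 * appended twice (user, then domain) after the header of a 320-byte blob.
 * With bounded appends both writes are refused and the offset is unchanged. */
bool overflow_is_refused(void)
{
    uint8_t blob[EMPIRICAL_BLOB_LEN];
    uint8_t utf16_name[2 * MAX_NAME_CHARS];          /* constructed sample, 512 bytes */
    size_t off = AUTH_MSG_HDR_LEN;                   /* header already laid out */
    memset(utf16_name, 'A', sizeof(utf16_name));     /* placeholder name bytes */
    bool user_ok = blob_append(blob, sizeof(blob), &off, utf16_name, sizeof(utf16_name));
    bool dom_ok = blob_append(blob, sizeof(blob), &off, utf16_name, sizeof(utf16_name));
    return !user_ok && !dom_ok && off == AUTH_MSG_HDR_LEN;
}
```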