Bug#435413: oops when Windows server sent bad domain name null terminator
Red Hat did not consider this a security issue because of the following
reply to our question regarding severity and exploitability:
On Thu, 2007-01-25 at 11:46 -0600, Steven French wrote:
>
> I am not aware of any problem with malformed filenames - this is a much
> more limited issue although perhaps could cause slight memory corruption
> (it is hard to imagine it being more than a few bytes because the length of
> the variable area of the smb is checked, and the domain name field in the
> session structure it is copied into is information), and probably should be
> added to 2.6.16.x. 2.6.17.x etc.
>
> This affects mount time only (the first mount to a server establishes an
> SMB connection, "session," for which the server response includes a domain
> name as the last field. If the domain name is not null terminated
> (Windows has a bug in only appending one rather than two bytes for this
> particular Unicode, UCS-16, string).
Thus -- this needs voluntary cooperation of user who already has root
privileges (mount a smb share) and can cause a harmless oops triggerable
only at mount time.
Regards,
--
Lubomir Kundrak (Red Hat Security Response Team)
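The failure mode Steven describes above (a UCS-2/UTF-16LE domain name at the end of the session setup response, terminated by a single zero byte instead of two) is the kind of input a bounds-checked string reader has to tolerate. The following is an added illustration written for this bug page; it is not the kernel's cifs code and makes no claim about how cifs parses the field. It assumes the caller already knows the number of bytes remaining in the variable area of the SMB (here passed as `len`) and shows a reader that never looks past that bound, treats a dangling odd byte as not part of the string, and truncates into a fixed-size destination. The sample buffers are constructed, not captured from a real server.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Number of UTF-16LE code units before a two-byte NUL, never reading past
 * buf + len. A trailing odd byte (the "one zero byte instead of two" case)
 * is ignored: only whole code units are examined, and an unterminated
 * string is taken to end at the last whole code unit in the buffer. */
size_t ucs2le_bounded_len(const uint8_t *buf, size_t len)
{
    size_t units = len / 2;            /* whole code units only */
    for (size_t i = 0; i < units; i++) {
        if (buf[2 * i] == 0 && buf[2 * i + 1] == 0)
            return i;                  /* proper two-byte terminator */
    }
    return units;                      /* unterminated: stop at the bound */
}

/* Copy a (possibly unterminated) UTF-16LE field into a fixed-size ASCII
 * buffer, truncating rather than overflowing. Code units outside ASCII are
 * replaced by '?'. Returns the number of characters written (without the
 * terminating NUL), or 0 if outsz is 0. */
size_t ucs2le_to_ascii(const uint8_t *buf, size_t len, char *out, size_t outsz)
{
    if (outsz == 0)
        return 0;
    size_t n = ucs2le_bounded_len(buf, len);
    size_t w = 0;
    for (size_t i = 0; i < n && w < outsz - 1; i++) {
        uint16_t u = (uint16_t)buf[2 * i] | ((uint16_t)buf[2 * i + 1] << 8);
        out[w++] = (u < 0x80) ? (char)u : '?';
    }
    out[w] = '\0';
    return w;
}

/* Constructed samples: the domain "WG" as it would sit at the very end of
 * the variable area, with (a) a correct two-byte terminator, (b) only one
 * zero byte appended, and (c) no terminator at all. */
static const uint8_t sample_two_byte_term[] = { 'W', 0, 'G', 0, 0, 0 };
static const uint8_t sample_one_byte_term[] = { 'W', 0, 'G', 0, 0 };
static const uint8_t sample_no_term[]       = { 'W', 0, 'G', 0 };

int main(void)
{
    char domain[16];
    ucs2le_to_ascii(sample_one_byte_term, sizeof sample_one_byte_term,
                    domain, sizeof domain);
    printf("domain from one-byte-terminated field: \"%s\"\n", domain);
    return 0;
}
```

The point of `units = len / 2` is that the reader's loop bound is derived from the caller-supplied remaining length, so a server that trims the terminator to one byte (or omits it) changes only where the string is considered to end, not how far memory is read. Note that a destination that is too small still truncates rather than overflows; whether truncating a domain name is acceptable is a separate policy decision for the caller.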