
Bug#435413: oops when Windows server sent bad domain name null terminator



On Wed, Jan 02, 2008 at 08:36:48PM +0100, Lubomir Kundrak wrote:
> Red Hat did not consider this a security issue because of the following
> reply to our question regarding severity and exploitability:

> On Thu, 2007-01-25 at 11:46 -0600, Steven French wrote:

> > I am not aware of any problem with malformed filenames - this is a much
> > more limited issue although perhaps could cause slight memory corruption
> > (it is hard to imagine it being more than a few bytes because the length of
> > the variable area of the smb is checked, and the domain name field in the
> > session structure it is copied into is information), and probably should be
> > added to 2.6.16.x, 2.6.17.x etc.

> > This affects mount time only (the first mount to a server establishes an
> > SMB connection, "session," for which the server response includes a domain
> > name as the last field.   If the domain name is not null terminated
> > (Windows has a bug in only appending one rather than two bytes for this
> > particular Unicode, UCS-16, string).

> Thus -- this needs voluntary cooperation of user who already has root
> privileges (mount a smb share) and can cause a harmless oops triggerable
> only at mount time.

I don't know how Red Hat configures the client tools, but it's fairly common
to install the mount.cifs helper suid root specifically to permit users to
mount smb shares in directories of their own.  (Nor is this an error;
although the upstream Makefile doesn't install mount.cifs suid by default,
the code is deliberately written with this use case in mind, to the point
that the semantics of specifying user mounts via /etc/fstab are subtly
annoying.)  The Debian package ships with this feature enabled, so we should
treat this bug accordingly.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
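
The failure mode described in the quoted reply (a UTF-16 domain name, sent as the last field of the session response, ending in one zero byte instead of two) is handled by a scan bounded by the remaining length of the variable area. This is an added illustration, not the kernel's CIFS code and not part of this thread; the function names and the sample buffers are hypothetical and constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples: "WG" in UTF-16LE as the last field of a response. */
static const uint8_t sample_ok[]    = { 'W', 0, 'G', 0, 0, 0 }; /* 2-byte NUL */
static const uint8_t sample_short[] = { 'W', 0, 'G', 0, 0 };    /* 1-byte NUL */

/* Byte length of the UTF-16LE string at buf, excluding the terminator. Never
 * reads past buf[remaining - 1]; *terminated is 1 only if a 2-byte NUL was found. */
static size_t utf16le_bounded_len(const uint8_t *buf, size_t remaining,
                                  int *terminated)
{
    size_t i;
    *terminated = 0;
    for (i = 0; i + 1 < remaining; i += 2) {
        if (buf[i] == 0 && buf[i + 1] == 0) {
            *terminated = 1;
            return i;
        }
    }
    return i; /* ran out of data: a trailing odd byte is ignored */
}

/* Copy the name into a fixed-size field, truncating to fit and always
 * writing a two-byte NUL. Returns the number of name bytes stored. */
static size_t copy_domain(uint8_t *dst, size_t dst_size, const uint8_t *src,
                          size_t remaining, int *terminated)
{
    size_t len = utf16le_bounded_len(src, remaining, terminated);
    if (dst_size < 2)
        return 0;
    if (len > dst_size - 2)
        len = (dst_size - 2) & ~(size_t)1; /* keep whole code units */
    memcpy(dst, src, len);
    dst[len] = dst[len + 1] = 0;
    return len;
}

int main(void)
{
    uint8_t field[16];
    int t1, t2;
    size_t a = copy_domain(field, sizeof field, sample_ok, sizeof sample_ok, &t1);
    size_t b = copy_domain(field, sizeof field, sample_short, sizeof sample_short, &t2);
    printf("ok: %zu bytes, NUL=%d; short: %zu bytes, NUL=%d\n", a, t1, b, t2);
    return 0;
}
```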


