From http://blog.fefe.de/?ts=b72905a8: - kzalloc(length + 2, GFP_KERNEL); + kzalloc(2*(length + 1), GFP_KERNEL); In 2.6.29.1 the buffer size was increased to prevent the overflow, but the jury is still out on whether that was enough: http://lists.samba.org/archive/linux-cifs-client/2009-April/004322.html see also: http://www.securityfocus.com/bid/34453/info http://www.vupen.com/english/advisories/2009/0974 These seem to be the current patches: http://lists.samba.org/archive/linux-cifs-client/2009-April/004421.html I'm not sure if the fix in 2.6.29.1 is enough, or if this rework is needed to really fix this cifs problem.
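Review bot: the hunk only changes the allocation size from length + 2 to 2*(length + 1); the copy into that buffer and the length it uses are not visible here, so the hunk on its own cannot show that the server-controlled field can no longer exceed the allocation. The doubt raised in this comment is justified until the copy is bounded by the allocated size rather than by the size being merely enlarged.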
An even bigger increase of this buffer landed in Linus tree: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=f083def68f84b04fe3f97312498911afce79609e contains: - kzalloc(2*(length + 1), GFP_KERNEL); + kzalloc((4 * length) + 2, GFP_KERNEL);
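Review bot: (4 * length) + 2 is a larger bound than 2*(length + 1), but the hunk again adjusts only the kzalloc argument and gives no rationale for the factor of 4; a one-line comment stating the worst-case expansion of the nativeFileSystem field that this size is meant to cover would let a reviewer check it against the copy routine rather than take the multiplier on trust.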
Current status: http://marc.info/?l=linux-cifs-client&m=124160962414513&w=2 These 5 patches were acked and should probably hit the stable queue soon.
CVE-2009-1439 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1439): Buffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel 2.6.29 and earlier allows remote attackers to cause a denial of service (crash) via a long nativeFileSystem field in a Tree Connect response to an SMB mount request.
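The three allocation sizes quoted in this thread (length + 2, then 2*(length + 1), then (4 * length) + 2) only make sense against the worst-case growth of the nativeFileSystem field when it is converted for local use. The following is an added userland example, not the kernel's fs/cifs/connect.c code; it assumes (this example's assumption, not stated on the page) that the field arrives as `length` UTF-16LE code units and is converted to a NUL-terminated UTF-8 string. It shows a converter that refuses to write past its buffer, and uses it to check which of the three sizes is sufficient for a constructed 300-unit field of 3-byte characters.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocation sizes quoted on this page, as functions of the field length
 * (number of 16-bit units). These mirror the three kzalloc arguments. */
size_t alloc_original(size_t length) { return length + 2; }         /* before 2.6.29.1 */
size_t alloc_2_6_29_1(size_t length) { return 2 * (length + 1); }   /* 2.6.29.1 */
size_t alloc_4x(size_t length)       { return (4 * length) + 2; }   /* Linus tree commit */

/* Bounded UTF-16LE -> UTF-8 conversion (assumed encoding, see lead-in).
 * `units` is the number of 16-bit units in `in`; at most `cap` bytes are
 * written to `out`, including the terminating NUL. Returns the number of
 * bytes written without the NUL, or -1 if the result would not fit, so the
 * caller never overruns `out` regardless of what the server sent. */
long utf16le_to_utf8_bounded(const uint8_t *in, size_t units, char *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; i < units; i++) {
        uint32_t cp = in[2 * i] | ((uint32_t)in[2 * i + 1] << 8);
        /* Combine a high/low surrogate pair into one code point. */
        if (cp >= 0xD800 && cp <= 0xDBFF && i + 1 < units) {
            uint32_t lo = in[2 * (i + 1)] | ((uint32_t)in[2 * (i + 1) + 1] << 8);
            if (lo >= 0xDC00 && lo <= 0xDFFF) {
                cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
                i++;
            }
        }
        size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        if (o + need + 1 > cap)          /* must leave room for the NUL too */
            return -1;
        if (need == 1) {
            out[o++] = (char)cp;
        } else if (need == 2) {
            out[o++] = (char)(0xC0 | (cp >> 6));
            out[o++] = (char)(0x80 | (cp & 0x3F));
        } else if (need == 3) {
            out[o++] = (char)(0xE0 | (cp >> 12));
            out[o++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            out[o++] = (char)(0x80 | (cp & 0x3F));
        } else {
            out[o++] = (char)(0xF0 | (cp >> 18));
            out[o++] = (char)(0x80 | ((cp >> 12) & 0x3F));
            out[o++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            out[o++] = (char)(0x80 | (cp & 0x3F));
        }
    }
    if (o + 1 > cap)
        return -1;
    out[o] = '\0';
    return (long)o;
}

/* Constructed test: a field of `units` copies of code unit `unit`. Returns 1
 * if the converted field fits in alloc(units) bytes, 0 if the bounded
 * converter had to refuse, -1 on allocation failure. */
int field_fits(size_t (*alloc)(size_t), uint16_t unit, size_t units)
{
    uint8_t *in = malloc(2 * units);
    size_t cap = alloc(units);
    char *out = malloc(cap);
    if (!in || !out) { free(in); free(out); return -1; }
    for (size_t i = 0; i < units; i++) {
        in[2 * i] = (uint8_t)(unit & 0xFF);
        in[2 * i + 1] = (uint8_t)(unit >> 8);
    }
    int ok = utf16le_to_utf8_bounded(in, units, out, cap) >= 0;
    free(in);
    free(out);
    return ok;
}

int main(void)
{
    /* 300 units of U+20AC (3 bytes each in UTF-8) need 901 bytes. */
    printf("length+2:      %s\n", field_fits(alloc_original, 0x20AC, 300) ? "fits" : "refused");
    printf("2*(length+1):  %s\n", field_fits(alloc_2_6_29_1, 0x20AC, 300) ? "fits" : "refused");
    printf("(4*length)+2:  %s\n", field_fits(alloc_4x, 0x20AC, 300) ? "fits" : "refused");
    return 0;
}
```

With a pure-ASCII field all three sizes suffice, which is why the original length + 2 was not obviously wrong; a field of multi-byte characters is what distinguishes them, and only the 4*length sizing holds under this example's encoding assumption. The bounded converter is the part that matters for a defender: whatever size is chosen, the copy is limited by the allocation, not by the server-supplied length.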
The fix to 4*length from comment #1 and several other cifs fixes have been released as 2.6.29.4.
Stabling for vanilla-sources-2.6.29.4 and the corresponding gentoo-sources has been requested in Bug 271774
http://suva.vyatta.com/git/?p=linux-vyatta.git;a=commitdiff_plain;h=5a12457e62aab1e19aa1b1d9bdbe53f26e9ed689 http://suva.vyatta.com/git/?p=linux-vyatta.git;a=commitdiff_plain;h=a7a7d2fe8813c3bee7d7db9ba889fc2c2dd39dd7 http://suva.vyatta.com/git/?p=linux-vyatta.git;a=commitdiff_plain;h=9381701c0f0722ffc1dab1c55ecd48f6d0b5be6f http://suva.vyatta.com/git/?p=linux-vyatta.git;a=commitdiff_plain;h=e9012cf5e92b7812f5fc88fdd1ddaecc34a5b904 http://suva.vyatta.com/git/?p=linux-vyatta.git;a=commitdiff_plain;h=5b0ecf297e133be1e4767b1e446a6d7902274c13
If anyone is interested in seeing a full overview of the patch series that was applied by 2.6.29 through 2.6.29.6 to clean up the CIFS filesystem code, resolving this bug and bug 271802 (CVE-2009-1633), please refer to my comment on the latter: http://bugs.gentoo.org/show_bug.cgi?id=271802#c1 The interesting thing is that the current state of the codebase invalidates the requirement to apply these two patches (if backporting): 5b0ecf297e133be1e4767b1e446a6d7902274c13 a7a7d2fe8813c3bee7d7db9ba889fc2c2dd39dd7