Buffer overflow in Linux kernel CIFS implementation
A bug in the implementation of the Common Internet File System (CIFS) in the Linux kernel can be exploited by, for example, a manipulated Samba server to crash a Linux client. It may also be possible to compromise a client using this vulnerability. The vulnerability results from a buffer overflow in the SendReceive function in fs/cifs/transport.c, which can be provoked by over-length SMB responses: a response longer than the buffer the client set aside for it. CIFS is used for tasks such as accessing shared drives. It uses Server Message Blocks (SMB) for data transfer and is an extension of the old SMBFS under Linux. The Linux kernel usually supports both file systems on the client.
The bug was found in version 2.6.23.1 of the Linux kernel, but earlier versions are probably also affected. A patch on the CVS fixes the problem. The risk of a successful attack is slight, since CIFS is usually only used on local networks and accessible SMB servers should usually be under the control of a trusted administrator. The situation is somewhat different if, for example, one of your colleagues runs a Samba server on their PC serving files for other staff to download.
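The class of defect described above is a receive path that trusts the length a server declares for its response and copies it into a fixed-size buffer. The following C program is an added illustration written for this article, not code from fs/cifs/transport.c or the kernel fix: it parses a constructed 4-byte transport header (a zero byte followed by a 24-bit big-endian length, as used for SMB over TCP port 445), and shows the bounds check a client needs before copying the payload into a small buffer. The buffer size, frame layout and function names are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical constants for this example (not the kernel's): a small
 * client-side response buffer and the 4-byte transport header length. */
#define SMALL_BUF_SIZE  128
#define TRANSPORT_HDR_LEN 4

enum rx_status { RX_SHORT = -1, RX_TOO_LONG = -2 };

/* Decode the 24-bit big-endian payload length from the transport header. */
static uint32_t declared_payload_len(const uint8_t *hdr)
{
    return ((uint32_t)hdr[1] << 16) | ((uint32_t)hdr[2] << 8) | hdr[3];
}

/* Copy a response payload into a caller-supplied fixed buffer.
 * Returns the number of payload bytes copied, or a negative rx_status.
 * The server controls the declared length, so it is checked against both
 * the destination buffer and the bytes that actually arrived; skipping
 * the first check is what lets an over-length response overflow the buffer. */
static int receive_response(const uint8_t *wire, size_t wire_len,
                            uint8_t *out, size_t out_size)
{
    if (wire_len < TRANSPORT_HDR_LEN)
        return RX_SHORT;                       /* header not even complete */

    uint32_t declared = declared_payload_len(wire);

    if (declared > out_size)
        return RX_TOO_LONG;                    /* would overrun 'out' */
    if (declared > wire_len - TRANSPORT_HDR_LEN)
        return RX_SHORT;                       /* would read past the data */

    memcpy(out, wire + TRANSPORT_HDR_LEN, declared);
    return (int)declared;
}

/* Build a constructed frame: header plus 'len' bytes of 'fill'.
 * Returns the frame length, or 0 if it does not fit in 'frame_cap'. */
static size_t build_frame(uint8_t *frame, size_t frame_cap,
                          uint32_t len, uint8_t fill)
{
    if (len > 0xFFFFFF || TRANSPORT_HDR_LEN + (size_t)len > frame_cap)
        return 0;
    frame[0] = 0;
    frame[1] = (uint8_t)(len >> 16);
    frame[2] = (uint8_t)(len >> 8);
    frame[3] = (uint8_t)len;
    memset(frame + TRANSPORT_HDR_LEN, fill, len);
    return TRANSPORT_HDR_LEN + len;
}

int main(void)
{
    uint8_t frame[1024];
    uint8_t out[SMALL_BUF_SIZE];

    /* A response that fits the small buffer is accepted. */
    size_t n = build_frame(frame, sizeof frame, 64, 0xAA);
    printf("64-byte response  -> %d\n", receive_response(frame, n, out, sizeof out));

    /* A response whose declared length exceeds the buffer is refused
     * instead of being copied over the end of 'out'. */
    n = build_frame(frame, sizeof frame, 300, 0xBB);
    printf("300-byte response -> %d (RX_TOO_LONG)\n",
           receive_response(frame, n, out, sizeof out));

    /* A header that promises more bytes than were delivered is also refused. */
    n = build_frame(frame, sizeof frame, 100, 0xCC);
    printf("truncated response -> %d (RX_SHORT)\n",
           receive_response(frame, 40, out, sizeof out));
    return 0;
}
```

The decisive line is the comparison of the declared length with the size of the destination buffer: a client that sizes its receive buffer to the request it sent must still assume the server may answer with more than that, and a missing check there is exactly what turns a corrupt or hostile response into memory corruption.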
- [CIFS Fix buffer overflow if server sends corrupt response to small request], security advisory on git.kernel.org
(mba)