Linux Kernel Vulnerability
A vulnerability in the CIFS client in the Linux Kernel code makes it possible for a manipulated SMB server to cause users systems to crash or be compromised. The problem is caused by a buffer in the
CIFSTCon function in
fs/cifs/connect.c file being too small. This function is used when the server responds to a connection request for a resource, known as a Tree Connect. Overflowing the undersized buffer could allow code to be injected and executed. The bug only comes into play if the users system attempts to mount a resource on a manipulated server.
The Linux developers have already attempted to fix the problem in kernel version 220.127.116.11, by simply doubling the length of the buffer. However, they do not explicitly indicate that this problem is potentially exploitable over a network. In a blog posting (in German), the security specialist Felix von Leitner said he suspected this was a remotely exploitable CIFS issue which had been fixed in 18.104.22.168, but not mentioned in the release announcement.
The CIFS developers did detail their patch for the current kernel which in turn started a discussion on the linux-cifs-client mailing list. Suresh Jayraman from SUSE said he felt that simply doubling the buffer would be insufficient and suggested quadrupling the size. The ensuing discussion led the developers to come to the conclusion that the string handling functions should be completely revised to remove the need to test the length of transferred strings.