Vigil@nce - Samba: infinite loop of EA List
August 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can generate an infinite loop in the EA List
processing by Samba, in order to trigger a denial of service.
Impacted products: Fedora, MBS, MES, openSUSE, Samba, Slackware
Severity: 2/4
Creation date: 05/08/2013
DESCRIPTION OF THE VULNERABILITY
The NTTRANS command of the SMB/CIFS protocol can carry a list of
extended attributes (EA List), in which each entry points to the
next one by an offset.
The read_nttrans_ea_list() function of the source3/smbd/nttrans.c
file, and the ea_pull_list_chained() function of the
source4/libcli/raw/raweas.c file, process this EA List. However,
if the offset indicated in the packet is too large, the offset
computation overflows an integer, and Samba keeps looping over the
list, allocating memory at each step.
An attacker can therefore generate an infinite loop in the EA List
processing by Samba, in order to trigger a denial of service.
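The bug class described above, as an added example that is not Samba's own code: a walker over a constructed chained EA list (entry layout, sample bytes and the MAX_STEPS cap are all assumptions for this illustration, and the per-entry allocation is omitted). Advancing the cursor by an unchecked 32-bit next_offset wraps modulo 2^32 and revisits earlier entries; the hardened path rejects any next_offset that does not fit in the remaining buffer.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed chained EA list layout (illustrative, not Samba's exact format):
 *   uint32 next_offset   bytes from this entry to the next one, 0 = last
 *   uint8  flags
 *   uint8  name_len
 *   uint16 value_len
 *   name[name_len] value[value_len]
 */
#define EA_HDR_LEN 8u
#define MAX_STEPS 1000   /* cap so the unchecked walk can be shown without hanging */

static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walks the list and returns the number of entries.
 * -1: list malformed (rejected); -2: walk did not terminate within MAX_STEPS.
 * hardened=0 advances with plain 32-bit addition, which wraps when next_offset
 * is huge; hardened=1 bounds next_offset against the remaining buffer first. */
int ea_list_count(const uint8_t *data, uint32_t data_size, int hardened) {
    uint32_t offset = 0;
    int count = 0, steps = 0;
    while (offset < data_size) {
        if (++steps > MAX_STEPS) return -2;
        if (data_size - offset < EA_HDR_LEN) return -1;          /* header truncated */
        uint32_t next = get_le32(data + offset);
        uint32_t entry_len = EA_HDR_LEN + data[offset + 5]
                           + (uint32_t)(data[offset + 6] | (data[offset + 7] << 8));
        if (entry_len > data_size - offset) return -1;           /* name/value truncated */
        count++;
        if (next == 0) break;                                    /* terminator */
        if (hardened) {
            if (next < entry_len) return -1;                     /* points backwards / overlaps */
            if (next > data_size - offset) return -1;            /* would overrun or wrap */
        }
        offset += next;   /* unchecked: may wrap modulo 2^32 and revisit an entry */
    }
    return count;
}

/* Constructed sample lists (little-endian): two entries, "a"="1" then "b"="2". */
const uint8_t ea_good[] = {
    16,0,0,0, 0, 1, 1,0, 'a','1',  0,0,0,0,0,0,   /* padded to 16 bytes */
    0,0,0,0,  0, 1, 1,0, 'b','2' };
/* Same list, but the second next_offset is 0xFFFFFFF0: 16 + 0xFFFFFFF0 wraps
 * to 0, so an unchecked walk returns to the first entry and never ends. */
const uint8_t ea_wrap[] = {
    16,0,0,0, 0, 1, 1,0, 'a','1',  0,0,0,0,0,0,
    0xF0,0xFF,0xFF,0xFF, 0, 1, 1,0, 'b','2' };
```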
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Samba-infinite-loop-of-EA-List-13202