Linux Kernel CIFS Out-of-Bounds Write Vulnerability in DFS Referral Parsing

Vulnerability

A vulnerability allowing an out-of-bounds write has been identified in the Linux kernel's CIFS (Common Internet File System) implementation. The issue lies in the 'parse_dfs_referrals' function, which does not adequately validate responses received from SMB (Server Message Block) servers for DFS (Distributed File System) referrals. Specifically, a malicious SMB server can answer the 'FSCTL_DFS_GET_REFERRALS' command with an invalid reply that is either smaller than the expected size or declares a number of referrals that does not match what the reply actually contains; parsing such a reply leads to an out-of-bounds write. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability causes an out-of-bounds write, which can lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

To reproduce this vulnerability, a malicious SMB server must be set up to send crafted responses to the 'FSCTL_DFS_GET_REFERRALS' command. The response should be smaller than the expected size of the 'get_dfs_referral_rsp' structure or contain a number of referrals that does not match the header's 'NumberOfReferrals' field. When the CIFS client processes this invalid response, the out-of-bounds write occurs.
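The two malformed cases above (a reply shorter than the header, and a 'NumberOfReferrals' larger than the entries actually carried) are exactly what a client-side parser must reject before touching any entry. The following is an added illustration, not the kernel's code or the advisory's: the field offsets are assumed from the MS-DFSC version-3 referral layout, and the sample reply is constructed.

```c
#include <stdint.h>
#include <string.h>
/* Wire layout assumed for illustration (modelled on an MS-DFSC v3 referral
 * response); this is not the kernel's own code or its struct definitions. */
#define DFS_RSP_HDR_LEN 8   /* PathConsumed(2) NumberOfReferrals(2) DFSFlags(4) */
#define DFS_REF_V3_LEN  34  /* fixed part of one version-3 referral entry */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Validate a referral reply before use: returns the referral count, or -1 if malformed. */
int validate_dfs_referral_rsp(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < DFS_RSP_HDR_LEN)
        return -1;                         /* reply shorter than the header */
    uint16_t nref = le16(buf + 2);         /* NumberOfReferrals */
    /* Bound the claimed count by the bytes present; a crafted count otherwise drives accesses past the reply. */
    if (nref == 0 || (size_t)nref > (len - DFS_RSP_HDR_LEN) / DFS_REF_V3_LEN)
        return -1;
    size_t off = DFS_RSP_HDR_LEN;
    for (uint16_t i = 0; i < nref; i++) {
        const uint8_t *ref = buf + off;
        uint16_t version = le16(ref), size = le16(ref + 2);
        if (version < 3 || version > 4 || size < DFS_REF_V3_LEN || size > len - off)
            return -1;                     /* bad version, or entry overruns reply */
        /* DfsPathOffset and NetworkAddressOffset are entry-relative; keep them in-buffer */
        if (le16(ref + 12) >= len - off || le16(ref + 16) >= len - off)
            return -1;
        off += size;
    }
    return nref;
}

/* Constructed sample reply: header claiming one referral, one v3 entry whose
 * string offsets (34) point at an empty UTF-16 string placed right after it. */
const uint8_t SAMPLE_RSP[] = {
    0x00,0x00, 0x01,0x00, 0x00,0x00,0x00,0x00,          /* header, NumberOfReferrals=1 */
    0x03,0x00, 0x22,0x00, 0x00,0x00, 0x00,0x00,         /* ver=3, size=34, type, flags */
    0x00,0x00,0x00,0x00,                                /* TimeToLive */
    0x22,0x00, 0x22,0x00, 0x22,0x00,                    /* three offsets, all 34 */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,                    /* ServiceSiteGuid */
    0x00,0x00                                           /* empty string */
};

/* Re-run validation with the header's NumberOfReferrals overwritten (little-endian). */
int validate_with_count(uint16_t claimed)
{
    uint8_t buf[sizeof(SAMPLE_RSP)]; memcpy(buf, SAMPLE_RSP, sizeof(buf));
    buf[2] = (uint8_t)claimed; buf[3] = (uint8_t)(claimed >> 8);
    return validate_dfs_referral_rsp(buf, sizeof(buf));
}
```

Passing a truncated length, or a count the buffer cannot hold, makes the validator return -1 before any entry is dereferenced.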

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed.

Added: Oct 30, 2025, 10:30 AM
Updated: Oct 30, 2025, 3:31 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.