CVE-2024-49996

{"id": "CVE-2024-49996", "cveTags": [], "metrics": {}, "published": "2024-10-21T18:15:19.760", "references": [{"url": "https://git.kernel.org/stable/c/803b3a39cb096d8718c0aebc03fd19f11c7dc919", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c173d47b69f07cd7ca08efb4e458adbd4725d8e9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c6db81c550cea0c73bd72ef55f579991e0e4ba07", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e2a8910af01653c1c268984855629d71fb81f404", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix buffer overflow when parsing NFS reparse points\n\nReparseDataLength is sum of the InodeType size and DataBuffer size.\nSo to get DataBuffer size it is needed to subtract InodeType's size from\nReparseDataLength.\n\nFunction cifs_strndup_from_utf16() is currentlly accessing buf->DataBuffer\nat position after the end of the buffer because it does not subtract\nInodeType size from the length. Fix this problem and correctly subtract\nvariable len.\n\nMember InodeType is present only when reparse buffer is large enough. Check\nfor ReparseDataLength before accessing InodeType to prevent another invalid\nmemory access.\n\nMajor and minor rdev values are present also only when reparse buffer is\nlarge enough. Check for reparse buffer size before calling reparse_mkdev()."}], "lastModified": "2024-10-21T18:15:19.760", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}