iDefense has sent us the attached draft advisory.
A fist look at the code seem to confirm the problem.
Patch should not be too hard. Looking at it.
Again probably not a blocker for 7.3 release.
Created attachment 11444 [details]
Created attachment 11451 [details] [review]
Someone with more knowledge of the FS protocol should check the values I used in the consistency tests ? I'm not sure they are ok and haven't tried to validate them at run time...
Created attachment 11454 [details] [review]
update version of patch
I did some experiments myself.
With proper expression grouping the code now looks correct to me.
Both issues (#12298 and this one) share CVE-2007-4568
CCing Guillem Jover, the xfstt maintainer.
(In reply to comment #3)
> Created an attachment (id=11454) [details]
> update version of patch
> I did some experiments myself.
> With proper expression grouping the code now looks correct to me.
The patch seems fine, that's mostly what it's being done in xfstt. You could use sz_fsQueryXExtents8Req and sz_fsQueryXBitmaps8Req istead of the SIZEOF, but I've not checked if those are used in the rest of the code base.
Created attachment 11503 [details]
Simple program to reproduce the problem in QueryExtents16
tfs2 localhost:7100 hello
(In reply to comment #4)
> Both issues (#12298 and this one) share CVE-2007-4568
iDefense has allocated a new ID for this one : CVE-2007-4990
Fixed in commit ec3ca8fd4c599f41e6f977ce912805ac8ac74f32
on Jul 28, 2016 at 22:17:27.
(provided by the Example extension).