dccp: handle invalid feature options length, CVE-2011-1770
author Dan Rosenberg <drosenberg@vsecurity.com>
Thu, 7 Jul 2011 22:12:19 +0000 (23:12 +0100)
committer Tim Gardner <tim.gardner@canonical.com>
Fri, 8 Jul 2011 02:44:47 +0000 (20:44 -0600)
commit d0bbec5d3f625825cff61f54e9d311d56a8309d1
tree f8b0f890b8cd77f06e1f0402e33da58d91539040
parent 2d64a696525142d261c4041ecb115125db8444f4
dccp: handle invalid feature options length, CVE-2011-1770

A length of zero (after subtracting two for the type and len fields) for
the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to
the subtraction.  The subsequent code may read past the end of the
options value buffer when parsing.  I'm unsure of what the consequences
of this might be, but it's probably not good.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Acked-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit a294865978b701e4d0d90135672749531b9a900d)
CVE-2011-1770
BugLink: http://bugs.launchpad.net/bugs/806375
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
net/dccp/options.c
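The zero-length case the commit message describes, as an added example that is not the kernel's net/dccp/options.c: a simplified walker over the DCCP option area that subtracts two for the type and len bytes, then (for the Change/Confirm options) takes one more byte for the feature number and treats the rest as the value list. With `check_zero_len` off it mirrors the pre-fix arithmetic and only records the wrapped value length instead of reading through it; with it on it rejects the option the way the fix does. The option numbers 32..35 are the Change L/R and Confirm L/R values from RFC 4340; the function names, the result struct and the sample byte strings are constructed for illustration.

```c
/* Added example (not the kernel's code): minimal DCCP option-area parser
 * showing the empty Change/Confirm option from CVE-2011-1770. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Option types with a length byte, per RFC 4340 section 5.8. */
enum {
    DCCPO_CHANGE_L  = 32,
    DCCPO_CONFIRM_L = 33,
    DCCPO_CHANGE_R  = 34,
    DCCPO_CONFIRM_R = 35
};

/* Shape of one feature option as the parser would hand it on (hypothetical). */
struct feat_opt {
    uint8_t type;
    uint8_t feat;   /* first payload byte: the feature number */
    size_t  vlen;   /* value bytes following the feature number */
};

struct parse_result {
    int nfeat;              /* feature options accepted */
    int invalid;            /* 1 if a malformed option stopped the walk */
    struct feat_opt last;   /* last feature option seen */
};

static int is_feat_opt(uint8_t t)
{
    return t >= DCCPO_CHANGE_L && t <= DCCPO_CONFIRM_R;
}

/* Walk the option area. check_zero_len == 1 is the post-fix behaviour
 * (reject a Change/Confirm option with no payload); 0 mirrors the pre-fix
 * arithmetic, where the value-list length is len - 1 and wraps to SIZE_MAX.
 * The pre-fix path here only records that length; nothing is dereferenced
 * beyond the bytes the option actually owns. */
static struct parse_result parse_dccp_options(const uint8_t *opt, size_t optlen,
                                              int check_zero_len)
{
    struct parse_result r;
    size_t i = 0;

    memset(&r, 0, sizeof r);
    while (i < optlen) {
        uint8_t type = opt[i];
        size_t len;

        if (type < 32) {            /* single-byte options (Padding, Mandatory, ...) */
            i += 1;
            continue;
        }
        if (i + 1 >= optlen) {      /* length byte missing */
            r.invalid = 1;
            break;
        }
        len = opt[i + 1];
        if (len < 2 || i + len > optlen) {   /* len counts type+len and must fit */
            r.invalid = 1;
            break;
        }
        len -= 2;                   /* payload length: "subtracting two" */

        if (is_feat_opt(type)) {
            if (check_zero_len && len == 0) {
                r.invalid = 1;      /* the fix: an empty feature option is invalid */
                break;
            }
            r.last.type = type;
            r.last.feat = len ? opt[i + 2] : 0;   /* only read bytes we own */
            r.last.vlen = len - 1;                /* underflows when len == 0 */
            r.nfeat++;
        }
        i += len + 2;
    }
    return r;
}

/* Constructed samples: a well-formed Change L (feature 1, one value byte),
 * and a Change L whose len byte is 2, i.e. no payload at all. */
static const uint8_t good_opt[]  = { DCCPO_CHANGE_L, 4, 1, 2 };
static const uint8_t empty_opt[] = { DCCPO_CHANGE_L, 2 };

struct parse_result parse_good(int check_zero_len)
{
    return parse_dccp_options(good_opt, sizeof good_opt, check_zero_len);
}

struct parse_result parse_empty(int check_zero_len)
{
    return parse_dccp_options(empty_opt, sizeof empty_opt, check_zero_len);
}

int main(void)
{
    struct parse_result pre = parse_empty(0), post = parse_empty(1);
    printf("pre-fix : nfeat=%d invalid=%d vlen=%zu\n", pre.nfeat, pre.invalid, pre.last.vlen);
    printf("post-fix: nfeat=%d invalid=%d\n", post.nfeat, post.invalid);
    return 0;
}
```

The pre-fix run accepts the empty option and reports a value-list length of SIZE_MAX, which is the value the real parser would have gone on to use as a bound while reading past the option buffer; the post-fix run stops at the `len == 0` check before any payload byte is touched.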