[kernel] r17450 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Wed May 18 04:35:40 UTC 2011
Author: dannf
Date: Wed May 18 04:35:37 2011
New Revision: 17450
Log:
dccp: handle invalid feature options length (CVE-2011-1770)
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/dccp-handle-invalid-feature-options-length.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/34squeeze1
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Wed May 18 04:20:31 2011 (r17449)
+++ dists/squeeze-security/linux-2.6/debian/changelog Wed May 18 04:35:37 2011 (r17450)
@@ -6,6 +6,7 @@
- cifs: fix NULL pointer dereference in cifs_find_smb_ses
- cifs: check for NULL session password
* gre: fix netns vs proto registration ordering (CVE-2011-1767)
+ * dccp: handle invalid feature options length (CVE-2011-1770)
-- dann frazier <dannf at debian.org> Tue, 17 May 2011 00:41:07 -0600
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/dccp-handle-invalid-feature-options-length.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/dccp-handle-invalid-feature-options-length.patch Wed May 18 04:35:37 2011 (r17450)
@@ -0,0 +1,30 @@
+commit a294865978b701e4d0d90135672749531b9a900d
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Fri May 6 03:27:18 2011 +0000
+
+ dccp: handle invalid feature options length
+
+ A length of zero (after subtracting two for the type and len fields) for
+ the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to
+ the subtraction. The subsequent code may read past the end of the
+ options value buffer when parsing. I'm unsure of what the consequences
+ of this might be, but it's probably not good.
+
+ Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+ Cc: stable at kernel.org
+ Acked-by: Gerrit Renker <gerrit at erg.abdn.ac.uk>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/dccp/options.c b/net/dccp/options.c
+index f06ffcf..4b2ab65 100644
+--- a/net/dccp/options.c
++++ b/net/dccp/options.c
+@@ -123,6 +123,8 @@ int dccp_parse_options(struct sock *sk, struct dccp_request_sock *dreq,
+ case DCCPO_CHANGE_L ... DCCPO_CONFIRM_R:
+ if (pkt_type == DCCP_PKT_DATA) /* RFC 4340, 6 */
+ break;
++ if (len == 0)
++ goto out_invalid_option;
+ rc = dccp_feat_parse_options(sk, dreq, mandatory, opt,
+ *value, value + 1, len - 1);
+ if (rc)
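Review bot: the added `if (len == 0) goto out_invalid_option;` guards the `len - 1` argument passed to dccp_feat_parse_options() two lines below, where a zero remaining length (the commit message notes two bytes for type and length have already been subtracted) would wrap an unsigned value and let the feature parser read past the end of the options buffer; placing it after the DCCP_PKT_DATA early `break` is correct, since data packets still skip feature options per RFC 4340 section 6 as before. The hunk does not show the `out_invalid_option` label or the earlier computation of `len`, so the backport to the 2.6.32 net/dccp/options.c should be confirmed to have both at this point; the hunk header (6 lines to 8) accounts for exactly the two added lines, so the quoted patch is complete.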
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/34squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/34squeeze1 Wed May 18 04:20:31 2011 (r17449)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/34squeeze1 Wed May 18 04:35:37 2011 (r17450)
@@ -3,3 +3,4 @@
+ bugfix/all/cifs-fix-NULL-pointer-dereference-in-cifs_find_smb_ses.patch
+ bugfix/all/cifs-check-for-NULL-session-password.patch
+ bugfix/all/gre-fix-netns-vs-proto-registration-ordering.patch
++ bugfix/all/dccp-handle-invalid-feature-options-length.patch
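Review bot: the series entry matches the path of the newly added file under patches/bugfix/all/ and is appended after the gre fix, consistent with the order of the changelog entries, so the patch will be applied with the rest of the 34squeeze1 set.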