[kernel] r17450 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Wed May 18 04:35:40 UTC 2011


Author: dannf
Date: Wed May 18 04:35:37 2011
New Revision: 17450

Log:
dccp: handle invalid feature options length (CVE-2011-1770)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/dccp-handle-invalid-feature-options-length.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/34squeeze1

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Wed May 18 04:20:31 2011	(r17449)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Wed May 18 04:35:37 2011	(r17450)
@@ -6,6 +6,7 @@
     - cifs: fix NULL pointer dereference in cifs_find_smb_ses
     - cifs: check for NULL session password
   * gre: fix netns vs proto registration ordering (CVE-2011-1767)
+  * dccp: handle invalid feature options length (CVE-2011-1770)
 
  -- dann frazier <dannf at debian.org>  Tue, 17 May 2011 00:41:07 -0600
 
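Review bot: the new changelog line names only the CVE; since the added patch is a backport of an upstream commit (a294865978b701e4d0d90135672749531b9a900d in the patch header), consider citing that commit id in the entry as well so the change can be traced back without opening the patch file.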

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/dccp-handle-invalid-feature-options-length.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/dccp-handle-invalid-feature-options-length.patch	Wed May 18 04:35:37 2011	(r17450)
@@ -0,0 +1,30 @@
+commit a294865978b701e4d0d90135672749531b9a900d
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Fri May 6 03:27:18 2011 +0000
+
+    dccp: handle invalid feature options length
+    
+    A length of zero (after subtracting two for the type and len fields) for
+    the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to
+    the subtraction.  The subsequent code may read past the end of the
+    options value buffer when parsing.  I'm unsure of what the consequences
+    of this might be, but it's probably not good.
+    
+    Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+    Cc: stable at kernel.org
+    Acked-by: Gerrit Renker <gerrit at erg.abdn.ac.uk>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/dccp/options.c b/net/dccp/options.c
+index f06ffcf..4b2ab65 100644
+--- a/net/dccp/options.c
++++ b/net/dccp/options.c
+@@ -123,6 +123,8 @@ int dccp_parse_options(struct sock *sk, struct dccp_request_sock *dreq,
+ 		case DCCPO_CHANGE_L ... DCCPO_CONFIRM_R:
+ 			if (pkt_type == DCCP_PKT_DATA)      /* RFC 4340, 6 */
+ 				break;
++			if (len == 0)
++				goto out_invalid_option;
+ 			rc = dccp_feat_parse_options(sk, dreq, mandatory, opt,
+ 						    *value, value + 1, len - 1);
+ 			if (rc)
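Review bot: the `if (len == 0) goto out_invalid_option;` check is placed correctly, because the following call reads `*value` and passes `len - 1`, so a zero `len` would both read one byte past the option's declared length and pass an underflowed size to dccp_feat_parse_options. Note that the check only rejects `len == 0`; a Change/Confirm option carrying just the feature number (`len == 1`) is still handed over with a zero-length value list, so it is worth confirming that dccp_feat_parse_options tolerates an empty list rather than assuming at least one value byte. Also note the ordering: the `DCCP_PKT_DATA` break precedes the new check, so a malformed feature option on a data packet is silently ignored rather than rejected, which matches the RFC 4340 section 6 comment on that line.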

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/34squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/34squeeze1	Wed May 18 04:20:31 2011	(r17449)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/34squeeze1	Wed May 18 04:35:37 2011	(r17450)
@@ -3,3 +3,4 @@
 + bugfix/all/cifs-fix-NULL-pointer-dereference-in-cifs_find_smb_ses.patch
 + bugfix/all/cifs-check-for-NULL-session-password.patch
 + bugfix/all/gre-fix-netns-vs-proto-registration-ordering.patch
++ bugfix/all/dccp-handle-invalid-feature-options-length.patch
