dccp: handle invalid feature options length (CVE-2011-1770)
This commit is contained in:
Chuck Ebbert
parent
dd4a4083bb
commit
7e51f2f324
|
|
@ -0,0 +1,35 @@
|
|||
From a294865978b701e4d0d90135672749531b9a900d Mon Sep 17 00:00:00 2001
|
||||
From: Dan Rosenberg <drosenberg@vsecurity.com>
|
||||
Date: Fri, 6 May 2011 03:27:18 +0000
|
||||
Subject: dccp: handle invalid feature options length
|
||||
|
||||
From: Dan Rosenberg <drosenberg@vsecurity.com>
|
||||
|
||||
commit a294865978b701e4d0d90135672749531b9a900d upstream.
|
||||
|
||||
A length of zero (after subtracting two for the type and len fields) for
|
||||
the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to
|
||||
the subtraction. The subsequent code may read past the end of the
|
||||
options value buffer when parsing. I'm unsure of what the consequences
|
||||
of this might be, but it's probably not good.
|
||||
|
||||
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
|
||||
Acked-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
||||
|
||||
---
|
||||
net/dccp/options.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
--- a/net/dccp/options.c
|
||||
+++ b/net/dccp/options.c
|
||||
@@ -123,6 +123,8 @@ int dccp_parse_options(struct sock *sk,
|
||||
case DCCPO_CHANGE_L ... DCCPO_CONFIRM_R:
|
||||
if (pkt_type == DCCP_PKT_DATA) /* RFC 4340, 6 */
|
||||
break;
|
||||
+ if (len == 0)
|
||||
+ goto out_invalid_option;
|
||||
rc = dccp_feat_parse_options(sk, dreq, mandatory, opt,
|
||||
*value, value + 1, len - 1);
|
||||
if (rc)
|
||||
|
|
@ -852,6 +852,9 @@ Patch13969: scsi_dh_hp_sw-fix-deadlock-in-start_stop_endio.patch
|
|||
# fix bug in 2.6.35.13 with old windows servers
|
||||
Patch13970: cifs-add-fallback-in-is_path_accessible-for-old-servers.patch
|
||||
|
||||
# cve-2011-1770
|
||||
Patch13980: dccp-handle-invalid-feature-options-length.patch
|
||||
|
||||
%endif
|
||||
|
||||
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
|
||||
|
|
@ -1603,6 +1606,9 @@ ApplyPatch scsi_dh_hp_sw-fix-deadlock-in-start_stop_endio.patch
|
|||
# fix bug in 2.6.35.13 with old windows servers
|
||||
ApplyPatch cifs-add-fallback-in-is_path_accessible-for-old-servers.patch
|
||||
|
||||
# cve-2011-1770
|
||||
ApplyPatch dccp-handle-invalid-feature-options-length.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2191,6 +2197,7 @@ fi
|
|||
%changelog
|
||||
* Fri May 20 2011 Chuck Ebbert <cebbert@redhat.com> 2.6.35.13-92
|
||||
- Add the rest of the fix for bug #704059
|
||||
- dccp: handle invalid feature options length (CVE-2011-1770)
|
||||
|
||||
* Wed May 18 2011 Chuck Ebbert <cebbert@redhat.com>
|
||||
- Fix cifs bug in 2.6.35.13 with old Windows servers (#704125)
|
||||
|
|
|
|||
Loading…
Reference in New Issue