From patchwork Thu Jul 7 22:12:19 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andy Whitcroft X-Patchwork-Id: 103736 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from chlorine.canonical.com (chlorine.canonical.com [91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id D293C1007D7 for ; Fri, 8 Jul 2011 08:12:39 +1000 (EST) Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1Qewo4-0002zX-Jg; Thu, 07 Jul 2011 22:12:24 +0000 Received: from adelie.canonical.com ([91.189.90.139]) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1Qewo2-0002yx-JV for kernel-team@lists.ubuntu.com; Thu, 07 Jul 2011 22:12:22 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by adelie.canonical.com with esmtp (Exim 4.71 #1 (Debian)) id 1Qewo2-00085G-G9; Thu, 07 Jul 2011 22:12:22 +0000 Received: from 79-71-114-181.dynamic.dsl.as9105.com ([79.71.114.181] helo=localhost.localdomain) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1Qewo2-0002ex-Cd; Thu, 07 Jul 2011 22:12:22 +0000 From: Andy Whitcroft To: kernel-team@lists.ubuntu.com Subject: [lucid/fsl-imx51, maverick, maverick/ti-omap4, natty/ti-omap4 CVE 1/1] dccp: handle invalid feature options length Date: Thu, 7 Jul 2011 23:12:19 +0100 Message-Id: <1310076739-23810-2-git-send-email-apw@canonical.com> X-Mailer: git-send-email 1.7.4.1 In-Reply-To: <1310076739-23810-1-git-send-email-apw@canonical.com> References: <1310076739-23810-1-git-send-email-apw@canonical.com> X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.13 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: kernel-team-bounces@lists.ubuntu.com Errors-To: kernel-team-bounces@lists.ubuntu.com From: Dan Rosenberg A length of zero (after subtracting two for the type and len fields) for the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to the subtraction. The subsequent code may read past the end of the options value buffer when parsing. I'm unsure of what the consequences of this might be, but it's probably not good. Signed-off-by: Dan Rosenberg Cc: stable@kernel.org Acked-by: Gerrit Renker Signed-off-by: David S. Miller (cherry picked from commit a294865978b701e4d0d90135672749531b9a900d) CVE-2011-1770 BugLink: http://bugs.launchpad.net/bugs/806375 Signed-off-by: Andy Whitcroft --- net/dccp/options.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/net/dccp/options.c b/net/dccp/options.c index 1b08cae..b4a853e 100644 --- a/net/dccp/options.c +++ b/net/dccp/options.c @@ -131,6 +131,8 @@ int dccp_parse_options(struct sock *sk, struct dccp_request_sock *dreq, case DCCPO_CHANGE_L ... DCCPO_CONFIRM_R: if (pkt_type == DCCP_PKT_DATA) /* RFC 4340, 6 */ break; + if (len == 0) + goto out_invalid_option; rc = dccp_feat_parse_options(sk, dreq, mandatory, opt, *value, value + 1, len - 1); if (rc)