2.6.32-longterm review patch. If anyone has any objections, please let us know.
------------------ From: Dan Rosenberg <[email protected]> commit a294865978b701e4d0d90135672749531b9a900d upstream. A length of zero (after subtracting two for the type and len fields) for the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to the subtraction. The subsequent code may read past the end of the options value buffer when parsing. I'm unsure of what the consequences of this might be, but it's probably not good. Signed-off-by: Dan Rosenberg <[email protected]> Acked-by: Gerrit Renker <[email protected]> Signed-off-by: David S. Miller <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> --- net/dccp/options.c | 2 ++ 1 file changed, 2 insertions(+) --- a/net/dccp/options.c +++ b/net/dccp/options.c @@ -131,6 +131,8 @@ int dccp_parse_options(struct sock *sk, case DCCPO_CHANGE_L ... DCCPO_CONFIRM_R: if (pkt_type == DCCP_PKT_DATA) /* RFC 4340, 6 */ break; + if (len == 0) + goto out_invalid_option; rc = dccp_feat_parse_options(sk, dreq, mandatory, opt, *value, value + 1, len - 1); if (rc) _______________________________________________ stable mailing list [email protected] http://linux.kernel.org/mailman/listinfo/stable
