** Description changed: - Placeholder + Fixed-by: a294865978b701e4d0d90135672749531b9a900d + + commit a294865978b701e4d0d90135672749531b9a900d + Author: Dan Rosenberg <[email protected]> + Date: Fri May 6 03:27:18 2011 +0000 + + dccp: handle invalid feature options length + + A length of zero (after subtracting two for the type and len fields) for + the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to + the subtraction. The subsequent code may read past the end of the + options value buffer when parsing. I'm unsure of what the consequences + of this might be, but it's probably not good. + + Signed-off-by: Dan Rosenberg <[email protected]> + Cc: [email protected] + Acked-by: Gerrit Renker <[email protected]> + Signed-off-by: David S. Miller <[email protected]> + + + Introduced-by: e77b8363b2ea7c0d89919547c1a8b0562f298b57 + + commit e77b8363b2ea7c0d89919547c1a8b0562f298b57 + Author: Gerrit Renker <[email protected]> + Date: Mon Dec 1 23:32:35 2008 -0800 + + dccp: Process incoming Change feature-negotiation options + + This adds/replaces code for processing incoming ChangeL/R options. + The main difference is that: + * mandatory FN options are now interpreted inside the function + (there are too many individual cases to do this externally); + * the function returns an appropriate Reset code or 0, + which is then used to fill in the data for the Reset packet. + + Old code, which is no longer used or referenced, has been removed. + + Signed-off-by: Gerrit Renker <[email protected]> + Signed-off-by: David S. Miller <[email protected]>
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/806375 Title: CVE-2011-1770 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/806375/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
