** Changed in: linux-lts-backport-maverick (Ubuntu Lucid)
Status: In Progress => Fix Committed
** Changed in: linux-ti-omap4 (Ubuntu Oneiric)
Status: In Progress => Fix Committed
** Description changed:
- Fixed-by: a294865978b701e4d0d90135672749531b9a900d
-
- commit a294865978b701e4d0d90135672749531b9a900d
- Author: Dan Rosenberg <[email protected]>
- Date: Fri May 6 03:27:18 2011 +0000
-
- dccp: handle invalid feature options length
-
- A length of zero (after subtracting two for the type and len fields) for
- the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to
- the subtraction. The subsequent code may read past the end of the
- options value buffer when parsing. I'm unsure of what the consequences
- of this might be, but it's probably not good.
-
- Signed-off-by: Dan Rosenberg <[email protected]>
- Cc: [email protected]
- Acked-by: Gerrit Renker <[email protected]>
- Signed-off-by: David S. Miller <[email protected]>
-
+ Integer underflow in the dccp_parse_options function
+ (net/dccp/options.c) in the Linux kernel before 2.6.33.14 allows remote
+ attackers to cause a denial of service via a Datagram Congestion Control
+ Protocol (DCCP) packet with an invalid feature options length, which
+ triggers a buffer over-read.
Introduced-by: e77b8363b2ea7c0d89919547c1a8b0562f298b57
-
- commit e77b8363b2ea7c0d89919547c1a8b0562f298b57
- Author: Gerrit Renker <[email protected]>
- Date: Mon Dec 1 23:32:35 2008 -0800
-
- dccp: Process incoming Change feature-negotiation options
-
- This adds/replaces code for processing incoming ChangeL/R options.
- The main difference is that:
- * mandatory FN options are now interpreted inside the function
- (there are too many individual cases to do this externally);
- * the function returns an appropriate Reset code or 0,
- which is then used to fill in the data for the Reset packet.
-
- Old code, which is no longer used or referenced, has been removed.
-
- Signed-off-by: Gerrit Renker <[email protected]>
- Signed-off-by: David S. Miller <[email protected]>
+ Fixed-by: a294865978b701e4d0d90135672749531b9a900d
--
https://bugs.launchpad.net/bugs/806375
Title:
CVE-2011-1770
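The underflow described in the commit message above, as an added example that is not part of the original notification and is not the kernel's code: a simplified model of a type/length/value option, run with and without a zero-length check. The 8-bit unsigned length variables, the function name `feature_value_len`, the `check_zero` flag and the sample bytes are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Feature-negotiation option types from RFC 4340: Change L (32) .. Confirm R (35). */
enum { OPT_CHANGE_L = 32, OPT_CONFIRM_R = 35 };

/* Constructed samples: a well-formed option and one carrying no data bytes. */
static const uint8_t SAMPLE_OK[]    = { 32, 4, 1, 2 };  /* feature 1, value {2} */
static const uint8_t SAMPLE_EMPTY[] = { 32, 2 };        /* type and len only */

/*
 * Simplified model, not the kernel's code. Layout assumed:
 *   opt[0] = type, opt[1] = total length (counts type and len bytes),
 *   opt[2] = feature number, opt[3..] = feature value.
 * Returns how many value bytes a feature parser would be told to read,
 * or -1 if the option is rejected. Nothing past the header is dereferenced.
 */
static int feature_value_len(const uint8_t *opt, size_t avail, int check_zero)
{
    if (avail < 2 || opt[1] < 2 || opt[1] > avail)
        return -1;                       /* truncated or malformed header */
    if (opt[0] < OPT_CHANGE_L || opt[0] > OPT_CONFIRM_R)
        return -1;                       /* not a feature option */

    uint8_t len = (uint8_t)(opt[1] - 2); /* data bytes after type and len */

    if (check_zero && len == 0)
        return -1;                       /* guard: no feature number present */

    /* One data byte is the feature number. With len == 0 the 8-bit
     * subtraction wraps to 255, a length far beyond the option's end. */
    uint8_t value_len = (uint8_t)(len - 1);
    return value_len;
}

int main(void)
{
    printf("ok, unchecked:    %d\n", feature_value_len(SAMPLE_OK, sizeof SAMPLE_OK, 0));
    printf("empty, unchecked: %d\n", feature_value_len(SAMPLE_EMPTY, sizeof SAMPLE_EMPTY, 0));
    printf("empty, checked:   %d\n", feature_value_len(SAMPLE_EMPTY, sizeof SAMPLE_EMPTY, 1));
    return 0;
}
```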