** Description changed:

- When parsing the FAC_CCITT_DEST_NSAP and FAC_CCITT_SRC_NSAP facilities
- fields, a remote host can provide a length of greater than 20, resulting
- in a stack overflow of the callsign array. When parsing the
- FAC_CCITT_DEST_NSAP and FAC_CCITT_SRC_NSAP facilities fields, a remote
- host can provide a length of less than 10, resulting in an underflow in
- a memcpy size, causing a kernel panic due to massive heap corruption.
+ The rose_parse_ccitt function in net/rose/rose_subr.c in the Linux
+ kernel before 2.6.39 does not validate the FAC_CCITT_DEST_NSAP and
+ FAC_CCITT_SRC_NSAP fields, which allows remote attackers to (1) cause a
+ denial of service (integer underflow, heap memory corruption, and panic)
+ via a small length value in data sent to a ROSE socket, or (2) conduct
+ stack-based buffer overflow attacks via a large length value in data
+ sent to a ROSE socket.

  Break-Fix: - be20250c13f88375345ad99950190685eda51eb8
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/912221

Title:
  CVE-2011-4913

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/912221/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
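The two faults the description above attributes to rose_parse_ccitt, worked through as an added example that is not part of the bug report and is not the kernel's net/rose/rose_subr.c code: a constructed model of one NSAP facility element whose length byte l is chosen by the remote host, the wrapped memcpy size an unchecked `l - 10` produces for l < 10, and a checked parser that refuses l outside 10..20 (the bounds the old description names) before touching memory. The element layout, the 10-byte header, the callsign buffer capacity, the facility code 0xC3 and the helper names are assumptions made for this model, not the kernel's values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of one CCITT NSAP facility element (assumption; the
 * kernel's real offsets and sizes are not reproduced here):
 *   p[0]       facility code
 *   p[1]       l, the element length supplied by the remote host
 *   p[2..11]   10 bytes of fixed header (modelled as opaque address bytes)
 *   p[12..]    callsign text, l - 10 bytes long
 */
#define NSAP_HDR_LEN  10
#define NSAP_MIN_LEN  10   /* below this, l - 10 wraps                          */
#define NSAP_MAX_LEN  20   /* above this, callsign[] overflows (assumed bound)  */
#define CALLSIGN_SIZE (NSAP_MAX_LEN - NSAP_HDR_LEN + 1)   /* 10 chars + NUL */

struct nsap_facility {
    unsigned char hdr[NSAP_HDR_LEN];
    char callsign[CALLSIGN_SIZE];
};

/*
 * Size an unvalidated parser would hand to memcpy for length l.  The
 * subtraction is done in size_t, so l < 10 wraps to a huge value: this is
 * the integer underflow behind the heap corruption in the advisory.  Only
 * the number is computed here; nothing is copied.
 */
size_t unchecked_copy_len(unsigned int l)
{
    return (size_t)l - NSAP_HDR_LEN;
}

/*
 * Hardened parser.  avail is the number of bytes actually present at p.
 * Returns 0 and fills *out on success, -1 if the element is rejected.
 */
int parse_nsap_checked(const unsigned char *p, size_t avail,
                       struct nsap_facility *out)
{
    if (avail < 2)
        return -1;
    unsigned int l = p[1];

    /* One range check closes both holes: no wrap, at most 10 callsign bytes. */
    if (l < NSAP_MIN_LEN || l > NSAP_MAX_LEN)
        return -1;
    /* The element must also lie inside the packet that carried it. */
    if ((size_t)l + 2 > avail)
        return -1;

    memcpy(out->hdr, p + 2, NSAP_HDR_LEN);
    size_t cs_len = l - NSAP_HDR_LEN;      /* 0..10 after the check above */
    memcpy(out->callsign, p + 2 + NSAP_HDR_LEN, cs_len);
    out->callsign[cs_len] = '\0';
    return 0;
}

/*
 * Build a constructed element into buf: code 0xC3 (arbitrary), length l,
 * then l bytes of 'A'.  Returns the element's total size, l + 2.
 * buf must have room for l + 2 bytes.  Sample data, not captured traffic.
 */
size_t make_element(unsigned char *buf, unsigned int l)
{
    buf[0] = 0xC3;
    buf[1] = (unsigned char)l;
    memset(buf + 2, 'A', l);
    return (size_t)l + 2;
}

int main(void)
{
    unsigned char buf[300];
    struct nsap_facility f;
    size_t n;
    int rc;

    /* Well-formed: l = 16, so a 6-character callsign follows the header. */
    n = make_element(buf, 16);
    memcpy(buf + 2 + NSAP_HDR_LEN, "2E0ABC", 6);
    rc = parse_nsap_checked(buf, n, &f);
    printf("l=16 -> %d, callsign \"%s\"\n", rc, f.callsign);

    /* Too short: the unchecked size wraps; the checked parser refuses it. */
    n = make_element(buf, 5);
    rc = parse_nsap_checked(buf, n, &f);
    printf("l=5  -> %d (unchecked memcpy size would be %zu)\n", rc,
           unchecked_copy_len(5));

    /* Too long: 50 callsign bytes into an 11-byte buffer; refused. */
    n = make_element(buf, 60);
    rc = parse_nsap_checked(buf, n, &f);
    printf("l=60 -> %d (unchecked memcpy size would be %zu)\n", rc,
           unchecked_copy_len(60));
    return 0;
}
```

The check on l against the packet length (avail) is not in the description; it is added here because a length byte that passes the 10..20 test can still run past the end of a short packet, and a parser that validates only against the fixed buffer would read out of bounds instead of writing.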
