author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2011-07-20 09:32:41 -0400 |
---|---|---|
committer | Paul Gortmaker <paul.gortmaker@windriver.com> | 2011-07-20 09:32:41 -0400 |
commit | 7423cb454e855defd4da22fba789ea5ed638000a (patch) | |
tree | 0eab35437e9a7128f1d54e6964316fdb27c139e2 | |
parent | b947974ae62111270eaee4ecae93f124e75cb738 (diff) | |
download | longterm-queue-2.6.34-7423cb454e855defd4da22fba789ea5ed638000a.tar.gz |
add CVE 2011-1770 patch
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-rw-r--r-- | queue/dccp-handle-invalid-feature-options-length.patch | 34 | ||||
-rw-r--r-- | queue/series | 3 |
2 files changed, 37 insertions, 0 deletions
diff --git a/queue/dccp-handle-invalid-feature-options-length.patch b/queue/dccp-handle-invalid-feature-options-length.patch new file mode 100644 index 0000000..156961c --- /dev/null +++ b/queue/dccp-handle-invalid-feature-options-length.patch @@ -0,0 +1,34 @@ +From cd20a7fd7fee67301ea952651442a636521814d9 Mon Sep 17 00:00:00 2001 +From: Dan Rosenberg <drosenberg@vsecurity.com> +Date: Fri, 6 May 2011 03:27:18 +0000 +Subject: [PATCH] dccp: handle invalid feature options length + +commit a294865978b701e4d0d90135672749531b9a900d upstream. + +A length of zero (after subtracting two for the type and len fields) for +the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to +the subtraction. The subsequent code may read past the end of the +options value buffer when parsing. I'm unsure of what the consequences +of this might be, but it's probably not good. + +Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> +Acked-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/net/dccp/options.c b/net/dccp/options.c +index 1b08cae..b4a853e 100644 +--- a/net/dccp/options.c ++++ b/net/dccp/options.c +@@ -131,6 +131,8 @@ int dccp_parse_options(struct sock *sk, struct dccp_request_sock *dreq, + case DCCPO_CHANGE_L ... DCCPO_CONFIRM_R: + if (pkt_type == DCCP_PKT_DATA) /* RFC 4340, 6 */ + break; ++ if (len == 0) ++ goto out_invalid_option; + rc = dccp_feat_parse_options(sk, dreq, mandatory, opt, + *value, value + 1, len - 1); + if (rc) +-- +1.7.4.4 + diff --git a/queue/series b/queue/series index 9cd1518..4798144 100644 --- a/queue/series +++ b/queue/series 
@@ -66,3 +66,6 @@ proc-do-proper-range-check-on-readdir-offset.patch can-Add-missing-socket-check-in-can-bcm-release.patch can-add-missing-socket-check-in-can-raw-release.patch nfs4-Ensure-that-ACL-pages-sent-over-NFS-were-not-al.patch + +# Content taken from v2.6.32.41 +dccp-handle-invalid-feature-options-length.patch |
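Review bot: In the net/dccp/options.c hunk carried by the new queue patch, the added `if (len == 0)` test sits after the `pkt_type == DCCP_PKT_DATA` break, so a zero-length DCCPO_CHANGE_L ... DCCPO_CONFIRM_R option on a Data packet is still skipped silently instead of going to out_invalid_option. That ordering keeps the `len - 1` argument safe, because dccp_feat_parse_options() is not reached on that path, but it is worth confirming the difference in handling is intended. The guard also has no comment; one line stating that len at this point already excludes the type and length bytes, and that `len - 1` must not be computed from zero, would make the reason for the check visible in the code rather than only in the changelog.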
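Review bot: In the queue/series hunk, the added comment `# Content taken from v2.6.32.41` records the source release but not the CVE, and the changelog of the queued patch does not mention it either; only this commit's subject line does. Consider adding the CVE id to the series comment or to the patch header so the fix can be located by searching the queue itself.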