[lucid/fsl-imx51,maverick,maverick/ti-omap4,natty/ti-omap4,CVE,1/1] dccp: handle invalid feature options length
diff mbox

Message ID 1310076739-23810-2-git-send-email-apw@canonical.com
State New
Headers show

Commit Message

Andy Whitcroft July 7, 2011, 10:12 p.m. UTC
From: Dan Rosenberg <drosenberg@vsecurity.com>

A length of zero (after subtracting two for the type and len fields) for
the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to
the subtraction.  The subsequent code may read past the end of the
options value buffer when parsing.  I'm unsure of what the consequences
of this might be, but it's probably not good.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Acked-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>

(cherry picked from commit a294865978b701e4d0d90135672749531b9a900d)
BugLink: http://bugs.launchpad.net/bugs/806375
Signed-off-by: Andy Whitcroft <apw@canonical.com>
 net/dccp/options.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff mbox

diff --git a/net/dccp/options.c b/net/dccp/options.c
index 1b08cae..b4a853e 100644
--- a/net/dccp/options.c
+++ b/net/dccp/options.c
@@ -131,6 +131,8 @@  int dccp_parse_options(struct sock *sk, struct dccp_request_sock *dreq,
 			if (pkt_type == DCCP_PKT_DATA)      /* RFC 4340, 6 */
+			if (len == 0)
+				goto out_invalid_option;
 			rc = dccp_feat_parse_options(sk, dreq, mandatory, opt,
 						    *value, value + 1, len - 1);
 			if (rc)