[FEISTY] CVE-2007-1730: [PATCH] DCCP: Fix exploitable hole in DCCP socket options

Ben Collins ben.collins at ubuntu.com
Thu May 3 14:58:33 UTC 2007


On Wed, 2007-05-02 at 00:51 +0100, Phillip lougher wrote:
> From 8d5c5ad485c30a96ab078df2f71b4da207b58c67 Mon Sep 17 00:00:00 2001
> From: Arnaldo Carvalho de Melo <acme at ghostprotocols.net>
> Date: Thu, 29 Mar 2007 11:57:36 -0700
> Subject: [PATCH] DCCP: Fix exploitable hole in DCCP socket options (CVE-2007-1730)
> 
> [DCCP] getsockopt: Fix DCCP_SOCKOPT_[SEND,RECV]_CSCOV
> 
> We were only checking if there was enough space to put the int, but
> left len as specified by the (malicious) user, sigh, fix it by setting
> len to sizeof(val) and transferring just one int worth of data, the one
> asked for.
> 
> Also check for negative len values.
> 
> Signed-off-by: Arnaldo Carvalho de Melo <acme at ghostprotocols.net>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>

ACK

-- 
Ubuntu:    http://www.ubuntu.com/
Linux1394: http://www.linux1394.org/
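
The pattern the quoted commit message describes, as an added userspace model (not the kernel's code and not part of the original e-mail): a length check that only confirms one int fits, followed by a copy that still uses the caller's len, beside the corrected form. `struct frame`, `copy_out`, `cscov_get_before` and `cscov_get_after` are hypothetical names, the 0xAA bytes are constructed stand-ins for adjacent memory, and the unsigned comparison is assumed here as one way a negative len gets past such a check.

```c
#include <errno.h>
#include <string.h>

/* Constructed stand-in for a kernel stack frame: the option value, then
 * unrelated bytes (0xAA) that must never reach the caller. */
struct frame {
    int val;
    unsigned char neighbour[12];
};

/* Hypothetical stand-in for copy_to_user(); bounded by the model frame so
 * the demonstration itself never reads outside its own object. */
static int copy_out(void *dst, const struct frame *f, int len)
{
    if (len < 0 || (size_t)len > sizeof(*f))
        return -EFAULT;
    memcpy(dst, f, (size_t)len);
    return 0;
}

/* Before: checks only that one int fits, then copies the caller's len. */
int cscov_get_before(int cscov, void *optval, int *optlen)
{
    struct frame f = { .val = cscov };
    int len = *optlen;

    memset(f.neighbour, 0xAA, sizeof(f.neighbour));
    /* A plain `len < sizeof(int)` converts len to unsigned (written out
     * here), so a negative len passes this check as well. */
    if ((size_t)len < sizeof(int))
        return -EINVAL;
    return copy_out(optval, &f, len);   /* len is still caller-chosen */
}

/* After: reject short and negative len, then copy exactly one int. */
int cscov_get_after(int cscov, void *optval, int *optlen)
{
    struct frame f = { .val = cscov };
    int len = *optlen;

    memset(f.neighbour, 0xAA, sizeof(f.neighbour));
    if (len < (int)sizeof(int))         /* signed compare */
        return -EINVAL;
    len = (int)sizeof(f.val);
    *optlen = len;                      /* report what was written */
    return copy_out(optval, &f, len);
}
```

With an optlen of 16, the "before" form fills the caller's buffer with the value plus twelve neighbouring bytes, while the "after" form writes four bytes and sets optlen to match.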




