[CVE-2011-1770] dccp: handle invalid feature options length

Andy Whitcroft apw at canonical.com
Thu Jul 7 22:12:18 UTC 2011

	Integer underflow in the dccp_parse_options function
	(net/dccp/options.c) in the Linux kernel before allows
	remote attackers to cause a denial of service via a Datagram
	Congestion Control Protocol (DCCP) packet with an invalid feature
	options length, which triggers a buffer over-read.

This problem was introduced in v2.6.29-rc1 and therefore does not affect
hardy.  The fix for this has already hit lucid, natty, and oneiric via
mainline and stable.  Following this email is a patch for: lucid/fsl-imx51,
maverick, maverick/ti-omap4, and natty/ti-omap4; this is a clean
cherry-pick from the upstream commit.

Proposing for lucid/fsl-imx51, maverick, maverick/ti-omap4, and natty/ti-omap4.


More information about the kernel-team mailing list