APPLIED: [CVE-2011-1770] dccp: handle invalid feature options length

Tim Gardner tim.gardner at
Fri Jul 8 02:46:39 UTC 2011

On 07/07/2011 04:12 PM, Andy Whitcroft wrote:
> CVE-2011-1770
> 	Integer underflow in the dccp_parse_options function
> 	(net/dccp/options.c) in the Linux kernel before allows
> 	remote attackers to cause a denial of service via a Datagram
> 	Congestion Control Protocol (DCCP) packet with an invalid feature
> 	options length, which triggers a buffer over-read.
> This problem was introduced in v2.6.29-rc1 and therefore does not affect
> hardy.  The fix for this has already hit lucid, natty, and oneiric via
> mainline and stable.  Following this email is a patch for: lucid/fsl-imx51,
> maverick, maverick/ti-omap4, and natty/ti-omap4; this is a clean
> cherry-pick from the upstream commit.
> Proposing for lucid/fsl-imx51, maverick, maverick/ti-omap4, and natty/ti-omap4.
> -apw

Tim Gardner tim.gardner at

More information about the kernel-team mailing list