[CVE-2011-1093] dccp: fix oops on Reset after close
apw at canonical.com
Thu Jul 21 13:59:46 UTC 2011
The dccp_rcv_state_process function in net/dccp/input.c in the
Datagram Congestion Control Protocol (DCCP) implementation in
the Linux kernel before 2.6.38 does not properly handle packets
for a CLOSED endpoint, which allows remote attackers to cause a
denial of service (NULL pointer dereference and OOPS) by sending
a DCCP-Close packet followed by a DCCP-Reset packet.
The fix for this has hit lucid and later via mainline and stable.
Following this are two patches, the first for hardy, the second for
lucid/fsl-imx51 and maverick/ti-omap4. I all cases they are a simple
cherry-pick from the mainline commit as applied to the existing branches;
hardy differs in context only.
Proposing for hardy, lucid/fsl-imx51 and maverick/ti-omap4.
More information about the kernel-team