[CVE-2011-1770] dccp: handle invalid feature options length
apw at canonical.com
Thu Jul 7 22:12:18 UTC 2011
Integer underflow in the dccp_parse_options function
(net/dccp/options.c) in the Linux kernel before 188.8.131.52 allows
remote attackers to cause a denial of service via a Datagram
Congestion Control Protocol (DCCP) packet with an invalid feature
options length, which triggers a buffer over-read.
This problem was introduced in v2.6.29-rc1 and therefore does not affect
hardy. The fix for this has already hit lucid, natty, and oneiric via
mainline and stable. Following this email is a patch for: lucid/fsl-imx51,
maverick, maverick/ti-omap4, and natty/ti-omap4; this is a clean
cherry-pick from the upstream commit.
Proposing for lucid/fsl-imx51, maverick, maverick/ti-omap4, and natty/ti-omap4.
More information about the kernel-team