linux kernel 2.6.33.13 dccp handle invalid feature options length

2011.07.01

Credit: Dan Rosenberg

Risk: High

Local: No

Remote: Yes

CVE: CVE-2011-1770

CWE: CWE-189

CVSS Base Score: 7.8/10

Impact Subscore: 6.9/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: None

Integrity impact: None

Availability impact: Complete

A length of zero (after subtracting two for the type and len fields) for
the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to
the subtraction. The subsequent code may read past the end of the
options value buffer when parsing. I'm unsure of what the consequences
of this might be, but it's probably not good.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
---
net/dccp/options.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/net/dccp/options.c b/net/dccp/options.c
index f06ffcf..4b2ab65 100644
--- a/net/dccp/options.c
+++ b/net/dccp/options.c
@@ -123,6 +123,8 @@ int dccp_parse_options(struct sock *sk, struct dccp_request_sock *dreq,
case DCCPO_CHANGE_L ... DCCPO_CONFIRM_R:
if (pkt_type == DCCP_PKT_DATA) /* RFC 4340, 6 */
break;
+ if (len == 0)
+ goto out_invalid_option;
rc = dccp_feat_parse_options(sk, dreq, mandatory, opt,
*value, value + 1, len - 1);
if (rc)

References:

https://bugzilla.redhat.com/show_bug.cgi?id=703011

http://marc.info/?l=linux-kernel&m=130469305815140&w=2

http://marc.info/?l=linux-kernel&m=130468845209036&w=2

http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061366.html

http://www.securitytracker.com/id?1025592

http://www.securityfocus.2000com/bid/47769

http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.33/ChangeLog-2.6.33.14

http://secunia.com/advisories/44932

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}