1
linux/net/dccp
Dan Rosenberg a294865978 dccp: handle invalid feature options length
A length of zero (after subtracting two for the type and len fields) for
the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to
the subtraction.  The subsequent code may read past the end of the
options value buffer when parsing.  I'm unsure of what the consequences
of this might be, but it's probably not good.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Acked-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-05-06 13:05:50 -07:00
..
ccids tcp: Increase the initial congestion window to 10. 2011-02-02 20:48:47 -08:00
ackvec.c
ackvec.h
ccid.c
ccid.h
dccp.h dccp: fix bug in updating the GSR 2011-01-07 12:22:43 +01:00
diag.c
feat.c
feat.h
input.c dccp: fix oops on Reset after close 2011-03-01 23:02:07 -08:00
ipv4.c net: Put fl4_* macros to struct flowi4 and use them again. 2011-03-12 15:08:54 -08:00
ipv6.c net: Put fl6_* macros to struct flowi6 and use them again. 2011-03-12 15:08:55 -08:00
ipv6.h
Kconfig
Makefile dccp: Policy-based packet dequeueing infrastructure 2010-12-07 13:47:12 +01:00
minisocks.c
options.c dccp: handle invalid feature options length 2011-05-06 13:05:50 -07:00
output.c Fix common misspellings 2011-03-31 11:26:23 -03:00
probe.c
proto.c dccp qpolicy: Parameter checking of cmsg qpolicy parameters 2010-12-07 13:47:12 +01:00
qpolicy.c dccp qpolicy: Parameter checking of cmsg qpolicy parameters 2010-12-07 13:47:12 +01:00
sysctl.c dccp: make upper bound for seq_window consistent on 32/64 bit 2011-01-07 12:22:44 +01:00
timer.c