a294865978
A length of zero (after subtracting two for the type and len fields) for the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to the subtraction. The subsequent code may read past the end of the options value buffer when parsing. I'm unsure of what the consequences of this might be, but it's probably not good. Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Cc: stable@kernel.org Acked-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
---|---|---|
.. | ||
ccids | ||
ackvec.c | ||
ackvec.h | ||
ccid.c | ||
ccid.h | ||
dccp.h | ||
diag.c | ||
feat.c | ||
feat.h | ||
input.c | ||
ipv4.c | ||
ipv6.c | ||
ipv6.h | ||
Kconfig | ||
Makefile | ||
minisocks.c | ||
options.c | ||
output.c | ||
probe.c | ||
proto.c | ||
qpolicy.c | ||
sysctl.c | ||
timer.c |