From: Vitaly Mayatskikh <vmayatsk@redhat.com> Date: Wed, 27 Aug 2008 11:25:37 +0200 Subject: [net] dccp_setsockopt_change integer overflow Message-id: m33akqajxq.fsf@gravicappa.englab.brq.redhat.com O-Subject: [RHEL-5.3 PATCH] BZ459235 CVE-2008-3276 Linux kernel dccp_setsockopt_change() integer overflow [rhel-5.3] Bugzilla: 459235 RH-Acked-by: Jiri Pirko <jpirko@redhat.com> RH-Acked-by: David Miller <davem@redhat.com> CVE: CVE-2008-3276 RH-Acked-by: Eugene Teo <eteo@redhat.com> Bugzilla: 459235 CVE: CVE-2008-3276 https://bugzilla.redhat.com/show_bug.cgi?id=459235 Description: ============ Eugene Teo reported that an integer overflow flaw was found in the Linux kernel dccp_setsockopt_change() function. The vulnerability exists due to a lack of sanitisation performed on a user-controlled integer value before the value is employed as the size argument of a memory allocation operation. An attacker may leverage this vulnerability to trigger a kernel panic on a victim's machine remotely. Upstream status: ================ 3e8a0a559c66ee9e7468195691a56fefc3589740 Brew build: https://brewweb.devel.redhat.com/taskinfo?taskID=1439536 diff --git a/net/dccp/proto.c b/net/dccp/proto.c index 6f14bb5..2a2f9e7 100644 --- a/net/dccp/proto.c +++ b/net/dccp/proto.c @@ -431,6 +431,11 @@ static int dccp_setsockopt_change(struct sock *sk, int type, if (copy_from_user(&opt, optval, sizeof(opt))) return -EFAULT; + /* + * rfc4340: 6.1. Change Options + */ + if (opt.dccpsf_len < 1) + return -EINVAL; val = kmalloc(opt.dccpsf_len, GFP_KERNEL); if (!val)
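Review bot: the new comment `/* rfc4340: 6.1. Change Options */` placed before `if (opt.dccpsf_len < 1) return -EINVAL;` names the RFC section but does not say what the check enforces or why a length of zero is dangerous, and the description above only speaks of an "integer overflow" on a user-controlled size. Since `dccpsf_len` is copied straight from user space and then passed to `kmalloc()`, a reader cannot tell from the hunk how a zero length turns into the reported panic (a zero-size allocation, or length arithmetic below it that underflows); suggest expanding the comment or the commit message along the lines of "a Change option must carry at least one feature value (RFC 4340 6.1); reject dccpsf_len == 0 so it cannot reach the allocation and the later length handling", so that a reviewer can confirm the lower bound alone is the complete fix and that no upper bound on `dccpsf_len` is needed for this kmalloc.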