Bug 447389 - (CVE-2008-2358) CVE-2008-2358 kernel: dccp: sanity check feature length
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 447395 447396
Reported: 2008-05-19 15:33 EDT by Jan Lieskovsky
Modified: 2010-12-23 14:00 EST
Doc Type: Bug Fix
Last Closed: 2010-12-23 14:00:26 EST

Description Jan Lieskovsky 2008-05-19 15:33:14 EDT
Description of problem:

Backport the feature length validation.  Without this it's possible for
rlen to overflow to 0, causing kmalloc(0), and a heap overflow during
DCCP feature reconciliation.
                rlen = 1 + opt->dccpop_len;                 /* rlen is a u8: 1 + 255 wraps to 0 */
                rpref = kmalloc(rlen, GFP_ATOMIC);          /* kmalloc(0) when rlen wrapped */
                memcpy(&rpref[1], opt->dccpop_val, opt->dccpop_len);  /* copies dccpop_len bytes regardless */
Thanks to Brandon Edwards of McAfee Avert labs for discovering this issue.


A vulnerability exists in the DCCP implementation which can be set up and
exploited by a local attacker. The vulnerability is an integer overflow which
leads to a kmalloc() for 0 bytes, followed by a memory copy into the returned
pointer for 255 bytes, which causes a heap overflow. This type of vulnerability
can be exploited by a local attacker to gain arbitrary code execution.

Version-Release number of selected component (if applicable):
2.6.17 <= x <= 2.6.20 (See the timeline for more details)

Additional information:

This vulnerability affects the dccp kernel module (shipped as part of the
RHEL kernel updates).
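The arithmetic the description refers to, shown as an added example that is not the kernel's own code: it models rlen = 1 + dccpop_len with the u8 type the report implies (so that 255 wraps the sum to 0) beside the same sum carried in a wide type, and pairs it with the length bound from the proposed patch (requests with len > 3 are refused with -EINVAL before anything is allocated). struct dccp_opt_model and every function ending in _model are stand-ins invented for this example, not kernel identifiers, and the option value bytes are constructed.

```c
/*
 * Added example, not the kernel's own code: models the u8 arithmetic the
 * report describes (rlen = 1 + dccpop_len wrapping to 0) beside the length
 * bound from the proposed patch (len > 3 rejected with -EINVAL).
 * struct dccp_opt_model and every *_model function are this example's own
 * stand-ins, not kernel identifiers.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound the proposed patch enforces on a feature-change length. */
#define FEAT_MAX_LEN_MODEL 3

/* Stand-in for the option record quoted in the description. */
struct dccp_opt_model {
	uint8_t dccpop_len;
	uint8_t dccpop_val[255];
};

/* The reported computation with rlen as a u8: 1 + 255 is 256 as an int,
 * and storing it in a u8 keeps only the low byte, which is 0. */
uint8_t rlen_u8_model(uint8_t dccpop_len)
{
	uint8_t rlen = (uint8_t)(1 + dccpop_len);
	return rlen;
}

/* The same sum carried in size_t, which cannot wrap for any u8 input. */
size_t rlen_wide_model(uint8_t dccpop_len)
{
	return (size_t)1 + dccpop_len;
}

/* Mirrors the patch's check: reject oversized requests before anything is
 * allocated. Returns 0 when len is acceptable, -EINVAL otherwise. */
int feat_change_len_model(uint8_t len)
{
	if (len > FEAT_MAX_LEN_MODEL) {
		fprintf(stderr, "%s: invalid length %d\n", __func__, len);
		return -EINVAL;
	}
	return 0;
}

/* Hardened reconciliation step: validate the length, size the buffer with
 * wide arithmetic, and copy exactly dccpop_len bytes after the lead byte.
 * Returns the buffer length on success (caller frees *out) or -errno. */
int build_rpref_model(const struct dccp_opt_model *opt, uint8_t **out)
{
	int err = feat_change_len_model(opt->dccpop_len);
	if (err)
		return err;
	size_t rlen = rlen_wide_model(opt->dccpop_len);
	uint8_t *rpref = malloc(rlen);
	if (!rpref)
		return -ENOMEM;
	rpref[0] = 0; /* lead byte the original left for the caller to fill */
	memcpy(&rpref[1], opt->dccpop_val, opt->dccpop_len);
	*out = rpref;
	return (int)rlen;
}

/* Runs one request of the given length through build_rpref_model and
 * returns its result; on success it also verifies the copied bytes.
 * The option value is constructed: bytes 1, 2, 3, ... up to len. */
int try_len_model(uint8_t len)
{
	struct dccp_opt_model opt = { .dccpop_len = len };
	for (unsigned i = 0; i < len; i++)
		opt.dccpop_val[i] = (uint8_t)(i + 1);
	uint8_t *buf = NULL;
	int r = build_rpref_model(&opt, &buf);
	if (r < 0)
		return r;
	if (memcmp(&buf[1], opt.dccpop_val, len) != 0)
		r = -EIO; /* copy mismatch; not expected */
	free(buf);
	return r;
}

int main(void)
{
	printf("len=255: u8 rlen=%u, wide rlen=%zu\n",
	       rlen_u8_model(255), rlen_wide_model(255));
	printf("try_len_model(255) -> %d (-EINVAL is %d)\n",
	       try_len_model(255), -EINVAL);
	printf("try_len_model(3)   -> %d\n", try_len_model(3));
	return 0;
}
```

The bound check is the part that matters for the kernel: once len is capped at 3, 1 + len never exceeds 4, so the narrow rlen can no longer wrap and the later memcpy of dccpop_len bytes always fits inside the allocation.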
Comment 2 Jan Lieskovsky 2008-05-19 15:40:15 EDT
Proposed patch from the reporter:

diff --git a/net/dccp/feat.c b/net/dccp/feat.c
index a1b0682..aceb1db 100644
--- a/net/dccp/feat.c
+++ b/net/dccp/feat.c
@@ -25,6 +25,11 @@ int dccp_feat_change(struct dccp_minisock *dmsk, u8 type, u8
dccp_pr_debug("feat change type=%d feat=%d\n", type, feature);
+       if (len > 3) {
+               if (net_ratelimit())
+                       printk("%s: invalid length %d\n", __func__, len);
+               return -EINVAL;
+       }
        /* XXX sanity check feat change request */
        /* check if that feature is already being negotiated */
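Review bot: the new check at `+ if (len > 3) {` uses a bare magic number; a one-line comment stating why 3 is the upper bound for a feature-change value (so that 1 + len can no longer wrap in rlen) would keep a later reader from relaxing it, and the `/* XXX sanity check feat change request */` comment that now sits directly after the check should be updated or dropped, since it reads as though the check is still missing. The `printk("%s: invalid length %d\n", __func__, len);` line also lacks a KERN_ log-level prefix; add KERN_WARNING so the rate-limited message lands at a deliberate level rather than the default.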
Comment 6 Tomas Hoger 2008-06-10 03:07:02 EDT
Public now, lifting embargo:

Comment 13 Vincent Danen 2010-12-23 14:00:26 EST
This was addressed via:

Red Hat Enterprise Linux version 5 (RHSA-2008:0519)
