Bug 447389 (CVE-2008-2358) - CVE-2008-2358 kernel: dccp: sanity check feature length
Summary: CVE-2008-2358 kernel: dccp: sanity check feature length
Alias: CVE-2008-2358
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 447395 447396
Reported: 2008-05-19 19:33 UTC by Jan Lieskovsky
Modified: 2021-11-12 19:50 UTC (History)
CC List: 9 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-12-23 19:00:26 UTC


System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0519 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2008-06-25 15:47:49 UTC

Description Jan Lieskovsky 2008-05-19 19:33:14 UTC
Description of problem:

Backport the feature length validation.  Without this it's possible for
rlen to overflow to 0, causing kmalloc(0), and a heap overflow during
DCCP feature reconciliation.
                rlen = 1 + opt->dccpop_len;
                rpref = kmalloc(rlen, GFP_ATOMIC);
                memcpy(&rpref[1], opt->dccpop_val, opt->dccpop_len);
Thanks to Brandon Edwards of McAfee Avert labs for discovering this issue.


A vulnerability exists in the DCCP implementation which can be setup and
exploited by a local attacker. The vulnerability is an integer overflow which
leads to a kmalloc() for 0 bytes, followed by a memory copy into the returned
pointer for 255 bytes, which causes a heap overflow. This type of vulnerability
can be exploited by a local attacker to gain arbitrary code execution.

Version-Release number of selected component (if applicable):
2.6.17 <= x <= 2.6.20 (See the timeline for more details)

Additional information:

This vulnerability affects the dccp kernel module (shipped as part of the
RHEL kernel updates).
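The arithmetic behind the description above, as an added example that is not part of the bug report or of the kernel source: `struct feat_opt` is a constructed stand-in for the kernel's pending-option structure, `buggy_rlen()` reproduces only the size computation (no allocation, no copy), and `validate_feat_len()` mirrors the `len > 3` bound that the proposed patch adds at the top of `dccp_feat_change()`.

```c
#include <stdint.h>
#include <stddef.h>
#include <errno.h>
#include <stdio.h>

/* Constructed stand-in for the kernel structure whose dccpop_len field
 * carries the peer-supplied option length (a u8 read off the wire). */
struct feat_opt {
    uint8_t dccpop_len;
};

/* Models the vulnerable computation from the report:
 *     rlen = 1 + opt->dccpop_len;
 * rlen is a u8, so 1 + 255 is truncated to 0. Returns the value that
 * would have been handed to kmalloc(); nothing is allocated here. */
uint8_t buggy_rlen(const struct feat_opt *opt)
{
    uint8_t rlen = 1 + opt->dccpop_len; /* int 256 -> u8 0 */
    return rlen;
}

/* The check the proposed patch adds before feature negotiation starts:
 * feature values longer than 3 bytes are rejected with -EINVAL, so the
 * reconciliation code never sees a length that can wrap. */
int validate_feat_len(uint8_t len)
{
    if (len > 3)
        return -EINVAL;
    return 0;
}

/* Defensive variant of the size computation: validate first, then widen
 * to size_t before adding so the result can never wrap. Returns the
 * size to allocate, or -1 if the length was rejected. */
long safe_rlen(const struct feat_opt *opt)
{
    if (validate_feat_len(opt->dccpop_len) != 0)
        return -1;
    return (long)opt->dccpop_len + 1; /* at most 4, never 0 */
}

int main(void)
{
    struct feat_opt hostile = { .dccpop_len = 255 }; /* constructed input */
    struct feat_opt normal  = { .dccpop_len = 3 };   /* constructed input */

    printf("dccpop_len=255: buggy rlen=%u, safe rlen=%ld\n",
           buggy_rlen(&hostile), safe_rlen(&hostile));
    printf("dccpop_len=3:   buggy rlen=%u, safe rlen=%ld\n",
           buggy_rlen(&normal), safe_rlen(&normal));
    return 0;
}
```

With a 255-byte option the unchecked computation yields an allocation size of 0 while the later copy still uses the full 255-byte length, which is the mismatch the report describes; the validated path refuses the option before any size is derived from it.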

Comment 2 Jan Lieskovsky 2008-05-19 19:40:15 UTC
Proposed patch from the reporter:

diff --git a/net/dccp/feat.c b/net/dccp/feat.c
index a1b0682..aceb1db 100644
--- a/net/dccp/feat.c
+++ b/net/dccp/feat.c
@@ -25,6 +25,11 @@ int dccp_feat_change(struct dccp_minisock *dmsk, u8 type, u8
dccp_pr_debug("feat change type=%d feat=%d\n", type, feature);
+       if (len > 3) {
+               if (net_ratelimit())
+                       printk("%s: invalid length %d\n", __func__, len);
+               return -EINVAL;
+       }
        /* XXX sanity check feat change request */
        /* check if that feature is already being negotiated */
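Review bot: the `printk("%s: invalid length %d\n", __func__, len)` in the new block has no `KERN_*` log level prefix, so the message is logged at the default level; prefix it with `KERN_WARNING` (or whatever level the surrounding file uses for rejected peer input). The bound in `if (len > 3)` is also a bare magic number: add a one-line comment stating that 3 is the longest feature value this negotiation path handles, so a reader can see why lengths up to 255, which would make the later `rlen = 1 + opt->dccpop_len` wrap to 0, are rejected here rather than somewhere later. Returning `-EINVAL` before the existing sanity-check comment is the right place for it, since the rejection has to happen before any size is derived from `len`.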

Comment 6 Tomas Hoger 2008-06-10 07:07:02 UTC
Public now, lifting embargo:


Comment 13 Vincent Danen 2010-12-23 19:00:26 UTC
This was addressed via:

Red Hat Enterprise Linux version 5 (RHSA-2008:0519)
