length of zero (after subtracting two for the type and len fields) for the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to the subtraction. The subsequent code may read past the end of the options value buffer when parsing. http://marc.info/?l=linux-kernel&m=130468845209036&w=2 Acknowledgements: Red Hat would like to thank Dan Rosenberg for reporting this issue.
Statement: This issue does not affect Red Hat Enterprise Linux 4 and 5: Red Hat Enterprise Linux 4 does not provide support for the Datagram Congestion Control Protocol (DCCP), and Red Hat Enterprise Linux 5, which does support DCCP, did not backport the upstream commit that introduced this issue, e77b8363b. This has been addressed in Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-0836.html and https://rhn.redhat.com/errata/RHSA-2011-1253.html.
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:0836 https://rhn.redhat.com/errata/RHSA-2011-0836.html
Upstream commit: http://git.kernel.org/linus/a294865978b701e4d0d90135672749531b9a900d
This issue has been addressed in following products: MRG for RHEL-6 v.2 Via RHSA-2011:1253 https://rhn.redhat.com/errata/RHSA-2011-1253.html