First published: Mon May 19 2008
Description of problem: Backport the feature length validation. Without it, rlen can overflow to 0, causing kmalloc(0) followed by a heap overflow during DCCP feature reconciliation:

```c
rlen = 1 + opt->dccpop_len;
rpref = kmalloc(rlen, GFP_ATOMIC);
memcpy(&rpref[1], opt->dccpop_val, opt->dccpop_len);
```

Thanks to Brandon Edwards of McAfee Avert Labs for discovering this issue.

Impact: A vulnerability exists in the DCCP implementation which can be set up and exploited by a local attacker. The vulnerability is an integer overflow that leads to a kmalloc() of 0 bytes, followed by a memory copy of 255 bytes into the returned pointer, which causes a heap overflow. This type of vulnerability can be exploited by a local attacker to gain arbitrary code execution.

Version-Release number of selected component (if applicable): 2.6.17 <= x <= 2.6.20 (see the timeline for more details)

Additional information: This vulnerability affects the dccp kernel module (shipped as part of the RHEL kernel updates).
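As an added illustration (not kernel code and not part of the original report), the u8 wrap-around described above is shown beside a hardened version that validates the length before allocating; MAX_FEAT_LEN and build_preference() are assumptions for the example, and malloc() stands in for kmalloc().

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable arithmetic, modelled on the snippet above: rlen is a u8 just
 * like dccpop_len, so 1 + 255 wraps to 0, kmalloc() is asked for 0 bytes,
 * and the following memcpy() still copies dccpop_len (255) bytes. */
uint8_t vulnerable_rlen(uint8_t dccpop_len)
{
    uint8_t rlen = 1 + dccpop_len;      /* silently truncated to 8 bits */
    return rlen;
}

#define MAX_FEAT_LEN 3  /* assumed bound for illustration, not the kernel's */

/* Hardened variant: validate the length before any arithmetic or allocation,
 * and size the buffer in a type wide enough that 1 + len cannot wrap.
 * Returns 0 and sets *out/*out_len (caller frees), -EINVAL if the length is
 * rejected, -ENOMEM if allocation fails. */
int build_preference(const uint8_t *val, uint8_t len, uint8_t **out, size_t *out_len)
{
    if (len > MAX_FEAT_LEN)
        return -EINVAL;                  /* reject before kmalloc()/memcpy() */
    size_t rlen = 1 + (size_t)len;       /* at most 256, never 0 */
    uint8_t *rpref = malloc(rlen);       /* user-space stand-in for kmalloc() */
    if (rpref == NULL)
        return -ENOMEM;
    rpref[0] = 0;                        /* slot for the option type byte */
    memcpy(&rpref[1], val, len);         /* copy fits: rlen == 1 + len */
    *out = rpref;
    *out_len = rlen;
    return 0;
}

int main(void)
{
    uint8_t val[3] = {7, 9, 11};         /* constructed sample value */
    uint8_t *buf = NULL;
    size_t n = 0;
    printf("u8 rlen for len=255: %u\n", vulnerable_rlen(255));              /* 0 */
    printf("hardened, len=255: %d\n", build_preference(val, 255, &buf, &n)); /* -22 */
    if (build_preference(val, 3, &buf, &n) == 0) {
        printf("hardened, len=3: %zu bytes allocated\n", n);                /* 4 */
        free(buf);
    }
    return 0;
}
```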
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix
---|---|---
Linux Linux kernel | =2.6.17 |
Linux Linux kernel | =2.6.18 |
Linux Linux kernel | =2.6.19 |
Linux Linux kernel | =2.6.20 |