Prevent overrun when parsing v6 header options in kernel-ipv6 CVE-2017-9074 and Handle errors reported by xfrm6_find_1stfragopt()
asked 2017-12-13 08:06:10 +0200
The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls.
ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt()
commit 6e80ac5cc992ab6256c3dae87f7e57db15e1a58c upstream.
xfrm6_find_1stfragopt() may now return an error code and we must not treat it as a length. (Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options"))
An incomplete patch and an incomplete patch for kernel-3.2 are available; both are completed by this patch.
Files affected:
- kernel-adaptation-sbj-3.4.108.20161101.1/net/ipv6/af_inet6.c (lines 834-839)
- kernel-adaptation-sbj-3.4.108.20161101.1/net/ipv6/ip6_output.c
- kernel-adaptation-sbj-3.4.108.20161101.1/net/ipv6/udp.c
- kernel-adaptation-sbj-3.4.108.20161101.1/net/ipv6/xfrm6_mode_ro.c (lines 48-53)
- kernel-adaptation-sbj-3.4.108.20161101.1/net/ipv6/xfrm6_mode_transport.c (lines 28-33)
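As an added illustration (not code from the kernel or from the linked patches), the two halves of the fix in user-space C: a simplified stand-in for ip6_find_1stfragopt() that refuses to walk an extension header whose claimed length runs past the packet, and a caller in the shape of the fixed xfrm6_ro_output() that propagates the negative error code instead of adding it as a header length. The sample packets are constructed here.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define IPV6_HDR_LEN    40
#define NEXTHDR_HOP      0
#define NEXTHDR_UDP     17
#define NEXTHDR_ROUTING 43
#define NEXTHDR_DEST    60

/* Simplified stand-in for the kernel's ip6_find_1stfragopt(): walk the
 * unfragmentable extension headers (Hop-by-Hop, Routing, Destination) and
 * return the byte offset of the first fragmentable header, or -EINVAL when
 * a header's claimed length would run past the end of the packet. */
int find_1stfragopt(const uint8_t *pkt, size_t len)
{
    if (len < IPV6_HDR_LEN)
        return -EINVAL;
    size_t offset = IPV6_HDR_LEN;
    uint8_t nexthdr = pkt[6];                 /* IPv6 Next Header field */

    while (nexthdr == NEXTHDR_HOP || nexthdr == NEXTHDR_ROUTING ||
           nexthdr == NEXTHDR_DEST) {
        if (offset + 2 > len)                 /* 2-byte (nexthdr, hdrlen) prefix */
            return -EINVAL;
        size_t ext_len = ((size_t)pkt[offset + 1] + 1) * 8;
        if (offset + ext_len > len)           /* whole header must be present */
            return -EINVAL;
        nexthdr = pkt[offset];
        offset += ext_len;
    }
    return (int)offset;
}

/* Caller in the shape of the fixed xfrm6_ro_output(): the transport header
 * sits network_header + hdr_len bytes in. Before the fix a negative error
 * code was used as hdr_len, yielding an offset before the packet data. */
int transport_header_offset(const uint8_t *pkt, size_t len, int network_header)
{
    int hdr_len = find_1stfragopt(pkt, len);
    if (hdr_len < 0)
        return hdr_len;                       /* propagate, never treat as length */
    return network_header + hdr_len;
}

/* Constructed samples: IPv6 header + Hop-by-Hop header; the second one
 * claims a 2048-byte Hop-by-Hop header inside a 48-byte packet. */
static const uint8_t good_pkt[56] = { [0] = 0x60, [6] = NEXTHDR_HOP, [40] = NEXTHDR_UDP,  [41] = 0 };
static const uint8_t bad_pkt[48]  = { [0] = 0x60, [6] = NEXTHDR_HOP, [40] = NEXTHDR_DEST, [41] = 0xff };
```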