Vigil@nce - Linux kernel: denial of service via DCCP getsockopt
March 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can call getsockopt() on a DCCP socket to make the
kernel dereference a NULL pointer, which crashes the kernel.
Impacted products: Linux
Severity: 1/4
Creation date: 07/03/2013
DESCRIPTION OF THE VULNERABILITY
The DCCP (Datagram Congestion Control Protocol) protocol has been
implemented in the kernel since version 2.6.14.
The ccid_hc_rx_getsockopt() and ccid_hc_tx_getsockopt() functions
return reception and transmission information about DCCP sockets.
They are reached via getsockopt() with an option number between 128
and 255 (DCCP_SOCKOPT_...). However, if the socket's CCID (Congestion
Control IDentifier) pointer is NULL, these functions dereference it
anyway.
A local attacker can therefore call getsockopt() on a DCCP socket to
make the kernel dereference a NULL pointer, which crashes the kernel.
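The following is an added example, not code from the Linux kernel or from the Vigil@nce bulletin. It is a user-space C model of the defect pattern the description above names: a getsockopt handler that checks the CCID's operation pointer but reaches it through a CCID pointer that may itself be NULL. All struct and function names (ccid_ops, dccp_sock, rx_getsockopt_unchecked, rx_getsockopt_checked, dccp_getsockopt_model) are assumptions chosen for illustration, and the option range 128..255 is taken from the description; the only thing the hardened form adds is the missing NULL check on the CCID pointer before its operations table is touched.

```c
/* Added example: user-space model of the DCCP getsockopt NULL-dereference
 * pattern. Names are assumptions for illustration, not kernel identifiers. */
#include <stdio.h>
#include <stddef.h>
#include <errno.h>

#define DCCP_SOCKOPT_MIN 128   /* option range the bulletin attributes to DCCP_SOCKOPT_... */
#define DCCP_SOCKOPT_MAX 255

typedef int (*getsockopt_fn)(int optname, unsigned int *optval);

/* Model of a CCID's operations table (assumption: a single RX handler). */
struct ccid_ops {
    getsockopt_fn hc_rx_getsockopt;
};

/* Model of a per-socket CCID object. */
struct ccid {
    const struct ccid_ops *ops;
};

/* Model of a DCCP socket. The RX CCID pointer can be NULL when no CCID
 * has been set up for the socket yet; that is the case the bulletin describes. */
struct dccp_sock {
    struct ccid *hc_rx_ccid;
};

/* One CCID's handler: fills in a constructed reception counter. */
static int ccid_example_rx_getsockopt(int optname, unsigned int *optval)
{
    (void)optname;
    *optval = 42;          /* constructed sample value */
    return 0;
}

static const struct ccid_ops example_ops = { ccid_example_rx_getsockopt };

/* VULNERABLE shape: the handler pointer is checked, but it is reached
 * through ccid without checking ccid itself. With ccid == NULL the first
 * line dereferences a NULL pointer; in the kernel that is the crash. */
int rx_getsockopt_unchecked(struct ccid *ccid, int optname, unsigned int *optval)
{
    if (ccid->ops->hc_rx_getsockopt != NULL)
        return ccid->ops->hc_rx_getsockopt(optname, optval);
    return -ENOPROTOOPT;
}

/* HARDENED shape: refuse the option cleanly while no CCID is attached. */
int rx_getsockopt_checked(struct ccid *ccid, int optname, unsigned int *optval)
{
    if (ccid != NULL && ccid->ops->hc_rx_getsockopt != NULL)
        return ccid->ops->hc_rx_getsockopt(optname, optval);
    return -ENOPROTOOPT;
}

/* Dispatcher modelling the getsockopt() entry point: options in the
 * DCCP-specific range are routed to the RX CCID through the checked path;
 * anything outside that range is refused. */
int dccp_getsockopt_model(struct dccp_sock *dp, int optname, unsigned int *optval)
{
    if (optname < DCCP_SOCKOPT_MIN || optname > DCCP_SOCKOPT_MAX)
        return -ENOPROTOOPT;
    return rx_getsockopt_checked(dp->hc_rx_ccid, optname, optval);
}

int main(void)
{
    struct ccid c = { &example_ops };
    struct dccp_sock with_ccid = { &c };     /* socket with a CCID attached */
    struct dccp_sock no_ccid = { NULL };     /* socket whose CCID pointer is still NULL */
    unsigned int v = 0;

    printf("with CCID: rc=%d value=%u\n", dccp_getsockopt_model(&with_ccid, 200, &v), v);
    printf("no CCID:   rc=%d (-ENOPROTOOPT returned instead of a NULL dereference)\n",
           dccp_getsockopt_model(&no_ccid, 200, &v));
    return 0;
}
```

The useful property to check in a fix of this class is that the NULL test sits before any load through the pointer: rx_getsockopt_checked() evaluates `ccid != NULL` first, so `ccid->ops` is never read for a socket without a CCID, and the caller gets the same -ENOPROTOOPT it would get for an option the CCID does not implement.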
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-DCCP-getsockopt-12490