Vigil@nce: Linux kernel, memory corruption of sctp_getsockopt_local_addrs_old
July 2008 by Vigil@nce
A local attacker can create a SCTP socket in order to stop the
system and eventually to execute code.
– Gravity: 2/4
– Consequences: denial of service of computer
– Provenance: user account
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 08/07/2008
– Identifier: VIGILANCE-VUL-7935
IMPACTED PRODUCTS
Linux kernel [confidential versions]
DESCRIPTION
The SCTP protocol (Stream Control Transmission Protocol) creates
associations to send several streams.
The sctp_getsockopt_local_addrs_old() function of the
net/sctp/socket.c file defines local addresses and is called via
setsockopt(). However, this function does not check the number of
received addresses (addr_num) which overflows an integer, then
allocates a short memory area.
A local attacker can therefore create a SCTP socket in order to
stop the system and eventually to execute code.
CHARACTERISTICS
– Identifiers: BID-29990, CVE-2008-2826, VIGILANCE-VUL-7935
– Url: https://vigilance.aql.fr/tree/1/7935