Home

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one Eric Dumazet says: nf_conntrack_dccp_packet() has an unique: dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh); And nothing more is 'pulled' from the packet, depending on the content. dh->dccph_doff, and/or dh->dccph_x ...) So dccp_ack_seq() is happily reading stuff past the _dh buffer. BUG: KASAN: stack-out-of-bounds in nf_conntrack_dccp_packet+0x1134/0x11c0 Read of size 4 at addr ffff000128f66e0c by task syz-executor.2/29371 [..] Fix this by increasing the stack buffer to also include room for the extra sequence numbers and all the known dccp packet type headers, then pull again after the initial validation of the basic header. While at it, mark packets invalid that lack 48bit sequence bit but where RFC says the type MUST use them. Compile tested only. v2: first skb_header_pointer() now needs to adjust the size to only pull the generic header. (Eric) Heads-up: I intend to remove dccp conntrack support later this year.

PUBLISHED Reserved 2025-09-16 | Published 2025-09-16 | Updated 2025-09-16 | Assigner Linux

Product status

Default status
unaffected

2bc780499aa33311ec0f3e42624dfaa7be0ade5e (git) before 337fdce450637ea663bc816edc2ba81e5cdad02e
affected

2bc780499aa33311ec0f3e42624dfaa7be0ade5e (git) before 9bdcda7abaf22f6453e5b5efb7eb4e524095d5d8
affected

2bc780499aa33311ec0f3e42624dfaa7be0ade5e (git) before c052797ac36813419ad3bfa54cb8615db4b41f15
affected

2bc780499aa33311ec0f3e42624dfaa7be0ade5e (git) before 5c618daa5038712c4a4ef8923905a2ea1b8836a1
affected

2bc780499aa33311ec0f3e42624dfaa7be0ade5e (git) before 26bd1f210d3783a691052c51d76bb8a8bbd24c67
affected

2bc780499aa33311ec0f3e42624dfaa7be0ade5e (git) before 8c0980493beed3a80d6329c44ab293dc8c032927
affected

2bc780499aa33311ec0f3e42624dfaa7be0ade5e (git) before ff0a3a7d52ff7282dbd183e7fc29a1fe386b0c30
affected

Default status
affected

2.6.26
affected

Any version before 2.6.26
unaffected

5.4.251 (semver)
unaffected

5.10.188 (semver)
unaffected

5.15.121 (semver)
unaffected

6.1.39 (semver)
unaffected

6.3.13 (semver)
unaffected

6.4.4 (semver)
unaffected

6.5 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/337fdce450637ea663bc816edc2ba81e5cdad02e

git.kernel.org/...c/9bdcda7abaf22f6453e5b5efb7eb4e524095d5d8

git.kernel.org/...c/c052797ac36813419ad3bfa54cb8615db4b41f15

git.kernel.org/...c/5c618daa5038712c4a4ef8923905a2ea1b8836a1

git.kernel.org/...c/26bd1f210d3783a691052c51d76bb8a8bbd24c67

git.kernel.org/...c/8c0980493beed3a80d6329c44ab293dc8c032927

git.kernel.org/...c/ff0a3a7d52ff7282dbd183e7fc29a1fe386b0c30

cve.org (CVE-2023-53333)

nvd.nist.gov (CVE-2023-53333)

Download JSON