Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: x_tables: guard option walkers against 1-byte tail reads When the last byte of options is a non-single-byte option kind, walkers that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end of the option area. Add an explicit i == optlen - 1 check before dereferencing op[i + 1] in xt_tcpudp and xt_dccp option walkers.
Product status
2e4e6a17af35be359cc8f1c924f8f198fbd478cc (git) before c2a445367a496a3c25dbc940c10c8bd1cfd4c14a
2e4e6a17af35be359cc8f1c924f8f198fbd478cc (git) before ae1e1267650638136b84c23f2b31250f0ccb6823
2e4e6a17af35be359cc8f1c924f8f198fbd478cc (git) before c39f84e4be1be63fc60ca7141ea7b76edcea5907
2e4e6a17af35be359cc8f1c924f8f198fbd478cc (git) before 9b94f0e42ed248eb31929da84ed9f5310d7ff540
2e4e6a17af35be359cc8f1c924f8f198fbd478cc (git) before 5b18b8b35c7cded2d17b2b2604c9b0694ff48d1c
2e4e6a17af35be359cc8f1c924f8f198fbd478cc (git) before bc18551c6169eac5ed813778d3e3e484002dbbe5
2e4e6a17af35be359cc8f1c924f8f198fbd478cc (git) before d04800323336eebf441d153f43234eac9b833d36
2e4e6a17af35be359cc8f1c924f8f198fbd478cc (git) before cfe770220ac2dbd3e104c6b45094037455da81d4
2.6.16
Any version before 2.6.16
5.10.253 (semver)
5.15.203 (semver)
6.1.167 (semver)
6.6.130 (semver)
6.12.78 (semver)
6.18.19 (semver)
6.19.9 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/c2a445367a496a3c25dbc940c10c8bd1cfd4c14a
git.kernel.org/...c/ae1e1267650638136b84c23f2b31250f0ccb6823
git.kernel.org/...c/c39f84e4be1be63fc60ca7141ea7b76edcea5907
git.kernel.org/...c/9b94f0e42ed248eb31929da84ed9f5310d7ff540
git.kernel.org/...c/5b18b8b35c7cded2d17b2b2604c9b0694ff48d1c
git.kernel.org/...c/bc18551c6169eac5ed813778d3e3e484002dbbe5
git.kernel.org/...c/d04800323336eebf441d153f43234eac9b833d36
git.kernel.org/...c/cfe770220ac2dbd3e104c6b45094037455da81d4