** Description changed: - Placeholder + In rds_cmsg_rdma_args(), the user-provided args->nr_local value is + restricted to less than UINT_MAX. This seems to need a tighter upper + bound, since the calculation of total iov_size can overflow, resulting + in a small sock_kmalloc() allocation. This would probably just result + in walking off the heap and crashing when calling rds_rdma_pages() with + a high count value. If it somehow doesn't crash here, then memory + corruption could occur soon after.
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/721455 Title: CVE-2010-4175 -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs