CVE-2021-47243

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sch_cake: Fix out of bounds when parsing TCP options and header<br /> <br /> The TCP option parser in cake qdisc (cake_get_tcpopt and<br /> cake_tcph_may_drop) could read one byte out of bounds. When the length<br /> is 1, the execution flow gets into the loop, reads one byte of the<br /> opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads<br /> one more byte, which exceeds the length of 1.<br /> <br /> This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack<br /> out of bounds when parsing TCP options.").<br /> <br /> v2 changes:<br /> <br /> Added doff validation in cake_get_tcphdr to avoid parsing garbage as TCP<br /> header. Although it wasn&amp;#39;t strictly an out-of-bounds access (memory was<br /> allocated), garbage values could be read where CAKE expected the TCP<br /> header if doff was smaller than 5.