From ${URL} : Linux kernel built with an Ethernet driver(ex virtio-net) which has UDP Fragmentation Offload(UFO) feature ON is vulnerable to a memory corruption flaw when UDP_CORK socket option is set. It could occur when sending large messages, wherein not all messages are greater than maximum transfer unit(MTU) of the underlying medium. An unprivileged user/program could use this flaw to crash the kernel resulting in DoS, or potentially escalate their privileges on the system. Upstream fix: ------------- -> http://patchwork.ozlabs.org/patch/285292/ -> https://git.kernel.org/linus/c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b -> https://git.kernel.org/linus/e93b7d748be887cd7639b113ba7d7ef792a7efb9
CVE-2013-4470 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4470): The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c.
Fixes in 3.11.7 onwards
