VYPR
Unrated severity · NVD Advisory · Published Dec 15, 2004 · Updated Apr 16, 2026

CVE-2004-1334

Description

Integer overflow in Linux kernel ip_options_get allows local users to cause a kernel crash via a crafted cmsg_len.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An integer overflow exists in the ip_options_get function within the Linux kernel prior to version 2.6.10 [1]. This function is invoked during the processing of ancillary data (cmsg) for IP options. By specifying a cmsg_len field that contains a value of -1 (0xFFFFFFFF when interpreted as an unsigned integer), the computation of the length for a memory copy operation can overflow, leading to a heap-based buffer overflow. The affected versions include all 2.6 kernels up to 2.6.9 and 2.4 kernels up to 2.4.28 on i386 (at least) [1]. A related memory leak in ip_options_get was also reported but fixed earlier under CAN-2004-1016; CVE-2004-1334 addresses the integer overflow specifically [2].
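
The length arithmetic described above, as an added example that is not code from the advisory or from the kernel: a simplified user-space model of how a cmsg_len of -1 yields a negative option length, next to a bounds check that rejects it. The header and struct sizes, the function names, and the 32-bit int are assumptions of this model.

```c
#include <errno.h>
#include <stdio.h>

/* Assumed sizes for this model (not taken from the page or kernel headers). */
#define HDR_LEN      12u  /* aligned control-message header */
#define OPT_STRUCT   12u  /* fixed part of the options buffer */
#define MAX_IPOPTLEN 40   /* IPv4: 60-byte maximum header minus 20 fixed bytes */

/* Option length derived from the caller-supplied cmsg_len, kept in a signed int. */
static int payload_len(unsigned int cmsg_len)
{
    return (int)(cmsg_len - HDR_LEN);   /* 0xFFFFFFFF - 12 becomes -13 */
}

/* Unchecked pattern: the allocation size uses the length rounded up to 4. */
static unsigned int alloc_size_unchecked(int optlen)
{
    return OPT_STRUCT + (unsigned int)((optlen + 3) & ~3);
}

/* Unchecked pattern: the copy routine sees the same length as an unsigned count. */
static unsigned int copy_len_unchecked(int optlen)
{
    return (unsigned int)optlen;
}

/* Hardened pattern: bound the length before any allocation or copy. */
static int validate_optlen(int optlen)
{
    return (optlen < 0 || optlen > MAX_IPOPTLEN) ? -EINVAL : 0;
}

int main(void)
{
    int optlen = payload_len(0xFFFFFFFFu);   /* constructed input: cmsg_len = -1 */

    printf("optlen=%d alloc=%u copy=%u\n", optlen,
           alloc_size_unchecked(optlen), copy_len_unchecked(optlen));
    printf("validate_optlen -> %d\n", validate_optlen(optlen));
    return 0;
}
```

In this model the allocation size wraps to a tiny value while the copy length becomes close to 4 GiB, which is the mismatch that turns the overflow into a heap write past the buffer.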

Exploitation

An attacker must have local user access to the target system. The exploit requires crafting a message with IP_RECVOPTS or similar IP ancillary data using sendmsg(), providing a cmsg_len value set to -1 [1]. When the kernel processes this malformed control message, the integer overflow triggers a buffer overflow, typically resulting in a kernel panic (crash). As it is a local vulnerability, no network position or authentication beyond a standard user account is needed.

Impact

Successful exploitation leads to a denial of service (DoS) by crashing the kernel. The attacker causes a system-wide outage, requiring a reboot to restore functionality. There is no indication that the overflow allows privilege escalation or arbitrary code execution; the impact is limited to a temporary loss of availability [1][2].

Mitigation

The vulnerability is fixed in Linux kernel version 2.6.10 [1]. Distributions such as Ubuntu 4.10 (Warty Warthog) released updated packages (linux-image-2.6.8.1-4-* version 2.6.8.1-16.5) on December 23, 2004 [2]. Systems still running pre-2.6.10 kernels should upgrade to a patched kernel or apply the available distribution updates. No workarounds are known other than patching or restricting local user access.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
