The (1) BPFSANCNLATTR and (2) BPFSANCNLATTRNEST extension implementations in the skrunfilter function in net/core/filter.c in the Linux kernel through 3.14.3 do not check whether a certain length value is sufficiently large, which allows local users to cause a denial of service (integer underflow and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the _skbgetnlattr and _skbgetnlattrnest functions before the vulnerability was announced.