In the Linux kernel through 3.2, the rdsmessageallocsgs() function does not validate a value that is used during DMA page allocation, leading to a heap-based out-of-bounds write (related to the rdsrdmaextrasize function in net/rds/rdma.c).
{ "urgency": "not yet assigned" }