A flaw was found in the Linux kernel present since v4.0-rc1 and through
v4.13-rc4. A crafted network packet sent remotely by an attacker may force
the kernel to enter an infinite loop in the cipso_v4_optptr() function in
net/ipv4/cipso_ipv4.c leading to a denial-of-service. A certain non-default
configuration of LSM (Linux Security Module) and NetLabel should be set up
on a system before an attacker could leverage this flaw.

Yves Younan discovered that the CIPSO labeling implementation in the Linux
kernel did not properly handle IP header options in some situations. A
remote attacker could use this to specially craft network traffic that
could cause a denial of service (infinite loop).

tyhicks	This issue affects non-default configurations where SELinux or SMACK is being used instead of AppArmor and networking labeling has been configured. It is unlikely that Ubuntu users would be affected by this issue.
sbeattie	further hardening discussion (and why it's likely not needed) around this code in the two netdev emails in the marc.info urls in the references section