Vigil@nce: Linux kernel, denial of service via DCCP
March 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can send data to a socket after its closure, in
order to stop the kernel.
– Severity: 1/4
– Creation date: 08/03/2011
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The DCCP (Datagram Congestion Control Protocol) protocol is
implemented in the kernel since version 2.6.14.
The dccp_rcv_state_process() function of the net/dccp/input.c file
processes received data. However, when the socket is closed, and
when a Reset packet is received, this function dereferences a NULL
pointer.
A local attacker can therefore send data to a socket after its
closure, in order to stop the kernel.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-DCCP-10430