Vigil@nce - Linux kernel: denial of service via GRO
April 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can send a packet carrying a malicious VLAN tag in order
to crash the kernel when GRO is enabled.
Severity: 2/4
Creation date: 28/03/2011
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The GRO (Generic Receive Offload) feature groups several received
packets into the same SKB (Socket Kernel Buffer), in order to reduce
the amount of per-packet processing.
When a packet processed by GRO arrives with an unknown VLAN
identifier, its skb->dev (device) field is set to NULL.
The memory of that SKB is then reused to process the following
packets. However, the skb->dev field is not reinitialised between
two uses, so the second use dereferences a NULL pointer.
An attacker can therefore send a packet carrying a malicious VLAN tag
in order to crash the kernel when GRO is enabled.
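The sequence above, as an added C model that is not the bulletin's or the kernel's own code: a buffer with a NULL dev left behind by an unknown VLAN is handed to the next packet, and the same path with dev reinitialised on reuse. The structure names are borrowed from the kernel for readability; the VLAN ids and the reset parameter are constructed assumptions, not the actual patch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal model of the receive path described in the bulletin. */
struct net_device { const char *name; };
struct sk_buff { struct net_device *dev; unsigned short vlan_id; };

/* Constructed: the only VLAN id the model device has configured. */
#define KNOWN_VLAN 100

/* Model of the VLAN GRO hook: an unknown VLAN id clears skb->dev. */
static void vlan_gro_receive(struct sk_buff *skb)
{
    if (skb->vlan_id != KNOWN_VLAN)
        skb->dev = NULL;          /* state that is left behind in the SKB */
}

/* Buffer reuse between packets; reset_dev selects unfixed (0) or fixed (1). */
static void napi_reuse_skb(struct sk_buff *skb, struct net_device *napi_dev,
                           int reset_dev)
{
    skb->vlan_id = 0;
    if (reset_dev)
        skb->dev = napi_dev;      /* reinitialise dev on every reuse */
}

/* Returns 1 if the second packet would dereference a NULL skb->dev, else 0. */
int simulate(int reset_dev_on_reuse)
{
    struct net_device eth0 = { "eth0" };
    struct sk_buff skb = { &eth0, 0 };

    skb.vlan_id = 4000;           /* packet 1: constructed unknown VLAN id */
    vlan_gro_receive(&skb);

    napi_reuse_skb(&skb, &eth0, reset_dev_on_reuse);

    skb.vlan_id = KNOWN_VLAN;     /* packet 2: ordinary frame on a known VLAN */
    if (skb.dev == NULL)
        return 1;                 /* the kernel would oops at skb->dev->... */
    return strcmp(skb.dev->name, "eth0") != 0;
}

int main(void)
{
    printf("unfixed reuse NULL-deref=%d, fixed reuse NULL-deref=%d\n",
           simulate(0), simulate(1));
    return 0;
}
```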
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-GRO-10497