Vigil@nce - Linux kernel: denial of service via UDP Fragmentation Offload
December 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When the UDP Fragmentation Offload feature is enabled on a bridge,
an attacker can send IPv6/UDP packets in order to stop the system.
Severity: 2/4
Creation date: 22/11/2011
IMPACTED PRODUCTS
– Fedora
– Linux kernel
– Red Hat Enterprise Linux
DESCRIPTION OF THE VULNERABILITY
When the UFO (UDP Fragmentation Offload) feature is used, the
kernel does not fragment UDP packets larger than the MTU itself. The
network device is instead in charge of this fragmentation.
The udp6_ufo_fragment() function of the net/ipv6/udp.c file is
called by a bridge when the network device does not support UFO.
However, this function does not check if the SKB (Socket Kernel
Buffer) is large enough to insert the IPv6 fragmentation header. A
memory corruption thus occurs.
When the UDP Fragmentation Offload feature is enabled on a bridge,
an attacker can therefore send IPv6/UDP packets in order to stop
the system.
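The missing check described above, as an added illustration that is not kernel code and not part of the Vigil@nce bulletin: a simplified user-space C model in which a header is inserted by shifting the existing headers toward the start of the buffer. The struct pkt type, the function names and the 54-byte sample headers are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAG_HDR_SZ 8 /* size of the IPv6 Fragment extension header */

/* Hypothetical stand-in for an SKB: the bytes between head and hdr are
 * the free headroom in front of the packet headers. */
struct pkt {
    uint8_t *head;    /* start of the allocation */
    uint8_t *hdr;     /* first byte of the existing headers */
    size_t   hdr_len; /* length of those headers */
};

/* Unchecked pattern: the headers are shifted FRAG_HDR_SZ bytes toward
 * head to make room. If hdr - head < FRAG_HDR_SZ, memmove() writes
 * before the allocation, which is the memory corruption. */
static void insert_frag_hdr_unchecked(struct pkt *p)
{
    memmove(p->hdr - FRAG_HDR_SZ, p->hdr, p->hdr_len);
    p->hdr -= FRAG_HDR_SZ;
    memset(p->hdr + p->hdr_len, 0, FRAG_HDR_SZ); /* slot for the new header */
}

/* Checked variant: verify the headroom first. This model rejects the
 * packet; real code could grow the buffer instead of dropping it. */
static int insert_frag_hdr_checked(struct pkt *p)
{
    if ((size_t)(p->hdr - p->head) < FRAG_HDR_SZ)
        return -1;
    insert_frag_hdr_unchecked(p);
    return 0;
}

/* Constructed sample: 54 header bytes (0xAA) placed `headroom` bytes into
 * a 128-byte buffer. Returns -1 if rejected, 0 if moved intact, 1 if not. */
static int demo(size_t headroom)
{
    uint8_t buf[128] = {0};
    struct pkt p = { buf, buf + headroom, 54 };
    memset(p.hdr, 0xAA, p.hdr_len);
    if (insert_frag_hdr_checked(&p) < 0)
        return -1;
    for (size_t i = 0; i < p.hdr_len; i++)
        if (p.hdr[i] != 0xAA)
            return 1;
    return p.hdr == buf + headroom - FRAG_HDR_SZ ? 0 : 1;
}

int main(void) { printf("%d %d\n", demo(4), demo(16)); return 0; }
```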
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-UDP-Fragmentation-Offload-11170