Vigil@nce: Linux kernel, denial of service via ipv6_hop_jumbo
January 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker an use an IPv6 packet with an Hop-by-Hop header in
order to stop the kernel.
Severity: 2/4
Consequences: denial of service of computer
Provenance: internet server
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 14/01/2010
IMPACTED PRODUCTS
- Linux kernel
DESCRIPTION OF THE VULNERABILITY
An IPv6 packet can contain a Hop-by-hop header which indicates
options for each router on the path.
The ipv6_hop_jumbo() function of the net/ipv6/exthdrs.c file does
not check if the macro skb_dst() is null. A NULL pointer is then
dereferenced, which stops the kernel.
A remote attacker can therefore create a denial of service on
computers where IPv6 is enabled.
CHARACTERISTICS
Identifiers: BID-37810, CVE-2010-0006, VIGILANCE-VUL-9351
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-ipv6-hop-jumbo-9351