Vigil@nce: Linux kernel, denial of service via SCTP
May 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can send a malformed SCTP packet, in order to stop the
kernel.
– Severity: 2/4
– Creation date: 29/04/2010
DESCRIPTION OF THE VULNERABILITY
The SCTP protocol uses chunks of type:
– 0 : Payload Data (DATA)
– 1 : Initialization (INIT)
– 9 : Operation Error (ERROR)
– etc.
When a listening SCTP service receives an INIT chunk containing an
error, it returns an ERROR chunk. However, if the INIT packet
contains several errors, the size allocated for the ERROR chunk is
too short. The kernel thus detects an overflow and stops in
skb_over_panic by calling the BUG() macro.
An attacker can therefore send a malformed SCTP packet, in order
to stop the kernel.
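Added illustration, not part of the Vigil@nce bulletin and not kernel code: a user-space C model of the sizing error described above, where the ERROR chunk buffer has room for one error cause but several are appended. The names model_skb, model_put and build_error_chunk, the 8-byte cause payload and the -1 return in place of BUG() are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define CHUNK_HDR 4 /* SCTP chunk header: type, flags, 16-bit length */
#define CAUSE_HDR 4 /* error cause header: 16-bit code, 16-bit length */
/* Hypothetical stand-in for a kernel socket buffer (model only). */
struct model_skb { uint8_t *data; size_t tail, end; };

/* Mirrors the bounds check in skb_put(): reserve len bytes at the tail.
 * The kernel stops in skb_over_panic()/BUG() here; the model returns NULL. */
static uint8_t *model_put(struct model_skb *skb, size_t len)
{
    if (len > skb->end - skb->tail)
        return NULL;
    skb->tail += len;
    return skb->data + skb->tail - len;
}

/* Build an ERROR chunk (type 9) with n causes of info_len payload bytes.
 * sized_for_all == 0 models the flaw: space is reserved for one cause only.
 * Returns the chunk length, or -1 where the kernel would have stopped. */
long build_error_chunk(size_t n, size_t info_len, int sized_for_all)
{
    size_t per_cause = CAUSE_HDR + info_len;
    size_t cap = CHUNK_HDR + (sized_for_all ? n : 1) * per_cause;
    struct model_skb skb = { calloc(1, cap), 0, cap };
    uint8_t *hdr, *cause;
    long result = -1;
    if (!skb.data || !(hdr = model_put(&skb, CHUNK_HDR)))
        goto out;
    hdr[0] = 9; /* chunk type: Operation Error */
    for (size_t i = 0; i < n; i++) {
        if (!(cause = model_put(&skb, per_cause)))
            goto out; /* overflow detected: the kernel calls BUG() */
        cause[2] = (uint8_t)(per_cause >> 8); /* cause code stays 0 (placeholder) */
        cause[3] = (uint8_t)(per_cause & 0xff);
    }
    hdr[2] = (uint8_t)(skb.tail >> 8);
    hdr[3] = (uint8_t)(skb.tail & 0xff);
    result = (long)skb.tail;
out:
    free(skb.data);
    return result;
}

int main(void)
{
    printf("%ld %ld %ld\n", build_error_chunk(1, 8, 0),
           build_error_chunk(3, 8, 0), build_error_chunk(3, 8, 1));
}
```

The middle call is the case the bulletin describes: the second cause no longer fits, and the bounds check that returns -1 here is the point where the kernel stops.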
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-SCTP-9618