Vigil@nce - Linux kernel: denial of service via sctp_packet_config
October 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A remote attacker can send malicious SCTP packets, in order to
stop the system.
Severity: 2/4
Creation date: 27/09/2010
DESCRIPTION OF THE VULNERABILITY
The SCTP protocol (Stream Control Transmission Protocol) can be
used to send several streams in the same session. SCTP packets
carry chunks, each identified by a type:
– 0: Payload Data (DATA)
– 1: Initialization (INIT)
– 4: Heartbeat (HEARTBEAT)
– etc.
An attacker can create a session containing two streams, send a
HEARTBEAT on one of these streams, and then a DATA
retransmission on the other stream. In this case, the
sctp_packet_config() function is called, and the
sctp_packet_reset() function resets the state of the stream.
Subsequent use of this stream then corrupts memory.
A remote attacker can therefore send malicious SCTP packets, in
order to stop the system.
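
An added example, not part of the Vigil@nce bulletin or of the kernel source: a bounds-checked walker that counts the chunk types listed above in one SCTP packet, useful when triaging a capture. It assumes the RFC 4960 layout (12-byte common header, then type/flags/length chunks padded to 4 bytes); the function name and the sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SCTP_COMMON_HDR 12   /* ports, verification tag, checksum */
#define SCTP_CHUNK_HDR   4   /* type, flags, 16-bit length */

/* Walk the chunks of one SCTP packet (RFC 4960 layout).
 * counts[t] receives the number of chunks of type t.
 * Returns the total number of chunks, or -1 if the packet is malformed.
 * Hypothetical helper name, chosen for this example. */
int sctp_count_chunks(const uint8_t *pkt, size_t len, unsigned counts[256])
{
    size_t off = SCTP_COMMON_HDR;
    int total = 0;

    for (int i = 0; i < 256; i++)
        counts[i] = 0;
    if (len < SCTP_COMMON_HDR)
        return -1;
    while (off < len) {
        if (len - off < SCTP_CHUNK_HDR)
            return -1;                      /* truncated chunk header */
        size_t clen = ((size_t)pkt[off + 2] << 8) | pkt[off + 3];
        if (clen < SCTP_CHUNK_HDR || clen > len - off)
            return -1;                      /* length field exceeds packet */
        counts[pkt[off]]++;
        total++;
        off += (clen + 3) & ~(size_t)3;     /* chunks are padded to 4 bytes */
    }
    return total;
}

/* Constructed sample: common header, one HEARTBEAT (type 4), one DATA (type 0). */
static const uint8_t sample_pkt[] = {
    0x13,0x88, 0x13,0x89, 0,0,0,1, 0,0,0,0,          /* common header */
    4, 0, 0x00,0x0c, 0x00,0x01, 0x00,0x08, 1,2,3,4,  /* HEARTBEAT, length 12 */
    0, 3, 0x00,0x11, 0,0,0,7, 0,1, 0,0, 0,0,0,0,     /* DATA header, length 17 */
    'x', 0,0,0                                       /* 1 payload byte + padding */
};

int main(void)
{
    unsigned counts[256];
    int n = sctp_count_chunks(sample_pkt, sizeof sample_pkt, counts);
    printf("chunks=%d DATA=%u HEARTBEAT=%u\n", n, counts[0], counts[4]);
    return n < 0;
}
```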
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-sctp-packet-config-9971