Vigil@nce - Linux kernel: denial of service via ip_expire/icmp_send
May 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A network attacker can use a malicious request in order to create
a denial of service.
Severity: 2/4
Creation date: 18/05/2011
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The icmp_send() function of "/net/ipv4/icmp.c" is used by the
kernel to transmit ICMP error messages when specific conditions
are detected.
The ip_expire() function of "/net/ipv4/ip_fragment.c" manages a
queue of fragments when it exceeds a certain time. and calls
icmp_send () to send an ICMP error.
The kernel stores the packets in structures sk_buff (socket kernel
buffer, or skb).
When a frame is defragmented the last field dst of skb is used to
construct the final skb. However, if a timeout occurs, the first
fragment (dst field of skb) is used to create an ICMP
TIME_EXCEEDED message, and other then a NULL pointer dereference.
So when icmp_send () is called it causes a denial of service.
A network attacker can therefore use a malicious ICMP request in
order to create a denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-ip-expire-icmp-send-10668