Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability exists in the Linux kernel's handling of raw socket messages for the IEEE 802.15.4 protocol. When a zero-sized message is sent through a raw socket using the PF_IEEE802154 protocol, it triggers a warning in the kernel's transmission queue management: an assertion on the packet length fails because the packet is empty. The issue arises because the socket's raw_sendmsg() function permits a zero length, which the __dev_queue_xmit() function then processes improperly, producing the warning. The vulnerability can be reproduced by sending a zero-length message over a PF_IEEE802154 raw socket, which causes the kernel to assert that the packet length is invalid, even though the socket is designed to handle such cases.
The vulnerability can cause kernel warnings and potentially disrupt normal packet processing for PF_IEEE802154 sockets, but it does not appear to introduce a severe security risk or lead to a more critical failure.
To reproduce this vulnerability, create a raw socket using the PF_IEEE802154 protocol. Then, send a message through this socket with a length of zero. This will trigger the skb_assert_len() warning in the kernel, as the __dev_queue_xmit() function receives a packet with an invalid length.
Users can update to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that resolves this issue is available in the Linux kernel stable tree.
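For triage on hosts that have not yet been updated, the warning described above can be separated from unrelated kernel warnings in collected logs. The following is an added example, not code from the kernel or from this advisory: the log excerpt is constructed (PIDs, offsets and source line numbers are placeholders), and it assumes the call trace includes an ieee802154 socket frame, which distinguishes this path from raw_sendmsg() in other protocol families.

```python
import re

# Constructed kernel log excerpt, not from a real system; PIDs, offsets and
# source line numbers are placeholders.
SAMPLE_LOG = """\
[  101.000001] ------------[ cut here ]------------
[  101.000002] skb_assert_len
[  101.000003] WARNING: CPU: 0 PID: 4242 at include/linux/skbuff.h:0 __dev_queue_xmit+0x0/0x0
[  101.000004] Call Trace:
[  101.000005]  raw_sendmsg+0x0/0x0
[  101.000006]  ieee802154_sock_sendmsg+0x0/0x0
[  101.000007] ---[ end trace 0000000000000000 ]---
[  202.000001] ------------[ cut here ]------------
[  202.000002] WARNING: CPU: 1 PID: 77 at fs/example.c:0 example_fn+0x0/0x0
[  202.000003] ---[ end trace 0000000000000000 ]---
"""

STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # leading dmesg timestamp

def split_splats(log):
    """Return each warning block as a list of lines with timestamps stripped."""
    splats, current = [], None
    for raw in log.splitlines():
        line = STAMP.sub("", raw)
        if "[ cut here ]" in line:
            current = []                     # start of a new warning block
        elif current is not None:
            if "---[ end trace" in line:
                splats.append(current)
                current = None
            else:
                current.append(line)
    if current:                              # log truncated before the end marker
        splats.append(current)
    return splats

def is_zero_len_802154(splat):
    """True if the block is the empty-packet assertion reached via an 802.15.4 raw socket."""
    text = "\n".join(splat)
    needed = ("skb_assert_len", "__dev_queue_xmit", "raw_sendmsg", "ieee802154")
    return all(symbol in text for symbol in needed)

def triage(log):
    return [is_zero_len_802154(s) for s in split_splats(log)]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```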