Linux Kernel Stream Control Transmission Protocol Send Stream Number Validation Vulnerability

Vulnerability

A null pointer dereference vulnerability has been identified in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation. This issue arises in a specific scenario where the outgoing stream count of a client is reduced after acknowledging an initialization message, leading to a crash when a thread attempts to send a message on a non-existent stream. The vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability leads to a null pointer dereference, causing a crash of the affected application or service.

Reproduction

The vulnerability can be reproduced by establishing an SCTP connection from a client to a server. The client should have its outgoing stream count set to N, while the server's incoming stream count is set to N - 2. A separate thread in the client then sends a message on stream number N - 1 and blocks waiting for send-buffer space before the initialization acknowledgment has been processed. When the acknowledgment is processed, both the client's outgoing stream count and the server's incoming stream count drop to N - 2. When the thread that was waiting for the send buffer resumes and attempts to send on stream N - 1, which no longer exists, the null pointer dereference occurs, crashing the application.
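The interleaving above, as an added illustration written for this entry rather than code taken from the kernel: a small C model of an association's outgoing stream table, the INIT ACK handling that shrinks it, and the two send paths side by side. The stale path returns the pointer the kernel would dereference (NULL once the stream is gone); the hardened path re-validates the stream number against the current outgoing count after the wait and returns -EINVAL instead. All struct and function names (assoc, out_stream, assoc_process_init_ack, send_checked, run_race) are assumptions of this model, not kernel identifiers.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-stream output state; not the kernel's layout. */
struct out_stream {
    unsigned int queued;          /* bytes queued on this stream */
};

/* Hypothetical association: a table of N stream slots; slots beyond outcnt are NULL. */
struct assoc {
    unsigned int outcnt;          /* outgoing streams currently negotiated */
    struct out_stream **streams;  /* table keeps its original capacity */
};

static void assoc_free(struct assoc *a)
{
    if (!a) return;
    for (unsigned int i = 0; i < a->outcnt; i++) free(a->streams[i]);
    free(a->streams);
    free(a);
}

/* Create an association that offers n outgoing streams. */
static struct assoc *assoc_create(unsigned int n)
{
    struct assoc *a = calloc(1, sizeof *a);
    if (!a) return NULL;
    a->streams = calloc(n, sizeof *a->streams);
    if (!a->streams) { free(a); return NULL; }
    for (unsigned int i = 0; i < n; i++) {
        a->streams[i] = calloc(1, sizeof **a->streams);
        if (!a->streams[i]) { a->outcnt = i; assoc_free(a); return NULL; }
    }
    a->outcnt = n;
    return a;
}

/* Model of INIT ACK processing: the peer accepts only peer_in inbound streams, so
 * the local outgoing count shrinks and the surplus stream state is released. */
static void assoc_process_init_ack(struct assoc *a, unsigned int peer_in)
{
    if (peer_in >= a->outcnt) return;
    for (unsigned int i = peer_in; i < a->outcnt; i++) {
        free(a->streams[i]);
        a->streams[i] = NULL;     /* the pointer a stale sender would dereference */
    }
    a->outcnt = peer_in;
}

/* Vulnerable pattern: the stream number was checked before the sender blocked for
 * send-buffer space and is used after waking without a re-check. Returns the
 * pointer the send path would dereference; NULL stands for the crash. */
static struct out_stream *lookup_stale(const struct assoc *a, unsigned int stream)
{
    return a->streams[stream];
}

/* Hardened pattern: validate against the current outcnt after the wait, so a
 * shrunken association yields -EINVAL rather than a NULL dereference. */
static int send_checked(struct assoc *a, unsigned int stream, unsigned int len)
{
    if (stream >= a->outcnt) return -EINVAL;
    a->streams[stream]->queued += len;
    return (int)len;
}

/* The advisory's interleaving with N outgoing streams: a sender targets stream
 * N-1, blocks, the INIT ACK shrinks the association to N-2 streams, and the
 * sender resumes. Returns the hardened send path's result. */
static int run_race(unsigned int n, unsigned int len)
{
    if (n < 2) return -EINVAL;
    struct assoc *a = assoc_create(n);
    if (!a) return -ENOMEM;
    unsigned int stream = n - 1;
    /* Sender thread: the early check passes because outcnt is still N. */
    if (stream >= a->outcnt) { assoc_free(a); return -EINVAL; }
    /* Sender sleeps for send-buffer space; meanwhile the INIT ACK with N-2
     * inbound streams arrives and the association shrinks. */
    assoc_process_init_ack(a, n - 2);
    /* Sender wakes: the stale slot is now NULL, the re-check rejects the send. */
    int rc = (lookup_stale(a, stream) == NULL) ? send_checked(a, stream, len) : -EIO;
    assoc_free(a);
    return rc;
}

int main(void)
{
    int rc = run_race(8, 64);
    printf("send on stream 7 after shrink to 6 streams: rc=%d (%s)\n",
           rc, rc == -EINVAL ? "rejected, no dereference" : "unexpected");
    return rc == -EINVAL ? 0 : 1;
}
```

The point of the check is its placement: validating the stream number only before blocking is not enough, because the association can be renegotiated while the sender sleeps, so the comparison against the outgoing count has to be repeated on the path that actually touches the stream state.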

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.

Added: Sep 16, 2025, 4:54 PM
Updated: Sep 16, 2025, 4:54 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.