Linux Kernel SCTP Ifwdtsn Skip Overflow Vulnerability

Vulnerability

A potential overflow vulnerability has been identified in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation, specifically in the handling of ifwdtsn skips. The issue arises because the traversal function '_sctp_walk_ifwdtsn' only checks each position against the end of the chunk, so the data remaining at the last position may be smaller than the 'sctp_ifwdtsn_skip' structure; dereferencing that position as a full structure could lead to an overflow past the chunk boundary. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability could lead to a buffer overflow, potentially allowing for arbitrary code execution or causing a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by having '_sctp_walk_ifwdtsn' traverse ifwdtsn skips in a chunk whose last position holds fewer bytes than the 'sctp_ifwdtsn_skip' structure. Because the function validates each position only against the chunk's end, it still dereferences that last position as a full structure. The vulnerable code path is reached through SCTP stream interleaving.
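As an added example (not the kernel's code or the fix commit's), the following C models the bound check described in the Vulnerability and Reproduction sections: the vulnerable walker tests only whether an entry starts before the chunk end, while the fixed walker requires a whole entry to fit. The struct layout and the skip buffer are constructed assumptions for the example.

```c
#include <stdint.h>
#include <string.h>

/* Modelled on the kernel's 8-byte sctp_ifwdtsn_skip; this field layout is an
 * assumption for the example. */
struct ifwdtsn_skip {
    uint16_t stream;
    uint8_t  reserved;
    uint8_t  flags;
    uint32_t mid;
};
#define SKIP_SZ sizeof(struct ifwdtsn_skip)

/* Constructed skip area: two whole entries plus 4 stray bytes (20 bytes, not a
 * multiple of 8), then sentinel bytes standing in for memory past the chunk. */
#define SKIP_AREA_LEN 20
static const uint8_t skip_area[SKIP_AREA_LEN + 8] = {
    0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, /* entry 0 */
    0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, /* entry 1 */
    0xaa, 0xbb, 0xcc, 0xdd,                         /* trailing fragment */
    0xee, 0xee, 0xee, 0xee, 0xee, 0xee, 0xee, 0xee  /* sentinel: past end */
};

/* Copy of the last entry the vulnerable walk read, for inspection. */
static struct ifwdtsn_skip last_visited;

/* Vulnerable bound: an entry is visited whenever its START lies before end, so
 * the 4-byte trailing fragment is read as a whole 8-byte struct, pulling in 4
 * bytes from beyond the chunk (the sentinel). */
static size_t walk_skips_vulnerable(const uint8_t *skips, size_t len)
{
    const uint8_t *end = skips + len;
    size_t n = 0;
    for (const uint8_t *pos = skips; pos < end; pos += SKIP_SZ) {
        memcpy(&last_visited, pos, SKIP_SZ); /* over-reads on the last entry */
        n++;
    }
    return n;
}

/* Fixed bound: visit only while a whole entry still fits before end, which is
 * what subtracting the structure size from the limit achieves. */
static size_t walk_skips_fixed(const uint8_t *skips, size_t len)
{
    size_t n = 0;
    for (size_t off = 0; off + SKIP_SZ <= len; off += SKIP_SZ)
        n++;
    return n;
}
```

On the constructed buffer the vulnerable walk visits three entries and its last read returns sentinel bytes from beyond the chunk, while the fixed walk stops at two.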

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. The specific commit that addresses this issue is 32832a2caf82663870126c5186cf8f86c8b2a649.

Added: Sep 18, 2025, 3:26 PM
Updated: Sep 18, 2025, 3:26 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.