Linux Kernel TCP Fast Open Socket Handling Vulnerability in tcp_disconnect()

Vulnerability

A vulnerability in the Linux kernel's TCP implementation has been addressed. The tcp_disconnect() function did not clear the TCP Fast Open (TFO) request socket pointer, tcp_sk(sk)->fastopen_rsk, when a socket was disconnected. The pointer could therefore remain set on a socket in the TCP_ESTABLISHED state even though the TFO socket had not yet completed its three-way handshake. As a result, the retransmit timer was incorrectly triggered, causing a warning and preventing the intended packet from being sent. The vulnerability could be exploited by reusing a server-side TFO socket as a new client before the TFO socket finished its handshake, leading to missed packet retransmissions.

Impact

Failing to retransmit packets can disrupt TCP communication, potentially causing data loss or application-level issues that rely on timely packet delivery.

Reproduction

The vulnerability can be reproduced by creating a server-side TCP Fast Open socket and then reusing it as a client before the TFO socket completes its three-way handshake. This can be done by first accepting a connection, then initiating a new connection to a different destination while the TFO socket is still in the process of establishing a connection. Once the socket is accepted, it will be in the TCP_SYN_RECV state. The tcp_disconnect() function will change the state to TCP_CLOSE, allowing the connection to be reestablished, which also restarts the TCP timers. However, because tcp_disconnect() fails to clear the TFO request socket, the retransmit timer activates, leading to a warning and preventing the retransmission of the intended packet.

Remediation

Users can apply the latest patches from the Linux kernel stable tree to address this vulnerability. Instructions for downloading the patched version are available in the Linux kernel documentation.
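
Until the patch is applied, a host can be triaged for the precondition (server-side TFO enabled) and the symptom (the retransmit-timer warning). The script below is an added example, not part of the advisory or the kernel project. The bit meanings follow the kernel's net.ipv4.tcp_fastopen sysctl documentation, the match on tcp_retransmit_timer (the kernel's retransmit timer handler) is an assumption about how the warning appears in the log, and the log lines are constructed.

```shell
#!/bin/sh
# Added triage example (not from the advisory).

# Decode a net.ipv4.tcp_fastopen value (decimal, as printed by /proc).
#   bit 0x2   (2)    : server-side TFO allowed
#   bit 0x400 (1024) : every listener gets TFO without the TCP_FASTOPEN sockopt
#                      (only effective together with bit 0x2)
# Prints: off | server | server-all-listeners
tfo_server_mode() {
    if [ $(( $1 & 2 )) -eq 0 ]; then
        echo off
    elif [ $(( $1 & 1024 )) -ne 0 ]; then
        echo server-all-listeners
    else
        echo server
    fi
}

# Count kernel WARNING lines attributed to tcp_retransmit_timer in the log
# text on stdin. A hit is a lead to investigate, not proof of this bug: the
# function contains other warnings, and a WARN_ON_ONCE fires once per boot.
count_retransmit_warnings() {
    grep -c -E 'WARNING: .*tcp_retransmit_timer' || true
}

# Constructed sample log; <line> is a placeholder, not a real line number.
SAMPLE_LOG='[  101.000001] eth0: link up
[  202.000002] WARNING: CPU: 0 PID: 0 at net/ipv4/tcp_timer.c:<line> tcp_retransmit_timer+0x0/0x0
[  202.000003] Modules linked in:'

# Demo on constructed inputs. On a real host:
#   tfo_server_mode "$(cat /proc/sys/net/ipv4/tcp_fastopen)"
#   dmesg | count_retransmit_warnings
echo "tcp_fastopen=1    -> $(tfo_server_mode 1)"
echo "tcp_fastopen=3    -> $(tfo_server_mode 3)"
echo "tcp_fastopen=1027 -> $(tfo_server_mode 1027)"
echo "sample warnings   -> $(printf '%s\n' "$SAMPLE_LOG" | count_retransmit_warnings)"
```

A result of "off" means the host does not accept TFO connections, so the server-side socket described under Reproduction cannot be created there.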

Added: Oct 9, 2025, 10:22 AM
Updated: Oct 9, 2025, 4:14 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.