Linux Kernel SCTP NULL Dereference Vulnerability

Vulnerability

A vulnerability in the Linux kernel's SCTP (Stream Control Transmission Protocol) implementation can lead to a NULL pointer dereference. The issue is in chunk data processing, where the chunk's skb (socket buffer) pointer is dereferenced inside a conditional block in which it may legitimately be NULL: chunk->skb can be NULL only when chunk->head_skb is set, which is precisely the case that block handles. The fix checks for the frag_list just before updating chunk->skb, at a point where the outer conditional check guarantees that the pointer is not NULL.
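The following C model is an added illustration of the pointer guard described above; it is not the kernel's code and the struct skb, struct chunk, advance_fragment_guarded and scenario_* names are hypothetical, simplified stand-ins for sk_buff and sctp_chunk that keep only the fields the description mentions. It shows why "head_skb is set" is the case in which skb may be NULL, and where the non-NULL check must sit before the frag_list walk replaces the pointer.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins for the kernel's sk_buff and sctp_chunk.
 * Only the fields relevant to the described bug are modelled (assumption). */
struct skb {
    size_t data_len;        /* bytes held in fragments rather than the linear area */
    struct skb *frag_list;  /* next fragment of a fragmented packet, or NULL */
};

struct chunk {
    struct skb *skb;        /* current data buffer; may be NULL */
    struct skb *head_skb;   /* head of a fragmented packet; NULL if unfragmented */
};

/* Report whether the pre-fix access pattern (reading c->skb->... inside the
 * head_skb block) would dereference NULL, without performing the access. */
int unsafe_pattern_would_crash(const struct chunk *c)
{
    return c->head_skb != NULL && c->skb == NULL;
}

/* Advance chunk->skb to the next fragment with the guard in place.
 * Returns 1 if chunk->skb was replaced, 0 if there is no further fragment,
 * and -1 if the data buffer is missing (the former NULL-dereference case). */
int advance_fragment_guarded(struct chunk *c)
{
    /* Outer condition: only fragmented chunks have a frag list to walk. */
    if (!c->head_skb)
        return 0;

    /* Inside this block c->skb may be NULL, so it must be checked before use. */
    if (!c->skb)
        return -1;

    /* Check frag_list only now, when c->skb is known to be non-NULL, and
     * replace the pointer immediately afterwards. */
    if (!c->skb->frag_list)
        return 0;
    c->skb = c->skb->frag_list;
    return 1;
}

/* Constructed scenario: head_skb set but skb missing. Expected result -1. */
int scenario_missing_buffer(void)
{
    struct skb head = { 0, NULL };
    struct chunk c = { NULL, &head };
    return advance_fragment_guarded(&c);
}

/* Constructed scenario: two-fragment chunk; the walk must land on fragment 2.
 * Returns 1 on success, 0 otherwise. */
int scenario_walks_frag_list(void)
{
    struct skb second = { 0, NULL };
    struct skb first = { 100, &second };
    struct chunk c = { &first, &first };
    int r = advance_fragment_guarded(&c);
    return (r == 1 && c.skb == &second) ? 1 : 0;
}

/* Constructed scenario: unfragmented chunk; nothing to walk. Expected 0. */
int scenario_unfragmented(void)
{
    struct skb only = { 0, NULL };
    struct chunk c = { &only, NULL };
    return advance_fragment_guarded(&c);
}

int main(void)
{
    printf("missing buffer  -> %d\n", scenario_missing_buffer());
    printf("walks frag_list -> %d\n", scenario_walks_frag_list());
    printf("unfragmented    -> %d\n", scenario_unfragmented());
    return 0;
}
```

The point of the model is the ordering: the pre-fix pattern trusted that a fragmented chunk always had a current buffer, whereas the guarded version treats a missing buffer as an error result instead of reaching through the NULL pointer, and only consults frag_list once that is settled.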

Impact

Exploitation of this vulnerability causes a NULL pointer dereference, leading to a crash or undefined behavior in the kernel.

Reproduction

The vulnerability can be reproduced by sending SCTP chunks that omit the data buffer, specifically in scenarios where chunk->head_skb is set but chunk->skb is NULL. This can be achieved by manipulating SCTP packet fragmentation or by using specific network conditions that trigger the missing chunk data.

Remediation

Users can upgrade to the latest stable version of the Linux kernel where this vulnerability has been addressed.

Added: Dec 4, 2025, 4:53 PM
Updated: Dec 4, 2025, 5:52 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.