Linux Kernel MPTCP Division by Zero Vulnerability in Fast Close Handling

Vulnerability

A vulnerability in the Linux kernel's Multipath TCP (MPTCP) implementation can lead to a division-by-zero error. This issue occurs in the 'mptcp_do_fastclose' function when the 'rcv_mss' (received maximum segment size) is not properly initialized before calling 'tcp_send_active_reset'. The vulnerability affects the Linux kernel stable tree and has been addressed by initializing 'rcv_mss' to 'TCP_MIN_MSS' to prevent the division by zero error.

Impact

Exploitation of this vulnerability causes a division-by-zero error, which can lead to a system crash or undefined behavior.

Reproduction

The vulnerability can be reproduced by using an MPTCP socket and invoking the 'mptcp_do_fastclose' function without the 'rcv_mss' being initialized. This can be done by sending a TCP active reset command through an MPTCP socket, which triggers the fast close process. The lack of initialization causes the 'rcv_mss' to default to zero, leading to a division-by-zero error in the 'tcp_select_window' function.
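
The failure described in the Vulnerability and Reproduction sections, as an added userspace model that is not kernel code and not part of the original advisory. The struct, function names and window arithmetic are simplified assumptions; only 'rcv_mss', 'TCP_MIN_MSS' and the order of initialization come from the text above.

```c
#include <stdio.h>
#include <stdint.h>

#define TCP_MIN_MSS 88U /* same value as the kernel constant named above */

/* Hypothetical stand-in for the socket fields involved. */
struct sock_model {
    uint32_t rcv_mss;    /* stays 0 until something initializes it */
    uint32_t free_space; /* bytes free in the receive buffer */
};

enum win_status { WIN_OK = 0, WIN_DIV_BY_ZERO = -1 };

/* Simplified window selection: free space rounded down to a multiple of
 * rcv_mss. In the kernel a zero divisor faults here; this model reports
 * it instead of trapping. */
static enum win_status select_window(const struct sock_model *sk, uint32_t *win)
{
    if (sk->rcv_mss == 0)
        return WIN_DIV_BY_ZERO;
    *win = sk->free_space - (sk->free_space % sk->rcv_mss);
    return WIN_OK;
}

/* Reset path before the fix: rcv_mss is used as found. */
static enum win_status fastclose_unpatched(struct sock_model *sk, uint32_t *win)
{
    return select_window(sk, win);
}

/* Reset path after the fix: rcv_mss is set to TCP_MIN_MSS first. */
static enum win_status fastclose_patched(struct sock_model *sk, uint32_t *win)
{
    sk->rcv_mss = TCP_MIN_MSS;
    return select_window(sk, win);
}

int main(void)
{
    struct sock_model sk = { .rcv_mss = 0, .free_space = 65535 }; /* constructed */
    uint32_t win = 0;

    printf("unpatched: %s\n",
           fastclose_unpatched(&sk, &win) == WIN_OK ? "ok" : "zero divisor");
    if (fastclose_patched(&sk, &win) == WIN_OK)
        printf("patched: window=%u rcv_mss=%u\n", (unsigned)win, (unsigned)sk.rcv_mss);
    return 0;
}
```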

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the Linux kernel official website.

Added: Dec 16, 2025, 6:30 PM
Updated: Dec 16, 2025, 6:30 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.