Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's handling of fragmented IPv6 packets can leak conntrack references and cause network namespace cleanup to hang. Fragmented IPv6 packets are reassembled and tracked by the conntrack module, but the reassembled packets are not defragmented again before being processed, so dangling conntrack references remain and block removal of the module. The problem has been reproduced with the 'ip_defrag.sh' self-test and is present in the stable Linux kernel.
The impact is that conntrack cleanup can hang for an extended period: the conntrack module cannot be removed until userspace has consumed the packets holding the leaked references.
The issue is triggered by emitting fragmented IPv6 packets inside a network namespace. The 'nf_defrag_v6_hook' reassembles the fragments, and the reassembled packet acquires a conntrack reference. When that packet is processed it is refragmented, and each new fragment takes an additional conntrack reference. Because these fragments are queued to the socket without being defragmented first, the references are never released, and namespace cleanup blocks until the socket queue drains.
No specific remediation is provided on this page; the described root cause is that the refragmented packets reach the socket queue still carrying conntrack references, so the fix lies in releasing those references during the defragmentation step rather than leaving them attached to the queued fragments.