Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A double-free vulnerability has been identified in the Linux kernel's Netrom protocol implementation. The issue arises in the 'nr_route_frame()' function, where a socket buffer (old_skb) is freed without first checking if the associated neighbor's AX.25 pointer is NULL. This oversight can lead to the caller function freeing the same socket buffer again, causing a double-free condition. The vulnerability affects the Linux kernel stable tree.
The double-free can potentially be exploited to execute arbitrary code or to cause a denial of service by crashing the system.
The vulnerability can be reproduced by sending a Netrom packet that triggers the 'nr_route_frame()' function. The packet should be crafted so that the 'nr_neigh->ax25' pointer is NULL, in which case the 'old_skb' socket buffer is freed twice.
Users can upgrade to the latest version of the Linux kernel stable tree, where this vulnerability has been addressed.
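The ownership mistake described above can be modelled in userspace. This is an added example, not kernel code or the upstream patch: the struct and function names are hypothetical stand-ins, and the contract that the caller frees the buffer when the routing function returns 0 is an assumption. Frees are counted rather than performed so the double free is observable without undefined behaviour.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical stand-ins for the socket buffer and the neighbour entry. */
struct buf   { int frees; };
struct neigh { void *ax25; };

static int fake_link;                       /* constructed non-NULL link handle */

static void buf_free(struct buf *b) { b->frees++; }   /* count, do not free() */

/* Assumed contract: return 1 = callee consumed 'old', 0 = caller frees it. */

/* Buggy shape: 'old' is released before the NULL check on n->ax25. */
static int route_frame_buggy(struct buf *old, struct neigh *n, void *link)
{
    buf_free(old);
    n->ax25 = link;
    return n->ax25 != NULL;                 /* 0 here makes the caller free again */
}

/* Fixed shape: check n->ax25 first, release 'old' only on success. */
static int route_frame_fixed(struct buf *old, struct neigh *n, void *link)
{
    n->ax25 = link;
    if (n->ax25 == NULL)
        return 0;                           /* ownership stays with the caller */
    buf_free(old);
    return 1;
}

/* Caller side of the contract; returns how many times 'old' was freed. */
static int caller(int (*route)(struct buf *, struct neigh *, void *), void *link)
{
    struct buf old = { 0 };
    struct neigh n = { NULL };

    if (!route(&old, &n, link))
        buf_free(&old);
    return old.frees;
}

int main(void)
{
    printf("buggy, ax25 NULL: %d frees\n", caller(route_frame_buggy, NULL));
    printf("fixed, ax25 NULL: %d frees\n", caller(route_frame_fixed, NULL));
    printf("buggy, ax25 set:  %d frees\n", caller(route_frame_buggy, &fake_link));
    printf("fixed, ax25 set:  %d frees\n", caller(route_frame_fixed, &fake_link));
    return 0;
}
```

Only the buggy path with a NULL link reaches two frees; every other combination releases the buffer exactly once.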