Linux Kernel nfnetlink_osf Individual Option Length Validation Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's nfnetlink_osf component: nfnl_osf_add_callback, which installs a passive OS fingerprint received over netlink, checks the number of options in the fingerprint but not the length of each individual option. The matching code in nf_osf_match_one compares only the sum of the fingerprint's option lengths with the length of the TCP option block of the SYN being classified. Zero-length options contribute nothing to that sum, so a fingerprint built from them matches a SYN that carries no TCP options at all, for which the option pointer is NULL; the per-option loop then dereferences that pointer, producing a general protection fault or NULL pointer dereference and a kernel crash. Separately, the 16-bit value of an MSS option (kind 2) is read from bytes 2 and 3 of the option regardless of the length the fingerprint declares, so an MSS option declared shorter than 4 bytes causes reads past the end of the option, and potentially past the end of the packet's option block (an out-of-bounds read).

Impact

Exploitation leads to a general protection fault or NULL pointer dereference on the packet path and a kernel crash, i.e. denial of service; the short-MSS variant causes an out-of-bounds kernel memory read. Adding fingerprints through nfnetlink_osf requires CAP_NET_ADMIN, so the malformed fingerprint must be installed by a privileged process. Once it is in place, any TCP SYN that an osf match evaluates against it triggers the fault, so the crash itself can be set off by unprivileged or remote traffic.

Reproduction

To reproduce, install a fingerprint through a crafted nfnetlink_osf add request (a struct nf_osf_user_finger) whose option list contains either a zero-length option or an MSS option (kind=2) with a length of less than 4 bytes. The standard nfnl_osf loader derives option lengths from the option kind, so this requires a hand-built netlink message rather than an edited pf.os file. nfnl_osf_add_callback accepts the fingerprint without checking the individual lengths. Then let an osf match (the nftables osf expression or the legacy xt_osf iptables match) evaluate a TCP SYN against it: with the zero-length option, a SYN carrying no TCP options makes nf_osf_match_one dereference the NULL option pointer and crash; with the short MSS option, a SYN whose option block has the same total length as the fingerprint's options makes the MSS read run past the end of that block.
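The following C program is an added model of the two code paths described in the Vulnerability and Reproduction sections, written for this page; it is not the kernel's code and not the upstream fix. osf_validate_finger() shows the per-option check that the add path lacked (its rules, no zero-length option, MSS exactly 4 bytes, total within MAX_IPOPTLEN, are this example's own), and osf_model_match() mirrors the option loop of nf_osf_match_one closely enough to show why the total-length comparison lets both malformed fingerprints through: instead of faulting, it returns a hazard code where the kernel would dereference NULL or read out of bounds. The struct layouts are cut-down stand-ins for the UAPI nf_osf_opt and nf_osf_user_finger, and the fingerprints and SYN option bytes are constructed inputs.

```c
/* Added example (not kernel code): user-space model of the per-option check
 * the add path lacked and of the option loop in nf_osf_match_one(). */
#include <stdint.h>
#include <stdio.h>

#define MAX_IPOPTLEN 40 /* bound the kernel uses for a TCP option block */
#define OSFOPT_MSS   2  /* TCP option kind 2, Maximum Segment Size */
#define TCPOLEN_MSS  4  /* kind, length, 16-bit MSS value */

/* Cut-down stand-ins for the UAPI nf_osf_opt / nf_osf_user_finger. */
struct osf_opt { uint16_t kind, length; };
struct osf_finger { uint16_t opt_num; struct osf_opt opt[MAX_IPOPTLEN]; };

enum osf_result {
	OSF_HAZARD_NULL_DEREF = -2, /* kernel would dereference a NULL option pointer */
	OSF_HAZARD_OOB_READ   = -1, /* kernel would read past the option block */
	OSF_NO_MATCH = 0, OSF_MATCH = 1,
};

/* The check to apply before a fingerprint is stored: 0 if well formed, -1 if
 * not. The rules (no zero-length option, MSS exactly TCPOLEN_MSS, total within
 * MAX_IPOPTLEN) are this example's own, not a copy of the upstream fix. */
int osf_validate_finger(const struct osf_finger *f)
{
	unsigned int total = 0;
	if (f->opt_num > MAX_IPOPTLEN)
		return -1;
	for (unsigned int i = 0; i < f->opt_num; i++) {
		const struct osf_opt *o = &f->opt[i];
		if (o->length == 0)
			return -1;
		if (o->kind == OSFOPT_MSS && o->length != TCPOLEN_MSS)
			return -1;
		total += o->length;
		if (total > MAX_IPOPTLEN)
			return -1;
	}
	return 0;
}

/* Model of the option loop in nf_osf_match_one(). optp/optsize describe the
 * SYN's TCP option block; optp is NULL when the SYN carries no options. Where
 * the kernel would fault or read out of bounds, a hazard code is returned. */
enum osf_result osf_model_match(const struct osf_finger *f, const uint8_t *optp,
				size_t optsize, uint16_t *mss_out)
{
	unsigned int foptsize = 0;
	size_t off = 0;
	for (unsigned int i = 0; i < f->opt_num; i++)
		foptsize += f->opt[i].length;
	/* The only size check on the match path: totals must agree and fit.
	 * Zero-length options sum to 0, which agrees with a SYN without options. */
	if (foptsize > MAX_IPOPTLEN || optsize > MAX_IPOPTLEN || optsize != foptsize)
		return OSF_NO_MATCH;

	for (unsigned int i = 0; i < f->opt_num; i++) {
		const struct osf_opt *o = &f->opt[i];
		if (optp == NULL)
			return OSF_HAZARD_NULL_DEREF; /* *ctx->optp with optp == NULL */
		if (off >= optsize)
			return OSF_HAZARD_OOB_READ;   /* trailing zero-length option */
		if (o->kind != optp[off])
			return OSF_NO_MATCH;
		if (o->kind == OSFOPT_MSS) {
			/* MSS bytes are read at offsets 2 and 3 whatever o->length says */
			if (off + TCPOLEN_MSS > optsize)
				return OSF_HAZARD_OOB_READ;
			if (mss_out)
				*mss_out = (uint16_t)((optp[off + 2] << 8) | optp[off + 3]);
		}
		off += o->length; /* ctx->optp = optend */
	}
	return OSF_MATCH;
}

/* Constructed fixtures, not captured from a real system. */
const struct osf_finger finger_zero_len  = { 1, { { 1, 0 } } };          /* NOP, length 0 */
const struct osf_finger finger_short_mss = { 1, { { OSFOPT_MSS, 2 } } }; /* MSS, length 2 */
const struct osf_finger finger_ok        = { 2, { { OSFOPT_MSS, 4 }, { 1, 1 } } };
const uint8_t syn_opts_mss[]   = { OSFOPT_MSS, 4, 0x05, 0xb4, 1 };       /* MSS 1460, NOP */
const uint8_t syn_opts_short[] = { OSFOPT_MSS, 2 };

/* MSS extracted by a successful match, 0 otherwise. */
unsigned int osf_matched_mss(const struct osf_finger *f, const uint8_t *optp, size_t n)
{
	uint16_t mss = 0;
	return osf_model_match(f, optp, n, &mss) == OSF_MATCH ? mss : 0;
}

int main(void)
{
	printf("zero-length option, SYN without options: match=%d validate=%d\n",
	       osf_model_match(&finger_zero_len, NULL, 0, NULL), osf_validate_finger(&finger_zero_len));
	printf("2-byte MSS option, 2-byte option block: match=%d validate=%d\n",
	       osf_model_match(&finger_short_mss, syn_opts_short, 2, NULL), osf_validate_finger(&finger_short_mss));
	printf("well-formed fingerprint: validate=%d mss=%u\n", osf_validate_finger(&finger_ok),
	       osf_matched_mss(&finger_ok, syn_opts_mss, sizeof syn_opts_mss));
	return 0;
}
```

Build with cc and run: the first two lines report the hazard codes -2 (NULL dereference) and -1 (out-of-bounds read) for the two reproduction cases, with osf_validate_finger rejecting both fingerprints; the third shows a well-formed MSS fingerprint passing validation and matching a SYN that advertises an MSS of 1460. The model deliberately keeps the kernel's total-length comparison so that it is visible that this check alone cannot catch either case.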

Remediation

The fix is upstream in the Linux kernel. Upgrade to a kernel that includes the nfnetlink_osf per-option length validation; no specific release is named here, so check your distribution's kernel changelog. Until the upgrade, exposure is limited to processes holding CAP_NET_ADMIN, which are the only ones able to load fingerprints: load fingerprints only with the standard nfnl_osf tool from a trusted pf.os file (it derives option lengths from the option kind, so it does not produce the malformed entries), and note that removing osf match rules or not loading the nfnetlink_osf module removes the crash path entirely.

Added: Mar 26, 2026, 11:24 AM
Updated: Mar 26, 2026, 11:24 AM

Vulnerability Rating

Custom Algorithm
spread          9.0
impact          3.1
exploitability  3.8
remediation     7.7
relevance       4.7
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.