Linux Kernel Netfilter H.323 Connection Tracking Out-of-Bounds Read Vulnerability

Vulnerability

An out-of-bounds read vulnerability has been identified in the Linux kernel's netfilter component, specifically within the H.323 connection tracking module. The issue is in the 'DecodeQ931()' function, where a 16-bit length is read from the packet and then decremented by one to skip the protocol discriminator byte. If the length read from the packet is zero, the decrement wraps to -1, which the decoder then interprets as a large value, leading to an out-of-bounds read. The vulnerability affects several versions of the Linux kernel.
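The length handling described above, shown as an added example next to a checked form. This is a simplified model, not the kernel's DecodeQ931() source; the function names, the buffer layout (2-byte big-endian length, then discriminator, then payload) and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the pattern in the advisory; names are hypothetical. */

/* Unchecked: returns the payload length that would be handed to the decoder. */
size_t payload_len_unchecked(const uint8_t *p)
{
    int len = (p[0] << 8) | p[1];  /* 16-bit length read from the packet */
    len--;                         /* skip the protocol discriminator byte */
    return (size_t)len;            /* 0 - 1 = -1 converts to SIZE_MAX */
}

/* Checked: returns 0 and sets *out, or -1 if the element is malformed. */
int payload_len_checked(const uint8_t *p, size_t avail, size_t *out)
{
    size_t len;

    if (avail < 2)
        return -1;                 /* length field itself is truncated */
    len = ((size_t)p[0] << 8) | p[1];
    avail -= 2;
    if (len == 0 || len > avail)
        return -1;                 /* no discriminator byte, or overruns buffer */
    *out = len - 1;                /* safe: len >= 1 */
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: length 0, and length 3 with 3 bytes present. */
    const uint8_t zero[] = { 0x00, 0x00 };
    const uint8_t ok[]   = { 0x00, 0x03, 0x05, 0xAA, 0xBB };
    size_t n = 0;

    printf("unchecked, len=0: %zu\n", payload_len_unchecked(zero));
    printf("checked,   len=0: %d\n", payload_len_checked(zero, sizeof zero, &n));
    if (payload_len_checked(ok, sizeof ok, &n) == 0)
        printf("checked,   len=3: payload %zu bytes\n", n);
    return 0;
}
```

The checked form rejects a zero length before the decrement and also bounds the length against the bytes actually remaining in the buffer.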

Impact

Exploitation of this vulnerability causes an out-of-bounds read, which can potentially disclose sensitive information from memory or cause a denial-of-service condition by crashing the system.

Reproduction

The vulnerability can be reproduced by sending a crafted packet to a system running an affected version of the Linux kernel with netfilter H.323 connection tracking enabled. The packet must trigger the UserUserIE code path with the length field set to zero, so that the decrement wraps to -1 and leads to the out-of-bounds read.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for upgrading the Linux kernel can be found in the official Linux documentation.

Added: Apr 3, 2026, 4:58 PM
Updated: Apr 3, 2026, 4:58 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 5.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.