Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability allowing an out-of-bounds read has been identified in the Linux kernel's netfilter component, specifically within the H.323 connection tracking module. The issue lies in the 'decode_int()' function: in the 'CONS' case it reads a length value with 'get_bits(bs, 2)' and then fetches the value with 'get_uint(bs, len)' without verifying that the buffer actually contains the required number of bytes. The existing boundary check only covers the initial 2 bits, leaving the 1-4 bytes that 'get_uint()' then accesses unchecked. As a result, a malformed H.323/RAS packet can trigger a slab-out-of-bounds read of 1-4 bytes.
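As an added illustration (not the kernel's code and not the fixing commit), the following simplified model of the 'CONS' path shows the two checks that must both pass before any read: one for the 2 selector bits, and one for the 1-4 value bytes that 'get_uint()' consumes. The 'bitstr' layout, 'in_bounds()' helper and the sample packets are constructed for this example.

```c
#include <stddef.h>
/* Simplified model of a PER bit-stream reader (not the kernel's own code). */
struct bitstr {
    const unsigned char *buf;   /* packet data */
    size_t len, cur;            /* bytes available, current byte index */
    unsigned int bit;           /* bit offset within buf[cur], 0..7 */
};

enum { H323_OK = 0, H323_ERROR_BOUND = -1 };

/* Read n (<= 8) bits MSB-first; the caller has already checked bounds. */
static unsigned int get_bits(struct bitstr *bs, unsigned int n)
{
    unsigned int v = 0;
    while (n--) {
        v = (v << 1) | ((bs->buf[bs->cur] >> (7 - bs->bit)) & 1);
        if (++bs->bit == 8) { bs->bit = 0; bs->cur++; }
    }
    return v;
}

/* Read a big-endian unsigned integer of len (1..4) whole bytes. */
static unsigned int get_uint(struct bitstr *bs, unsigned int len)
{
    unsigned int v = 0;
    while (len--) v = (v << 8) | bs->buf[bs->cur++];
    return v;
}

/* Does the stream still hold `bits` more bits, then `bytes` whole bytes? */
static int in_bounds(const struct bitstr *bs, unsigned int bits, unsigned int bytes)
{
    size_t need_bits = bs->cur * 8 + bs->bit + bits;
    return (need_bits + 7) / 8 + bytes <= bs->len;
}

/* CONS case of decode_int(): 2-bit length selector, byte alignment, then 1..4 value bytes. */
int decode_int_cons(struct bitstr *bs, unsigned int *out)
{
    unsigned int len;
    if (!in_bounds(bs, 2, 0))              /* the check that was present: the selector bits */
        return H323_ERROR_BOUND;
    len = get_bits(bs, 2) + 1;
    if (bs->bit) { bs->bit = 0; bs->cur++; }   /* BYTE_ALIGN */
    if (!in_bounds(bs, 0, len))            /* the check that was missing: the value bytes */
        return H323_ERROR_BOUND;
    *out = get_uint(bs, len);
    return H323_OK;
}
```

Without the second 'in_bounds()' call, the short packet in the first scenario below would make 'get_uint()' read 4 bytes from a 3-byte buffer; with it, the decoder rejects the packet before touching memory past the end.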
Triggering this vulnerability causes a slab-out-of-bounds read, which can potentially be leveraged further, such as for arbitrary memory read or information disclosure.
To reproduce this vulnerability, send a malformed H.323/RAS packet that exploits the lack of proper length validation in the 'decode_int()' function of the H.323 connection tracking module. The packet should be crafted to include a length value that, when processed, leads to an out-of-bounds read of 1-4 bytes.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. The specific commit addressing this issue is '1e3a3593162c96e8a8de48b1e14f60c3b57fca8a', which is available in the Linux kernel stable tree.