Linux Kernel Netfilter SIP Content-Length Truncation Vulnerability in Connection Tracking

Vulnerability

A vulnerability in the Linux kernel's netfilter component, specifically within the SIP connection tracking module, has been addressed. The issue arose because the SIP Content-Length header was parsed using a function that returns an unsigned long value, but the result was stored in an unsigned int variable. On 64-bit systems, this discrepancy caused values exceeding the maximum limit for unsigned int to be silently truncated. As a result, the SIP message boundary was miscalculated, leading the parser to incorrectly process trailing TCP segment data as a separate SIP message, which was then handled by the SDP parser. The vulnerability affected several versions of the Linux kernel.

Impact

Exploitation of this vulnerability could lead to incorrect processing of SIP messages, allowing for potential manipulation or misinterpretation of SIP data, which could be exploited in certain communication scenarios.

Reproduction

The vulnerability can be reproduced by sending a SIP message with a Content-Length header value that exceeds 2^32, such as 4294967328. The SIP parser will truncate this value, causing it to miscalculate the message boundary. This error allows the parser to treat additional data in the TCP segment as a separate SIP message, which is then processed through the SDP parser, potentially leading to incorrect handling of the SIP communication.
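The arithmetic behind the value above, as an added example that is not the kernel's code or its patch: a userspace model of the narrowing beside one way to harden the length check. The function names, the use of `strtoull`, and the 100-byte header / 400-byte segment sizes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model of a 64-bit kernel: uint64_t stands in for unsigned long,
 * uint32_t for unsigned int. All function names here are hypothetical. */

/* Flawed pattern: the parsed value is narrowed to 32 bits before use.
 * Returns the offset at which the parser believes the message ends,
 * or 0 if it believes the message is not fully contained in the segment. */
size_t msg_end_truncating(const char *digits, size_t body_off, size_t datalen)
{
    uint32_t clen = (uint32_t)strtoull(digits, NULL, 10); /* high bits lost */
    size_t msglen = body_off + clen;

    return msglen > datalen ? 0 : msglen;
}

/* Hardened pattern: keep the full width and compare the declared length
 * against the bytes actually available after the headers. */
size_t msg_end_checked(const char *digits, size_t body_off, size_t datalen)
{
    uint64_t clen = strtoull(digits, NULL, 10);

    if (body_off > datalen || clen > (uint64_t)(datalen - body_off))
        return 0;
    return body_off + (size_t)clen;
}

int main(void)
{
    /* Constructed sample: headers end at byte 100 of a 400-byte segment. */
    const char *declared = "4294967328"; /* 2^32 + 32, the page's value */

    printf("truncating: %zu\n", msg_end_truncating(declared, 100, 400));
    printf("checked:    %zu\n", msg_end_checked(declared, 100, 400));
    return 0;
}
```

In the truncating version the declared length collapses to 32, so the message is taken to end at byte 132 and the remaining 268 bytes of the segment are handed on as if they were a new message; the checked version rejects the length because it exceeds the data present.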

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: Apr 3, 2026, 5:26 PM
Updated: Apr 3, 2026, 5:26 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 5.3
remediation: 7.7
relevance: 5.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.