Linux Kernel IPTFS Inner IPv4 Header Validation Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in the Linux kernel's IPTFS (IP in IP Tunnel File System) implementation. The issue arises from the lack of proper validation of the inner IPv4 header length in decrypted IPTFS payloads. Specifically, a crafted ESP packet can be created with an inner IPv4 header that has a total length of zero. This malformed packet causes the kernel to enter an infinite loop, as the processing routine fails to advance the data offset, leading to a perpetual softirq context spin. The vulnerability affects the Linux kernel stable tree.
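The missing check described above, as an added example rather than the kernel's code or its actual patch: a simplified userspace C model that walks a buffer of back-to-back inner IPv4 packets and rejects any header whose total length is smaller than its header length, so the offset always advances. The function name, error constant and sample buffers are hypothetical, and the model assumes each inner packet lies wholly inside the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define INNER_MALFORMED (-1)   /* hypothetical error code for this model */
#define IPV4_MIN_HDR 20u       /* minimal IPv4 header length in bytes */

/* Count the inner IPv4 packets in buf; INNER_MALFORMED if any header is bad. */
int walk_inner_ipv4(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        const uint8_t *p = buf + off;
        size_t remaining = len - off;

        if (remaining < IPV4_MIN_HDR || (p[0] >> 4) != 4)
            return INNER_MALFORMED;

        size_t ihl = (size_t)(p[0] & 0x0f) * 4;       /* header length, bytes */
        size_t tot_len = ((size_t)p[2] << 8) | p[3];  /* network byte order */

        /* The check this advisory is about: tot_len == 0 would leave off
         * unchanged, and anything below ihl would under-advance it. */
        if (ihl < IPV4_MIN_HDR || tot_len < ihl || tot_len > remaining)
            return INNER_MALFORMED;

        off += tot_len;   /* tot_len >= 20 here, so every pass makes progress */
        count++;
    }
    return count;
}

/* Constructed sample: two header-only packets (tot_len = 20) back to back. */
static const uint8_t sample_ok[40] = { [0] = 0x45, [3] = 20, [20] = 0x45, [23] = 20 };
/* Constructed sample: the second inner header carries tot_len = 0. */
static const uint8_t sample_zero[40] = { [0] = 0x45, [3] = 20, [20] = 0x45, [23] = 0 };

int main(void)
{
    printf("valid payload: %d\n", walk_inner_ipv4(sample_ok, sizeof sample_ok));
    printf("zero tot_len:  %d\n", walk_inner_ipv4(sample_zero, sizeof sample_zero));
    return 0;
}
```

Without the `tot_len < ihl` test, the second sample would keep the loop at offset 20 forever, which is the spin the advisory describes.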

Impact

Exploitation of this vulnerability causes an infinite loop in the kernel's softirq context, disrupting normal processing and potentially leading to a denial-of-service condition.

Reproduction

To reproduce this vulnerability, send an ESP packet with a crafted inner IPv4 header that includes a total length of zero. This can be done by manipulating the packet's header fields to create a malformed packet that bypasses normal validation checks. Once the packet is received, the kernel will enter an infinite loop while processing the IPTFS payload, effectively causing a denial-of-service condition.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for downloading the patched version are available on the Linux Kernel Archives.

Added: Apr 22, 2026, 3:24 PM
Updated: Apr 22, 2026, 3:24 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 6.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.