Linux Kernel Nexthop Group Size Vulnerability in RTM_GETNEXTHOP

Vulnerability

A vulnerability in the Linux kernel's handling of nexthop objects affects queries for large nexthop groups via the RTM_GETNEXTHOP command. The kernel allocates a fixed-size socket buffer (skb) for the reply; this is adequate for small groups but insufficient for larger ones, such as a group containing 512 nexthops. Filling the reply for such a group triggers a kernel warning that the message size exceeds the allowed bound, indicating a potential risk of data loss or miscommunication.
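To make the size mismatch concrete, the following is an added example, not code from the page or from the kernel source. It models the netlink framing of a nexthop group reply and checks whether it fits a fixed buffer. The constants mirror the fixed public layouts of nlmsghdr (16 bytes), nlattr (4 bytes), nhmsg (8 bytes) and nexthop_grp (8 bytes per group entry); the 3776-byte buffer in main() is an assumption standing in for the kernel's fixed allocation on a 4 KiB-page system, and only the minimal attribute set is counted, so the computed size is a lower bound on what a real reply needs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Netlink framing constants. They mirror the fixed layouts in
 * <linux/netlink.h> and <linux/nexthop.h> so this builds anywhere:
 *   - struct nlmsghdr is 16 bytes, struct nlattr is 4 bytes,
 *   - headers and payloads are padded to 4-byte boundaries,
 *   - struct nhmsg (the RTM_*NEXTHOP header) is 8 bytes,
 *   - struct nexthop_grp (one NHA_GROUP entry: id, weight, reserved) is 8 bytes.
 */
#define NL_ALIGNTO        4u
#define NL_ALIGN(len)     ((((size_t)(len)) + NL_ALIGNTO - 1) & ~((size_t)NL_ALIGNTO - 1))
#define NLMSG_HDR_BYTES   16u
#define NLA_HDR_BYTES     4u
#define NHMSG_BYTES       8u
#define NEXTHOP_GRP_BYTES 8u

/* Size of one attribute (header + payload), padded the way the kernel pads it. */
static size_t nla_total_size(size_t payload)
{
    return NL_ALIGN(NLA_HDR_BYTES + payload);
}

/*
 * Bytes a minimal group reply needs:
 * nlmsghdr + nhmsg + NHA_ID (u32) + NHA_GROUP_TYPE (u16) + NHA_GROUP (entry array).
 * Real replies may carry further attributes, so this is a lower bound.
 */
size_t nexthop_group_reply_size(size_t n_entries)
{
    return NLMSG_HDR_BYTES
         + NL_ALIGN(NHMSG_BYTES)
         + nla_total_size(sizeof(uint32_t))               /* NHA_ID */
         + nla_total_size(sizeof(uint16_t))               /* NHA_GROUP_TYPE */
         + nla_total_size(n_entries * NEXTHOP_GRP_BYTES); /* NHA_GROUP */
}

/* True when the minimal reply for n_entries fits a buffer of buffer_bytes. */
bool reply_fits(size_t n_entries, size_t buffer_bytes)
{
    return nexthop_group_reply_size(n_entries) <= buffer_bytes;
}

/* Largest group whose minimal reply fits a given fixed buffer. */
size_t max_entries_that_fit(size_t buffer_bytes)
{
    size_t n = 0;
    while (reply_fits(n + 1, buffer_bytes))
        n++;
    return n;
}

int main(void)
{
    /* Assumed: roughly the kernel's fixed reply buffer on a 4 KiB-page x86_64 system. */
    const size_t fixed_skb_bytes = 3776;
    const size_t sizes[] = {8, 64, 466, 467, 512};

    printf("fixed buffer: %zu bytes, fits groups of up to %zu entries\n",
           fixed_skb_bytes, max_entries_that_fit(fixed_skb_bytes));
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        size_t need = nexthop_group_reply_size(sizes[i]);
        printf("%4zu entries -> %5zu bytes needed: %s\n", sizes[i], need,
               reply_fits(sizes[i], fixed_skb_bytes) ? "fits" : "EXCEEDS buffer");
    }
    return 0;
}
```

The conclusion for the 512-entry case does not depend on the exact buffer constant: the NHA_GROUP attribute alone is 4 + 512 * 8 = 4100 bytes, which already exceeds a single 4 KiB page, so any page-sized fixed allocation is too small. A reply buffer sized from the group's entry count, as this function does, is the shape of check the fix needs.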

Impact

The vulnerability can cause a denial of service by exceeding the message size limit, which disrupts normal operations and can lead to dropped or unprocessed messages.

Reproduction

The vulnerability cannot be reproduced using the iproute2 tool, as it currently imposes a limit on group size that prevents the command from executing successfully. However, the issue can be observed by manually sending a request that includes a large nexthop group, exceeding the fixed size allocation.

Remediation

Users can upgrade to the latest version of the Linux kernel, where this vulnerability has been addressed. Instructions for upgrading can be found in the official Linux kernel documentation.

Added: Apr 23, 2026, 12:22 PM
Updated: Apr 23, 2026, 12:22 PM

Vulnerability Rating

Custom Algorithm

  spread          9.0
  impact          2.5
  exploitability  4.3
  remediation     7.7
  relevance       6.5
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.