Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's TIPC (Transparent Inter-Process Communication) group protocol has been identified. The issue arises in the GRP_ACK_MSG handler, which incorrectly decrements the acknowledgment counter (bc_ackers) for each incoming group acknowledgment. This occurs even when the same member has already acknowledged the current broadcast round. Since bc_ackers is a 16-bit unsigned integer, a duplicate acknowledgment received after the last valid one wraps the counter to 65535. This wraparound leads to an incorrect congestion report, causing subsequent group broadcasts on the affected socket to remain blocked until the group is manually recreated. The vulnerability affects the Linux kernel stable tree.
The vulnerability can cause a denial of service by improperly blocking group broadcasts on affected sockets, leading to disrupted communication until the group is recreated.
To reproduce this issue, send duplicate group acknowledgment messages in a TIPC group broadcast scenario. Ensure that the acknowledgments are received after the last legitimate acknowledgment, causing the bc_ackers counter to wrap around. Once wrapped, the tipc_group_bc_cong() function will incorrectly report congestion, blocking further group broadcasts on the affected socket.
The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.
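The counter behaviour described above, modelled in user space as an added example; it is not kernel code and not the upstream patch. Only bc_ackers, its 16-bit unsigned width and the role of tipc_group_bc_cong() come from this advisory; the struct layout, the function names and the per-member acked flag are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model. Only bc_ackers and its u16 width come from the advisory. */
struct member { bool acked; };           /* hypothetical per-member round state */
struct group  { uint16_t bc_ackers; };   /* acks still outstanding this round */

/* Behaviour the advisory describes: every ack decrements, duplicates included. */
static void ack_rcv_unguarded(struct group *g, struct member *m)
{
    (void)m;
    --g->bc_ackers;                      /* 0 - 1 wraps to 65535 in a u16 */
}

/* Illustrative guard (assumption, not the upstream fix): one ack per member per round. */
static void ack_rcv_guarded(struct group *g, struct member *m)
{
    if (m->acked || g->bc_ackers == 0)
        return;                          /* duplicate or stray ack: ignore */
    m->acked = true;
    --g->bc_ackers;
}

/* Congestion test as the advisory describes it: any outstanding ack blocks sending. */
static bool bc_cong(const struct group *g) { return g->bc_ackers != 0; }

/* One round with two members, then a constructed duplicate ack from member 1. */
static struct group run(void (*rcv)(struct group *, struct member *))
{
    struct group g = { .bc_ackers = 2 };
    struct member m[2] = { { false }, { false } };

    rcv(&g, &m[0]);
    rcv(&g, &m[1]);                      /* last valid ack: counter reaches 0 */
    rcv(&g, &m[1]);                      /* duplicate arriving after the last valid ack */
    return g;
}

int main(void)
{
    struct group a = run(ack_rcv_unguarded), b = run(ack_rcv_guarded);

    printf("unguarded: bc_ackers=%u congested=%d\n", (unsigned)a.bc_ackers, bc_cong(&a));
    printf("guarded:   bc_ackers=%u congested=%d\n", (unsigned)b.bc_ackers, bc_cong(&b));
    return 0;
}
```

A socket whose group reports congestion while no broadcast round is in flight is the observable symptom to look for on unpatched kernels.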