Linux Kernel RxRPC RESPONSE Packet Handling Vulnerability During Service Challenge

A vulnerability in the Linux kernel's RxRPC implementation has been addressed. The issue involved improper handling of RESPONSE packets during the service challenge phase of the connection. Previously, RESPONSE packets could be processed after the connection had transitioned out of the challenging state, potentially leading to duplicate or delayed packets re-executing the connection setup process. The vulnerability has been fixed by ensuring that RESPONSE packets are only processed while the connection is still in the RXRPC_CONN_SERVICE_CHALLENGING state. The state is now properly checked under a lock before verifying the response and initializing security, preventing late RESPONSE packets from disrupting the connection management.

Impact

The vulnerability could have allowed for improper connection state management in RxRPC, potentially leading to security issues by allowing delayed or duplicate RESPONSE packets to interfere with the connection setup process.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The specific commit addressing this issue is available in the Linux kernel stable tree.