Linux Kernel Neighbour Discovery Option Parsing Vulnerability in Bridge Component

Vulnerability

A vulnerability exists in the Linux kernel's bridge component, specifically in the neighbour discovery (ND) option parsing of the 'br_nd_send' function. This function incorrectly assumes that ND options are always in the linear part of the packet. However, only the ICMPv6 header and target address are guaranteed to be available there, so the options can remain non-linear. Because of this incorrect assumption, the parser can access data beyond the end of the linear buffer. The vulnerability affects several versions of the Linux kernel.
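The condition described above, as an added user-space example (not kernel code and not the upstream fix): an ND option walker that reads every byte through a bounds-checked copy, so options that sit in a non-linear fragment are handled and truncated or zero-length options are rejected. The names `struct pkt`, `pkt_copy`, `nd_find_sllao` and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* User-space model: linear head plus one non-linear fragment (hypothetical type). */
struct pkt { const uint8_t *head; size_t head_len; const uint8_t *frag; size_t frag_len; };

/* Constructed sample: 24-byte NS header + target in the head, option in the fragment. */
static const uint8_t sample_head[24] = { 135 };
static const uint8_t sample_frag[8] = { 1, 1, 0x02, 0x00, 0x5e, 0x10, 0x00, 0x01 };
static const struct pkt sample = { sample_head, 24, sample_frag, 8 };

/* Bounds-checked copy that may cross the head/fragment boundary; -1 if out of range. */
static int pkt_copy(const struct pkt *p, size_t off, uint8_t *dst, size_t len)
{
    size_t total = p->head_len + p->frag_len;
    if (off > total || len > total - off)
        return -1;
    for (size_t i = 0; i < len; i++, off++)
        dst[i] = off < p->head_len ? p->head[off] : p->frag[off - p->head_len];
    return 0;
}

/* Find the source link-layer address option (type 1); length is in 8-octet units.
 * Returns 1 if found, 0 if absent, -1 if an option is malformed or truncated. */
static int nd_find_sllao(const struct pkt *p, size_t opt_off, uint8_t mac[6])
{
    size_t total = p->head_len + p->frag_len;
    while (opt_off < total) {
        uint8_t hdr[2];
        if (pkt_copy(p, opt_off, hdr, sizeof(hdr)) < 0)
            return -1;
        size_t optlen = (size_t)hdr[1] * 8;
        if (optlen == 0 || optlen > total - opt_off)
            return -1;               /* never trust the length byte on its own */
        if (hdr[0] == 1)
            return pkt_copy(p, opt_off + 2, mac, 6) < 0 ? -1 : 1;
        opt_off += optlen;
    }
    return 0;
}

int main(void)
{
    uint8_t mac[6];
    /* Options start at offset 24, entirely outside the linear head. */
    return nd_find_sllao(&sample, 24, mac) == 1 ? 0 : 1;
}
```

A parser that dereferenced `head + 24` directly would already be past the 24-byte linear part in this sample, which is the out-of-bounds read the advisory describes.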

Impact

The vulnerability can cause memory corruption by allowing the ND option parser to read data past the end of the linear buffer, potentially leading to undefined behavior or exploitation.

Reproduction

To reproduce this vulnerability, send a neighbour discovery packet with non-linear options to a bridge port that does not suppress ND packets. The 'br_nd_send' function will be called with the non-linear options, causing the parser to read past the end of the linear buffer.

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version.

Added: Apr 25, 2026, 9:21 AM
Updated: Apr 25, 2026, 9:21 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 6.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.