Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's SMB server component can lead to a denial-of-service condition by leaking active connection counts. The issue arises when the server's transport allocation fails, a scenario that can be triggered pre-authentication through any TCP connection to port 445. The vulnerability was reproduced in a user-mode Linux environment with a small number of forced allocation failures, after which the server rejected all subsequent connection attempts for the rest of the boot cycle. The root cause is that the server increments the active connection count before handling the allocation failure and never decrements it on that error path, so each failure permanently consumes a connection slot. Once the maximum connection limit is reached, the server rejects all new connections, a state that can only be cleared by reloading the SMB module.
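The accounting mistake described above, incrementing a connection counter before the allocation that backs it is known to have succeeded, is a general pattern worth seeing in isolation. The following is an added, self-contained C model of that pattern beside its corrected form; it is not the kernel's ksmbd code, and the struct names, the slot limit `MAX_CONNS`, and the fault injection via `fail_next_allocs` are all constructed for the example.

```c
/* Hypothetical model of a "count before allocate" accounting leak.
 * Not kernel code: every name and value here is constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_CONNS 4            /* constructed connection limit */

struct server {
    int active;                /* active connection count */
    int fail_next_allocs;      /* constructed fault injection counter */
};

struct transport { int fd; };

/* Simulated transport allocation: fails while fail_next_allocs > 0. */
static struct transport *alloc_transport(struct server *srv)
{
    if (srv->fail_next_allocs > 0) {
        srv->fail_next_allocs--;
        return NULL;
    }
    return calloc(1, sizeof(struct transport));
}

/* Buggy pattern: the slot is consumed before the allocation result is
 * known, and the error path returns without giving it back. */
bool accept_conn_buggy(struct server *srv, struct transport **out)
{
    if (srv->active >= MAX_CONNS)
        return false;          /* limit reached: connection rejected */
    srv->active++;             /* slot taken here ... */
    *out = alloc_transport(srv);
    if (!*out)
        return false;          /* ... and leaked on this path */
    return true;
}

/* Fixed pattern: account for the connection only once the transport
 * exists, so a failed allocation leaves the count untouched. */
bool accept_conn_fixed(struct server *srv, struct transport **out)
{
    if (srv->active >= MAX_CONNS)
        return false;
    *out = alloc_transport(srv);
    if (!*out)
        return false;          /* nothing was taken, nothing to undo */
    srv->active++;
    return true;
}

/* Inject `failures` allocation failures against one variant and return
 * how many slots remain consumed afterwards (0 means no leak). */
int leaked_slots_after_failures(
        bool (*accept)(struct server *, struct transport **),
        int failures)
{
    struct server srv = { .active = 0, .fail_next_allocs = failures };
    struct transport *t = NULL;
    for (int i = 0; i < failures; i++)
        accept(&srv, &t);      /* each call hits an injected failure */
    return srv.active;
}

/* Inject `failures` allocation failures, then report whether a normal
 * connection attempt is still accepted afterwards. */
bool still_accepts_after_failures(
        bool (*accept)(struct server *, struct transport **),
        int failures)
{
    struct server srv = { .active = 0, .fail_next_allocs = failures };
    struct transport *t = NULL;
    for (int i = 0; i < failures; i++)
        accept(&srv, &t);
    bool ok = accept(&srv, &t);
    if (ok) {                  /* tear down the successful connection */
        free(t);
        srv.active--;
    }
    return ok;
}

int main(void)
{
    printf("buggy: %d leaked slots, new connection %s\n",
           leaked_slots_after_failures(accept_conn_buggy, MAX_CONNS),
           still_accepts_after_failures(accept_conn_buggy, MAX_CONNS)
               ? "accepted" : "rejected");
    printf("fixed: %d leaked slots, new connection %s\n",
           leaked_slots_after_failures(accept_conn_fixed, MAX_CONNS),
           still_accepts_after_failures(accept_conn_fixed, MAX_CONNS)
               ? "accepted" : "rejected");
    return 0;
}
```

With `MAX_CONNS` injected failures the buggy variant has every slot consumed and rejects a perfectly normal connection that follows, which is the "rejects all subsequent connection attempts" state the advisory describes; the fixed variant reports zero leaked slots. The general rule the fix applies is that a resource counter is adjusted only on the path where the resource actually came into existence, or is unconditionally unwound on every error path after it was adjusted.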
Exploitation of this vulnerability causes the SMB server to reject new connection attempts after a certain threshold of allocation failures is reached, effectively denying service to users or applications trying to connect.
The vulnerability can be reproduced by initiating TCP connections to port 445 and holding those connections open with large RFC1002 lengths, which creates memory pressure and forces allocation failures. This can be done manually or through a script. Once a few allocation failures have been forced, the server begins rejecting all new connection attempts, and continues to do so even after the failure-inducing conditions have been removed.
Users can apply the patch included in the Linux kernel commit 283027aa93380380a0994f35dde3ec95318f2654 to address this vulnerability.