Linux Kernel Tunnel Traffic Handling Vulnerability on IPV6_CSUM GSO Fallback

A vulnerability in the Linux kernel's handling of tunneled traffic can lead to improper checksum offloading for IPv6 packets with extension headers. This issue affects the Linux kernel stable tree. The vulnerability arises because the NETIF_F_IPV6_CSUM feature only supports checksum offloading for packets without extension headers. When extension headers are present, packets must revert to software checksumming. However, this fallback is not correctly applied to tunneled packets, particularly those without an inner IP protocol, such as RFC 6951 SCTP in UDP, which do not conform to standard IPv6 header expectations.

Impact

Exploitation of this vulnerability can cause incorrect checksum handling, potentially leading to data corruption or transmission errors in networked applications.

Reproduction

The vulnerability can be reproduced by sending tunneled IPv6 packets with extension headers over a network interface that only supports IPv6 checksum offloading for packets without extensions. This can be done using protocols that encapsulate IPv6 traffic, such as SCTP over UDP, which bypass standard IPv6 header processing.

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.