Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability has been identified in the Linux kernel's L2TP (Layer 2 Tunneling Protocol) implementation, specifically in the UDP encapsulation of PPPoL2TP packets. Packet sizes are not properly validated, so an oversized packet can overflow the 16-bit UDP length field. The vulnerability exists in the upstream code and was exposed by a patch that added a debug warning for overflow checks. It can be reproduced by sending a large PPPoL2TP packet over UDP: the L2TP transmission core fails to handle it properly, and a truncated length value is sent out.
Exploitation of this vulnerability causes a UDP length overflow, where large packet sizes are incorrectly processed, potentially leading to unexpected behavior in packet handling.
The vulnerability can be reproduced by creating a socket for PPPoL2TP and another for IPv6 UDP. After establishing a connection, an oversized PPPoL2TP packet (approximately 0x34000 bytes) is sent through the UDP socket. The L2TP transmission function does not check for length overflows, allowing the packet to be transmitted with a corrupted length header.
The vulnerability has been addressed in the Linux kernel by adding a check to drop oversized packets before they are transmitted, preventing the UDP length overflow. Users should upgrade to the latest version of the Linux kernel where this patch has been applied.
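The length arithmetic described above, as an added user-space model that is not the kernel's own code: it shows how a payload of about 0x34000 bytes wraps when narrowed to the 16-bit UDP length field, beside a check that drops such packets. The function names and the 6-byte L2TP header size are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define UDP_HDR_LEN  8u       /* fixed UDP header size */
#define L2TP_HDR_LEN 6u       /* assumption: L2TPv2 data header without sequence numbers */
#define UDP_LEN_MAX  0xFFFFu  /* largest value the 16-bit UDP length field can hold */

/* Model of the unchecked path: the total is narrowed to 16 bits and the
 * high bits are silently discarded, so the header carries a wrong length. */
static uint16_t udp_len_unchecked(size_t payload_len)
{
    size_t total = UDP_HDR_LEN + L2TP_HDR_LEN + payload_len;
    return (uint16_t)total;
}

/* Model of the fixed path: refuse anything that does not fit the field.
 * Returns 0 and fills *field, or -1 meaning "drop the packet". The bound is
 * computed by subtraction so the comparison itself cannot wrap. */
static int udp_len_checked(size_t payload_len, uint16_t *field)
{
    if (payload_len > UDP_LEN_MAX - UDP_HDR_LEN - L2TP_HDR_LEN)
        return -1;
    *field = (uint16_t)(UDP_HDR_LEN + L2TP_HDR_LEN + payload_len);
    return 0;
}

int main(void)
{
    /* Constructed sample sizes: a normal frame, the largest that fits,
     * one byte too many, and the ~0x34000-byte case from the description. */
    const size_t samples[] = { 1400, 65521, 65522, 0x34000 };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint16_t field = 0;
        int rc = udp_len_checked(samples[i], &field);

        printf("payload=%zu unchecked=0x%04x checked=%s\n", samples[i],
               (unsigned)udp_len_unchecked(samples[i]), rc ? "drop" : "send");
    }
    return 0;
}
```

In this model the 0x34000-byte payload yields a header length that bears no relation to the bytes actually sent, which is the mismatch the kernel's added drop check prevents.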