Linux kernel
cpe:2.3:o:kernel:linux_kernel:*:*:*:*:*:*:* (and 4 further CPE entries)
A vulnerability in the Linux kernel's OpenVPN TCP stream handling has been addressed. The issue arose in the 'ovpn_tcp_recv' function, where large cloned socket buffers (skbs) from the TCP stream could contain multiple coalesced packets. This led to two main problems. First, a header offset overflow occurred when 'pskb_pull' was used with large offsets on coalesced skbs, which misaligned the network header and caused packet drops. Second, extracting packets from arbitrary positions in the coalesced TCP stream produced unaligned protocol headers, which hurt performance on architectures that do not handle unaligned access efficiently. In addition, OpenVPN's 2-byte length prefix on TCP packets misaligned the fields that follow it, further complicating packet processing. The fix allocates a new skb for each OpenVPN packet, copies only the relevant data while skipping the length prefix, and ensures proper alignment before forwarding packets to userspace. This fix also improved TCP throughput by up to 74%.
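The framing behaviour described above, modelled in userspace as an added example (this is not the kernel's ovpn code and makes no use of skb APIs): a byte array stands in for the coalesced receive buffer, each packet is assumed to carry a 2-byte big-endian length prefix, and the sample stream is constructed for the illustration. The walker copies every complete packet body into its own freshly allocated (and therefore suitably aligned) buffer, drops the prefix, stops at a trailing partial packet so the caller can keep those bytes, and rejects a zero-length frame. A second helper counts how many bodies would start at a 4-byte-misaligned offset if they were processed in place, which is the situation the fix avoids.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OVPN_TCP_LEN_PREFIX 2   /* OpenVPN-over-TCP length prefix, assumed big-endian */
#define MAX_PKTS 16

struct ovpn_pkt {
    uint8_t *data;   /* per-packet copy of the body, prefix stripped */
    size_t   len;
};

/* Release the per-packet buffers produced by ovpn_tcp_split(). */
void ovpn_pkts_free(struct ovpn_pkt *pkts, int n)
{
    for (int i = 0; i < n; i++)
        free(pkts[i].data);
}

/* Split a coalesced stream into one buffer per packet.
 * Returns the number of packets extracted, or -1 for malformed framing
 * (a zero-length frame). *consumed receives the bytes fully processed;
 * a trailing partial packet is deliberately left unconsumed. */
int ovpn_tcp_split(const uint8_t *stream, size_t len, struct ovpn_pkt *out,
                   size_t max_out, size_t *consumed)
{
    size_t off = 0;
    int n = 0;

    while ((size_t)n < max_out && len - off >= OVPN_TCP_LEN_PREFIX) {
        size_t plen = ((size_t)stream[off] << 8) | stream[off + 1];
        if (plen == 0) {                          /* malformed: empty frame */
            ovpn_pkts_free(out, n);
            *consumed = off;
            return -1;
        }
        if (len - off - OVPN_TCP_LEN_PREFIX < plen)
            break;                                /* partial packet: wait for more */
        out[n].data = malloc(plen);               /* fresh buffer, aligned for any header */
        if (!out[n].data)
            break;
        memcpy(out[n].data, stream + off + OVPN_TCP_LEN_PREFIX, plen);
        out[n].len = plen;
        off += OVPN_TCP_LEN_PREFIX + plen;
        n++;
    }
    *consumed = off;
    return n;
}

/* Number of complete packet bodies whose offset inside the coalesced buffer
 * is not a multiple of 4, i.e. headers that would be read unaligned if the
 * packets were parsed in place rather than copied out. */
int count_misaligned_bodies(const uint8_t *stream, size_t len)
{
    size_t off = 0;
    int bad = 0;

    while (len - off >= OVPN_TCP_LEN_PREFIX) {
        size_t plen = ((size_t)stream[off] << 8) | stream[off + 1];
        size_t body = off + OVPN_TCP_LEN_PREFIX;
        if (plen == 0 || len - body < plen)
            break;
        if (body % 4 != 0)
            bad++;
        off = body + plen;
    }
    return bad;
}

/* 4-byte alignment check on an extracted body pointer. */
int is_aligned4(const void *p)
{
    return ((uintptr_t)p & 3) == 0;
}

/* Constructed sample stream: three complete frames followed by a partial one. */
static const uint8_t sample[] = {
    0x00, 0x03, 0xAA, 0xBB, 0xCC,                    /* pkt 1: 3-byte body */
    0x00, 0x05, 0x01, 0x02, 0x03, 0x04, 0x05,        /* pkt 2: 5-byte body */
    0x00, 0x02, 0xDE, 0xAD,                          /* pkt 3: 2-byte body */
    0x00, 0x08, 0x11, 0x22,                          /* pkt 4: claims 8 bytes, only 2 arrived */
};

int main(void)
{
    struct ovpn_pkt pkts[MAX_PKTS];
    size_t consumed;
    int n = ovpn_tcp_split(sample, sizeof sample, pkts, MAX_PKTS, &consumed);

    printf("extracted %d packets, consumed %zu of %zu bytes\n", n, consumed, sizeof sample);
    printf("%d bodies would be misaligned if parsed in place\n",
           count_misaligned_bodies(sample, sizeof sample));
    for (int i = 0; i < n; i++)
        printf("pkt %d: len=%zu aligned4=%d\n", i, pkts[i].len, is_aligned4(pkts[i].data));
    ovpn_pkts_free(pkts, n);
    return 0;
}
```

The walker never advances past a frame whose body has not fully arrived, so the caller can prepend the unconsumed tail to the next receive buffer; the in-place counter shows that every body in the sample lands at an odd offset, which is exactly why per-packet copies are preferable to pulling headers at arbitrary offsets.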
The vulnerability could lead to packet processing errors, including drops and performance penalties due to misaligned protocol headers, especially on architectures sensitive to unaligned access.
The vulnerability can be reproduced by sending multiple coalesced TCP packets to an OpenVPN server running on a vulnerable Linux kernel. The 'ovpn_tcp_recv' function will process these packets incorrectly, leading to packet drops and performance issues.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.