Linux Kernel Netfilter nfnetlink_queue Unconfirmed Connection Tracking Check Vulnerability

Vulnerability

A regression in the Linux kernel's netfilter subsystem, in the nfnetlink_queue module that hands packets to user space through NFQUEUE, has been fixed. It affected queue listeners that had not enabled the queue's GSO flag (NFQA_CFG_F_GSO, the 'F_GSO' flag of the fix description). Without that flag the kernel segments a Generic Segmentation Offload (GSO) super-packet into individual packets before queueing them. The guard that refuses to queue a packet whose connection tracking entry is still unconfirmed, unless the packet is that entry's sole owner, was applied to the individual segments, after segmentation. Because every segment carries a reference to the same, still unconfirmed, conntrack entry, no segment owns it exclusively, so the guard rejected all of them and the whole super-packet was dropped instead of queued. The fix moves the check before segmentation, onto the unsegmented socket buffer (skb), which is still the entry's sole owner. In practice only UDP is affected: the first packet of a TCP connection, the one carrying the unconfirmed entry, is a bare SYN that Generic Receive Offload (GRO) does not aggregate, whereas the opening datagrams of a UDP flow can be merged by GRO into one GSO skb. The regression was reported by Ulrich Weber.
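The ordering problem described above, as an added user-space model written for this page (it is not kernel code and not the fix itself). The struct and function names are simplified stand-ins for the kernel's sk_buff and nf_conn handling, the guard is modelled as "unconfirmed entry and not the sole reference holder", and the segmentation helper only does what matters here: give every segment a reference to the shared conntrack entry. The regressed path runs the guard after segmentation, the fixed path runs it before, and the cloned-packet case shows that the fixed order still drops what the guard is meant to drop.

```c
/* Added example: user-space model of the nfnetlink_queue check ordering.
 * Not kernel code; all names below are simplified stand-ins. */
#include <stdbool.h>
#include <stdio.h>

#define MAX_SEGS 16

/* Stand-in for struct nf_conn: only the two fields the guard looks at. */
struct ct_entry {
    bool confirmed;        /* entry has been inserted into the conntrack table */
    unsigned int refcnt;   /* number of buffers referencing this entry */
};

/* Stand-in for struct sk_buff. */
struct skb {
    struct ct_entry *ct;   /* attached conntrack entry, NULL if untracked */
    unsigned int gso_segs; /* segments in a GSO super-packet; 1 for a plain packet */
};

/* Queue-time guard: a packet carrying an unconfirmed conntrack entry may only
 * be queued to user space if it is the entry's sole owner, otherwise another
 * owner could confirm or free the entry while the packet sits in the queue. */
static bool drop_unconfirmed_shared(const struct skb *s)
{
    if (!s->ct || s->ct->confirmed)
        return false;
    return s->ct->refcnt != 1;
}

/* Software segmentation of a GSO packet. Every segment takes its own
 * reference to the same conntrack entry, so afterwards nobody owns it alone. */
static int segment(const struct skb *gso, struct skb out[], int max)
{
    unsigned int n = gso->gso_segs;

    if (n == 0 || n > (unsigned int)max)
        return -1;
    for (unsigned int i = 0; i < n; i++) {
        out[i].ct = gso->ct;
        out[i].gso_segs = 1;
        if (gso->ct)
            gso->ct->refcnt++;
    }
    return (int)n;
}

/* Regressed order, taken when the listener did not request NFQA_CFG_F_GSO:
 * segment first, then run the guard on each segment.
 * Returns the number of segments handed to the queue. */
static int enqueue_regressed(struct skb *s)
{
    struct skb segs[MAX_SEGS];
    int n = segment(s, segs, MAX_SEGS);
    int queued = 0;

    if (n < 0)
        return -1;
    for (int i = 0; i < n; i++) {
        if (drop_unconfirmed_shared(&segs[i]))
            continue;      /* every segment fails here for an unconfirmed entry */
        queued++;
    }
    return queued;
}

/* Fixed order: run the guard on the unsegmented packet while it is still the
 * sole owner of the entry. With NFQA_CFG_F_GSO the whole GSO packet is queued
 * as one unit; without it, it is segmented afterwards. */
static int enqueue_fixed(struct skb *s, bool f_gso)
{
    struct skb segs[MAX_SEGS];

    if (drop_unconfirmed_shared(s))
        return 0;          /* genuinely shared unconfirmed entry: still dropped */
    if (f_gso)
        return 1;
    return segment(s, segs, MAX_SEGS);
}

int main(void)
{
    /* Constructed input: opening burst of a new UDP flow, merged by GRO into
     * one 4-segment GSO skb, conntrack entry created but not yet confirmed. */
    struct ct_entry fresh_a = { .confirmed = false, .refcnt = 1 };
    struct skb burst_a = { .ct = &fresh_a, .gso_segs = 4 };
    struct ct_entry fresh_b = { .confirmed = false, .refcnt = 1 };
    struct skb burst_b = { .ct = &fresh_b, .gso_segs = 4 };

    printf("regressed order: %d of 4 segments queued\n", enqueue_regressed(&burst_a));
    printf("fixed order:     %d of 4 segments queued\n", enqueue_fixed(&burst_b, false));
    return 0;
}
```

The model keeps the reference counts deliberately crude (segments are never freed), because the only thing that matters for the guard is that a segment is never the sole holder of the entry once segmentation has happened.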

Impact

Traffic steered to an affected queue loses packets: the opening datagrams of a UDP flow that GRO merged into one GSO skb never reach the user-space listener and are dropped instead of queued, which breaks those flows and whatever application protocol runs over them (a firewall, IDS or proxy built on NFQUEUE simply sees the traffic vanish). No memory corruption or privilege escalation is involved; the effect is loss of traffic, a denial of service for the affected flows.

Reproduction

Reproduction needs a kernel carrying the regression with connection tracking loaded, a firewall rule that sends UDP to an NFQUEUE queue from a hook that runs before the conntrack entry is confirmed (confirmation happens at the end of the packet's traversal, so an illustrative nftables rule such as udp dport 5000 queue num 0 in a forward or input chain is enough), a user-space listener on that queue that does not set NFQA_CFG_F_GSO, and incoming UDP traffic that the receive path aggregates with GRO (UDP GRO enabled on the ingress interface and a burst of datagrams to the same new flow). The first skb of the flow then carries an unconfirmed conntrack entry and is a GSO skb. On an affected kernel the listener never receives those datagrams and the flow's opening packets are lost; on a fixed kernel they are delivered as individual segments. Running the same test with NFQA_CFG_F_GSO set, or with GRO disabled on the interface, makes the packets arrive again and serves as a control.

Remediation

Update to a kernel that carries the fix from the Linux stable tree for your series. Until that is possible, queue listeners can side-step the regression by requesting the GSO flag on the queue (with libnetfilter_queue: nfq_set_queue_flags(qh, NFQA_CFG_F_GSO, NFQA_CFG_F_GSO)), since only listeners without that flag are affected; the kernel then hands over the unsegmented GSO packet, so the listener must be prepared to receive packets larger than the interface MTU.

Added: May 28, 2026, 2:26 AM
Updated: May 28, 2026, 2:26 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 9.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.