It is possible to cause a denial of service of the Linux kernel by sending a SCTP packet containing no chunks.
The Stream Control Transmission Protocol (SCTP, RFC 2960) is a transport layer protocol which provides reliable, sequential transport of message streams with congestion control. SCTP packets are made up of units of information refered to as chunks. Chunks consist of a chunk header and chunk-specific user data.
The netfilter SCTP connection tracking module contains a structure called sctp_packet which takes a variable called newconntrack as an argument. By sending a SCTP packet containing no chunks to a vulnerable system, a remote attacker can cause an unexpected value in the SCTP connection tracking module. Because the value of this variable is used to look up a pointer from an array of timeouts, if this variable contains an unexpected value an error will occur.
A remote attacker can cause a denial of service, affecting system availability.
This vulnerability was reported by George A. Theall.
This document was written by Joseph Pruszynski.
|Date First Published:||2006-07-14|
|Date Last Updated:||2006-07-17 18:45 UTC|