In the Linux kernel, the following vulnerability has been resolved: nfnetlink_osf: validate individual option lengths in fingerprints nfnl_osf_add_callback() validates opt_num bounds and string NUL-termination but does not check individual option length fields. A zero-length option causes nf_osf_match_one() to enter the option matching loop even when foptsize sums to zero, which matches packets with no TCP options where ctx->optp is NULL: Oops: general protection fault KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98) Call Trace: nf_osf_match (net/netfilter/nfnetlink_osf.c:227) xt_osf_match_packet (net/netfilter/xt_osf.c:32) ipt_do_table (net/ipv4/netfilter/ip_tables.c:293) nf_hook_slow (net/netfilter/core.c:623) ip_local_deliver (net/ipv4/ip_input.c:262) ip_rcv (net/ipv4/ip_input.c:573) Additionally, an MSS option (kind=2) with length < 4 causes out-of-bounds reads when nf_osf_match_one() unconditionally accesses optp[2] and optp[3] for MSS value extraction. While RFC 9293 section 3.2 specifies that the MSS option is always exactly 4 bytes (Kind=2, Length=4), the check uses "< 4" rather than "!= 4" because lengths greater than 4 do not cause memory safety issues -- the buffer is guaranteed to be at least foptsize bytes by the ctx->optsize == foptsize check. Reject fingerprints where any option has zero length, or where an MSS option has length less than 4, at add time rather than trusting these values in the packet matching hot path.
En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: nfnetlink_osf: validar longitudes de opciones individuales en huellas digitales nfnl_osf_add_callback() valida los límites de opt_num y la terminación NUL de cadena, pero no verifica los campos de longitud de opciones individuales. Una opción de longitud cero hace que nf_osf_match_one() entre en el bucle de coincidencia de opciones incluso cuando foptsize suma cero, lo que coincide con paquetes sin opciones TCP donde ctx->optp es NULL: Oops: fallo de protección general KASAN: desreferencia de puntero nulo en el rango [0x0000000000000000-0x0000000000000007] RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98) Traza de llamada: nf_osf_match (net/netfilter/nfnetlink_osf.c:227) xt_osf_match_packet (net/netfilter/xt_osf.c:32) ipt_do_table (net/ipv4/netfilter/ip_tables.c:293) nf_hook_slow (net/netfilter/core.c:623) ip_local_deliver (net/ipv4/ip_input.c:262) ip_rcv (net/ipv4/ip_input.c:573) Además, una opción MSS (tipo=2) con longitud < 4 causa lecturas fuera de límites cuando nf_osf_match_one() accede incondicionalmente a optp[2] y optp[3] para la extracción del valor MSS. Si bien la sección 3.2 de RFC 9293 especifica que la opción MSS es siempre exactamente de 4 bytes (Tipo=2, Longitud=4), la verificación usa '< 4' en lugar de '!= 4' porque las longitudes mayores que 4 no causan problemas de seguridad de la memoria -- el búfer está garantizado para ser de al menos foptsize bytes por la verificación ctx->optsize == foptsize. Rechazar huellas digitales donde cualquier opción tenga longitud cero, o donde una opción MSS tenga longitud menor que 4, en el momento de la adición en lugar de confiar en estos valores en la ruta crítica de coincidencia de paquetes.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | NONE |
| Availability Impact | HIGH |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
CWE-125
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| linux | linux_kernel | * | <built-in method update of dict object at 0x702ba7d66b80> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd6afa00> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd6ad540> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd12b580> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702ba7d66a80> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702ba7d67ac0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd6f4600> | Operating System |
| linux | linux_kernel | 2.6.31 | <built-in method update of dict object at 0x702bddc2e880> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdd6f6680> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702ba7d67080> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdc50f900> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdd6aeb80> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdd129580> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdc50efc0> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdd6af780> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:2.6.31:-:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:* |