Title: Linux kernel 2.6.38: Remote NULL pointer dereference
Release date: 11/05/2011
Last update: 11/05/2011
Credits:
Aristide Fattori, Università degli Studi di Milano (joystick (at) security.dico.unimi (dot) it)
Roberto Paleari, Emaze Networks S.p.A (roberto.paleari (at) emaze (dot) net)
[Vulnerability Information]
Class: Remote NULL pointer dereference
CVE:
[Affected Software]
We confirm the presence of this vulnerability in the following kernel versions:
- Linux kernel 2.6.38.6 (vanilla)
- Linux kernel 2.6.38.4 (vanilla)
- Linux kernel 2.6.38.3 (vanilla)
- Debian kernel image 2.6.38-2-686
Other Linux kernel versions could also be affected by this issue.
[Vulnerability Details]
In the function icmp_send() (net/ipv4/icmp.c), the parameter passed to the
dev_net() function is not properly validated. This can lead to a NULL pointer
dereference that crashes the kernel.
An attacker can exploit this bug to cause a DoS, either on a specific target or
on any 2.6.38.x machine connected to the local network. To cause the crash, the
attacker must flood the target with fragmented IPv4 packets. Important fields
in the IP packet are: