The udp6_ufo_fragment function in net/ipv6/udp_offload.c in the Linux kernel up to and including 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly perform a certain size comparison before inserting a fragment header, which allows remote malicious users to cause a denial of service (panic) via a large IPv6 UDP packet, as demonstrated by use of the Token Bucket Filter (TBF) queueing discipline.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
linux linux kernel |
||
canonical ubuntu linux 13.10 |
||
canonical ubuntu linux 12.04 |