The tcp_find_option function of the netfilter subsystem for IPv6 in the SUSE Linux 2.6.5 kernel with USAGI patches, when using iptables and TCP options rules, allows remote attackers to cause a denial of service (CPU consumption by infinite loop) via a large option length that produces a negative integer after a casting operation to the char type, a similar flaw to CVE-2004-0626.
Remote attackers can trigger a denial-of-service (DoS) condition on SUSE Linux systems running the 2.6.5 kernel with USAGI patches when an iptables/ip6tables rule matches on TCP options. The flaw sits in the IPv6 netfilter function tcp_find_option: a large TCP option length byte, cast to the signed char type, becomes a negative number, and using that value to advance the option scan leaves the scan in an infinite loop that consumes CPU and renders the system unresponsive.
Step 1: Packet Crafting: The attacker crafts an IPv6 packet carrying a TCP header whose option area contains an option with a length byte of 0x80 or higher. Such a value is positive on the wire but negative once it is read as a signed char.
Step 2: Packet Transmission: The attacker sends the crafted packet to the vulnerable SUSE Linux system.
Step 3: Netfilter Processing: The packet is delivered to the netfilter subsystem and, because a rule matches on TCP options, reaches the tcp_find_option function.
Step 4: Option Scan: tcp_find_option walks the option list, taking each option's length from the attacker-supplied length byte to locate the start of the next option.
Step 5: Sign Change: When the large length byte is handled as a char, it is interpreted as a negative value (-128 to -1) instead of the intended length of 128 to 255 bytes.
Step 6: Infinite Loop: The negative value is added to the scan offset, so the offset moves backwards, or wraps, instead of advancing toward the end of the option area. The loop's exit condition, reaching the end of the options, is never satisfied.
Step 7: CPU Exhaustion: Packet processing never returns from the loop; the CPU handling the packet spins indefinitely, which results in a denial of service and an unresponsive system.
The vulnerability lies within the tcp_find_option function of the IPv6 netfilter subsystem, specifically in how it parses TCP options when an iptables rule matches on them. A TCP option length is an 8-bit, non-negative quantity on the wire, but the function handles it through the char type, which is signed on common platforms such as x86; a length byte in the range 0x80 to 0xFF therefore becomes a negative number. That negative number is used to advance the scan offset, so the offset moves backwards and the loop never reaches the end of the option area. The root cause is thus a signedness error, the same pattern as CVE-2004-0626 in the IPv4 code, rather than an arithmetic overflow, combined with the absence of a sanity check on the length: nothing rejects a length that fails to move the scan forward or that extends past the option area. The natural fix is to treat the length as an unsigned byte (u_int8_t) and to stop the walk on any length below 2, which cannot even cover the kind and length bytes. Only rules that match on TCP options reach this code, so hosts without such a rule are not exposed through this path; hosts with one need the fixed kernel.
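The following user-space model is added here as an illustration; it is not taken from the SUSE or USAGI kernel source. It reconstructs the option walk described in Steps 4 to 6 and the fix implied by the root cause above. find_option_vulnerable holds the option bytes in a signed char array (the plain char of an x86 kernel build is signed; signed char is used so the demo behaves the same on every platform) and shows how a length byte of 0xFC, read as -4, sends the scan offset from 4 back to 0 for ever; a step counter caps the loop so the program terminates. find_option_fixed reads the length as an unsigned byte and rejects lengths below 2, so the offset can only advance. The option payloads, constants and function names are constructed for this example and are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative model (not the kernel's tcp_find_option) of a TCP option walk.
 * The option area is a sequence of kind/length/value records: kinds 0 (EOL)
 * and 1 (NOP) are one byte, every other kind is followed by a length byte
 * that counts the whole record, kind and length bytes included.
 */
#define MAX_TCP_OPTLEN 40     /* doff is 4 bits, so at most 60 - 20 option bytes */
#define SCAN_LIMIT     1000   /* demo only: cap a loop that would otherwise never end */
#define SCAN_STUCK     (-1)   /* returned by the vulnerable walk when the cap is hit */

/* Constructed sample payloads (not captured traffic). */
/* MSS 1460, then kind 3 with length byte 0xFC: read as a signed char that is -4. */
const uint8_t malicious_opts[] = { 2, 4, 0x05, 0xB4, 3, 0xFC, 1, 1 };
/* MSS 1460, NOP, window scale (kind 3, length 3, shift 7). */
const uint8_t benign_opts[]    = { 2, 4, 0x05, 0xB4, 1, 3, 3, 7 };

/*
 * Vulnerable walk: the option copy lives in a signed char array, standing in
 * for the x86 kernel's plain char.  A length byte >= 0x80 is sign-extended to
 * a negative int before being added to the unsigned offset i, which wraps the
 * offset backwards instead of advancing it.
 */
int find_option_vulnerable(uint8_t option, const uint8_t *raw, unsigned int optlen)
{
    signed char opt[MAX_TCP_OPTLEN];
    unsigned int i;
    int steps = 0;

    if (optlen > sizeof(opt))
        return 0;
    memcpy(opt, raw, optlen);

    for (i = 0; i < optlen; ) {
        if (++steps > SCAN_LIMIT)
            return SCAN_STUCK;                 /* the real loop never gets here */
        if ((uint8_t)opt[i] == option)
            return 1;
        if (opt[i] < 2) {                      /* EOL or NOP: single-byte option */
            i++;
            continue;
        }
        if (i + 1 >= optlen)                   /* kind byte with no length byte */
            return 0;
        i += opt[i + 1] ? opt[i + 1] : 1;      /* BUG: opt[i + 1] may be negative */
    }
    return 0;
}

/*
 * Hardened walk: the length is read as an unsigned byte, so it can only move
 * the offset forward, and a length below 2 (which could not cover the kind
 * and length bytes) ends the walk as malformed instead of being followed.
 */
int find_option_fixed(uint8_t option, const uint8_t *raw, unsigned int optlen)
{
    uint8_t opt[MAX_TCP_OPTLEN];
    unsigned int i;

    if (optlen > sizeof(opt))
        return 0;
    memcpy(opt, raw, optlen);

    for (i = 0; i < optlen; ) {
        uint8_t len;

        if (opt[i] == option)
            return 1;
        if (opt[i] < 2) {
            i++;
            continue;
        }
        if (i + 1 >= optlen)
            return 0;
        len = opt[i + 1];
        if (len < 2)
            return 0;                          /* malformed record: stop the walk */
        i += len;                              /* strictly increasing: always terminates */
    }
    return 0;
}

int main(void)
{
    int r = find_option_vulnerable(8, malicious_opts, sizeof(malicious_opts));
    printf("vulnerable walk, malicious options, kind 8: %s\n",
           r == SCAN_STUCK ? "stuck (offset cycles 0 -> 4 -> 0)" : "terminated");
    r = find_option_fixed(8, malicious_opts, sizeof(malicious_opts));
    printf("fixed walk, malicious options, kind 8: %d (terminates, not found)\n", r);
    r = find_option_fixed(3, benign_opts, sizeof(benign_opts));
    printf("fixed walk, benign options, kind 3: %d (found)\n", r);
    return 0;
}
```

Build with any C99 compiler (for example cc -std=c99 -Wall) and run; the first line of output reports that the vulnerable walk hit the step cap, which in the real code would be a CPU spinning in packet processing. Searching the malicious payload for kind 3 returns immediately in both variants, because the option is found before the bad length is ever consumed: the loop only hangs when the scan has to step past the poisoned record, which is why a rule matching on an option the attacker omits is what triggers it.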