A bug was found in the way headroom check was performed in udp6_ufo_fragment() function. A remote attacker could use this flaw to crash the system. Upstream patch: a9cf73ea7ff78f52662c8658d93c226effbbedde
Details (copied from 682066#c0): The kernel panic occurs if a bridge device is connected with physical NIC and UDP packets are transmitted via the bridge device. The kernel panic occurs when all the following conditions consist: - The kernel version is RHEL6(2.6.32-71.xx.el6). - The NETIF_F_HW_CSUM of the physical device connected with the bridge device is available. - The udp-fragmentation-offload function of the bridge device is available(ON). - The udp-fragmentation-offload function of the physical NIC is unavailable(OFF). - IPv6 protocol - The size of the UDP datagram exceeds MTU. (fragmentation is necessary)
Created kernel tracking bugs for this issue Affects: fedora-all [bug 755590]
Statement: This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5 as they did not provide support for UDP Fragmentation Offload (UFO) functionality. This has been addressed in Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-1465.html, and https://rhn.redhat.com/errata/RHSA-2012-0010.html.
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:1465 https://rhn.redhat.com/errata/RHSA-2011-1465.html
kernel-2.6.35.14-106.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: MRG for RHEL-6 v.2 Via RHSA-2012:0010 https://rhn.redhat.com/errata/RHSA-2012-0010.html