A new kernel vulnerability has been discovered—CVE-2023-42755—affecting the IPv4 Resource Reservation Protocol (RSVP) classifier in the Linux kernel. This flaw centers around the mismanagement of pointers in the rsvp_classify function and could allow a local user to crash the system. In this long-form post, we’ll break down how it works, explore the source with code snippets, show how an exploit may be crafted, and link out to key references.

1. What is the RSVP Classifier?

RSVP, or Resource Reservation Protocol, is a network protocol designed to reserve resources across a network. In Linux, it's supported by the kernel so that network applications can request guaranteed bandwidth.

The kernel implementation includes classifiers (like rsvp_classify) to handle packets. If there are bugs in how these packets (sk_buffs in Linux) are parsed, it can lead to memory errors.

2. The Vulnerability Explained (CVE-2023-42755)

- Summary: A pointer (xprt) can be moved past the "linear" part of a network buffer (skb), causing reading of memory outside the intended area.

Impact: Local users can trigger this to cause a kernel crash (Denial of Service).

- Attack Vector: Local. The attacker needs the ability to send specifically crafted network packets, possibly requiring local privileges.

3. Understanding the Code

The vulnerable code is in net/sched/cls_rsvp.c, specifically the rsvp_classify function. Here's a simplified, adapted snippet:

static int rsvp_classify(struct sk_buff *skb, const struct tcf_proto *tp, ...)
{
    struct iphdr *iph = ip_hdr(skb);

    /* ... part omitted ... */
    unsigned char *xprt = skb_network_header(skb) + ihl;

    /* Potential OOB Read: */
    xprt += 4; // Advance the pointer

    if (xprt > skb_tail_pointer(skb)) {
        // xprt is now past the end of the linear buffer!
        // Kernel may read out-of-bounds here
    }
    
    // Example usage (this can cause the OOB read):
    u8 proto = *xprt; // Dangerous if xprt is past skb
    /* ... part omitted ... */
}

The code adds an offset without enough checks: xprt += 4;

- If the data is not fully linear (common for large/skewed packets), xprt may end *past* the data.

Reading memory in this state (u8 proto = *xprt) causes an *out-of-bounds read*.

If the kernel reads memory that is not allocated or it hits unmapped pages, it will panic—meaning, the system will crash.

Impact

A local user can trigger this flaw by sending a *specifically crafted RSVP packet* to the local machine, if RSVP classifier support is enabled.

Craft a Packet: Build an IPv4 packet with the RSVP protocol header.

2. Manipulate skb: The payload size and fragmentation should be arranged so that part of the packet sits at the very end of the "linear" part of the buffer, and the RSVP classifier will try to advance the pointer past this.

Send: Deliver this packet, typically using a raw socket or similar privileged operation.

import socket

# Requires root privileges!

RSVP_PROTO = 46

sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)

# Build the IPv4 header manually and RSVP payload in such a way to challenge skb linear limits...

target_ip = '127...1'
payload = b'\x01\x02\x03\x04'  # RSVP header with correct length, then truncated

packet = ...  # Needs to be crafted to match the scenario

sock.sendto(packet, (target_ip, ))

Result: If timed and constructed perfectly, the kernel hits the OOB read and the *system crashes*.

> Note: Weaponizing this exploit requires deep knowledge of Linux network stack internals and the ability to send raw packets.

- Red Hat CVE Page: CVE-2023-42755
- Linux Kernel Patch: net: sched: cls_rsvp: Fix out-of-bounds read in rsvp_classify
- NVD CVE-2023-42755 Details
- Upstream Discussion: oss-security mailing list

Conclusion

CVE-2023-42755 is a classic but critical "pointer math" mistake in the Linux kernel’s RSVP classifier. While it "just" causes a crash, not remote code execution, it’s still a tangible denial-of-service threat. It’s a great example of how even obscure protocols can become a risk, especially in multi-user environments like servers and shared workstations.

Stay safe—keep your kernel up to date and audit unused kernel modules!

Timeline

Published on: 10/05/2023 19:15:11 UTC
Last modified on: 11/07/2023 04:21:14 UTC