Problem Description:
Each fragment of an IPv6 packet contains a fragment header which
specifies the offset of the fragment relative to the original packet,
and each fragment specifies its length in the IPv6 header. When
reassembling the packet, the kernel calculates the complete IPv6 payload
length. The payload length must fit into a 16-bit field in the IPv6
header.
Due to a bug in the kernel, a set of carefully crafted packets can
trigger an integer overflow in the calculation of the reassembled
packet's payload length field.
Impact:
Once an IPv6 packet has been reassembled, the kernel continues
processing its contents. It does so assuming that the fragmentation
layer has validated all fields of the constructed IPv6 header. This bug
violates such assumptions and can be exploited to trigger a remote
kernel panic, resulting in a denial of service.