In the Linux kernel, the following vulnerability has been resolved: l2tp: pass correct message length to ip6_append_data l2tp_ip6_sendmsg needs to avoid accounting for the transport header twice when splicing more data into an already partially-occupied skbuff. To manage this, we check whether the skbuff contains data using skb_queue_empty when deciding how much data to append using ip6_append_data. However, the code which performed the calculation was incorrect: ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0; ...due to C operator precedence, this ends up setting ulen to transhdrlen for messages with a non-zero length, which results in corrupted packets on the wire. Add parentheses to correct the calculation in line with the original intent.
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-04-03T17:00:37.340Z

Updated: 2024-12-19T08:46:29.156Z

Reserved: 2024-02-19T14:20:24.169Z

Link: CVE-2024-26752

cve-icon Vulnrichment

Updated: 2024-08-02T00:14:13.330Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-04-03T17:15:51.910

Modified: 2024-11-21T09:02:59.473

Link: CVE-2024-26752

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-04-03T00:00:00Z

Links: CVE-2024-26752 - Bugzilla