In the Linux kernel, the following vulnerability has been resolved:
l2tp: pass correct message length to ip6_append_data
l2tp_ip6_sendmsg needs to avoid accounting for the transport header
twice when splicing more data into an already partially-occupied skbuff.
To manage this, we check whether the skbuff contains data using
skb_queue_empty when deciding how much data to append using
ip6_append_data.
However, the code which performed the calculation was incorrect:
ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;
...due to C operator precedence, this ends up setting ulen to
transhdrlen for messages with a non-zero length, which results in
corrupted packets on the wire.
Add parentheses to correct the calculation in line with the original
intent.
Metrics
Affected Vendors & Products
References
History
Fri, 22 Nov 2024 12:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Tue, 05 Nov 2024 10:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
MITRE
Status: PUBLISHED
Assigner: Linux
Published: 2024-04-03T17:00:37.340Z
Updated: 2024-12-19T08:46:29.156Z
Reserved: 2024-02-19T14:20:24.169Z
Link: CVE-2024-26752
Vulnrichment
Updated: 2024-08-02T00:14:13.330Z
NVD
Status : Awaiting Analysis
Published: 2024-04-03T17:15:51.910
Modified: 2024-11-21T09:02:59.473
Link: CVE-2024-26752
Redhat