CVE-2024-26752
EPSS: 0.04 % (14th)
Advisories: 18
NVD Status: Awaiting Analysis
In the Linux kernel, the following vulnerability has been resolved:

l2tp: pass correct message length to ip6_append_data

l2tp_ip6_sendmsg needs to avoid accounting for the transport header
twice when splicing more data into an already partially-occupied skbuff.

To manage this, we check whether the skbuff contains data using
skb_queue_empty when deciding how much data to append using
ip6_append_data.

However, the code which performed the calculation was incorrect:

    ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;

...due to C operator precedence, this ends up setting ulen to
transhdrlen for messages with a non-zero length, which results in
corrupted packets on the wire.

Add parentheses to correct the calculation in line with the original
intent.
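
The precedence error described above, shown beside the parenthesised form, as an added example that is not part of the advisory or the kernel source. The function names, the `queue_empty` flag standing in for `skb_queue_empty(&sk->sk_write_queue)`, and the sample lengths (100-byte payload, 4-byte transport header) are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * queue_empty models skb_queue_empty(&sk->sk_write_queue):
 * 1 = no data queued yet, 0 = the skbuff is already partially occupied.
 */

/* The advisory's line, "ulen = len + queue_empty ? transhdrlen : 0;",
 * written with the grouping the compiler actually applies: '+' binds
 * tighter than '?:', so the sum becomes the condition. */
size_t ulen_buggy(size_t len, int queue_empty, size_t transhdrlen)
{
    return (len + (size_t)queue_empty) ? transhdrlen : 0;
}

/* Intended calculation: count the transport header only on the first
 * append, and always count the payload length. */
size_t ulen_fixed(size_t len, int queue_empty, size_t transhdrlen)
{
    return len + (queue_empty ? transhdrlen : 0);
}

int main(void)
{
    /* Constructed sample values, not taken from the kernel source. */
    const size_t transhdrlen = 4;
    const size_t lens[] = { 0, 100 };

    printf("%5s %11s %6s %6s\n", "len", "queue_empty", "buggy", "fixed");
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        for (int empty = 1; empty >= 0; empty--) {
            printf("%5zu %11d %6zu %6zu\n", lens[i], empty,
                   ulen_buggy(lens[i], empty, transhdrlen),
                   ulen_fixed(lens[i], empty, transhdrlen));
        }
    }
    return 0;
}
```

For any non-zero `len` the first form returns `transhdrlen` regardless of the queue state, so the length handed on no longer reflects the payload.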
- CVE Status: PUBLISHED
- NVD Status: Awaiting Analysis
- CNA: kernel.org
- Published Date: 2024-04-03 17:15:51 (5 months ago)
- Updated Date: 2024-06-27 12:15:20 (2 months ago)