CVE-2024-26752 | THREATINT

Description

In the Linux kernel, the following vulnerability has been resolved: l2tp: pass correct message length to ip6_append_data l2tp_ip6_sendmsg needs to avoid accounting for the transport header twice when splicing more data into an already partially-occupied skbuff. To manage this, we check whether the skbuff contains data using skb_queue_empty when deciding how much data to append using ip6_append_data. However, the code which performed the calculation was incorrect: ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0; ...due to C operator precedence, this ends up setting ulen to transhdrlen for messages with a non-zero length, which results in corrupted packets on the wire. Add parentheses to correct the calculation in line with the original intent.

PUBLISHED Reserved 2024-02-19 | Published 2024-04-03 | Updated 2025-05-04 | Assigner Linux

Product status

Default status

unaffected

559d697c5d072593d22b3e0bd8b8081108aeaf59 (git) before 4c3ce64bc9d36ca9164dd6c77ff144c121011aae

affected

1fc793d68d50dee4782ef2e808913d5dd880bcc6 (git) before c1d3a84a67db910ce28a871273c992c3d7f9efb5

affected

96b2e1090397217839fcd6c9b6d8f5d439e705ed (git) before dcb4d14268595065c85dc5528056713928e17243

affected

cd1189956393bf850b2e275e37411855d3bd86bb (git) before 0da15a70395182ee8cb75716baf00dddc0bea38d

affected

f6a7182179c0ed788e3755ee2ed18c888ddcc33f (git) before 13cd1daeea848614e585b2c6ecc11ca9c8ab2500

affected

9d4c75800f61e5d75c1659ba201b6c0c7ead3070 (git) before 804bd8650a3a2bf3432375f8c97d5049d845ce56

affected

9d4c75800f61e5d75c1659ba201b6c0c7ead3070 (git) before 83340c66b498e49353530e41542500fc8a4782d6

affected

9d4c75800f61e5d75c1659ba201b6c0c7ead3070 (git) before 359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79

affected

7626b9fed53092aa2147978070e610ecb61af844 (git)

affected

fe80658c08e3001c80c5533cd41abfbb0e0e28fd (git)

affected

Default status

affected

6.6

affected

Any version before 6.6

unaffected

4.19.308 (semver)

unaffected

5.4.270 (semver)

unaffected

5.10.211 (semver)

unaffected

5.15.150 (semver)

unaffected

6.1.80 (semver)

unaffected

6.6.19 (semver)

unaffected

6.7.7 (semver)

unaffected

6.8 (original_commit_for_fix)

unaffected

References

git.kernel.org/...c/4c3ce64bc9d36ca9164dd6c77ff144c121011aae

git.kernel.org/...c/c1d3a84a67db910ce28a871273c992c3d7f9efb5

git.kernel.org/...c/dcb4d14268595065c85dc5528056713928e17243

git.kernel.org/...c/0da15a70395182ee8cb75716baf00dddc0bea38d

git.kernel.org/...c/13cd1daeea848614e585b2c6ecc11ca9c8ab2500

git.kernel.org/...c/804bd8650a3a2bf3432375f8c97d5049d845ce56

git.kernel.org/...c/83340c66b498e49353530e41542500fc8a4782d6

git.kernel.org/...c/359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79

lists.debian.org/debian-lts-announce/2024/06/msg00017.html

lists.debian.org/debian-lts-announce/2024/06/msg00020.html

git.kernel.org/...c/4c3ce64bc9d36ca9164dd6c77ff144c121011aae

git.kernel.org/...c/c1d3a84a67db910ce28a871273c992c3d7f9efb5

git.kernel.org/...c/dcb4d14268595065c85dc5528056713928e17243

git.kernel.org/...c/0da15a70395182ee8cb75716baf00dddc0bea38d

git.kernel.org/...c/13cd1daeea848614e585b2c6ecc11ca9c8ab2500

git.kernel.org/...c/804bd8650a3a2bf3432375f8c97d5049d845ce56

git.kernel.org/...c/83340c66b498e49353530e41542500fc8a4782d6

git.kernel.org/...c/359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79

cve.org (CVE-2024-26752)

nvd.nist.gov (CVE-2024-26752)

Download JSON

help @ threatint.eu