5.5

CVE-2024-26752

l2tp: pass correct message length to ip6_append_data

In the Linux kernel, the following vulnerability has been resolved:

l2tp: pass correct message length to ip6_append_data

l2tp_ip6_sendmsg needs to avoid accounting for the transport header
twice when splicing more data into an already partially-occupied skbuff.

To manage this, we check whether the skbuff contains data using
skb_queue_empty when deciding how much data to append using
ip6_append_data.

However, the code which performed the calculation was incorrect:

     ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;

...due to C operator precedence, this ends up setting ulen to
transhdrlen for messages with a non-zero length, which results in
corrupted packets on the wire.

Add parentheses to correct the calculation in line with the original
intent.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 4.19.296 < 4.19.308
LinuxLinux Kernel Version >= 5.4.258 < 5.4.270
LinuxLinux Kernel Version >= 5.10.198 < 5.10.211
LinuxLinux Kernel Version >= 5.15.135 < 5.15.150
LinuxLinux Kernel Version >= 6.1.57 < 6.1.80
LinuxLinux Kernel Version >= 6.6 < 6.6.19
LinuxLinux Kernel Version >= 6.7 < 6.7.7
LinuxLinux Kernel Version4.14.327
LinuxLinux Kernel Version6.5.7
LinuxLinux Kernel Version6.8 Updaterc1
LinuxLinux Kernel Version6.8 Updaterc2
LinuxLinux Kernel Version6.8 Updaterc3
LinuxLinux Kernel Version6.8 Updaterc4
LinuxLinux Kernel Version6.8 Updaterc5
DebianDebian Linux Version10.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.25% 0.162
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-131 Incorrect Calculation of Buffer Size

The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.

https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
Mailing List
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
Mailing List
https://git.kernel.org/stable/c/0da15a70395182ee8cb75716baf00dddc0bea38d
Patch
https://git.kernel.org/stable/c/13cd1daeea848614e585b2c6ecc11ca9c8ab2500
Patch
https://git.kernel.org/stable/c/359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79
Patch
https://git.kernel.org/stable/c/4c3ce64bc9d36ca9164dd6c77ff144c121011aae
Patch
https://git.kernel.org/stable/c/804bd8650a3a2bf3432375f8c97d5049d845ce56
Patch
https://git.kernel.org/stable/c/83340c66b498e49353530e41542500fc8a4782d6
Patch
https://git.kernel.org/stable/c/c1d3a84a67db910ce28a871273c992c3d7f9efb5
Patch
https://git.kernel.org/stable/c/dcb4d14268595065c85dc5528056713928e17243
Patch