Total vulnerabilities in the database
In the Linux kernel, the following vulnerability has been resolved:
l2tp: pass correct message length to ip6_append_data
l2tp_ip6_sendmsg needs to avoid accounting for the transport header twice when splicing more data into an already partially-occupied skbuff.
To manage this, we check whether the skbuff contains data using skb_queue_empty when deciding how much data to append using ip6_append_data.
However, the code which performed the calculation was incorrect:
ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;
...due to C operator precedence, this ends up setting ulen to transhdrlen for messages with a non-zero length, which results in corrupted packets on the wire.
Add parentheses to correct the calculation in line with the original intent.
| Software | From | Fixed in |
|---|---|---|
| linux / linux_kernel | 6.8-rc1 | 6.8-rc1.x |
| linux / linux_kernel | 6.8-rc3 | 6.8-rc3.x |
| linux / linux_kernel | 6.8-rc4 | 6.8-rc4.x |
| linux / linux_kernel | 6.8-rc2 | 6.8-rc2.x |
| linux / linux_kernel | 6.8-rc5 | 6.8-rc5.x |
| linux / linux_kernel | 6.7 | 6.7.7 |
| linux / linux_kernel | 4.19.296 | 4.19.308 |
| linux / linux_kernel | 5.4.258 | 5.4.270 |
| linux / linux_kernel | 5.10.198 | 5.10.211 |
| linux / linux_kernel | 5.15.135 | 5.15.150 |
| linux / linux_kernel | 6.1.57 | 6.1.80 |
| linux / linux_kernel | 6.6 | 6.6.19 |
| linux / linux_kernel | 4.14.327 | 4.14.327.x |
| linux / linux_kernel | 6.5.7 | 6.5.7.x |
| debian / debian_linux | 10.0 | 10.0.x |