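Vulnerability Title
l2tp: pass correct message length to ip6_append_data
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved:
l2tp: pass correct message length to ip6_append_data
l2tp_ip6_sendmsg needs to avoid accounting for the transport header twice when splicing more data into an already partially-occupied sk_buff.
To manage this, we check whether the sk_buff contains data using skb_queue_empty when deciding how much data to append using ip6_append_data.
However, the code which performed the calculation was incorrect: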
ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;
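...due to C operator precedence, this ends up setting ulen to transhdrlen for messages with a non-zero length, which results in corrupted packets on the wire.
Add parentheses to correct the calculation in line with the original intent.
CVSS Information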
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Vulnerability Category
Out-of-bounds Write
Vulnerability Title
l2tp: pass correct message length to ip6_append_data
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved:
l2tp: pass correct message length to ip6_append_data
l2tp_ip6_sendmsg needs to avoid accounting for the transport header
twice when splicing more data into an already partially-occupied skbuff.
To manage this, we check whether the skbuff contains data using
skb_queue_empty when deciding how much data to append using
ip6_append_data.
However, the code which performed the calculation was incorrect:
ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;
...due to C operator precedence, this ends up setting ulen to
transhdrlen for messages with a non-zero length, which results in
corrupted packets on the wire.
Add parentheses to correct the calculation in line with the original
intent.
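The precedence problem described above, as an added example that is not kernel code: a user-space C sketch comparing the expression as quoted with the parenthesized form the description calls for. The function names, the `queue_empty` flag standing in for `skb_queue_empty(&sk->sk_write_queue)`, and the sample lengths and `transhdrlen` value are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* The calculation as quoted in the description. queue_empty (0 or 1) is a
 * stand-in for skb_queue_empty(&sk->sk_write_queue). '+' binds tighter than
 * '?:', so this parses as (len + queue_empty) ? transhdrlen : 0. */
static size_t ulen_as_written(size_t len, int queue_empty, size_t transhdrlen)
{
    return len + queue_empty ? transhdrlen : 0;
}

/* The intended calculation: count the transport header only when the write
 * queue is empty, i.e. when nothing has been queued for this packet yet. */
static size_t ulen_intended(size_t len, int queue_empty, size_t transhdrlen)
{
    return len + (queue_empty ? transhdrlen : 0);
}

/* Runs both forms over constructed inputs and returns how many disagree. */
static int count_mismatches(size_t transhdrlen)
{
    /* Constructed sample inputs: payload length and queue state. */
    static const struct { size_t len; int empty; } cases[] = {
        { 0, 1 }, { 0, 0 }, { 100, 1 }, { 100, 0 }, { 1400, 0 },
    };
    int bad = 0;

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        size_t got = ulen_as_written(cases[i].len, cases[i].empty, transhdrlen);
        size_t want = ulen_intended(cases[i].len, cases[i].empty, transhdrlen);

        printf("len=%4zu empty=%d as_written=%4zu intended=%4zu%s\n",
               cases[i].len, cases[i].empty, got, want,
               got != want ? "  <-- wrong length" : "");
        if (got != want)
            bad++;
    }
    return bad;
}

int main(void)
{
    /* transhdrlen = 4 is a constructed sample value. */
    return count_mismatches(4) == 3 ? 0 : 1;
}
```

Only the zero-length cases agree; every non-zero `len` collapses to `transhdrlen` regardless of the queue state, which matches the corrupted lengths the description reports.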
CVSS Information
N/A
Vulnerability Category
N/A
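Vulnerability Title
Linux kernel security vulnerability
Vulnerability Description
Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation (USA). The Linux kernel contains a security vulnerability that stems from an incorrect message length being passed.
CVSS Information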
N/A
Vulnerability Category
Other