{"id":"CVE-2017-1000112","details":"Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption. In case UFO packet length exceeds MTU, copy = maxfraglen - skb-\u003elen becomes negative on the non-UFO path and the branch to allocate new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev-\u003elen - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in IPv6 code. The bug was introduced in e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\") on Oct 18 2005.","modified":"2026-03-15T22:13:03.269139Z","published":"2017-10-05T01:29:04.477Z","related":["MGASA-2017-0278","MGASA-2017-0279","MGASA-2017-0287","MGASA-2017-0288","MGASA-2017-0296","MGASA-2017-0309","SUSE-SU-2017:2131-1","SUSE-SU-2017:2142-1","SUSE-SU-2017:2150-1","SUSE-SU-2017:2286-1","SUSE-SU-2017:2423-1","SUSE-SU-2017:2424-1","SUSE-SU-2017:2436-1","SUSE-SU-2017:2437-1","SUSE-SU-2017:2438-1","SUSE-SU-2017:2438-2","SUSE-SU-2017:2439-1","SUSE-SU-2017:2440-1","SUSE-SU-2017:2441-1","SUSE-SU-2017:2442-1","SUSE-SU-2017:2443-1","SUSE-SU-2017:2446-1","SUSE-SU-2017:2447-1","SUSE-SU-2017:2448-1","SUSE-SU-2017:2454-1","SUSE-SU-2017:2455-1","SUSE-SU-2017:2456-1","SUSE-SU-2017:2457-1","SUSE-SU-2017:2458-1","SUSE-SU-2017:2464-1","SUSE-SU-2017:2465-1","SUSE-SU-2017:2467-1","SUSE-SU-2017:2469-1","SUSE-SU-2017:2471-1","SUSE-SU-2017:2472-1","SUSE-SU-2017:2473-1","SUSE-SU-2017:2474-1","SUSE-SU-2017:2475-1","SUSE-SU-2017:2476-1","SUSE-SU-2017:2497-1","SUSE-SU-2017:2498-1","SUSE-SU-2017:2499-1","SUSE-SU-2017:2500-1","SUSE-SU-2017:2506-1","SUSE-SU-2017:2508-1","SUSE-SU-2017:2509-1","SUSE-SU-2017:2510-1","SUSE-SU-2017:2511-1","SUSE-SU-2017:2525-1","SUSE-SU-2017:2694-1","SUSE-SU-2017:2775-1","SUSE-SU-2017:2791-1","SUSE-SU-2017:2813-1","SUSE-SU-2017:2956-1","SUSE-SU-2017:3265-1"],"references":[{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1039162"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:2930"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:2931"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:1931"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:1932"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:2918"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3200"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:4159"},{"type":"ADVISORY","url":"https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-1000112"},{"type":"ADVISORY","url":"https://www.exploit-db.com/exploits/45147/"},{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-3981"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/100262"},{"type":"FIX","url":"http://seclists.org/oss-sec/2017/q3/277"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-1000112.json","unresolved_ranges":[{"events":[{"introduced":"2.6.15"},{"fixed":"3.10.108"}]},{"events":[{"introduced":"3.11"},{"fixed":"3.16.47"}]},{"events":[{"introduced":"3.17"},{"fixed":"3.18.65"}]},{"events":[{"introduced":"3.19"},{"fixed":"4.4.82"}]},{"events":[{"introduced":"4.5"},{"fixed":"4.9.43"}]},{"events":[{"introduced":"4.10"},{"fixed":"4.12.7"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}