{"id":"CVE-2024-26752","summary":"l2tp: pass correct message length to ip6_append_data","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: pass correct message length to ip6_append_data\n\nl2tp_ip6_sendmsg needs to avoid accounting for the transport header\ntwice when splicing more data into an already partially-occupied skbuff.\n\nTo manage this, we check whether the skbuff contains data using\nskb_queue_empty when deciding how much data to append using\nip6_append_data.\n\nHowever, the code which performed the calculation was incorrect:\n\n     ulen = len + skb_queue_empty(&sk-\u003esk_write_queue) ? transhdrlen : 0;\n\n...due to C operator precedence, this ends up setting ulen to\ntranshdrlen for messages with a non-zero length, which results in\ncorrupted packets on the wire.\n\nAdd parentheses to correct the calculation in line with the original\nintent.","modified":"2026-04-02T10:05:47.425295Z","published":"2024-04-03T17:00:37.340Z","related":["SUSE-SU-2024:1979-1","SUSE-SU-2024:1983-1","SUSE-SU-2024:2184-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26752.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0da15a70395182ee8cb75716baf00dddc0bea38d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/13cd1daeea848614e585b2c6ecc11ca9c8ab2500"},{"type":"WEB","url":"https://git.kernel.org/stable/c/359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4c3ce64bc9d36ca9164dd6c77ff144c121011aae"},{"type":"WEB","url":"https://git.kernel.org/stable/c/804bd8650a3a2bf3432375f8c97d5049d845ce56"},{"type":"WEB","url":"https://git.kernel.org/stable/c/83340c66b498e49353530e41542500fc8a4782d6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c1d3a84a67db910ce28a871273c992c3d7f9efb5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dcb4d14268595065c85dc5528056713928e17243"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26752.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26752"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"559d697c5d072593d22b3e0bd8b8081108aeaf59"},{"fixed":"4c3ce64bc9d36ca9164dd6c77ff144c121011aae"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"1fc793d68d50dee4782ef2e808913d5dd880bcc6"},{"fixed":"c1d3a84a67db910ce28a871273c992c3d7f9efb5"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"96b2e1090397217839fcd6c9b6d8f5d439e705ed"},{"fixed":"dcb4d14268595065c85dc5528056713928e17243"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"cd1189956393bf850b2e275e37411855d3bd86bb"},{"fixed":"0da15a70395182ee8cb75716baf00dddc0bea38d"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"f6a7182179c0ed788e3755ee2ed18c888ddcc33f"},{"fixed":"13cd1daeea848614e585b2c6ecc11ca9c8ab2500"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"9d4c75800f61e5d75c1659ba201b6c0c7ead3070"},{"fixed":"804bd8650a3a2bf3432375f8c97d5049d845ce56"},{"fixed":"83340c66b498e49353530e41542500fc8a4782d6"},{"fixed":"359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"7626b9fed53092aa2147978070e610ecb61af844"},{"last_affected":"fe80658c08e3001c80c5533cd41abfbb0e0e28fd"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26752.json"}}],"schema_version":"1.7.5"}