{"id":"CVE-2024-35841","summary":"net: tls, fix WARNIING in __sk_msg_free","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tls, fix WARNIING in __sk_msg_free\n\nA splice with MSG_SPLICE_PAGES will cause tls code to use the\ntls_sw_sendmsg_splice path in the TLS sendmsg code to move the user\nprovided pages from the msg into the msg_pl. This will loop over the\nmsg until msg_pl is full, checked by sk_msg_full(msg_pl). The user\ncan also set the MORE flag to hint stack to delay sending until receiving\nmore pages and ideally a full buffer.\n\nIf the user adds more pages to the msg than can fit in the msg_pl\nscatterlist (MAX_MSG_FRAGS) we should ignore the MORE flag and send\nthe buffer anyways.\n\nWhat actually happens though is we abort the msg to msg_pl scatterlist\nsetup and then because we forget to set 'full record' indicating we\ncan no longer consume data without a send we fallthrough to the 'continue'\npath which will check if msg_data_left(msg) has more bytes to send and\nthen attempts to fit them in the already full msg_pl. Then next\niteration of sender doing send will encounter a full msg_pl and throw\nthe warning in the syzbot report.\n\nTo fix simply check if we have a full_record in splice code path and\nif not send the msg regardless of MORE flag.","modified":"2026-04-02T11:51:16.894756Z","published":"2024-05-17T14:27:31.822Z","related":["SUSE-SU-2024:2135-1","SUSE-SU-2024:2203-1","SUSE-SU-2024:2973-1","SUSE-SU-2025:20008-1","SUSE-SU-2025:20028-1","SUSE-SU-2025:20166-1","SUSE-SU-2025:20249-1","USN-6818-2","USN-6819-2"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/35xxx/CVE-2024-35841.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/02e368eb1444a4af649b73cbe2edd51780511d86"},{"type":"WEB","url":"https://git.kernel.org/stable/c/294e7ea85f34748f04e5f3f9dba6f6b911d31aa8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dc9dfc8dc629e42f2234e3327b75324ffc752bc9"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/35xxx/CVE-2024-35841.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35841"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"fe1e81d4f73b6cbaed4fcc476960d26770642842"},{"fixed":"02e368eb1444a4af649b73cbe2edd51780511d86"},{"fixed":"294e7ea85f34748f04e5f3f9dba6f6b911d31aa8"},{"fixed":"dc9dfc8dc629e42f2234e3327b75324ffc752bc9"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-35841.json"}}],"schema_version":"1.7.5"}