PT-2023-9463 · Linux · Linux Kernel

Published: 2023-10-01 · Updated: 2025-01-13 · CVE-2023-52527

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified)
Description: The issue lies in the handling of transhdrlen in the ip{,6}_append_data() functions. Including transhdrlen in the length is a problem when the packet is partially filled, because the transport header is then repeated or accounted for twice. This can happen under certain circumstances, such as splicing into an L2TP socket. The symptom observed is a warning in ip6_append_data() that fires when MSG_SPLICE_PAGES is used to append more data to an already partially occupied skbuff. The warning triggers because 'copy' is larger than the amount of data in the message iterator: the requested length includes the transport header length when it should not. The condition can be reproduced by, for example, creating a socket with AF_INET6, SOCK_DGRAM and IPPROTO_L2TP, binding it to ::1, connecting to ::1 port 7, sending data with MSG_MORE, and then sending a file with sendfile(). The fix is to add transhdrlen into the length only when the write queue is empty in l2tp_ip6_sendmsg(), as UDP already does.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
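As an added illustration (constructed for this entry, not kernel code and not part of the advisory), a small C model of the accounting the description refers to: the vulnerable rule that adds transhdrlen on every sendmsg call beside the fixed rule that adds it only when the write queue is empty, plus the check that fires the warning when the second, spliced send is accounted against a partially filled packet. The sock_model structure and the byte sizes are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the length accounting described above; it is not
 * kernel code. Only the bookkeeping relevant to the bug is modelled. */
struct sock_model {
    size_t write_queue_bytes; /* payload already queued by an earlier MSG_MORE send */
    size_t transhdrlen;       /* L2TP transport header the sendmsg path adds */
};

/* Vulnerable accounting: the header length is added on every sendmsg call,
 * including one that only appends to an already partially filled skbuff. */
static size_t ulen_vulnerable(const struct sock_model *sk, size_t len)
{
    return len + sk->transhdrlen;
}

/* Fixed accounting (the UDP-style rule from the advisory): the header is
 * counted only when the write queue is empty. */
static size_t ulen_fixed(const struct sock_model *sk, size_t len)
{
    return len + (sk->write_queue_bytes == 0 ? sk->transhdrlen : 0);
}

/* Model of the ip6_append_data() sanity check: with MSG_SPLICE_PAGES the
 * requested copy length must not exceed the bytes the message iterator
 * actually holds. Returns true if the warning would fire. */
static bool splice_would_warn(size_t requested_len, size_t iter_bytes)
{
    return requested_len > iter_bytes;
}

/* Two-step sequence from the advisory: send with MSG_MORE, then splice a
 * file (sendfile()) into the same partially filled packet. Returns true if
 * the second step hits the warning under the chosen accounting. */
static bool run_sequence(bool fixed, size_t first_bytes, size_t file_bytes)
{
    struct sock_model sk = { .write_queue_bytes = 0, .transhdrlen = 8 }; /* assumed sizes */
    size_t (*ulen)(const struct sock_model *, size_t) = fixed ? ulen_fixed : ulen_vulnerable;

    /* Step 1: the queue is empty, so both variants correctly count the header. */
    sk.write_queue_bytes += ulen(&sk, first_bytes);

    /* Step 2: the iterator holds only the file bytes; the header is already queued. */
    return splice_would_warn(ulen(&sk, file_bytes), file_bytes);
}
```

Under the vulnerable rule the second step requests file_bytes + transhdrlen from an iterator holding only file_bytes, which is exactly the condition the warning reports; the fixed rule requests file_bytes and passes.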

Exploit

Buffer Overflow


Weakness Enumeration

Related Identifiers

BDU:2024-07799
CVE-2023-52527
SUSE-SU-2024:1979-1
SUSE-SU-2024:1983-1
SUSE-SU-2024:2184-1
USN-7028-1
USN-7028-2
USN-7039-1

Affected Products

Astra Linux
Linux Kernel
Red Os
Suse
Ubuntu