CVE-2024-36016

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified)

Description: The issue is related to a possible out-of-bounds condition in the gsm0 receive() function. This can occur when side A configures the n gsm in basic option mode, and side B sends a header with a data length of 1, then side A switches to advanced option mode, and side B sends 2 data bytes that exceed gsm->len. The reason for this is that gsm->len is not used in advanced option mode. Additionally, when side A switches back to basic option mode, and side B continues sending data, gsm0 receive() can write past gsm->buf because neither gsm->state nor gsm->len has been reset after reconfiguration. The fix involves changing the comparison from equal to less than for gsm->count and gsm->len, and adding upper limit checks against the constant MAX MRU in gsm0 receive() and gsm1 receive() to prevent memory corruption of gsm->len and gsm->mru.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.