CVE-2024-45016
- Source
- https://cve.org/CVERecord?id=CVE-2024-45016
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-45016.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-45016
- Downstream
- Related
- Published
- 2024-09-11T15:13:52.053Z
- Modified
- 2026-03-20T12:38:57.610236Z
- Summary
- netem: fix return value if duplicate enqueue fails
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
netem: fix return value if duplicate enqueue fails
There is a bug in netemenqueue() introduced by commit 5845f706388a ("net: netem: fix skb length BUGON in __skbtosgvec") that can lead to a use-after-free.
This commit made netemenqueue() always return NETXMITSUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlennotify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR.
There are two ways for the bug happen:
- If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped.
- If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped.
In both cases NETXMITSUCCESS is returned even though no packets are enqueued at the netem qdisc.
The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NETXMITSUCCESS.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/45xxx/CVE-2024-45016.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/0486d31dd8198e22b63a4730244b38fffce6d469
- https://git.kernel.org/stable/c/52d99a69f3d556c6426048c9d481b912205919d8
- https://git.kernel.org/stable/c/577d6c0619467fe90f7e8e57e45cb5bd9d936014
- https://git.kernel.org/stable/c/759e3e8c4a6a6b4e52ebc4547123a457f0ce90d4
- https://git.kernel.org/stable/c/c07ff8592d57ed258afee5a5e04991a48dbaf382
- https://git.kernel.org/stable/c/c414000da1c2ea1ba9a5e5bb1a4ba774e51e202d
- https://git.kernel.org/stable/c/e5bb2988a310667abed66c7d3ffa28880cf0f883
- https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/45xxx/CVE-2024-45016.json
- https://nvd.nist.gov/vuln/detail/CVE-2024-45016
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced5845f706388a4cde0f6b80f9e5d33527e942b7d9Fixed759e3e8c4a6a6b4e52ebc4547123a457f0ce90d4Fixedc414000da1c2ea1ba9a5e5bb1a4ba774e51e202dFixed52d99a69f3d556c6426048c9d481b912205919d8Fixed0486d31dd8198e22b63a4730244b38fffce6d469Fixed577d6c0619467fe90f7e8e57e45cb5bd9d936014Fixede5bb2988a310667abed66c7d3ffa28880cf0f883Fixedc07ff8592d57ed258afee5a5e04991a48dbaf382
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affecteda550a01b8af856f2684b0f79d552f5119eb5006cLast affected009510a90e230bb495f3fe25c7db956679263b07Last affected4de7d30668cb8b06330992e1cd336f91700a2ce7Last affectedd1dd2e15c85e890a1cc9bde5ba07ae63331e5c73Last affected0148fe458b5705e2fea7cb88294fed7e36066ca2