CVE-2024-49940
- Source
- https://cve.org/CVERecord?id=CVE-2024-49940
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-49940.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-49940
- Downstream
- Related
- Published
- 2024-10-21T18:01:59.668Z
- Modified
- 2026-05-15T04:10:09.246019378Z
- Summary
- l2tp: prevent possible tunnel refcount underflow
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
l2tp: prevent possible tunnel refcount underflow
When a session is created, it sets a backpointer to its tunnel. When the session refcount drops to 0, l2tpsessionfree drops the tunnel refcount if session->tunnel is non-NULL. However, session->tunnel is set in l2tpsessioncreate, before the tunnel refcount is incremented by l2tpsessionregister, which leaves a small window where session->tunnel is non-NULL when the tunnel refcount hasn't been bumped.
Moving the assignment to l2tpsessionregister is trivial but l2tpsessioncreate calls l2tpsessionsetheaderlen which uses session->tunnel to get the tunnel's encap. Add an encap arg to l2tpsessionsetheaderlen to avoid using session->tunnel.
If l2tpv3 sessions have colliding IDs, it is possible for l2tpv3sessionget to race with l2tpsession_register and fetch a session which doesn't yet have session->tunnel set. Add a check for this case.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49940.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/24256415d18695b46da06c93135f5b51c548b950
- https://git.kernel.org/stable/c/f7415e60c25a6108cd7955a20b2e66b6251ffe02
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49940.json
- https://nvd.nist.gov/vuln/detail/CVE-2024-49940
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git