CVE-2024-49940

When a session is created, it sets a backpointer to its tunnel. When the session refcount drops to 0, l2tpsessionfree drops the tunnel refcount if session->tunnel is non-NULL. However, session->tunnel is set in l2tpsessioncreate, before the tunnel refcount is incremented by l2tpsessionregister, which leaves a small window where session->tunnel is non-NULL when the tunnel refcount hasn't been bumped.

Moving the assignment to l2tpsessionregister is trivial but l2tpsessioncreate calls l2tpsessionsetheaderlen which uses session->tunnel to get the tunnel's encap. Add an encap arg to l2tpsessionsetheaderlen to avoid using session->tunnel.

If l2tpv3 sessions have colliding IDs, it is possible for l2tpv3sessionget to race with l2tpsession_register and fetch a session which doesn't yet have session->tunnel set. Add a check for this case.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49940.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

3953ae7b218df4d1e544b98a393666f9ae58a78c

Fixed

f7415e60c25a6108cd7955a20b2e66b6251ffe02

Fixed

24256415d18695b46da06c93135f5b51c548b950

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

b102bfc2a90d14f342580285782a9a51c74f7369

Last affected

10c15ddabbcf888922adbdd44ca3fecf6eab19d9

Last affected

8d1c650d452c53fcb3f02a7b1d772741639f89a4

Last affected

12b5fb58ac993c24210cf8cbc72d407d3a4e6490

Last affected

aef37401b467a0b1a9517c69924a1d66937e0789

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-49940.json"