CVE-2024-49948

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: add more sanity checks to qdisc_pkt_len_init()<br /> <br /> One path takes care of SKB_GSO_DODGY, assuming<br /> skb-&gt;len is bigger than hdr_len.<br /> <br /> virtio_net_hdr_to_skb() does not fully dissect TCP headers,<br /> it only make sure it is at least 20 bytes.<br /> <br /> It is possible for an user to provide a malicious &amp;#39;GSO&amp;#39; packet,<br /> total length of 80 bytes.<br /> <br /> - 20 bytes of IPv4 header<br /> - 60 bytes TCP header<br /> - a small gso_size like 8<br /> <br /> virtio_net_hdr_to_skb() would declare this packet as a normal<br /> GSO packet, because it would see 40 bytes of payload,<br /> bigger than gso_size.<br /> <br /> We need to make detect this case to not underflow<br /> qdisc_skb_cb(skb)-&gt;pkt_len.