CVE-2025-38622 (GCVE-0-2025-38622)
Vulnerability from cvelistv5
Published
2025-08-22 16:00
Modified
2025-08-28 14:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: drop UFO packets in udp_rcv_segment()
When sending a packet with virtio_net_hdr to tun device, if the gso_type
in virtio_net_hdr is SKB_GSO_UDP and the gso_size is less than udphdr
size, below crash may happen.
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:4572!
Oops: invalid opcode: 0000 [#1] SMP NOPTI
CPU: 0 UID: 0 PID: 62 Comm: mytest Not tainted 6.16.0-rc7 #203 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:skb_pull_rcsum+0x8e/0xa0
Code: 00 00 5b c3 cc cc cc cc 8b 93 88 00 00 00 f7 da e8 37 44 38 00 f7 d8 89 83 88 00 00 00 48 8b 83 c8 00 00 00 5b c3 cc cc cc cc <0f> 0b 0f 0b 66 66 2e 0f 1f 84 00 000
RSP: 0018:ffffc900001fba38 EFLAGS: 00000297
RAX: 0000000000000004 RBX: ffff8880040c1000 RCX: ffffc900001fb948
RDX: ffff888003e6d700 RSI: 0000000000000008 RDI: ffff88800411a062
RBP: ffff8880040c1000 R08: 0000000000000000 R09: 0000000000000001
R10: ffff888003606c00 R11: 0000000000000001 R12: 0000000000000000
R13: ffff888004060900 R14: ffff888004050000 R15: ffff888004060900
FS: 000000002406d3c0(0000) GS:ffff888084a19000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000040 CR3: 0000000004007000 CR4: 00000000000006f0
Call Trace:
<TASK>
udp_queue_rcv_one_skb+0x176/0x4b0 net/ipv4/udp.c:2445
udp_queue_rcv_skb+0x155/0x1f0 net/ipv4/udp.c:2475
udp_unicast_rcv_skb+0x71/0x90 net/ipv4/udp.c:2626
__udp4_lib_rcv+0x433/0xb00 net/ipv4/udp.c:2690
ip_protocol_deliver_rcu+0xa6/0x160 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x72/0x90 net/ipv4/ip_input.c:233
ip_sublist_rcv_finish+0x5f/0x70 net/ipv4/ip_input.c:579
ip_sublist_rcv+0x122/0x1b0 net/ipv4/ip_input.c:636
ip_list_rcv+0xf7/0x130 net/ipv4/ip_input.c:670
__netif_receive_skb_list_core+0x21d/0x240 net/core/dev.c:6067
netif_receive_skb_list_internal+0x186/0x2b0 net/core/dev.c:6210
napi_complete_done+0x78/0x180 net/core/dev.c:6580
tun_get_user+0xa63/0x1120 drivers/net/tun.c:1909
tun_chr_write_iter+0x65/0xb0 drivers/net/tun.c:1984
vfs_write+0x300/0x420 fs/read_write.c:593
ksys_write+0x60/0xd0 fs/read_write.c:686
do_syscall_64+0x50/0x1c0 arch/x86/entry/syscall_64.c:63
</TASK>
To trigger gso segment in udp_queue_rcv_skb(), we should also set option
UDP_ENCAP_ESPINUDP to enable udp_sk(sk)->encap_rcv. When the encap_rcv
hook return 1 in udp_queue_rcv_one_skb(), udp_csum_pull_header() will try
to pull udphdr, but the skb size has been segmented to gso size, which
leads to this crash.
Previous commit cf329aa42b66 ("udp: cope with UDP GRO packet misdirection")
introduces segmentation in UDP receive path only for GRO, which was never
intended to be used for UFO, so drop UFO packets in udp_rcv_segment().
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: cf329aa42b6659204fee865bbce0ea20462552eb Version: cf329aa42b6659204fee865bbce0ea20462552eb Version: cf329aa42b6659204fee865bbce0ea20462552eb Version: cf329aa42b6659204fee865bbce0ea20462552eb Version: cf329aa42b6659204fee865bbce0ea20462552eb Version: cf329aa42b6659204fee865bbce0ea20462552eb Version: cf329aa42b6659204fee865bbce0ea20462552eb Version: cf329aa42b6659204fee865bbce0ea20462552eb Version: cf329aa42b6659204fee865bbce0ea20462552eb |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/udp.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "72f97d3cb791e26492236b2be7fd70d2c6222555",
"status": "affected",
"version": "cf329aa42b6659204fee865bbce0ea20462552eb",
"versionType": "git"
},
{
"lessThan": "df6ad849d59256dcc0e2234844ef9f0daf885f5c",
"status": "affected",
"version": "cf329aa42b6659204fee865bbce0ea20462552eb",
"versionType": "git"
},
{
"lessThan": "4c1022220b1b6fea802175e80444923a3bbf93a5",
"status": "affected",
"version": "cf329aa42b6659204fee865bbce0ea20462552eb",
"versionType": "git"
},
{
"lessThan": "791f32c5eab33ca3a153f8f6f763aa0df1ddc320",
"status": "affected",
"version": "cf329aa42b6659204fee865bbce0ea20462552eb",
"versionType": "git"
},
{
"lessThan": "0d45954034f8edd6d4052e0190d3d6335c37e4de",
"status": "affected",
"version": "cf329aa42b6659204fee865bbce0ea20462552eb",
"versionType": "git"
},
{
"lessThan": "c0ec2e47f1e92d69b42b17a4a1e543256778393e",
"status": "affected",
"version": "cf329aa42b6659204fee865bbce0ea20462552eb",
"versionType": "git"
},
{
"lessThan": "fc45b3f9599b657d4a64bcf423d2a977b3e13a49",
"status": "affected",
"version": "cf329aa42b6659204fee865bbce0ea20462552eb",
"versionType": "git"
},
{
"lessThan": "0c639c6479ec4480372901a5fc566f7588cf5522",
"status": "affected",
"version": "cf329aa42b6659204fee865bbce0ea20462552eb",
"versionType": "git"
},
{
"lessThan": "d46e51f1c78b9ab9323610feb14238d06d46d519",
"status": "affected",
"version": "cf329aa42b6659204fee865bbce0ea20462552eb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/udp.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17-rc1",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: drop UFO packets in udp_rcv_segment()\n\nWhen sending a packet with virtio_net_hdr to tun device, if the gso_type\nin virtio_net_hdr is SKB_GSO_UDP and the gso_size is less than udphdr\nsize, below crash may happen.\n\n ------------[ cut here ]------------\n kernel BUG at net/core/skbuff.c:4572!\n Oops: invalid opcode: 0000 [#1] SMP NOPTI\n CPU: 0 UID: 0 PID: 62 Comm: mytest Not tainted 6.16.0-rc7 #203 PREEMPT(voluntary)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n RIP: 0010:skb_pull_rcsum+0x8e/0xa0\n Code: 00 00 5b c3 cc cc cc cc 8b 93 88 00 00 00 f7 da e8 37 44 38 00 f7 d8 89 83 88 00 00 00 48 8b 83 c8 00 00 00 5b c3 cc cc cc cc \u003c0f\u003e 0b 0f 0b 66 66 2e 0f 1f 84 00 000\n RSP: 0018:ffffc900001fba38 EFLAGS: 00000297\n RAX: 0000000000000004 RBX: ffff8880040c1000 RCX: ffffc900001fb948\n RDX: ffff888003e6d700 RSI: 0000000000000008 RDI: ffff88800411a062\n RBP: ffff8880040c1000 R08: 0000000000000000 R09: 0000000000000001\n R10: ffff888003606c00 R11: 0000000000000001 R12: 0000000000000000\n R13: ffff888004060900 R14: ffff888004050000 R15: ffff888004060900\n FS: 000000002406d3c0(0000) GS:ffff888084a19000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000020000040 CR3: 0000000004007000 CR4: 00000000000006f0\n Call Trace:\n \u003cTASK\u003e\n udp_queue_rcv_one_skb+0x176/0x4b0 net/ipv4/udp.c:2445\n udp_queue_rcv_skb+0x155/0x1f0 net/ipv4/udp.c:2475\n udp_unicast_rcv_skb+0x71/0x90 net/ipv4/udp.c:2626\n __udp4_lib_rcv+0x433/0xb00 net/ipv4/udp.c:2690\n ip_protocol_deliver_rcu+0xa6/0x160 net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x72/0x90 net/ipv4/ip_input.c:233\n ip_sublist_rcv_finish+0x5f/0x70 net/ipv4/ip_input.c:579\n ip_sublist_rcv+0x122/0x1b0 net/ipv4/ip_input.c:636\n ip_list_rcv+0xf7/0x130 net/ipv4/ip_input.c:670\n __netif_receive_skb_list_core+0x21d/0x240 net/core/dev.c:6067\n netif_receive_skb_list_internal+0x186/0x2b0 net/core/dev.c:6210\n napi_complete_done+0x78/0x180 net/core/dev.c:6580\n tun_get_user+0xa63/0x1120 drivers/net/tun.c:1909\n tun_chr_write_iter+0x65/0xb0 drivers/net/tun.c:1984\n vfs_write+0x300/0x420 fs/read_write.c:593\n ksys_write+0x60/0xd0 fs/read_write.c:686\n do_syscall_64+0x50/0x1c0 arch/x86/entry/syscall_64.c:63\n \u003c/TASK\u003e\n\nTo trigger gso segment in udp_queue_rcv_skb(), we should also set option\nUDP_ENCAP_ESPINUDP to enable udp_sk(sk)-\u003eencap_rcv. When the encap_rcv\nhook return 1 in udp_queue_rcv_one_skb(), udp_csum_pull_header() will try\nto pull udphdr, but the skb size has been segmented to gso size, which\nleads to this crash.\n\nPrevious commit cf329aa42b66 (\"udp: cope with UDP GRO packet misdirection\")\nintroduces segmentation in UDP receive path only for GRO, which was never\nintended to be used for UFO, so drop UFO packets in udp_rcv_segment()."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:44:17.002Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/72f97d3cb791e26492236b2be7fd70d2c6222555"
},
{
"url": "https://git.kernel.org/stable/c/df6ad849d59256dcc0e2234844ef9f0daf885f5c"
},
{
"url": "https://git.kernel.org/stable/c/4c1022220b1b6fea802175e80444923a3bbf93a5"
},
{
"url": "https://git.kernel.org/stable/c/791f32c5eab33ca3a153f8f6f763aa0df1ddc320"
},
{
"url": "https://git.kernel.org/stable/c/0d45954034f8edd6d4052e0190d3d6335c37e4de"
},
{
"url": "https://git.kernel.org/stable/c/c0ec2e47f1e92d69b42b17a4a1e543256778393e"
},
{
"url": "https://git.kernel.org/stable/c/fc45b3f9599b657d4a64bcf423d2a977b3e13a49"
},
{
"url": "https://git.kernel.org/stable/c/0c639c6479ec4480372901a5fc566f7588cf5522"
},
{
"url": "https://git.kernel.org/stable/c/d46e51f1c78b9ab9323610feb14238d06d46d519"
}
],
"title": "net: drop UFO packets in udp_rcv_segment()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38622",
"datePublished": "2025-08-22T16:00:31.343Z",
"dateReserved": "2025-04-16T04:51:24.029Z",
"dateUpdated": "2025-08-28T14:44:17.002Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-38622\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-08-22T16:15:35.603\",\"lastModified\":\"2025-08-28T15:15:56.197\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: drop UFO packets in udp_rcv_segment()\\n\\nWhen sending a packet with virtio_net_hdr to tun device, if the gso_type\\nin virtio_net_hdr is SKB_GSO_UDP and the gso_size is less than udphdr\\nsize, below crash may happen.\\n\\n ------------[ cut here ]------------\\n kernel BUG at net/core/skbuff.c:4572!\\n Oops: invalid opcode: 0000 [#1] SMP NOPTI\\n CPU: 0 UID: 0 PID: 62 Comm: mytest Not tainted 6.16.0-rc7 #203 PREEMPT(voluntary)\\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\\n RIP: 0010:skb_pull_rcsum+0x8e/0xa0\\n Code: 00 00 5b c3 cc cc cc cc 8b 93 88 00 00 00 f7 da e8 37 44 38 00 f7 d8 89 83 88 00 00 00 48 8b 83 c8 00 00 00 5b c3 cc cc cc cc \u003c0f\u003e 0b 0f 0b 66 66 2e 0f 1f 84 00 000\\n RSP: 0018:ffffc900001fba38 EFLAGS: 00000297\\n RAX: 0000000000000004 RBX: ffff8880040c1000 RCX: ffffc900001fb948\\n RDX: ffff888003e6d700 RSI: 0000000000000008 RDI: ffff88800411a062\\n RBP: ffff8880040c1000 R08: 0000000000000000 R09: 0000000000000001\\n R10: ffff888003606c00 R11: 0000000000000001 R12: 0000000000000000\\n R13: ffff888004060900 R14: ffff888004050000 R15: ffff888004060900\\n FS: 000000002406d3c0(0000) GS:ffff888084a19000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 0000000020000040 CR3: 0000000004007000 CR4: 00000000000006f0\\n Call Trace:\\n \u003cTASK\u003e\\n udp_queue_rcv_one_skb+0x176/0x4b0 net/ipv4/udp.c:2445\\n udp_queue_rcv_skb+0x155/0x1f0 net/ipv4/udp.c:2475\\n udp_unicast_rcv_skb+0x71/0x90 net/ipv4/udp.c:2626\\n __udp4_lib_rcv+0x433/0xb00 net/ipv4/udp.c:2690\\n ip_protocol_deliver_rcu+0xa6/0x160 net/ipv4/ip_input.c:205\\n ip_local_deliver_finish+0x72/0x90 net/ipv4/ip_input.c:233\\n ip_sublist_rcv_finish+0x5f/0x70 net/ipv4/ip_input.c:579\\n ip_sublist_rcv+0x122/0x1b0 net/ipv4/ip_input.c:636\\n ip_list_rcv+0xf7/0x130 net/ipv4/ip_input.c:670\\n __netif_receive_skb_list_core+0x21d/0x240 net/core/dev.c:6067\\n netif_receive_skb_list_internal+0x186/0x2b0 net/core/dev.c:6210\\n napi_complete_done+0x78/0x180 net/core/dev.c:6580\\n tun_get_user+0xa63/0x1120 drivers/net/tun.c:1909\\n tun_chr_write_iter+0x65/0xb0 drivers/net/tun.c:1984\\n vfs_write+0x300/0x420 fs/read_write.c:593\\n ksys_write+0x60/0xd0 fs/read_write.c:686\\n do_syscall_64+0x50/0x1c0 arch/x86/entry/syscall_64.c:63\\n \u003c/TASK\u003e\\n\\nTo trigger gso segment in udp_queue_rcv_skb(), we should also set option\\nUDP_ENCAP_ESPINUDP to enable udp_sk(sk)-\u003eencap_rcv. When the encap_rcv\\nhook return 1 in udp_queue_rcv_one_skb(), udp_csum_pull_header() will try\\nto pull udphdr, but the skb size has been segmented to gso size, which\\nleads to this crash.\\n\\nPrevious commit cf329aa42b66 (\\\"udp: cope with UDP GRO packet misdirection\\\")\\nintroduces segmentation in UDP receive path only for GRO, which was never\\nintended to be used for UFO, so drop UFO packets in udp_rcv_segment().\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: descartar paquetes UFO en udp_rcv_segment() Al enviar un paquete con virtio_net_hdr a un dispositivo tun, si gso_type en virtio_net_hdr es SKB_GSO_UDP y gso_size es menor que el tama\u00f1o de udphdr, puede ocurrir el siguiente bloqueo. ------------[ cortar aqu\u00ed ]------------ \u00a1ERROR del kernel en net/core/skbuff.c:4572! Oops: c\u00f3digo de operaci\u00f3n no v\u00e1lido: 0000 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 62 Comm: mytest No contaminado 6.16.0-rc7 #203 PREEMPT(voluntario) Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:skb_pull_rcsum+0x8e/0xa0 C\u00f3digo: 00 00 5b c3 cc cc cc cc 8b 93 88 00 00 00 f7 da e8 37 44 38 00 f7 d8 89 83 88 00 00 00 48 8b 83 c8 00 00 00 5b c3 cc cc cc cc \u0026lt;0f\u0026gt; 0b 0f 0b 66 66 2e 0f 1f 84 00 000 RSP: 0018:ffffc900001fba38 EFLAGS: 00000297 RAX: 0000000000000004 RBX: ffff8880040c1000 RCX: ffffc900001fb948 RDX: ffff888003e6d700 RSI: 0000000000000008 RDI: ffff88800411a062 RBP: ffff8880040c1000 R08: 000000000000000 R09: 0000000000000001 R10: ffff888003606c00 R11: 0000000000000001 R12: 0000000000000000 R13: ffff888004060900 R14: ffff888004050000 R15: ffff888004060900 FS: 000000002406d3c0(0000) GS:ffff888084a19000(0000) knlGS:000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000080050033 CR2: 0000000020000040 CR3: 0000000004007000 CR4: 00000000000006f0 Rastreo de llamadas: udp_queue_rcv_one_skb+0x176/0x4b0 net/ipv4/udp.c:2445 udp_queue_rcv_skb+0x155/0x1f0 net/ipv4/udp.c:2475 udp_unicast_rcv_skb+0x71/0x90 net/ipv4/udp.c:2626 __udp4_lib_rcv+0x433/0xb00 net/ipv4/udp.c:2690 ip_protocol_deliver_rcu+0xa6/0x160 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x72/0x90 net/ipv4/ip_input.c:233 ip_sublist_rcv_finish+0x5f/0x70 net/ipv4/ip_input.c:579 ip_sublist_rcv+0x122/0x1b0 net/ipv4/ip_input.c:636 ip_list_rcv+0xf7/0x130 net/ipv4/ip_input.c:670 __netif_receive_skb_list_core+0x21d/0x240 net/core/dev.c:6067 netif_receive_skb_list_internal+0x186/0x2b0 net/core/dev.c:6210 Para activar el segmento gso en udp_queue_rcv_skb(), tambi\u00e9n debemos configurar la opci\u00f3n UDP_ENCAP_ESPINUDP para habilitarla udp_sk(sk)-\u0026gt;encap_rcv. Cuando el gancho encap_rcv devuelve 1 en udp_queue_rcv_one_skb(), udp_csum_pull_header() intentar\u00e1 extraer udphdr, pero el tama\u00f1o de skb se ha segmentado al tama\u00f1o de gso, lo que provoca este fallo. El commit anterior cf329aa42b66 (\\\"udp: lidiar con la redirecci\u00f3n de paquetes UDP GRO\\\") introduce la segmentaci\u00f3n en la ruta de recepci\u00f3n UDP solo para GRO, que nunca se concibi\u00f3 para UFO, por lo que se descartan los paquetes UFO en udp_rcv_segment().\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0c639c6479ec4480372901a5fc566f7588cf5522\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/0d45954034f8edd6d4052e0190d3d6335c37e4de\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4c1022220b1b6fea802175e80444923a3bbf93a5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/72f97d3cb791e26492236b2be7fd70d2c6222555\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/791f32c5eab33ca3a153f8f6f763aa0df1ddc320\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c0ec2e47f1e92d69b42b17a4a1e543256778393e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d46e51f1c78b9ab9323610feb14238d06d46d519\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/df6ad849d59256dcc0e2234844ef9f0daf885f5c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fc45b3f9599b657d4a64bcf423d2a977b3e13a49\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…