{"id":"CVE-2024-49979","summary":"net: gso: fix tcp fraglist segmentation after pull from frag_list","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gso: fix tcp fraglist segmentation after pull from frag_list\n\nDetect tcp gso fraglist skbs with corrupted geometry (see below) and\npass these to skb_segment instead of skb_segment_list, as the first\ncan segment them correctly.\n\nValid SKB_GSO_FRAGLIST skbs\n- consist of two or more segments\n- the head_skb holds the protocol headers plus first gso_size\n- one or more frag_list skbs hold exactly one segment\n- all but the last must be gso_size\n\nOptional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can\nmodify these skbs, breaking these invariants.\n\nIn extreme cases they pull all data into skb linear. For TCP, this\ncauses a NULL ptr deref in __tcpv4_gso_segment_list_csum at\ntcp_hdr(seg-\u003enext).\n\nDetect invalid geometry due to pull, by checking head_skb size.\nDon't just drop, as this may blackhole a destination. Convert to be\nable to pass to regular skb_segment.\n\nApproach and description based on a patch by Willem de Bruijn.","modified":"2026-03-26T04:18:18.029678Z","published":"2024-10-21T18:02:25.819Z","related":["USN-7276-1","USN-7277-1","openSUSE-SU-2024:14500-1","openSUSE-SU-2025:14705-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49979.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/17bd3bd82f9f79f3feba15476c2b2c95a9b11ff8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2d4a83a44428de45bfe9dccb0192a3711d1097e0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3fdd8c83e83fa5e82f1b5585245c51e0355c9f46"},{"type":"WEB","url":"https://git.kernel.org/stable/c/75733986fcb0725c0033cde94764389e287b331e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e19201b0c67da5146eaac06fd3d44bd7945c3448"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49979.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49979"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c2ea8cab368b9f25b5937a7f07ab1a66e90b8064"},{"fixed":"75733986fcb0725c0033cde94764389e287b331e"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"1f2b859225eb8d1ec974214ce4a581f8c528ae57"},{"fixed":"e19201b0c67da5146eaac06fd3d44bd7945c3448"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"bee88cd5bd83d40b8aec4d6cb729378f707f6197"},{"fixed":"3fdd8c83e83fa5e82f1b5585245c51e0355c9f46"},{"fixed":"2d4a83a44428de45bfe9dccb0192a3711d1097e0"},{"fixed":"17bd3bd82f9f79f3feba15476c2b2c95a9b11ff8"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-49979.json"}}],"schema_version":"1.7.5"}