FKIE_CVE-2022-50706

Vulnerability from fkie_nvd - Published: 2025-12-24 11:15 - Updated: 2025-12-29 15:58
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: net/ieee802154: don't warn zero-sized raw_sendmsg() syzbot is hitting skb_assert_len() warning at __dev_queue_xmit() [1], for PF_IEEE802154 socket's zero-sized raw_sendmsg() request is hitting __dev_queue_xmit() with skb->len == 0. Since PF_IEEE802154 socket's zero-sized raw_sendmsg() request was able to return 0, don't call __dev_queue_xmit() if packet length is 0. ---------- #include <sys/socket.h> #include <netinet/in.h> int main(int argc, char *argv[]) { struct sockaddr_in addr = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) }; struct iovec iov = { }; struct msghdr hdr = { .msg_name = &addr, .msg_namelen = sizeof(addr), .msg_iov = &iov, .msg_iovlen = 1 }; sendmsg(socket(PF_IEEE802154, SOCK_RAW, 0), &hdr, 0); return 0; } ---------- Note that this might be a sign that commit fd1894224407c484 ("bpf: Don't redirect packets with invalid pkt_len") should be reverted, for skb->len == 0 was acceptable for at least PF_IEEE802154 socket.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/34f31a2b667914ab701ca725554a0b447809d7ef
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4a36de8947794fa21435d1e916e089095f3246a8
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/791489a5c56396ddfed75fc525066d4738dace46
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9974d220c5073d035b5469d1d8ecd71da86c7afd
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b12e924a2f5b960373459c8f8a514f887adf5cac
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/df0da3fc131132b6c32a15c4da4ffa3a5aea1af2
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/ieee802154: don\u0027t warn zero-sized raw_sendmsg()\n\nsyzbot is hitting skb_assert_len() warning at __dev_queue_xmit() [1],\nfor PF_IEEE802154 socket\u0027s zero-sized raw_sendmsg() request is hitting\n__dev_queue_xmit() with skb-\u003elen == 0.\n\nSince PF_IEEE802154 socket\u0027s zero-sized raw_sendmsg() request was\nable to return 0, don\u0027t call __dev_queue_xmit() if packet length is 0.\n\n  ----------\n  #include \u003csys/socket.h\u003e\n  #include \u003cnetinet/in.h\u003e\n\n  int main(int argc, char *argv[])\n  {\n    struct sockaddr_in addr = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };\n    struct iovec iov = { };\n    struct msghdr hdr = { .msg_name = \u0026addr, .msg_namelen = sizeof(addr), .msg_iov = \u0026iov, .msg_iovlen = 1 };\n    sendmsg(socket(PF_IEEE802154, SOCK_RAW, 0), \u0026hdr, 0);\n    return 0;\n  }\n  ----------\n\nNote that this might be a sign that commit fd1894224407c484 (\"bpf: Don\u0027t\nredirect packets with invalid pkt_len\") should be reverted, for\nskb-\u003elen == 0 was acceptable for at least PF_IEEE802154 socket."
    }
  ],
  "id": "CVE-2022-50706",
  "lastModified": "2025-12-29T15:58:56.260",
  "metrics": {},
  "published": "2025-12-24T11:15:50.780",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/34f31a2b667914ab701ca725554a0b447809d7ef"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/4a36de8947794fa21435d1e916e089095f3246a8"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/791489a5c56396ddfed75fc525066d4738dace46"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/9974d220c5073d035b5469d1d8ecd71da86c7afd"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/b12e924a2f5b960373459c8f8a514f887adf5cac"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/df0da3fc131132b6c32a15c4da4ffa3a5aea1af2"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.