Revision 7892032cfe67f4bde6fc2ee967e45a8fbaf33756 authored by Eric Dumazet on 05 February 2017, 07:18:55 UTC, committed by David S. Miller on 05 February 2017, 22:23:04 UTC
Andrey Konovalov reported out of bound accesses in ip6gre_err()
If GRE flags contains GRE_KEY, the following expression
*(((__be32 *)p) + (grehlen / 4) - 1)
accesses data ~40 bytes after the expected point, since
grehlen includes the size of IPv6 headers.
Let's use a "struct gre_base_hdr *greh" pointer to make this
code more readable.
p[1] becomes greh->protocol.
grhlen is the GRE header length.
Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent d71b789
| File | Mode | Size |
|---|---|---|
| policy | ||
| .gitignore | -rw-r--r-- | 31 bytes |
| Kconfig | -rw-r--r-- | 2.9 KB |
| Makefile | -rw-r--r-- | 781 bytes |
| audit.c | -rw-r--r-- | 12.4 KB |
| common.c | -rw-r--r-- | 75.1 KB |
| common.h | -rw-r--r-- | 40.1 KB |
| condition.c | -rw-r--r-- | 27.1 KB |
| domain.c | -rw-r--r-- | 24.9 KB |
| environ.c | -rw-r--r-- | 3.0 KB |
| file.c | -rw-r--r-- | 28.9 KB |
| gc.c | -rw-r--r-- | 16.6 KB |
| group.c | -rw-r--r-- | 5.6 KB |
| load_policy.c | -rw-r--r-- | 2.6 KB |
| memory.c | -rw-r--r-- | 5.4 KB |
| mount.c | -rw-r--r-- | 6.7 KB |
| network.c | -rw-r--r-- | 21.3 KB |
| realpath.c | -rw-r--r-- | 7.9 KB |
| securityfs_if.c | -rw-r--r-- | 7.3 KB |
| tomoyo.c | -rw-r--r-- | 14.6 KB |
| util.c | -rw-r--r-- | 27.0 KB |
Computing file changes ...
