From: Eric Dumazet <[email protected]> Date: Sat, 04 Feb 2017 23:18:55 -0800
> From: Eric Dumazet <[email protected]>
>
> Andrey Konovalov reported out-of-bounds accesses in ip6gre_err()
>
> If GRE flags contain GRE_KEY, the following expression
> *(((__be32 *)p) + (grehlen / 4) - 1)
>
> accesses data ~40 bytes after the expected point, since
> grehlen includes the size of IPv6 headers.
>
> Let's use a "struct gre_base_hdr *greh" pointer to make this
> code more readable.
>
> p[1] becomes greh->protocol.
> grehlen is the GRE header length.
>
> Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
> Signed-off-by: Eric Dumazet <[email protected]>
> Reported-by: Andrey Konovalov <[email protected]>

So the bug is that we include offset twice in the calculation.

Applied and queued up for -stable, thanks.

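Added example (not part of the thread and not kernel code): a userspace C model of the offset arithmetic discussed in the quoted commit message. It reproduces the original expression `*(((__be32 *)p) + (grehlen / 4) - 1)` with `p = data + offset` and `grehlen = offset + 4`, places it beside the fixed arithmetic where `grehlen` counts only GRE header bytes, and reads the key behind a length check that stands in for `pskb_may_pull()`. The flag values, the 40-byte IPv6 header offset, the packet builder and the protocol value are constructed for the example; for an IPv6 packet with no extension headers the buggy read lands 40 bytes past the key, matching the "~40 bytes" in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Host-order stand-ins for the GRE flag bits (the kernel keeps them in
 * network byte order); build_packet() below writes them big-endian. */
#define GRE_CSUM 0x8000u
#define GRE_KEY  0x2000u

/* Constructed assumption: GRE header starts right after a 40-byte IPv6
 * header, i.e. offset == 40 as passed to ip6gre_err(). */
#define IPV6_HDR_LEN 40

struct gre_base_hdr {
    uint16_t flags;
    uint16_t protocol;
};

/* Byte offset, from the start of the packet, that the original expression
 * *(((__be32 *)p) + (grehlen / 4) - 1) reads from, with p = data + offset
 * and grehlen initialised to offset + 4: the IPv6 header length is counted
 * once in p and a second time inside grehlen. */
size_t buggy_key_offset(size_t offset, uint16_t flags)
{
    size_t grehlen = offset + 4;          /* offset counted a second time here */
    if (flags & GRE_CSUM)
        grehlen += 4;
    grehlen += 4;                         /* GRE_KEY is present */
    return offset + ((grehlen / 4) - 1) * 4;
}

/* Fixed arithmetic: grehlen holds GRE header bytes only, so the key sits at
 * offset + 4, or offset + 8 when a checksum word precedes it. */
size_t correct_key_offset(size_t offset, uint16_t flags)
{
    size_t grehlen = sizeof(struct gre_base_hdr);
    if (flags & GRE_CSUM)
        grehlen += 4;
    return offset + grehlen;
}

/* Build a constructed packet: zeroed 40-byte IPv6 header, GRE base header
 * with the given flags, optional (zero) checksum word, then the key.
 * Returns the packet length, or 0 if the buffer is too small. */
size_t build_packet(uint8_t *buf, size_t cap, uint16_t flags, uint32_t key)
{
    size_t len = IPV6_HDR_LEN;
    size_t key_off = correct_key_offset(IPV6_HDR_LEN, flags);
    if (cap < key_off + 4)
        return 0;
    memset(buf, 0, cap);
    buf[len++] = (uint8_t)(flags >> 8);
    buf[len++] = (uint8_t)flags;
    buf[len++] = 0x86;                    /* protocol 0x86DD (IPv6), constructed */
    buf[len++] = 0xDD;
    if (flags & GRE_CSUM)
        len += 4;                         /* checksum + reserved, left zero */
    buf[len++] = (uint8_t)(key >> 24);
    buf[len++] = (uint8_t)(key >> 16);
    buf[len++] = (uint8_t)(key >> 8);
    buf[len++] = (uint8_t)key;
    return len;
}

/* Read the key the way the fix does: check the length before each access
 * (userspace analogue of pskb_may_pull), then use offset + GRE header
 * length. Returns 0 on success, -1 if the packet is short or has no key. */
int read_gre_key(const uint8_t *data, size_t len, size_t offset, uint32_t *key)
{
    if (len < offset + sizeof(struct gre_base_hdr))
        return -1;
    uint16_t flags = (uint16_t)((data[offset] << 8) | data[offset + 1]);
    if (!(flags & GRE_KEY))
        return -1;
    size_t key_off = correct_key_offset(offset, flags);
    if (len < key_off + 4)
        return -1;
    *key = ((uint32_t)data[key_off] << 24) | ((uint32_t)data[key_off + 1] << 16) |
           ((uint32_t)data[key_off + 2] << 8) | data[key_off + 3];
    return 0;
}

int main(void)
{
    uint8_t pkt[128];
    uint32_t key = 0;
    size_t len = build_packet(pkt, sizeof pkt, GRE_KEY, 0x11223344u);
    printf("length %zu, key at byte %zu, buggy read at byte %zu\n", len,
           correct_key_offset(IPV6_HDR_LEN, GRE_KEY),
           buggy_key_offset(IPV6_HDR_LEN, GRE_KEY));
    if (read_gre_key(pkt, len, IPV6_HDR_LEN, &key) == 0)
        printf("key = 0x%08x\n", key);
    return 0;
}
```

The constructed 48-byte packet has its key at byte 44, while the original expression reads at byte 84, i.e. 36 bytes past the end of the packet; read_gre_key() refuses the same packet when told it is shorter than 48 bytes, which is the check the fix adds before touching the key.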