From: Eric Dumazet <eric.duma...@gmail.com>
Date: Sat, 04 Feb 2017 23:18:55 -0800
> From: Eric Dumazet <eduma...@google.com>
>
> Andrey Konovalov reported out-of-bounds accesses in ip6gre_err()
>
> If GRE flags contains GRE_KEY, the following expression
> *(((__be32 *)p) + (grehlen / 4) - 1)
>
> accesses data ~40 bytes after the expected point, since
> grehlen includes the size of IPv6 headers.
>
> Let's use a "struct gre_base_hdr *greh" pointer to make this
> code more readable.
>
> p[1] becomes greh->protocol.
> grehlen is the GRE header length.
>
> Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
> Signed-off-by: Eric Dumazet <eduma...@google.com>
> Reported-by: Andrey Konovalov <andreyk...@google.com>

So the bug is that we include offset twice in the calculation.

Applied and queued up for -stable, thanks.
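The arithmetic the commit message describes, worked through on a constructed packet. This is an added illustration, not the kernel's ip6gre_err() code or the patch itself: it models the old expression `*(((__be32 *)p) + (grehlen / 4) - 1)` as a byte offset from the start of the packet with `grehlen` starting at `offset + 4` (so the IPv6 header length is counted twice), next to the corrected form where `grehlen` counts only GRE bytes. The `gre_base_hdr` struct, the flag constants, `build_packet` and `read_key` are local stand-ins chosen for the example; the bounds check in `read_key` is what a defensive parser should always do before dereferencing a computed offset.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag bits of the first GRE header byte (RFC 2890 layout). Constructed
 * for this example; the kernel defines its own 16-bit network-order values. */
#define GRE_CSUM 0x80u
#define GRE_KEY  0x20u

#define IPV6_HDR_LEN 40u   /* fixed IPv6 header: the "offset" in the message */

/* Local stand-in for the kernel's struct gre_base_hdr (flags, protocol). */
struct gre_base_hdr {
    uint16_t flags;
    uint16_t protocol;
};

/* Old arithmetic: grehlen starts at offset + 4, so it already contains the
 * IPv6 header length, and the key is then read relative to p = data + offset.
 * Returns the byte offset from packet start that the expression dereferences,
 * or 0 when no key is present. */
size_t buggy_key_offset(size_t offset, uint8_t flags)
{
    size_t grehlen = offset + sizeof(struct gre_base_hdr);
    if (flags & GRE_CSUM)
        grehlen += 4;
    if (!(flags & GRE_KEY))
        return 0;
    return offset + 4 * (grehlen / 4 - 1);
}

/* Fixed arithmetic: grehlen counts only GRE bytes, so the key sits at
 * offset + grehlen once the optional checksum field has been skipped. */
size_t fixed_key_offset(size_t offset, uint8_t flags)
{
    size_t grehlen = sizeof(struct gre_base_hdr);
    if (flags & GRE_CSUM)
        grehlen += 4;
    if (!(flags & GRE_KEY))
        return 0;
    return offset + grehlen;
}

/* Read the 32-bit key at key_off, refusing any read past pkt_len.
 * Returns 1 and stores the key on success, 0 if the read would be out of bounds. */
int read_key(const uint8_t *pkt, size_t pkt_len, size_t key_off, uint32_t *key)
{
    if (key_off == 0 || key_off + 4 > pkt_len)
        return 0;
    *key = ((uint32_t)pkt[key_off] << 24) | ((uint32_t)pkt[key_off + 1] << 16) |
           ((uint32_t)pkt[key_off + 2] << 8) | pkt[key_off + 3];
    return 1;
}

/* Constructed packet: zeroed 40-byte IPv6 header, GRE base header with the
 * K bit set and protocol 0x86dd, then a 4-byte key. Returns total length. */
size_t build_packet(uint8_t *buf, size_t cap, uint32_t key_val)
{
    const uint8_t gre[8] = { GRE_KEY, 0x00, 0x86, 0xdd,
                             (uint8_t)(key_val >> 24), (uint8_t)(key_val >> 16),
                             (uint8_t)(key_val >> 8), (uint8_t)key_val };
    size_t len = IPV6_HDR_LEN + sizeof(gre);
    if (cap < len)
        return 0;
    memset(buf, 0, IPV6_HDR_LEN);
    memcpy(buf + IPV6_HDR_LEN, gre, sizeof(gre));
    return len;
}

/* Key recovered through the corrected offset, or 0 if the read is refused. */
uint32_t demo_fixed_read(void)
{
    uint8_t pkt[64];
    uint32_t key = 0;
    size_t len = build_packet(pkt, sizeof(pkt), 0x11223344u);
    read_key(pkt, len, fixed_key_offset(IPV6_HDR_LEN, pkt[IPV6_HDR_LEN]), &key);
    return key;
}

/* 1 if the bounds check rejects the old offset on the same packet. */
int demo_buggy_rejected(void)
{
    uint8_t pkt[64];
    uint32_t key = 0;
    size_t len = build_packet(pkt, sizeof(pkt), 0x11223344u);
    return !read_key(pkt, len, buggy_key_offset(IPV6_HDR_LEN, pkt[IPV6_HDR_LEN]), &key);
}

int main(void)
{
    size_t good = fixed_key_offset(IPV6_HDR_LEN, GRE_KEY);
    size_t bad = buggy_key_offset(IPV6_HDR_LEN, GRE_KEY);
    /* The overshoot is offset - 4 bytes, i.e. roughly the IPv6 header length. */
    printf("key expected at %zu, old code reads at %zu (%zu bytes too far)\n",
           good, bad, bad - good);
    printf("fixed read: 0x%08x, old offset rejected: %d\n",
           demo_fixed_read(), demo_buggy_rejected());
    return 0;
}
```

On the 48-byte constructed packet the corrected offset is 44 and the old expression lands at 80, 36 bytes past the key and 32 bytes past the end of the packet, which is why only an explicit length check (or a struct-based pointer that counts GRE bytes alone) keeps the read in bounds.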