On Mon, 12 Oct 2020 16:17:21 -0700 Cong Wang wrote:

> GRE tunnel has its own header_ops, ipgre_header_ops, and sets it
> conditionally. When it is set, it assumes the outer IP header is
> already created before ipgre_xmit().
>
> This is not true when we send packets through a raw packet socket,
> where L2 headers are supposed to be constructed by user. Packet
> socket calls dev_validate_header() to validate the header. But
> GRE tunnel does not set dev->hard_header_len, so that check can
> be simply bypassed, therefore uninit memory could be passed down
> to ipgre_xmit(). Similar for dev->needed_headroom.
>
> dev->hard_header_len is supposed to be the length of the header
> created by dev->header_ops->create(), so it should be used whenever
> header_ops is set, and dev->needed_headroom should be used when it
> is not set.
>
> Reported-and-tested-by: syzbot+4a2c52677a8a1aa28...@syzkaller.appspotmail.com
> Cc: Xie He <xie.he.0...@gmail.com>
> Cc: William Tu <u9012...@gmail.com>
> Acked-by: Willem de Bruijn <will...@google.com>
> Signed-off-by: Cong Wang <xiyou.wangc...@gmail.com>
Applied, thank you!
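A userspace model of the length rule the quoted commit message relies on, added here as an illustration and not taken from the kernel patch itself: it reduces dev_validate_header() to its hard_header_len comparison (the kernel function has further branches), and the GRE header size and device states are constructed values.

```c
/* Added example: models why a zero dev->hard_header_len lets any user-built
 * L2 header through the packet socket's check, and how the rule from the
 * commit message (hard_header_len when header_ops is set, needed_headroom
 * otherwise) closes it. Field names mirror struct net_device; sizes are
 * constructed for the model. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct header_ops { int (*create)(void); };   /* stand-in for the real ops */

struct net_device {
    unsigned short hard_header_len;   /* length of header_ops->create() output */
    unsigned short needed_headroom;   /* extra room when the driver builds it */
    const struct header_ops *header_ops;
};

/* Simplified dev_validate_header(): accept the user header only if it is at
 * least as long as the header the device's create() would have produced. */
static bool dev_validate_header(const struct net_device *dev, size_t len)
{
    return len >= dev->hard_header_len;
}

/* Rule stated in the commit message, applied to a device's header length. */
void gre_set_header_len(struct net_device *dev, unsigned short hlen)
{
    if (dev->header_ops) {
        dev->hard_header_len = hlen;
        dev->needed_headroom = 0;
    } else {
        dev->hard_header_len = 0;
        dev->needed_headroom = hlen;
    }
}

/* Would a raw packet socket write with a user header of `user_hdr_len`
 * bytes reach the device's xmit path? */
bool raw_send_passes(const struct net_device *dev, size_t user_hdr_len)
{
    return dev_validate_header(dev, user_hdr_len);
}

static const struct header_ops ipgre_header_ops = { .create = NULL };
/* Assumed model size: 20-byte outer IPv4 header plus a 4-byte GRE header. */
#define IPGRE_MODEL_HLEN 24

int main(void)
{
    struct net_device gre = { .header_ops = &ipgre_header_ops };   /* buggy: len 0 */
    printf("before fix, empty header accepted: %d\n", raw_send_passes(&gre, 0));
    gre_set_header_len(&gre, IPGRE_MODEL_HLEN);
    printf("after fix, empty header accepted: %d\n", raw_send_passes(&gre, 0));
    return 0;
}
```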