Commit 5ef5d6c5 authored Aug 16, 2012 by Dan Carpenter Committed by David S. Miller Aug 20, 2012

gre: information leak in ip6_tnl_ioctl()



There is a one byte hole between p->hop_limit and p->flowinfo where
stack memory is leaked to the user.  This was introduced in c12b395a
"gre: Support GRE over IPv6".

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

parent 56892261

net/ipv6/ip6_tunnel.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -1312,6 +1312,8 @@ ip6_tnl_ioctl(struct net_device dev, struct ifreq ifr, int cmd)
		}
		ip6_tnl_parm_from_user(&p1, &p);
		t = ip6_tnl_locate(net, &p1, 0);
		} else {
		memset(&p, 0, sizeof(p));
		}
		if (t == NULL)
		t = netdev_priv(dev);