Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit cbea811a authored by Eric Dumazet's avatar Eric Dumazet Committed by Gerrit - the friendly Code Review server
Browse files

ip6_gre: fix ip6gre_err() invalid reads 



Andrey Konovalov reported out of bound accesses in ip6gre_err()

If GRE flags contains GRE_KEY, the following expression
*(((__be32 *)p) + (grehlen / 4) - 1)

accesses data ~40 bytes after the expected point, since
grehlen includes the size of IPv6 headers.

Let's use a "struct gre_base_hdr *greh" pointer to make this
code more readable.

p[1] becomes greh->protocol.
grhlen is the GRE header length.

Change-Id: I5e0ff2b03734a0251e5b687fe2630bea84a1e163
Fixes: c12b395a ("gre: Support GRE over IPv6")
Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Git-commit: 7892032cfe67f4bde6fc2ee967e45a8fbaf33756
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git


Signed-off-by: default avatarSrinivasa Rao Kuppala <srkupp@codeaurora.org>
parent 6991fa00
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment