author | Dan Carpenter <dan.carpenter@oracle.com> | 2012-08-15 23:14:04 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2012-08-20 05:21:30 -0400 |
commit | 5ef5d6c569f80cf716d75fa88e9b5ee72f0986b2 (patch) | |
tree | d8d85f656645a41afa15ff5ac11cf4e5eddf841f /net/ipv6/ip6_tunnel.c | |
parent | 56892261ed1a854db5363df8bb3fbdb2c6c28d4c (diff) |
gre: information leak in ip6_tnl_ioctl()
There is a one byte hole between p->hop_limit and p->flowinfo where
stack memory is leaked to the user. This was introduced in c12b395a46
"gre: Support GRE over IPv6".
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Diffstat (limited to 'net/ipv6/ip6_tunnel.c')
-rw-r--r-- | net/ipv6/ip6_tunnel.c | 2 |
1 files changed, 2 insertions, 0 deletions
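--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1312,6 +1312,8 @@ ip6_tnl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
 }
 ip6_tnl_parm_from_user(&p1, &p);
 t = ip6_tnl_locate(net, &p1, 0);
+} else {
+memset(&p, 0, sizeof(p));
 }
 if (t == NULL)
 t = netdev_priv(dev);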
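Review bot: The added `memset(&p, 0, sizeof(p));` in the else branch carries no comment saying that it exists to clear struct padding, so a later cleanup could drop it as redundant once every named field is seen to be assigned afterwards. I would add `/* zero padding too: p is copied back to userspace */` above it. The first branch is left without zeroing, which is only safe if p is completely overwritten from user memory before the `ip6_tnl_parm_from_user(&p1, &p)` call; that copy is above the hunk, so this is presumably the case but cannot be confirmed here. Zeroing p once ahead of the `if` would remove that dependency and keep both paths safe if the first one changes. The body of ip6_tnl_ioctl() starts and ends outside the hunk.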