gre: information leak in ip6_tnl_ioctl()
There is a one byte hole between p->hop_limit and p->flowinfo where
stack memory is leaked to the user. This was introduced in c12b395a46
"gre: Support GRE over IPv6".
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
This commit is contained in:
parent
56892261ed
commit
5ef5d6c569
1 changed files with 2 additions and 0 deletions
|
@ -1312,6 +1312,8 @@ ip6_tnl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
|
|||
}
|
||||
ip6_tnl_parm_from_user(&p1, &p);
|
||||
t = ip6_tnl_locate(net, &p1, 0);
|
||||
} else {
|
||||
memset(&p, 0, sizeof(p));
|
||||
}
|
||||
if (t == NULL)
|
||||
t = netdev_priv(dev);
|
||||
|
|
Loading…
Reference in a new issue