| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20191108174752.161636977@linuxfoundation.org>
Date: Fri, 8 Nov 2019 19:50:35 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org, Xin Long <lucien.xin@...il.com>,
"David S. Miller" <davem@...emloft.net>
Subject: [PATCH 4.14 47/62] erspan: fix the tun_info options_len check for erspan
From: Xin Long <lucien.xin@...il.com>
[ Upstream commit 2eb8d6d2910cfe3dc67dc056f26f3dd9c63d47cd ]
The check for !md doens't really work for ip_tunnel_info_opts(info) which
only does info + 1. Also to avoid out-of-bounds access on info, it should
ensure options_len is not less than erspan_metadata in both erspan_xmit()
and ip6erspan_tunnel_xmit().
Fixes: 1a66a836da ("gre: add collect_md mode to ERSPAN tunnel")
Signed-off-by: Xin Long <lucien.xin@...il.com>
Signed-off-by: David S. Miller <davem@...emloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
net/ipv4/ip_gre.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -592,6 +592,9 @@ static void erspan_fb_xmit(struct sk_buf
truncate = true;
}
+ if (tun_info->options_len < sizeof(*md))
+ goto err_free_rt;
+
md = ip_tunnel_info_opts(tun_info);
if (!md)
goto err_free_rt;
Powered by blists - more mailing lists