“ip maddr show ib0” causes a stack corruption because the length of the address for Infiniband (20 see kernel doc Documentation/infiniband/ipoib.txt) does not fit on the 16 bytes of the field in which it gets stored. The proposed patch increases the size of the hardware address from 4 u32 to 8 and adds a check to avoid overriding the available size while parsing the hardware address. This bug affects current upstream code and should be reported upstream.
 include/utils.h | 2 +-
 ip/ipmaddr.c | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
--- iproute2-2.6.26/include/utils.h.hwaddrsize 2008-11-25 11:02:30.000000000 +0000
+++ iproute2-2.6.26/include/utils.h 2008-11-25 11:08:28.000000000 +0000
@@ -46,7 +46,7 @@
 __u8 bytelen;
 __s16 bitlen;
 __u32 flags;
- __u32 data[4];
+ __u32 data[8];
 } inet_prefix;
 #define PREFIXLEN_SPECIFIED 1
--- iproute2-2.6.26/ip/ipmaddr.c.hwaddrsize 2008-11-25 11:02:51.000000000 +0000
+++ iproute2-2.6.26/ip/ipmaddr.c 2008-11-25 11:08:26.000000000 +0000
@@ -43,11 +43,11 @@
 exit(-1);
 }
-static int parse_hex(char *str, unsigned char *addr)
+static int parse_hex(char *str, unsigned char *addr, size_t size)
 {
 int len=0;
- while (*str) {
+ while (*str && (len < 2 * size)) {
 int tmp;
 if (str[1] == 0) return -1;
@@ -104,7 +104,7 @@
 m.addr.family = AF_PACKET;
- len = parse_hex(hexa, (unsigned char*)&m.addr.data);
+ len = parse_hex(hexa, (unsigned char*)&m.addr.data, sizeof (m.addr.data));
 if (len >= 0) {
 struct ma_info *ma = malloc(sizeof(m));
@@ -176,7 +176,7 @@
 m.addr.family = AF_INET6;
- len = parse_hex(hexa, (unsigned char*)&m.addr.data);
+ len = parse_hex(hexa, (unsigned char*)&m.addr.data, sizeof (m.addr.data));
 if (len >= 0) {
 struct ma_info *ma = malloc(sizeof(m));
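Review bot: `__u32 data[8];` in include/utils.h is a bare size with nothing recording why 32 bytes was chosen; the description says the driver is the 20-byte IPoIB hardware address, which the old 16-byte field could not hold. I would add a comment on the field such as `/* must hold the longest address parsed into it; IPoIB link-layer addresses are 20 bytes */`, or name the size with a constant so the parse bound and the field cannot drift apart. The enclosing typedef starts above this hunk, so other users of inet_prefix that assume a 16-byte data field are not visible here and are worth a grep.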
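Review bot: The bound added in `while (*str && (len < 2 * size))` in ip/ipmaddr.c looks twice too permissive: both callers (the hunks at -104 and -176) pass `sizeof (m.addr.data)`, a byte count, so if `len` is the number of bytes stored into `addr` (the loop body continues below this hunk, so confirm) the loop can still write up to `2 * size` bytes into a `size`-byte field. Comparing bytes with bytes, `while (*str && (size_t)len < size) {`, closes that gap. When the limit is reached the loop simply stops, and presumably the truncated length is returned and passes the callers' `len >= 0` test; returning -1 for an address that does not fit would be a safer outcome than silently recording a shortened one.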