| author | Eric Dumazet <edumazet@google.com> | 2017-02-04 23:18:55 -0800 |
|---|---|---|
| committer | Moyster <oysterized@gmail.com> | 2017-06-17 15:51:15 +0200 |
| commit | 7a8e765624746ace1df5a7d093e3b4419fb4dade (patch) | |
| tree | 173c817d0870596086db325c8e115b07d915bcb5 /net | |
| parent | 04b7b0292c6bccb52bf806b23de9400372909ff6 (diff) | |
ip6_gre: fix ip6gre_err() invalid reads

commit 7892032cfe67f4bde6fc2ee967e45a8fbaf33756 upstream.

Andrey Konovalov reported out of bound accesses in ip6gre_err()

If GRE flags contains GRE_KEY, the following expression

    *(((__be32 *)p) + (grehlen / 4) - 1)

accesses data ~40 bytes after the expected point, since
grehlen includes the size of IPv6 headers.

Let's use a "struct gre_base_hdr *greh" pointer to make this
code more readable.

p[1] becomes greh->protocol.
grhlen is the GRE header length.

Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv6/ip6_gre.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c index 577f01139..31a6b7193 100644 --- a/net/ipv6/ip6_gre.c +++ b/net/ipv6/ip6_gre.c @@ -55,6 +55,7 @@ #include <net/ip6_fib.h> #include <net/ip6_route.h> #include <net/ip6_tunnel.h> +#include <net/gre.h> static bool log_ecn_error = true; |
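Review bot: the only change in this hunk is the added `#include <net/gre.h>` near the top of net/ipv6/ip6_gre.c, and the diffstat agrees (1 insertion, 0 deletions), so nothing shown here touches ip6gre_err() or the `*(((__be32 *)p) + (grehlen / 4) - 1)` read that the commit message says is being fixed. If the ip6gre_err() rewrite using `struct gre_base_hdr *greh` landed in an earlier commit on this tree and this one only supplies the header that declares the struct, the message should say so, so that anyone auditing the tree for the out-of-bounds read does not take this commit as the fix. If the rewrite was meant to be part of this backport, the hunk for ip6gre_err() is missing and the invalid read is still present after applying it. It is also worth confirming that the `net/gre.h` in this tree actually defines `struct gre_base_hdr`, since that is the only reason visible here for adding the include.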
