| From foo@baz Wed 06 Nov 2019 04:08:37 PM CET |
| From: Xin Long <lucien.xin@gmail.com> |
| Date: Mon, 28 Oct 2019 23:19:35 +0800 |
| Subject: erspan: fix the tun_info options_len check for erspan |
| |
| From: Xin Long <lucien.xin@gmail.com> |
| |
| [ Upstream commit 2eb8d6d2910cfe3dc67dc056f26f3dd9c63d47cd ] |
| |
| The check for !md doens't really work for ip_tunnel_info_opts(info) which |
| only does info + 1. Also to avoid out-of-bounds access on info, it should |
| ensure options_len is not less than erspan_metadata in both erspan_xmit() |
| and ip6erspan_tunnel_xmit(). |
| |
| Fixes: 1a66a836da ("gre: add collect_md mode to ERSPAN tunnel") |
| Signed-off-by: Xin Long <lucien.xin@gmail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/ipv4/ip_gre.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| --- a/net/ipv4/ip_gre.c |
| +++ b/net/ipv4/ip_gre.c |
| @@ -592,6 +592,9 @@ static void erspan_fb_xmit(struct sk_buf |
| truncate = true; |
| } |
| |
| + if (tun_info->options_len < sizeof(*md)) |
| + goto err_free_rt; |
| + |
| md = ip_tunnel_info_opts(tun_info); |
| if (!md) |
| goto err_free_rt; |