gre: information leak in ip6_tnl_ioctl()

There is a one byte hole between p->hop_limit and p->flowinfo where stack memory is leaked to the user. This was introduced in c12b395a46 "gre: Support GRE over IPv6". Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
author: Dan Carpenter 2012-08-16 05:14:04 +0200
committer: David S. Miller 2012-08-20 11:21:30 +0200
commit: 5ef5d6c569f80cf716d75fa88e9b5ee72f0986b2 (patch)
tree: d8d85f656645a41afa15ff5ac11cf4e5eddf841f /net/ipv6
parent: xfrm: Use rcu_dereference_bh to deference pointer protected by rcu_read_lock_bh (diff)
download: kernel-qcow2-linux-5ef5d6c569f80cf716d75fa88e9b5ee72f0986b2.tar.gz
kernel-qcow2-linux-5ef5d6c569f80cf716d75fa88e9b5ee72f0986b2.tar.xz
kernel-qcow2-linux-5ef5d6c569f80cf716d75fa88e9b5ee72f0986b2.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 33d2a0e6712d..cb7e2ded6f08 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1312,6 +1312,8 @@ ip6_tnl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
 			}
 			ip6_tnl_parm_from_user(&p1, &p);
 			t = ip6_tnl_locate(net, &p1, 0);
+		} else {
+			memset(&p, 0, sizeof(p));
 		}
 		if (t == NULL)
 			t = netdev_priv(dev);
author	Dan Carpenter	2012-08-16 05:14:04 +0200
committer	David S. Miller	2012-08-20 11:21:30 +0200
commit	5ef5d6c569f80cf716d75fa88e9b5ee72f0986b2 (patch)
tree	d8d85f656645a41afa15ff5ac11cf4e5eddf841f /net/ipv6
parent	xfrm: Use rcu_dereference_bh to deference pointer protected by rcu_read_lock_bh (diff)
download	kernel-qcow2-linux-5ef5d6c569f80cf716d75fa88e9b5ee72f0986b2.tar.gz kernel-qcow2-linux-5ef5d6c569f80cf716d75fa88e9b5ee72f0986b2.tar.xz kernel-qcow2-linux-5ef5d6c569f80cf716d75fa88e9b5ee72f0986b2.zip