gre: information leak in ip6_tnl_ioctl()
authorDan Carpenter <dan.carpenter@oracle.com>
Thu, 16 Aug 2012 03:14:04 +0000 (03:14 +0000)
committerDavid S. Miller <davem@davemloft.net>
Mon, 20 Aug 2012 09:21:30 +0000 (02:21 -0700)
There is a one byte hole between p->hop_limit and p->flowinfo where
stack memory is leaked to the user.  This was introduced in c12b395a46
"gre: Support GRE over IPv6".

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
net/ipv6/ip6_tunnel.c

index 33d2a0e6712de084077727298d9e2353f39eb9c0..cb7e2ded6f08cce17f8fb11a7e7e119e8564d661 100644 (file)
@@ -1312,6 +1312,8 @@ ip6_tnl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
                        }
                        ip6_tnl_parm_from_user(&p1, &p);
                        t = ip6_tnl_locate(net, &p1, 0);
+               } else {
+                       memset(&p, 0, sizeof(p));
                }
                if (t == NULL)
                        t = netdev_priv(dev);