Message ID | 36ebe969f6d13ff59912d6464a4356fe6f103766.1603231100.git.dcaratti@redhat.com |
---|---|
State | New |
Headers | show |
Series | [net] net/sched: act_tunnel_key: fix OOB write in case of IPv6 ERSPAN tunnels | expand |
On Tue, Oct 20, 2020 at 3:03 PM Davide Caratti <dcaratti@redhat.com> wrote: > > the following command > > # tc action add action tunnel_key \ > > set src_ip 2001:db8::1 dst_ip 2001:db8::2 id 10 erspan_opts 1:6789:0:0 > > generates the following splat: ... > using IPv6 tunnels, act_tunnel_key allocates a fixed amount of memory for > the tunnel metadata, but then it expects additional bytes to store tunnel > specific metadata with tunnel_key_copy_opts(). > > Fix the arguments of __ipv6_tun_set_dst(), so that 'md_size' contains the > size previously computed by tunnel_key_get_opts_len(), like it's done for > IPv4 tunnels. Acked-by: Cong Wang <xiyou.wangcong@gmail.com> Thanks.
On Tue, 20 Oct 2020 17:33:22 -0700 Cong Wang wrote: > On Tue, Oct 20, 2020 at 3:03 PM Davide Caratti <dcaratti@redhat.com> wrote: > > > > the following command > > > > # tc action add action tunnel_key \ > > > set src_ip 2001:db8::1 dst_ip 2001:db8::2 id 10 erspan_opts 1:6789:0:0 > > > > generates the following splat: > ... > > using IPv6 tunnels, act_tunnel_key allocates a fixed amount of memory for > > the tunnel metadata, but then it expects additional bytes to store tunnel > > specific metadata with tunnel_key_copy_opts(). > > > > Fix the arguments of __ipv6_tun_set_dst(), so that 'md_size' contains the > > size previously computed by tunnel_key_get_opts_len(), like it's done for > > IPv4 tunnels. > > Acked-by: Cong Wang <xiyou.wangcong@gmail.com> Applied, thank you!
diff --git a/net/sched/act_tunnel_key.c b/net/sched/act_tunnel_key.c index a229751ee8c4..85c0d0d5b9da 100644 --- a/net/sched/act_tunnel_key.c +++ b/net/sched/act_tunnel_key.c @@ -459,7 +459,7 @@ static int tunnel_key_init(struct net *net, struct nlattr *nla, metadata = __ipv6_tun_set_dst(&saddr, &daddr, tos, ttl, dst_port, 0, flags, - key_id, 0); + key_id, opts_len); } else { NL_SET_ERR_MSG(extack, "Missing either ipv4 or ipv6 src and dst"); ret = -EINVAL;