From: Dan Carpenter Date: Thu, 16 Aug 2012 03:14:04 +0000 (+0000) Subject: gre: information leak in ip6_tnl_ioctl() X-Git-Tag: upstream/snapshot3+hdmi~6565^2~315 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=5ef5d6c569f80cf716d75fa88e9b5ee72f0986b2;p=platform%2Fadaptation%2Frenesas_rcar%2Frenesas_kernel.git gre: information leak in ip6_tnl_ioctl() There is a one byte hole between p->hop_limit and p->flowinfo where stack memory is leaked to the user. This was introduced in c12b395a46 "gre: Support GRE over IPv6". Signed-off-by: Dan Carpenter --- diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c index 33d2a0e..cb7e2de 100644 --- a/net/ipv6/ip6_tunnel.c +++ b/net/ipv6/ip6_tunnel.c @@ -1312,6 +1312,8 @@ ip6_tnl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) } ip6_tnl_parm_from_user(&p1, &p); t = ip6_tnl_locate(net, &p1, 0); + } else { + memset(&p, 0, sizeof(p)); } if (t == NULL) t = netdev_priv(dev);