
Bug#1032642: iproute2: ip tunnel change ip6gre to gre crashes with stack smash



On 4/3/23 9:24 AM, Stephen Hemminger wrote:
> ted
>>
>> This happens because iproute2 just assumes the tunnel is ipv4, but the
>> kernel "knows" it's actually ip6gre so when calling the SIOCGETTUNNEL
>> ioctl it writes back a struct ip6_tnl_parm2 into the struct
>> ip_tunnel_parm which is smaller, so the stack gets overwritten. Is
>> there any way to tell from userspace whether a gre is v4 or v6 before
>> doing an ioctl? The ioctls don't take/return a size parameter as far
>> as I can see...
> 
> Ip uses an IPv4 UDP socket when it thinks it is talking to GRE.
> And an IPv6 UDP socket when it is talking to GRE6.
> 
> So the kernel could check and error out?
> 

Does seem like a kernel bug and a well known design flaw in ioctl
interface (assuming buffer of a specific size). The best iproute2 can do
is have `old_p` be a larger size (e.g., ip6_tnl_parm2) to avoid the
overrun, but then the result is nonsense with no way for it to know an ipv6
struct was passed back. The crash at least indicates something is off.
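The size mismatch the thread describes, and the larger-buffer mitigation suggested in the reply, modelled as an added example that is not code from iproute2 or the kernel. The two structs below are constructed stand-ins whose only relevant property is that the ip6gre block is bigger than the gre one (the real definitions live in linux/if_tunnel.h and linux/ip6_tunnel.h), and `simulated_get_tunnel` stands in for the SIOCGETTUNNEL handler copying back whichever block matches the tunnel type it knows about. No ioctl is issued; the copies land in a sentinel-filled scratch array so the overrun can be measured rather than crashing.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-ins for the two kernel parameter blocks named in the
 * report. They are NOT the kernel's definitions; only the size relationship
 * matters here: the ip6gre block is larger than the plain gre block. */
struct v4_tunnel_parm {
    char     name[16];
    uint32_t i_flags, o_flags, i_key, o_key;
    uint32_t saddr, daddr;            /* IPv4 addresses */
};

struct v6_tunnel_parm {
    char     name[16];
    uint32_t i_flags, o_flags, i_key, o_key;
    uint8_t  saddr[16], daddr[16];    /* IPv6 addresses */
    uint32_t flowinfo, link, proto, encap_limit;
};

/* Hardened receive buffer: sized for either layout, so a reply in the bigger
 * format can never run past the storage the caller provides. */
union tunnel_parm_buf {
    struct v4_tunnel_parm v4;
    struct v6_tunnel_parm v6;
};

/* Stand-in for the SIOCGETTUNNEL handler as the report describes it: the
 * kernel copies back the block for the tunnel type it knows about, with no
 * size parameter telling it how big the userspace buffer really is.
 * Returns the number of bytes written. */
static size_t simulated_get_tunnel(void *out, int tunnel_is_v6)
{
    if (tunnel_is_v6) {
        struct v6_tunnel_parm p;
        memset(&p, 0, sizeof p);
        strcpy(p.name, "ip6gre0");        /* constructed sample values */
        p.proto = 47;
        memcpy(out, &p, sizeof p);
        return sizeof p;
    } else {
        struct v4_tunnel_parm p;
        memset(&p, 0, sizeof p);
        strcpy(p.name, "gre0");
        memcpy(out, &p, sizeof p);
        return sizeof p;
    }
}

/* Vulnerable pattern: hand the "kernel" a v4-sized slot and watch the bytes
 * after it. Returns how many bytes were written past the slot (0 = no
 * overrun). The slot sits inside a larger scratch array so the simulation
 * itself stays in bounds; on a real stack those bytes are the canary, saved
 * registers and return address, which is what the stack-smash abort reports. */
size_t overrun_past_v4_slot(int tunnel_is_v6)
{
    unsigned char scratch[256];
    memset(scratch, 0xAA, sizeof scratch);   /* sentinel fill */
    simulated_get_tunnel(scratch, tunnel_is_v6);

    size_t clobbered = 0;
    for (size_t i = sizeof(struct v4_tunnel_parm); i < sizeof scratch; i++)
        if (scratch[i] != 0xAA)
            clobbered = i + 1 - sizeof(struct v4_tunnel_parm);
    return clobbered;
}

/* Hardened pattern from the reply: receive into a union large enough for the
 * bigger layout. Returns 1 if the reply fitted inside our own storage. */
int fits_in_union_buf(int tunnel_is_v6)
{
    union tunnel_parm_buf buf;
    size_t n = simulated_get_tunnel(&buf, tunnel_is_v6);
    return n <= sizeof buf;
}

int main(void)
{
    printf("gre reply into v4 slot:    %zu bytes past the end\n",
           overrun_past_v4_slot(0));
    printf("ip6gre reply into v4 slot: %zu bytes past the end\n",
           overrun_past_v4_slot(1));
    printf("ip6gre reply into union:   %s\n",
           fits_in_union_buf(1) ? "fits" : "overruns");
    return 0;
}
```

The union stops the memory corruption, which is all the reply claims for it: as it goes on to say, the caller still cannot tell from the bytes alone whether a v4 or v6 block came back, so the contents may be nonsense even though the stack is intact.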