erspan: fix the tun_info options_len check for erspan

[ Upstream commit 2eb8d6d2910cfe3dc67dc056f26f3dd9c63d47cd ]

The check for !md doens't really work for ip_tunnel_info_opts(info) which
only does info + 1. Also to avoid out-of-bounds access on info, it should
ensure options_len is not less than erspan_metadata in both erspan_xmit()
and ip6erspan_tunnel_xmit().

Fixes: 1a66a836da ("gre: add collect_md mode to ERSPAN tunnel")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 347be2ea78d4a4c9facecb084aeddaccff49612c..71ff2531d973cca123f0c728adc05c1bc5167312 100644 (file)
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -592,6 +592,9 @@ static void erspan_fb_xmit(struct sk_buff *skb, struct net_device *dev,
                truncate = true;
        }
 
+       if (tun_info->options_len < sizeof(*md))
+               goto err_free_rt;
+
        md = ip_tunnel_info_opts(tun_info);
        if (!md)
                goto err_free_rt;