AdamWu DD-WRT Novice
Joined: 07 Mar 2011 Posts: 26
Posted: Mon Mar 24, 2014 5:23 Post subject: Bug report: etherip module tunnel
I came across this bug when I was trying to "borrow" some code in the etherip module for vyatta.
In the latest SVN, linux-3.14/net/ipv4/etherip.c
line 409:
if (dev == etherip_tunnel_dev) {
should be moved to before line 403.
The logic is quite subtle -- there are two kinds of removal operations: remove by device name, or remove by destination IP.
For the former, the ioctl is sent directly to the corresponding device, so line 415 will directly get the reference to the data structure for removal.
For the latter, the ioctl is sent to the "root" pseudo tunnel device, with the destination IP in the parameter fields. Then lines 403-406 should copy the parameter from user space, and 410-413 find the reference to the data structure for removal.
In the current code, line 409 comes too late, so the copy of the parameter from user space is performed regardless. And this will trigger an EFAULT error for an application that sends the first kind of removal request.
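Added example, not part of the original post and not the etherip.c source: a simplified user-space model in C of the two removal paths described above, comparing the reported ordering (copy the parameter first) with the proposed one (test for the root device first). All names are hypothetical, and it assumes a by-name request carries no valid parameter pointer, modelled as NULL.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Simplified user-space model; every name here is hypothetical, not from etherip.c. */
struct tunnel_parm { unsigned int daddr; };
struct tunnel { unsigned int daddr; };

static struct tunnel root_dev;   /* the "root" pseudo tunnel device */
static struct tunnel tunnels[2] = { { 0x0a000001 }, { 0x0a000002 } };  /* constructed */

/* Stand-in for copy_from_user(): the assumption is that a by-name request
 * carries no valid parameter pointer, modelled here as NULL. */
static int model_copy_from_user(void *dst, const void *usr, size_t n)
{
    if (usr == NULL)
        return -1;
    memcpy(dst, usr, n);
    return 0;
}

static struct tunnel *find_by_daddr(unsigned int daddr)
{
    for (size_t i = 0; i < sizeof(tunnels) / sizeof(tunnels[0]); i++)
        if (tunnels[i].daddr == daddr)
            return &tunnels[i];
    return NULL;
}

/* check_first == 0: copy the parameter before testing for the root device
 * (the ordering the post reports). check_first == 1: the proposed ordering. */
int resolve_delete(int check_first, struct tunnel *dev, const void *ifr_data,
                   struct tunnel **victim)
{
    struct tunnel_parm p = { 0 };

    if (check_first && dev != &root_dev) {
        *victim = dev;              /* by name: no user copy needed */
        return 0;
    }
    if (model_copy_from_user(&p, ifr_data, sizeof(p)))
        return -EFAULT;             /* by name + copy first ends up here */
    if (dev == &root_dev) {         /* by destination IP */
        *victim = find_by_daddr(p.daddr);
        return *victim ? 0 : -ENOENT;
    }
    *victim = dev;
    return 0;
}
```

With check_first set, a missing parameter still yields EFAULT on the root device path, where the parameter is actually required.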