On Thu, Jul 20, 2017 at 4:06 PM, Cong Wang <xiyou.wangc...@gmail.com> wrote: > IPv6 tunnels use sizeof(struct in6_addr) as dev->addr_len, > but in many places especially bonding, we use struct sockaddr > to copy and set mac addr, this could lead to stack out-of-bounds > access. > > Fix it by using a larger address storage like bonding. > > Reported-by: Andrey Konovalov <andreyk...@google.com> > Cc: Jiri Pirko <j...@resnulli.us> > Signed-off-by: Cong Wang <xiyou.wangc...@gmail.com>
For DaveM: This patch depends on my previous patch "net: check mac address length for dev_set_mac_address()", otherwise dev_set_mac_address() doesn't accept struct sockaddr_storage. I can add a cast there if you feel this is easier for backport, but I think we need to backport both. Sorry for any confusion.
