On 4/3/23 9:24 AM, Stephen Hemminger wrote:
> ted
>>
>> This happens because iproute2 just assumes the tunnel is ipv4, but the
>> kernel "knows" it's actually ip6gre so when calling the SIOCGETTUNNEL
>> ioctl it writes back a struct ip6_tnl_parm2 into the struct
>> ip_tunnel_parm which is smaller, so the stack gets overwritten. Is
>> there any way to tell from userspace whether a gre is v4 or v6 before
>> doing an ioctl? The ioctls don't take/return a size parameter as far
>> as I can see...
>
> Ip uses an IPv4 UDP socket when it thinks it is talking to GRE.
> And an IPv6 UDP socket when it is talking to GRE6.
>
> So the kernel could check and error out?
>
Does seem like a kernel bug and a well known design flaw in the ioctl interface (assuming a buffer of a specific size). The best iproute2 can do is have `old_p` be a larger size (e.g., ip6_tnl_parm2) to avoid the overrun, but then the result is nonsense with no way for it to know an ipv6 struct was passed back. The crash at least indicates something is off.
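The size mismatch the thread describes, modelled as an added example that is not code from the thread, iproute2 or the kernel. The two structs are simplified, constructed stand-ins for `struct ip_tunnel_parm` and `struct ip6_tnl_parm2` (their real layouts are not reproduced), and `sim_kernel_gettunnel()` is a stand-in for the SIOCGETTUNNEL write-back: like the real ioctl it receives only a pointer and no size, so it copies whichever struct matches the tunnel type. The userspace side applies the "larger `old_p`" mitigation from the reply above (a union sized for either struct) and adds a sentinel-fill check, which is this example's own heuristic: if bytes past the IPv4 struct's end were touched, the larger struct was written.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the IPv4 GRE parameter block (the small one). */
struct ip_tunnel_parm_sim {
    char     name[16];
    int      link;
    uint16_t i_flags, o_flags;
    uint32_t i_key, o_key;
    uint32_t saddr, daddr;          /* IPv4 addresses */
    uint8_t  ttl, tos;
};

/* Constructed stand-in for the IPv6 GRE parameter block (the larger one). */
struct ip6_tnl_parm2_sim {
    char     name[16];
    int      link;
    uint8_t  proto, encap_limit, hop_limit;
    uint32_t flowinfo, flags;
    uint8_t  laddr[16], raddr[16];  /* IPv6 addresses */
    uint16_t i_flags, o_flags;
    uint32_t i_key, o_key;
};

/* Simulated kernel side of SIOCGETTUNNEL: only a pointer comes in, no size,
 * so the copy is bounded by the tunnel type the kernel knows, not by the
 * buffer userspace actually allocated. */
static void sim_kernel_gettunnel(void *arg, int tunnel_is_v6)
{
    if (tunnel_is_v6) {
        struct ip6_tnl_parm2_sim p6;
        memset(&p6, 0, sizeof p6);
        strcpy(p6.name, "ip6gre0");
        p6.laddr[0] = 0xfd;         /* constructed sample addresses */
        p6.raddr[0] = 0xfd;
        memcpy(arg, &p6, sizeof p6);
    } else {
        struct ip_tunnel_parm_sim p4;
        memset(&p4, 0, sizeof p4);
        strcpy(p4.name, "gre0");
        p4.saddr = 0x0a000001;      /* constructed: 10.0.0.1 */
        memcpy(arg, &p4, sizeof p4);
    }
}

enum tunnel_kind { TUNNEL_V4 = 4, TUNNEL_V6 = 6 };

/* The mitigation from the reply: a buffer large enough for either struct,
 * so a v6 write-back lands inside the object instead of on the stack. */
union tunnel_parm_any {
    struct ip_tunnel_parm_sim v4;
    struct ip6_tnl_parm2_sim  v6;
};

#define SENTINEL 0xA5

/* Heuristic (this example's assumption, not a kernel guarantee): fill the
 * oversized buffer with a sentinel before the call; any byte beyond
 * sizeof(v4) that changed means the larger struct was written back.
 * A v6 struct whose tail happened to be all 0xA5 would be misclassified. */
static enum tunnel_kind query_tunnel(int tunnel_is_v6, union tunnel_parm_any *out)
{
    const unsigned char *raw = (const unsigned char *)out;
    size_t i;

    memset(out, SENTINEL, sizeof *out);
    sim_kernel_gettunnel(out, tunnel_is_v6);

    for (i = sizeof out->v4; i < sizeof *out; i++)
        if (raw[i] != SENTINEL)
            return TUNNEL_V6;
    return TUNNEL_V4;
}

/* How many bytes a v6 write-back overruns a buffer sized only for v4. */
static size_t overrun_bytes(void)
{
    return sizeof(struct ip6_tnl_parm2_sim) - sizeof(struct ip_tunnel_parm_sim);
}

int main(void)
{
    union tunnel_parm_any p;

    printf("v6 write-back exceeds the v4 struct by %zu bytes\n", overrun_bytes());
    printf("gre0    -> v%d\n", query_tunnel(0, &p));
    printf("ip6gre0 -> v%d\n", query_tunnel(1, &p));
    return 0;
}
```

The union only absorbs the overrun; as the reply notes, the v4 view of the buffer is still meaningless after a v6 write-back, which is why the example classifies the result instead of interpreting it. The sentinel check is a userspace guess about what the kernel did, not a substitute for the kernel validating the tunnel type before it copies.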