netbsd-bugs: Re: kern/32198: bpf_validate() needs to do more checks

Subject: Re: kern/32198: bpf_validate() needs to do more checks
To: None <gnats-bugs@netbsd.org, guy@alum.mit.edu>
From: Rui Paulo <rpaulo@fnop.net>
List: netbsd-bugs
Date: 11/30/2005 17:16:29

On 2005.11.30 11:42:00 +0000, guy@alum.mit.edu wrote:
| >Description:
| OpenBSD's bpf_validate() in sys/net/bpf_filter.c does some additional checks to catch:
| 
|         BPF programs with no instructions or with more than BPF_MAXINSNS instructions;

This is done in bpf_setf();

|         BPF_STX and BPF_LDX|BPF_MEM instructions that have out-of-range offsets (which could be made to fetch or store into arbitrary memory locations);
| 
|         BPF_DIV instructions with a constant 0 divisor (that's a check also done at run time).

What's wrong with the current checks in bpf_validate() ?


		-- Rui Paulo