Source-Changes-D archive
Re: CVS commit: src/sys/net
Christos Zoulas wrote:
> Module Name: src
> Committed By: christos
> Date: Thu Dec 29 20:50:06 UTC 2011
>
> Modified Files:
> src/sys/net: bpf_filter.c
>
> Log Message:
> PR/45751: Alexander Nasonov: No overflow check in BPF_LD|BPF_ABS
>
>
> To generate a diff of this commit:
> cvs rdiff -u -r1.48 -r1.49 src/sys/net/bpf_filter.c
...
> @@ -253,7 +254,8 @@ bpf_filter(const struct bpf_insn *pc, co
>
> case BPF_LD|BPF_H|BPF_IND:
> k = X + pc->k;
> - if (k + sizeof(int16_t) > buflen) {
> + if (pc->k > buflen || X > buflen - pc->k ||
> + sizeof(int16_t) > buflen - k) {
> #ifdef _KERNEL
> int merr = 0; /* XXX: GCC */
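Review bot: the three-term condition `pc->k > buflen || X > buflen - pc->k || sizeof(int16_t) > buflen - k` is correct, but why it has to be written this way is not obvious from the code and deserves a comment: the first two terms establish that `k = X + pc->k` did not wrap and that `k <= buflen`, which is what makes `buflen - k` in the third term safe, whereas the removed `k + sizeof(int16_t) > buflen` form can wrap to a small value and pass. It is also stricter than the BPF_ABS form `if (k > buflen || sizeof(int16_t) > buflen - k)`: any `pc->k` larger than `buflen` is now rejected outright, so a large `pc->k` used as a negative offset relative to `X` is refused even when the resulting `k` is in range; the log message should state whether that narrowing is intended.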
Not sure FreeBSD got BPF_IND case right. They basically disabled using
big positive values of pc->k for small negative values. They could just
copy code from BPF_ABS case:
> + if (k > buflen || sizeof(int16_t) > buflen - k) {
but they didn't. Can we assume that loads with negative offsets relative
to X (e.g. P[X-1:4]) are not allowed by bpf?
Alex
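To make the two points in this thread concrete, here is an added example (not code from the commit or from NetBSD) that models the old and new bounds checks in plain uint32_t arithmetic, which is the width of `u_int32_t k` and `u_int buflen` in bpf_filter() and of size_t on a 32-bit kernel, so the wraparound the commit fixes is visible on any host. The function names, the 64-byte buffer length and the sample offsets are constructed for the demonstration; the checks themselves follow the lines quoted above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Ground truth, computed without any wraparound: does a `width`-byte read
 * starting at `start` lie inside a buffer of `buflen` bytes? */
static bool read_in_bounds(uint64_t start, uint32_t width, uint32_t buflen)
{
    return start + width <= buflen;
}

/* Pre-commit style check for BPF_LD|BPF_ABS: the sum may wrap to a small
 * value and let an out-of-bounds offset through. */
static bool abs_ok_old(uint32_t k, uint32_t buflen, uint32_t width)
{
    uint32_t end = k + width;          /* wraps when k is near UINT32_MAX */
    return !(end > buflen);
}

/* Committed BPF_ABS form: k <= buflen is established first, so buflen - k
 * cannot underflow and the width test is exact. */
static bool abs_ok_new(uint32_t k, uint32_t buflen, uint32_t width)
{
    return !(k > buflen || width > buflen - k);
}

/* Pre-commit style check for BPF_LD|BPF_IND (k = X + pc->k, then the same
 * wrapping end test). */
static bool ind_ok_old(uint32_t X, uint32_t pk, uint32_t buflen, uint32_t width)
{
    uint32_t k = X + pk;               /* may wrap before the check runs */
    return !(k + width > buflen);
}

/* Committed BPF_IND form from the quoted hunk: the first two terms rule out
 * a wrapped k, the third checks the width against the remaining bytes. */
static bool ind_ok_new(uint32_t X, uint32_t pk, uint32_t buflen, uint32_t width)
{
    uint32_t k = X + pk;
    return !(pk > buflen || X > buflen - pk || width > buflen - k);
}

int main(void)
{
    const uint32_t buflen = 64, width = 2;    /* constructed: BPF_H load, 64-byte packet */

    /* 1. Absolute load at offset 0xFFFFFFFF: the old check wraps and accepts
     *    a read far past the buffer; the new check rejects it. */
    uint32_t k = 0xFFFFFFFFu;
    printf("ABS k=%#x  in_bounds=%d old=%d new=%d\n", k,
           read_in_bounds(k, width, buflen), abs_ok_old(k, buflen, width),
           abs_ok_new(k, buflen, width));

    /* 2. Indirect load with X and pc->k both huge: k wraps to 0xFFFFFFFE,
     *    k + width wraps to 0, and the old check accepts an out-of-bounds read. */
    printf("IND X=%#x k=%#x old=%d new=%d\n", 0xFFFFFFFFu, 0xFFFFFFFFu,
           ind_ok_old(0xFFFFFFFFu, 0xFFFFFFFFu, buflen, width),
           ind_ok_new(0xFFFFFFFFu, 0xFFFFFFFFu, buflen, width));

    /* 3. The case Alex asks about: pc->k = 0xFFFFFFFF as "X - 1".  The resulting
     *    k = 0x2F is inside the buffer, the BPF_ABS-style test on k alone would
     *    accept it, but the committed BPF_IND test rejects it because pc->k > buflen. */
    uint32_t X = 0x30, pk = 0xFFFFFFFFu;
    printf("IND X=%#x pc->k=%#x -> k=%#x in_bounds=%d abs_style=%d ind_new=%d\n",
           X, pk, X + pk, read_in_bounds(X + pk, width, buflen),
           abs_ok_new(X + pk, buflen, width), ind_ok_new(X, pk, buflen, width));
    return 0;
}
```

Case 3 is the behavioural difference the reply points at: both committed forms are wrap-safe, but only the BPF_ABS form decides on the final offset, while the BPF_IND form also bounds each addend, which is what refuses negative offsets relative to X.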