Subject: Re: kern/32198: bpf_validate() needs to do more checks
To: None <rpaulo@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: Rui Paulo <rpaulo@fnop.net>
List: netbsd-bugs
Date: 11/30/2005 17:16:03
The following reply was made to PR kern/32198; it has been noted by GNATS.

From: Rui Paulo <rpaulo@fnop.net>
To: gnats-bugs@netbsd.org, guy@alum.mit.edu
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
	netbsd-bugs@netbsd.org
Subject: Re: kern/32198: bpf_validate() needs to do more checks
Date: Wed, 30 Nov 2005 17:16:29 +0000

 On 2005.11.30 11:42:00 +0000, guy@alum.mit.edu wrote:
 | >Description:
 | OpenBSD's bpf_validate() in sys/net/bpf_filter.c does some additional checks to catch:
 | 
 |         BPF programs with no instructions or with more than BPF_MAXINSNS instructions;
 
 This is done in bpf_setf();
 
 |         BPF_STX and BPF_LDX|BPF_MEM instructions that have out-of-range offsets (which could be made to fetch or store into arbitrary memory locations);
 | 
 |         BPF_DIV instructions with a constant 0 divisor (that's a check also done at run time).
 
 What's wrong with the current checks in bpf_validate()?
 
 
 		-- Rui Paulo