NetBSD-Bugs archive
kern/37663: bpf_validate rejects valid programs that use the multiply instruction
>Number: 37663
>Category: kern
>Synopsis: bpf_validate rejects valid programs that use the multiply instruction
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Jan 02 09:55:00 +0000 2008
>Originator: Guy Harris
>Release: 4.0
>Organization:
>Environment:
NetBSD gharris-netbsd 4.0 NetBSD 4.0 (GENERIC_LAPTOP) #0: Sun Dec 16 00:27:57
PST 2007
builds@wb34:/home/builds/ab/netbsd-4-0-RELEASE/i386/200712160005Z-obj/home/builds/ab/netbsd-4-0-RELEASE/src/sys/arch/i386/compile/GENERIC_LAPTOP
i386
>Description:
bpf_validate(), in sys/net/bpf/bpf_filter.c, doesn't accept the BPF_MUL
instruction.
>How-To-Repeat:
Run tcpdump with a filter such as "tcp[0:4]*tcp[4:4] = tcp[8:4]". It shouldn't
report an EINVAL from BIOCSETF, but it does.
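To make the failure concrete without a NetBSD kernel at hand, here is an added example (not code from the report or from sys/net/bpf_filter.c): a cut-down model of the checks the report describes bpf_validate() making (forward jumps inside the program, scratch-memory indices in range, a known ALU opcode, termination on a return), with a flag that selects whether BPF_MUL is in the accepted opcode set. The opcode constants are the standard encodings from <net/bpf.h>, reproduced so the file builds on its own; the filter program is hand-written to express the idea behind the tcpdump expression above at fixed packet offsets, and is not what tcpdump's compiler actually emits.

```c
#include <stddef.h>
#include <stdint.h>

/* Opcode encodings as defined in <net/bpf.h>, reproduced so this builds alone. */
enum { BPF_LD = 0x00, BPF_LDX = 0x01, BPF_ST = 0x02, BPF_STX = 0x03,    /* classes */
       BPF_ALU = 0x04, BPF_JMP = 0x05, BPF_RET = 0x06, BPF_MISC = 0x07 };
enum { BPF_ADD = 0x00, BPF_SUB = 0x10, BPF_MUL = 0x20, BPF_DIV = 0x30,  /* ALU ops */
       BPF_OR = 0x40, BPF_AND = 0x50, BPF_LSH = 0x60, BPF_RSH = 0x70, BPF_NEG = 0x80 };
enum { BPF_JA = 0x00, BPF_JEQ = 0x10 };                                 /* jump ops */
enum { BPF_K = 0x00, BPF_X = 0x08 };                                    /* operand source */
enum { BPF_W = 0x00, BPF_ABS = 0x20, BPF_MEM = 0x60, BPF_TAX = 0x00 };  /* size, mode, misc */
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_OP(c)    ((c) & 0xf0)
#define BPF_SRC(c)   ((c) & 0x08)
#define BPF_MODE(c)  ((c) & 0xe0)
#define BPF_MAXINSNS 512
#define BPF_MEMWORDS 16

struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Model of the validator (hypothetical, not the kernel's code). accept_mul == 0
 * models a validator whose ALU switch has no BPF_MUL case, as in the report;
 * accept_mul == 1 models it with the case added. Returns 1 if accepted, 0 if not. */
int model_validate(const struct bpf_insn *f, size_t len, int accept_mul)
{
    if (len < 1 || len > BPF_MAXINSNS)
        return 0;
    for (size_t i = 0; i < len; i++) {
        const struct bpf_insn *p = &f[i];
        switch (BPF_CLASS(p->code)) {
        case BPF_LD: case BPF_LDX:
            /* only scratch-memory indices are static; packet offsets are checked at run time */
            if (BPF_MODE(p->code) == BPF_MEM && p->k >= BPF_MEMWORDS)
                return 0;
            break;
        case BPF_ST: case BPF_STX:
            if (p->k >= BPF_MEMWORDS)
                return 0;
            break;
        case BPF_ALU:
            switch (BPF_OP(p->code)) {
            case BPF_MUL:
                if (!accept_mul)
                    return 0;       /* the reported bug: a valid opcode is rejected */
                break;
            case BPF_DIV:
                /* a constant zero divisor would fault inside the kernel */
                if (BPF_SRC(p->code) == BPF_K && p->k == 0)
                    return 0;
                break;
            case BPF_ADD: case BPF_SUB: case BPF_OR: case BPF_AND:
            case BPF_LSH: case BPF_RSH: case BPF_NEG:
                break;
            default:
                return 0;           /* unknown ALU operation */
            }
            break;
        case BPF_JMP:
            /* every jump must land forward and inside the program */
            if (BPF_OP(p->code) == BPF_JA) {
                if (i + 1 + (size_t)p->k >= len)
                    return 0;
            } else if (i + 1 + p->jt >= len || i + 1 + p->jf >= len) {
                return 0;
            }
            break;
        case BPF_RET: case BPF_MISC:
            break;
        default:
            return 0;
        }
    }
    /* the program must end on a return */
    return BPF_CLASS(f[len - 1].code) == BPF_RET;
}

/* Constructed program (not tcpdump's output): A = P[0:4] * P[4:4]; accept the
 * packet if that product equals P[8:4], reject it otherwise. */
static const struct bpf_insn mul_prog[] = {
    { BPF_LD  | BPF_W | BPF_ABS, 0, 0, 0 },     /* A = P[0:4]            */
    { BPF_MISC | BPF_TAX,        0, 0, 0 },     /* X = A                 */
    { BPF_LD  | BPF_W | BPF_ABS, 0, 0, 4 },     /* A = P[4:4]            */
    { BPF_ALU | BPF_MUL | BPF_X, 0, 0, 0 },     /* A = A * X             */
    { BPF_ST,                    0, 0, 0 },     /* M[0] = A              */
    { BPF_LD  | BPF_W | BPF_ABS, 0, 0, 8 },     /* A = P[8:4]            */
    { BPF_LDX | BPF_W | BPF_MEM, 0, 0, 0 },     /* X = M[0]              */
    { BPF_JMP | BPF_JEQ | BPF_X, 0, 1, 0 },     /* A == X ? next : skip 1 */
    { BPF_RET | BPF_K,           0, 0, 65535 }, /* accept                */
    { BPF_RET | BPF_K,           0, 0, 0 },     /* reject                */
};

/* 0 with the pre-fix opcode table, 1 once BPF_MUL is accepted. */
int mul_program_accepted(int accept_mul)
{
    return model_validate(mul_prog, sizeof mul_prog / sizeof mul_prog[0], accept_mul);
}
```

Every instruction in mul_prog satisfies the other constraints (both jump targets fall inside the program, the scratch index is below BPF_MEMWORDS, the program ends on a return), so the only reason the model rejects it is the missing BPF_MUL case, which is the EINVAL the report sees from BIOCSETF.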
>Fix:
This patch also cleans up some comments.
*** /tmp/bpf_filter.c Tue Jan 1 14:45:19 2008
--- bpf_filter.c Tue Jan 1 14:46:48 2008
***************
*** 453,461 ****
/*
* Return true if the 'fcode' is a valid filter program.
* The constraints are that each jump be forward and to a valid
! * code. The code must terminate with either an accept or reject.
! * 'valid' is an array for use by the routine (it must be at least
! * 'len' bytes long).
*
* The kernel needs to be able to verify an application's filter code.
* Otherwise, a bogus program could easily crash the system.
--- 453,462 ----
/*
* Return true if the 'fcode' is a valid filter program.
* The constraints are that each jump be forward and to a valid
! * code, that memory accesses are within valid ranges (to the
! * extent that this can be checked statically; loads of packet
! * data have to be, and are, also checked at run time), and that
! * the code terminates with either an accept or reject.
*
* The kernel needs to be able to verify an application's filter code.
* Otherwise, a bogus program could easily crash the system.
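Review bot: the new comment's claim that memory accesses are range-checked (statically where possible, with packet loads also checked at run time) is not backed by any code in this patch; it belongs in the header comment only if the existing body of bpf_validate already bounds-checks the `k` index of BPF_ST/BPF_STX and BPF_MEM loads against the scratch memory size. Dropping the sentence about the `valid` array is right, since the following hunk shows the function's locals are just `i`, `from` and `p`, so no such array is passed in.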
***************
*** 466,472 ****
u_int i, from;
struct bpf_insn *p;
-
if (len < 1 || len > BPF_MAXINSNS)
return 0;
--- 467,472 ----
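Review bot: this hunk only deletes the blank line between the local declarations and the `len` range check; it is unrelated to the BPF_MUL fix, and leaving cosmetic whitespace changes out of a bug-fix patch keeps it easier to review and to pull up to a release branch.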
***************
*** 502,507 ****
--- 502,508 ----
switch (BPF_OP(p->code)) {
case BPF_ADD:
case BPF_SUB:
+ case BPF_MUL:
case BPF_OR:
case BPF_AND:
case BPF_LSH:
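Review bot: adding `case BPF_MUL:` to the accepted ALU opcodes is the actual fix, and grouping it with ADD/SUB/OR/AND/LSH is safe: unlike BPF_DIV, a multiply cannot trap on a zero operand, so it needs no extra operand check. Before committing, confirm that the interpreter in the same file already implements BPF_ALU|BPF_MUL for both the BPF_K and BPF_X forms, since the validator must not accept an opcode the run-time loop treats as unknown. The context stops at BPF_LSH, so the remaining cases of the switch (BPF_RSH and the BPF_DIV zero-divisor check) are not visible here.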