[src/trunk]: src/sys/net Implement error checking in m_xbyte() and check for ...

[alnsn <alnsn%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/6b85c49be54f
branches:  trunk
changeset: 330343:6b85c49be54f
user:      alnsn <alnsn%NetBSD.org@localhost>
date:      Sat Jul 05 22:06:11 2014 +0000

description:
Implement error checking in m_xbyte() and check for errors after m_xbyte() call.
Reuse (len - k) expression in m_xword() and m_xhalf() to give an optimization
hint to a compiler.

When m_xbyte() didn't exist, bpf_filter() handled out-of-bounds BPF_B loads
correctly because "return 0" inside MINDEX() was aborting filter programs.
After the change that added m_xbyte() zero values were passed to A or X
registers instead of aborting a filter program.

diffstat:

 sys/net/bpf_filter.c |  19 +++++++++++++------
 1 files changed, 13 insertions(+), 6 deletions(-)

diffs (80 lines):

diff -r 3864fbbe38b2 -r 6b85c49be54f sys/net/bpf_filter.c
--- a/sys/net/bpf_filter.c      Sat Jul 05 20:45:49 2014 +0000
+++ b/sys/net/bpf_filter.c      Sat Jul 05 22:06:11 2014 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: bpf_filter.c,v 1.65 2014/06/25 09:51:34 alnsn Exp $    */
+/*     $NetBSD: bpf_filter.c,v 1.66 2014/07/05 22:06:11 alnsn Exp $    */
 
 /*-
  * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -37,7 +37,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: bpf_filter.c,v 1.65 2014/06/25 09:51:34 alnsn Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bpf_filter.c,v 1.66 2014/07/05 22:06:11 alnsn Exp $");
 
 #if 0
 #if !(defined(lint) || defined(KERNEL))
@@ -124,12 +124,12 @@
        *err = 1;
        MINDEX(len, m, k);
        cp = mtod(m, u_char *) + k;
-       if (len >= k + 4) {
+       if (len - k >= 4) {
                *err = 0;
                return EXTRACT_LONG(cp);
        }
        m0 = m->m_next;
-       if (m0 == 0 || m0->m_len + len - k < 4)
+       if (m0 == 0 || (len - k) + m0->m_len < 4)
                return 0;
        *err = 0;
        np = mtod(m0, u_char *);
@@ -154,7 +154,7 @@
        *err = 1;
        MINDEX(len, m, k);
        cp = mtod(m, u_char *) + k;
-       if (len >= k + 2) {
+       if (len - k >= 2) {
                *err = 0;
                return EXTRACT_SHORT(cp);
        }
@@ -170,8 +170,9 @@
 {
        int len;
 
+       *err = 1;
+       MINDEX(len, m, k);
        *err = 0;
-       MINDEX(len, m, k);
        return mtod(m, u_char *)[k];
 }
 #else /* _KERNEL */
@@ -306,6 +307,8 @@
                                if (args->buflen != 0)
                                        return 0;
                                A = xbyte(args->pkt, k, &merr);
+                               if (merr != 0)
+                                       return 0;
                                continue;
 #else
                                return 0;
@@ -374,6 +377,8 @@
                                if (args->buflen != 0)
                                        return 0;
                                A = xbyte(args->pkt, k, &merr);
+                               if (merr != 0)
+                                       return 0;
                                continue;
 #else
                                return 0;
@@ -391,6 +396,8 @@
                                if (args->buflen != 0)
                                        return 0;
                                X = (xbyte(args->pkt, k, &merr) & 0xf) << 2;
+                               if (merr != 0)
+                                       return 0;
                                continue;
 #else
                                return 0;