Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys/net Arithmetic overflow when calculating variable offset...



details:   https://anonhg.NetBSD.org/src/rev/5efabca01fe7
branches:  trunk
changeset: 330408:5efabca01fe7
user:      alnsn <alnsn%NetBSD.org@localhost>
date:      Mon Jul 07 19:56:03 2014 +0000

description:
Arithmetic overflow when calculating variable offsets (BPF_LD+BPF_IND
instructions) should be handled uniformly for contiguous buffers and mbufs.

diffstat:

 sys/net/bpf_filter.c |  19 ++++++++-----------
 1 files changed, 8 insertions(+), 11 deletions(-)

diffs (65 lines):

diff -r 4e5099c80761 -r 5efabca01fe7 sys/net/bpf_filter.c
--- a/sys/net/bpf_filter.c      Mon Jul 07 19:41:22 2014 +0000
+++ b/sys/net/bpf_filter.c      Mon Jul 07 19:56:03 2014 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: bpf_filter.c,v 1.66 2014/07/05 22:06:11 alnsn Exp $    */
+/*     $NetBSD: bpf_filter.c,v 1.67 2014/07/07 19:56:03 alnsn Exp $    */
 
 /*-
  * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -37,7 +37,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: bpf_filter.c,v 1.66 2014/07/05 22:06:11 alnsn Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bpf_filter.c,v 1.67 2014/07/07 19:56:03 alnsn Exp $");
 
 #if 0
 #if !(defined(lint) || defined(KERNEL))
@@ -327,13 +327,12 @@
 
                case BPF_LD|BPF_W|BPF_IND:
                        k = X + pc->k;
-                       if (pc->k > args->buflen ||
-                           X > args->buflen - pc->k ||
+                       if (k < X || k >= args->buflen ||
                            sizeof(int32_t) > args->buflen - k) {
 #ifdef _KERNEL
                                int merr;
 
-                               if (args->buflen != 0)
+                               if (k < X || args->buflen != 0)
                                        return 0;
                                A = xword(args->pkt, k, &merr);
                                if (merr != 0)
@@ -348,13 +347,12 @@
 
                case BPF_LD|BPF_H|BPF_IND:
                        k = X + pc->k;
-                       if (pc->k > args->buflen ||
-                           X > args->buflen - pc->k ||
+                       if (k < X || k >= args->buflen ||
                            sizeof(int16_t) > args->buflen - k) {
 #ifdef _KERNEL
                                int merr;
 
-                               if (args->buflen != 0)
+                               if (k < X || args->buflen != 0)
                                        return 0;
                                A = xhalf(args->pkt, k, &merr);
                                if (merr != 0)
@@ -369,12 +367,11 @@
 
                case BPF_LD|BPF_B|BPF_IND:
                        k = X + pc->k;
-                       if (pc->k >= args->buflen ||
-                           X >= args->buflen - pc->k) {
+                       if (k < X || k >= args->buflen) {
 #ifdef _KERNEL
                                int merr;
 
-                               if (args->buflen != 0)
+                               if (k < X || args->buflen != 0)
                                        return 0;
                                A = xbyte(args->pkt, k, &merr);
                                if (merr != 0)



Home | Main Index | Thread Index | Old Index