Source-Changes-HG archive
[src/trunk]: src/sys/net It's not enough to check that a class of the last in...
details: https://anonhg.NetBSD.org/src/rev/50abc2ad590f
branches: trunk
changeset: 336083:50abc2ad590f
user: alnsn <alnsn%NetBSD.org@localhost>
date: Wed Feb 11 12:03:30 2015 +0000
description:
It's not enough to check that a class of the last instruction is BPF_RET.
The opcodes in bpf_validate() must match opcodes understood by bpf_filter().
Found by afl-fuzz http://lcamtuf.coredump.cx/afl/.
diffstat:
sys/net/bpf_filter.c | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)
diffs (30 lines):
diff -r 97a6af6d7fa3 -r 50abc2ad590f sys/net/bpf_filter.c
--- a/sys/net/bpf_filter.c Wed Feb 11 07:51:10 2015 +0000
+++ b/sys/net/bpf_filter.c Wed Feb 11 12:03:30 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: bpf_filter.c,v 1.68 2014/11/19 19:35:21 christos Exp $ */
+/* $NetBSD: bpf_filter.c,v 1.69 2015/02/11 12:03:30 alnsn Exp $ */
/*-
* Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -37,7 +37,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: bpf_filter.c,v 1.68 2014/11/19 19:35:21 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bpf_filter.c,v 1.69 2015/02/11 12:03:30 alnsn Exp $");
#if 0
#if !(defined(lint) || defined(KERNEL))
@@ -628,8 +628,10 @@
if (len > BPF_MAXINSNS)
return 0;
#endif
- if (BPF_CLASS(f[len - 1].code) != BPF_RET)
+ if (f[len - 1].code != BPF_RET|BPF_K &&
+ f[len - 1].code != BPF_RET|BPF_A) {
return 0;
+ }
#if defined(KERNEL) || defined(_KERNEL)
/* Note: only the pre-initialised is valid on startup */
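Review bot: In the two added comparisons on f[len - 1].code, != binds tighter than |, so each one parses as (f[len - 1].code != BPF_RET) | BPF_K (and likewise with BPF_A) rather than as a comparison against the combined opcode. BPF_K is zero and BPF_A is a nonzero flag, so the second operand of && is always true and the whole test reduces to f[len - 1].code != BPF_RET, which rejects a filter whose last instruction is BPF_RET|BPF_A. Parenthesize the opcodes: f[len - 1].code != (BPF_RET|BPF_K) && f[len - 1].code != (BPF_RET|BPF_A). A compiler warning for mixing comparison and bitwise operators would have flagged this, so it is worth checking that the file builds with that warning enabled.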