[src/trunk]: src/sys/net Don't emit wrapped-around reads. They're dead code b...

[alnsn <alnsn%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/ceeffdb73de1
branches:  trunk
changeset: 336111:ceeffdb73de1
user:      alnsn <alnsn%NetBSD.org@localhost>
date:      Fri Feb 13 15:59:17 2015 +0000

description:
Don't emit wrapped-around reads. They're dead code but dead code elimination
logic isn't smart enough to figure it out.

Found by afl fuzzer http://lcamtuf.coredump.cx/afl/.

diffstat:

 sys/net/bpfjit.c |  39 +++++++++++++++++++++++----------------
 1 files changed, 23 insertions(+), 16 deletions(-)

diffs (63 lines):

diff -r df3092317465 -r ceeffdb73de1 sys/net/bpfjit.c
--- a/sys/net/bpfjit.c  Fri Feb 13 15:52:29 2015 +0000
+++ b/sys/net/bpfjit.c  Fri Feb 13 15:59:17 2015 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: bpfjit.c,v 1.39 2015/02/12 23:09:55 alnsn Exp $        */
+/*     $NetBSD: bpfjit.c,v 1.40 2015/02/13 15:59:17 alnsn Exp $        */
 
 /*-
  * Copyright (c) 2011-2014 Alexander Nasonov.
@@ -31,9 +31,9 @@
 
 #include <sys/cdefs.h>
 #ifdef _KERNEL
-__KERNEL_RCSID(0, "$NetBSD: bpfjit.c,v 1.39 2015/02/12 23:09:55 alnsn Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bpfjit.c,v 1.40 2015/02/13 15:59:17 alnsn Exp $");
 #else
-__RCSID("$NetBSD: bpfjit.c,v 1.39 2015/02/12 23:09:55 alnsn Exp $");
+__RCSID("$NetBSD: bpfjit.c,v 1.40 2015/02/13 15:59:17 alnsn Exp $");
 #endif
 
 #include <sys/types.h>
@@ -868,21 +868,28 @@
                        return SLJIT_ERR_ALLOC_FAILED;
        }
 
-       switch (width) {
-       case 4:
-               status = emit_read32(compiler, ld_reg, k);
-               break;
-       case 2:
-               status = emit_read16(compiler, ld_reg, k);
-               break;
-       case 1:
-               status = emit_read8(compiler, ld_reg, k);
-               break;
+       /*
+        * Don't emit wrapped-around reads. They're dead code but
+        * dead code elimination logic isn't smart enough to figure
+        * it out.
+        */
+       if (k <= UINT32_MAX - width + 1) {
+               switch (width) {
+               case 4:
+                       status = emit_read32(compiler, ld_reg, k);
+                       break;
+               case 2:
+                       status = emit_read16(compiler, ld_reg, k);
+                       break;
+               case 1:
+                       status = emit_read8(compiler, ld_reg, k);
+                       break;
+               }
+
+               if (status != SLJIT_SUCCESS)
+                       return status;
        }
 
-       if (status != SLJIT_SUCCESS)
-               return status;
-
 #ifdef _KERNEL
        over_mchain_jump = sljit_emit_jump(compiler, SLJIT_JUMP);
        if (over_mchain_jump == NULL)