Module Name:    src
Committed By:   alnsn
Date:           Mon Jul  7 19:56:03 UTC 2014

Modified Files:
        src/sys/net: bpf_filter.c

Log Message:
Arithmetic overflow when calculating variable offsets (BPF_LD+BPF_IND
instructions) should be handled uniformly for contiguous buffers and mbufs.


To generate a diff of this commit:
cvs rdiff -u -r1.66 -r1.67 src/sys/net/bpf_filter.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/bpf_filter.c
diff -u src/sys/net/bpf_filter.c:1.66 src/sys/net/bpf_filter.c:1.67
--- src/sys/net/bpf_filter.c:1.66	Sat Jul  5 22:06:11 2014
+++ src/sys/net/bpf_filter.c	Mon Jul  7 19:56:03 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: bpf_filter.c,v 1.66 2014/07/05 22:06:11 alnsn Exp $	*/
+/*	$NetBSD: bpf_filter.c,v 1.67 2014/07/07 19:56:03 alnsn Exp $	*/
 
 /*-
  * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -37,7 +37,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: bpf_filter.c,v 1.66 2014/07/05 22:06:11 alnsn Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bpf_filter.c,v 1.67 2014/07/07 19:56:03 alnsn Exp $");
 
 #if 0
 #if !(defined(lint) || defined(KERNEL))
@@ -327,13 +327,12 @@ bpf_filter(const struct bpf_insn *pc, co
 
 		case BPF_LD|BPF_W|BPF_IND:
 			k = X + pc->k;
-			if (pc->k > args->buflen ||
-			    X > args->buflen - pc->k ||
+			if (k < X || k >= args->buflen ||
 			    sizeof(int32_t) > args->buflen - k) {
 #ifdef _KERNEL
 				int merr;
 
-				if (args->buflen != 0)
+				if (k < X || args->buflen != 0)
 					return 0;
 				A = xword(args->pkt, k, &merr);
 				if (merr != 0)
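Review bot: The wraparound test `k < X` is written twice in this case, once in the outer condition and again inside the `#ifdef _KERNEL` branch, and neither place says that it detects `X + pc->k` overflowing. A one-line comment above the outer `if`, such as `/* k < X means X + pc->k wrapped; reject for flat buffers and mbufs alike */`, would keep a later cleanup from dropping the inner copy, which is the one that stops a wrapped offset from reaching `xword()` when `args->buflen` is 0. Alternatively, a single `if (k < X) return 0;` placed right after `k = X + pc->k;` would state the rule once, assuming the non-kernel path outside this hunk also returns 0. The test relies on `k` and `X` being unsigned and of the same width; their declarations are outside the hunk, so that is worth confirming. The same applies to the BPF_H and BPF_B cases in the next two hunks, and the case body continues past the end of this hunk.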
@@ -348,13 +347,12 @@ bpf_filter(const struct bpf_insn *pc, co
 
 		case BPF_LD|BPF_H|BPF_IND:
 			k = X + pc->k;
-			if (pc->k > args->buflen ||
-			    X > args->buflen - pc->k ||
+			if (k < X || k >= args->buflen ||
 			    sizeof(int16_t) > args->buflen - k) {
 #ifdef _KERNEL
 				int merr;
 
-				if (args->buflen != 0)
+				if (k < X || args->buflen != 0)
 					return 0;
 				A = xhalf(args->pkt, k, &merr);
 				if (merr != 0)
@@ -369,12 +367,11 @@ bpf_filter(const struct bpf_insn *pc, co
 
 		case BPF_LD|BPF_B|BPF_IND:
 			k = X + pc->k;
-			if (pc->k >= args->buflen ||
-			    X >= args->buflen - pc->k) {
+			if (k < X || k >= args->buflen) {
 #ifdef _KERNEL
 				int merr;
 
-				if (args->buflen != 0)
+				if (k < X || args->buflen != 0)
 					return 0;
 				A = xbyte(args->pkt, k, &merr);
 				if (merr != 0)
