CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2026/05/08 18:37:45
Modified files:
sys/net : bpf_filter.c
Log message:
detect out of bound reads from an int overflow in the bpf_mem backends.
frank denis reported a problem in bpf_mem_ldw where a large indirect
load offset could have the end of buffer calculation land at UINT_MAX
and wrap, allowing a read of memory outside the buffer.
this change tweaks the buffer checks by checking if the load offset
is in range, taking that away from the buffer length, and then
checking if the size of the load is in the remaining buffer length.
this is the pattern that the bpf_mbuf_ops backend uses.
this problem also exists in bpf_mem_ldh, so this code is factored
out and used in all the bpf_mem_ops load backends.
note that this issue is specific to the bpf_mem_ops backend used
for running bpf filters against a vanilla memory buffer. this backend
is largely unused in the kernel, which almost always uses the
bpf_mbuf_ops backend to run filters against network packets in
mbufs. the bpf_mem_ops are only used by ppp(4) for the "active-filter"
and "pass-filter" config described in pppd(8). more generally, bpf
is only really usable by root.
in userland, bpf_filter is used by libpcap, and programs in base
that use it are wary of it anyway and avoid running it in a privileged
context. tcpdump is the most prominent example of this.
discussed with djm@ claudio@ deraadt@
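The two bounds-check patterns the log message contrasts (the wrapping end-of-buffer sum and the remaining-length check that the bpf_mbuf_ops backend already used), as an added example that is not the committed bpf_filter.c code; the function names, the sample buffer and the unsigned 32-bit offset type are assumptions.

```c
#include <stdint.h>

/*
 * Constructed example modelled on the commit message, not OpenBSD's
 * bpf_filter.c. k is the load offset, size the load width (2 for ldh,
 * 4 for ldw) and buflen the length of the memory buffer.
 */

/* Overflow-prone pattern: k + size is computed first and can wrap. */
int
bpf_mem_check_wrapping(uint32_t buflen, uint32_t k, uint32_t size)
{
	uint32_t end = k + size;	/* k = 0xfffffffe, size = 4 -> end = 2 */

	return (end <= buflen);		/* 1 means "load allowed" */
}

/* Fixed pattern: check k against the buffer, take it off the length, then
 * check the load size against what remains; no sum involving k is formed. */
int
bpf_mem_check_fixed(uint32_t buflen, uint32_t k, uint32_t size)
{
	if (k >= buflen)		/* offset itself past the end */
		return 0;
	buflen -= k;			/* bytes left after the offset */
	if (size > buflen)		/* load does not fit in the remainder */
		return 0;
	return 1;
}

/* Constructed 16-byte sample buffer. */
static const uint8_t sample_buf[16] = {
	0xde, 0xad, 0xbe, 0xef, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
};

/* Big-endian word load from sample_buf guarded by the fixed check.
 * Returns the 32-bit value, or -1 if the load was refused. */
int64_t
sample_ldw(uint32_t k)
{
	uint32_t v = 0;

	if (!bpf_mem_check_fixed(sizeof(sample_buf), k, 4))
		return -1;
	for (uint32_t i = 0; i < 4; i++)
		v = (v << 8) | sample_buf[k + i];
	return v;
}
```

The wrapping check wrongly admits an offset of 0xfffffffe into a 16-byte buffer because the end computation wraps to 2; the fixed check refuses it before any address is formed.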