Re: bpf_filter()'s bounds checks can allow out-of-bounds loads due to overflow on 32-bit platforms

Sun, 31 Aug 2014 10:10:09 -0700 

On Aug 31, 2014, at 1:40 AM, Brad Smith <b...@comstyle.com> wrote:

> You have to send any diffs as inline text.

OK:

Index: bpf_filter.c
===================================================================
RCS file: /cvs/src/sys/net/bpf_filter.c,v
retrieving revision 1.24
diff -u -r1.24 bpf_filter.c
--- bpf_filter.c        13 Feb 2011 22:41:10 -0000      1.24
+++ bpf_filter.c        31 Aug 2014 08:24:38 -0000
@@ -191,7 +191,7 @@

                case BPF_LD|BPF_W|BPF_ABS:
                        k = pc->k;
-                       if (k + sizeof(int32_t) > buflen) {
+                       if (k > buflen || sizeof(int32_t) > buflen - k) {
#ifdef _KERNEL
                                int merr;

@@ -210,7 +210,7 @@

                case BPF_LD|BPF_H|BPF_ABS:
                        k = pc->k;
-                       if (k + sizeof(int16_t) > buflen) {
+                       if (k > buflen || sizeof(int16_t) > buflen - k) {
#ifdef _KERNEL
                                int merr;

@@ -257,7 +257,7 @@

                case BPF_LD|BPF_W|BPF_IND:
                        k = X + pc->k;
-                       if (k + sizeof(int32_t) > buflen) {
+                       if (k > buflen || sizeof(int32_t) > buflen - k) {
#ifdef _KERNEL
                                int merr;

@@ -276,7 +276,7 @@

                case BPF_LD|BPF_H|BPF_IND:
                        k = X + pc->k;
-                       if (k + sizeof(int16_t) > buflen) {
+                       if (k > buflen || sizeof(int16_t) > buflen - k) {
#ifdef _KERNEL
                                int merr;

Reply via email to