Module Name:    src
Committed By:   christos
Date:           Thu Dec 29 20:50:06 UTC 2011

Modified Files:
        src/sys/net: bpf_filter.c

Log Message:
PR/45751: Alexander Nasonov: No overflow check in BPF_LD|BPF_ABS


To generate a diff of this commit:
cvs rdiff -u -r1.48 -r1.49 src/sys/net/bpf_filter.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/bpf_filter.c
diff -u src/sys/net/bpf_filter.c:1.48 src/sys/net/bpf_filter.c:1.49
--- src/sys/net/bpf_filter.c:1.48	Thu Jul 14 08:44:10 2011
+++ src/sys/net/bpf_filter.c	Thu Dec 29 15:50:06 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: bpf_filter.c,v 1.48 2011/07/14 12:44:10 drochner Exp $	*/
+/*	$NetBSD: bpf_filter.c,v 1.49 2011/12/29 20:50:06 christos Exp $	*/
 
 /*-
  * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -37,7 +37,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: bpf_filter.c,v 1.48 2011/07/14 12:44:10 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bpf_filter.c,v 1.49 2011/12/29 20:50:06 christos Exp $");
 
 #if 0
 #if !(defined(lint) || defined(KERNEL))
@@ -168,7 +168,7 @@ bpf_filter(const struct bpf_insn *pc, co
 
 		case BPF_LD|BPF_W|BPF_ABS:
 			k = pc->k;
-			if (k + sizeof(int32_t) > buflen) {
+			if (k > buflen || sizeof(int32_t) > buflen - k) {
 #ifdef _KERNEL
 				int merr = 0;	/* XXX: GCC */
 
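Review bot: The rewritten bound in the BPF_LD|BPF_W|BPF_ABS case carries no comment explaining why it is phrased as a subtraction, so a later cleanup could fold it back into the wrapping `k + sizeof(int32_t) > buflen` form. A one-line comment above the `if`, such as `/* compare against buflen - k: k + size can wrap for large k */`, would keep the intent visible. It is also worth stating that the `k > buflen` clause is what makes `buflen - k` safe to evaluate, assuming k and buflen are both unsigned as the old check suggests. The same comment applies to the BPF_LD|BPF_H|BPF_ABS hunk, and the body of this branch continues outside the hunk.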
@@ -187,7 +187,7 @@ bpf_filter(const struct bpf_insn *pc, co
 
 		case BPF_LD|BPF_H|BPF_ABS:
 			k = pc->k;
-			if (k + sizeof(int16_t) > buflen) {
+			if (k > buflen || sizeof(int16_t) > buflen - k) {
 #ifdef _KERNEL
 				int merr;
 
@@ -234,7 +234,8 @@ bpf_filter(const struct bpf_insn *pc, co
 
 		case BPF_LD|BPF_W|BPF_IND:
 			k = X + pc->k;
-			if (k + sizeof(int32_t) > buflen) {
+			if (pc->k > buflen || X > buflen - pc->k ||
+			    sizeof(int32_t) > buflen - k) {
 #ifdef _KERNEL
 				int merr = 0;	/* XXX: GCC */
 
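Review bot: `k = X + pc->k` is still computed before the new test in the BPF_LD|BPF_W|BPF_IND case, so when the sum wraps the branch is entered with k holding the truncated offset. The `_KERNEL` code inside this branch is outside the hunk; if it goes on to fetch from the mbuf chain using k, a wrapped offset would be treated as a small valid one rather than rejected, which is worth confirming. If so, rejecting the wrap right after the addition, e.g. `if (k < X) return 0;` (assuming X and pc->k are unsigned and of the same width), would close that path. The BPF_LD|BPF_H|BPF_IND hunk has the same shape.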
@@ -253,7 +254,8 @@ bpf_filter(const struct bpf_insn *pc, co
 
 		case BPF_LD|BPF_H|BPF_IND:
 			k = X + pc->k;
-			if (k + sizeof(int16_t) > buflen) {
+			if (pc->k > buflen || X > buflen - pc->k ||
+			    sizeof(int16_t) > buflen - k) {
 #ifdef _KERNEL
 				int merr = 0;	/* XXX: GCC */
 
