Module Name: src
Committed By: alnsn
Date: Fri May 23 19:51:16 UTC 2014
Modified Files:
src/sys/net: bpfjit.c
Log Message:
Loads at offsets UINT32_MAX or greater are unreachable.
To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 src/sys/net/bpfjit.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/net/bpfjit.c
diff -u src/sys/net/bpfjit.c:1.9 src/sys/net/bpfjit.c:1.10
--- src/sys/net/bpfjit.c:1.9 Fri May 23 19:11:22 2014
+++ src/sys/net/bpfjit.c Fri May 23 19:51:16 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: bpfjit.c,v 1.9 2014/05/23 19:11:22 alnsn Exp $ */
+/* $NetBSD: bpfjit.c,v 1.10 2014/05/23 19:51:16 alnsn Exp $ */
/*-
* Copyright (c) 2011-2014 Alexander Nasonov.
@@ -31,9 +31,9 @@
#include <sys/cdefs.h>
#ifdef _KERNEL
-__KERNEL_RCSID(0, "$NetBSD: bpfjit.c,v 1.9 2014/05/23 19:11:22 alnsn Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bpfjit.c,v 1.10 2014/05/23 19:51:16 alnsn Exp $");
#else
-__RCSID("$NetBSD: bpfjit.c,v 1.9 2014/05/23 19:11:22 alnsn Exp $");
+__RCSID("$NetBSD: bpfjit.c,v 1.10 2014/05/23 19:51:16 alnsn Exp $");
#endif
#include <sys/types.h>
@@ -945,6 +945,7 @@ optimize_pass1(const struct bpf_insn *in
struct bpfjit_jump *jtf;
size_t i;
uint32_t jt, jf;
+ bpfjit_abc_length_t length;
bpfjit_init_mask_t invalid; /* borrowed from bpf_filter() */
bool unreachable;
@@ -964,6 +965,9 @@ optimize_pass1(const struct bpf_insn *in
invalid |= insn_dat[i].invalid;
+ if (read_pkt_insn(&insns[i], &length) && length > UINT32_MAX)
+ unreachable = true;
+
switch (BPF_CLASS(insns[i].code)) {
case BPF_RET:
if (BPF_RVAL(insns[i].code) == BPF_A)
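Review bot: The added test `length > UINT32_MAX` only works if `bpfjit_abc_length_t` is wider than 32 bits, and its typedef is not visible in this diff; with a 32-bit type the condition would always be false and these loads would silently stay reachable. Because this pass decides which packet loads the JIT treats as reachable, I would pin the assumption next to the typedef, e.g. `__CTASSERT(sizeof(bpfjit_abc_length_t) > sizeof(uint32_t));`. A one-line comment above the check stating what `length` holds (presumably offset plus access width) would also reconcile the `>` here with the log message's "UINT32_MAX or greater". The body of optimize_pass1 starts and ends outside the hunk.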