Module Name: src
Committed By: alnsn
Date: Fri Feb 13 15:59:17 UTC 2015
Modified Files:
src/sys/net: bpfjit.c
Log Message:
Don't emit wrapped-around reads. They're dead code but dead code elimination
logic isn't smart enough to figure it out.
Found by afl fuzzer http://lcamtuf.coredump.cx/afl/.
To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.40 src/sys/net/bpfjit.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/net/bpfjit.c
diff -u src/sys/net/bpfjit.c:1.39 src/sys/net/bpfjit.c:1.40
--- src/sys/net/bpfjit.c:1.39 Thu Feb 12 23:09:55 2015
+++ src/sys/net/bpfjit.c Fri Feb 13 15:59:17 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: bpfjit.c,v 1.39 2015/02/12 23:09:55 alnsn Exp $ */
+/* $NetBSD: bpfjit.c,v 1.40 2015/02/13 15:59:17 alnsn Exp $ */
/*-
* Copyright (c) 2011-2014 Alexander Nasonov.
@@ -31,9 +31,9 @@
#include <sys/cdefs.h>
#ifdef _KERNEL
-__KERNEL_RCSID(0, "$NetBSD: bpfjit.c,v 1.39 2015/02/12 23:09:55 alnsn Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bpfjit.c,v 1.40 2015/02/13 15:59:17 alnsn Exp $");
#else
-__RCSID("$NetBSD: bpfjit.c,v 1.39 2015/02/12 23:09:55 alnsn Exp $");
+__RCSID("$NetBSD: bpfjit.c,v 1.40 2015/02/13 15:59:17 alnsn Exp $");
#endif
#include <sys/types.h>
@@ -868,20 +868,27 @@ emit_pkt_read(struct sljit_compiler *com
return SLJIT_ERR_ALLOC_FAILED;
}
- switch (width) {
- case 4:
- status = emit_read32(compiler, ld_reg, k);
- break;
- case 2:
- status = emit_read16(compiler, ld_reg, k);
- break;
- case 1:
- status = emit_read8(compiler, ld_reg, k);
- break;
- }
+ /*
+ * Don't emit wrapped-around reads. They're dead code but
+ * dead code elimination logic isn't smart enough to figure
+ * it out.
+ */
+ if (k <= UINT32_MAX - width + 1) {
+ switch (width) {
+ case 4:
+ status = emit_read32(compiler, ld_reg, k);
+ break;
+ case 2:
+ status = emit_read16(compiler, ld_reg, k);
+ break;
+ case 1:
+ status = emit_read8(compiler, ld_reg, k);
+ break;
+ }
- if (status != SLJIT_SUCCESS)
- return status;
+ if (status != SLJIT_SUCCESS)
+ return status;
+ }
#ifdef _KERNEL
over_mchain_jump = sljit_emit_jump(compiler, SLJIT_JUMP);
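Review bot: The new guard `if (k <= UINT32_MAX - width + 1)` encodes "the last byte of the read, k + width - 1, must not wrap past UINT32_MAX", but the comment above it only says the reads are dead code without saying why, which is what a maintainer needs to keep this guard consistent with the length check it depends on. I would extend the comment with `* A width-byte read at offset k with k + width - 1 > UINT32_MAX can never pass the packet length check, so no load is emitted for it.` (the length check itself is presumably emitted earlier in emit_pkt_read, outside this hunk). Note also that when the guard is false, ld_reg is left unloaded and control falls through to the `over_mchain_jump` below while `status` keeps whatever value it had before the guard; that is only sound if `status` was already SLJIT_SUCCESS at that point, which cannot be confirmed from the hunk. The switch still has no `default`, so an unexpected width would silently skip the load in the same way. emit_pkt_read starts before and continues after this hunk.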