Thu Dec 29 23:47:21 2011 UTC ()
Apply same bounds checks for BPF_LD|BPF_B|BPF_IND as for
BPF_LD|BPF_H|BPF_IND and BPF_LD|BPF_W|BPF_IND.

From FreeBSD r48548, the original r45574 had a typo.


(alnsn)
diff -r1.49 -r1.50 src/sys/net/bpf_filter.c


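--- a/src/sys/net/bpf_filter.c
+++ b/src/sys/net/bpf_filter.c
@@ -1,14 +1,14 @@
-/* $NetBSD: bpf_filter.c,v 1.49 2011/12/29 20:50:06 christos Exp $ */
+/* $NetBSD: bpf_filter.c,v 1.50 2011/12/29 23:47:21 alnsn Exp $ */
 
 /*-
  * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
  * The Regents of the University of California. All rights reserved.
  *
  * This code is derived from the Stanford/CMU enet packet filter,
  * (net/enet.c) distributed as part of 4.3BSD, and code contributed
  * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
  * Berkeley Laboratory.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -27,27 +27,27 @@
  * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
  * @(#)bpf_filter.c 8.1 (Berkeley) 6/10/93
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: bpf_filter.c,v 1.49 2011/12/29 20:50:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bpf_filter.c,v 1.50 2011/12/29 23:47:21 alnsn Exp $");
 
 #if 0
 #if !(defined(lint) || defined(KERNEL))
 static const char rcsid[] =
  "@(#) Header: bpf_filter.c,v 1.33 97/04/26 13:37:18 leres Exp (LBL)";
 #endif
 #endif
 
 #include <sys/param.h>
 #include <sys/time.h>
 #include <sys/kmem.h>
 #include <sys/endian.h>
 
@@ -264,27 +264,27 @@ bpf_filter(const struct bpf_insn *pc, co
  A = m_xhalf((const struct mbuf *)p, k, &merr);
  if (merr != 0)
  return 0;
  continue;
 #else
  return 0;
 #endif
  }
  A = EXTRACT_SHORT(&p[k]);
  continue;
 
  case BPF_LD|BPF_B|BPF_IND:
  k = X + pc->k;
- if (k >= buflen) {
+ if (pc->k >= buflen || X >= buflen - pc->k) {
 #ifdef _KERNEL
  const struct mbuf *m;
  int len;
 
  if (buflen != 0)
  return 0;
  m = (const struct mbuf *)p;
  MINDEX(len, m, k);
  A = mtod(m, u_char *)[k];
  continue;
 #else
  return 0;
 #endif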
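Review bot: In the `buflen == 0` mbuf branch of `case BPF_LD|BPF_B|BPF_IND`, `k` is still the sum `X + pc->k` computed before the new test, and it is passed to `MINDEX(len, m, k)` unchanged, so the split comparison only rejects a wrapped offset on the contiguous-buffer path. With `buflen == 0` the first operand `pc->k >= buflen` is always true, the `if (buflen != 0) return 0;` guard is skipped, and a wrapped `k` would select a small offset in the chain rather than fail the filter. `MINDEX` is defined outside this hunk, so whether it bounds the chain walk cannot be confirmed from here. Assuming `k` and `X` are unsigned as the arithmetic suggests, an explicit `if (k < X) return 0;` before `MINDEX` would close that path. A short comment on the condition, e.g. `/* compare operands separately: X + pc->k may wrap */`, would also record why `k >= buflen` was replaced. The case body and the enclosing `bpf_filter()` continue outside the hunk.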