The data length of skb frags + frag_list may be greater than 0xffff, so here use skb->len to check the validity of the parameters. And modify bpf_flow_dissector_load_bytes and bpf_skb_load_bytes_relative in the same way. Fixes: 05c74e5e53f6 ("bpf: add bpf_skb_load_bytes helper") Fixes: 4e1ec56cdc59 ("bpf: add skb_load_bytes_relative helper") Fixes: 089b19a9204f ("flow_dissector: switch kernel context to struct bpf_flow_dissector") Signed-off-by: Liu Jian <liujian56@xxxxxxxxxx>
---
 net/core/filter.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/core/filter.c b/net/core/filter.c
index 9eb785842258..61c353caf141 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1722,7 +1722,7 @@ BPF_CALL_4(bpf_skb_load_bytes, const struct sk_buff *, skb, u32, offset,
 {
 	void *ptr;
 
-	if (unlikely(offset > 0xffff))
+	if (unlikely(offset >= skb->len))
 		goto err_clear;
 
 	ptr = skb_header_pointer(skb, offset, len, to);
@@ -1753,10 +1753,10 @@ BPF_CALL_4(bpf_flow_dissector_load_bytes,
 {
 	void *ptr;
 
-	if (unlikely(offset > 0xffff))
+	if (unlikely(!ctx->skb))
 		goto err_clear;
 
-	if (unlikely(!ctx->skb))
+	if (unlikely(offset >= ctx->skb->len))
 		goto err_clear;
 
 	ptr = skb_header_pointer(ctx->skb, offset, len, to);
@@ -1787,7 +1787,7 @@ BPF_CALL_5(bpf_skb_load_bytes_relative, const struct sk_buff *, skb,
 	u8 *end = skb_tail_pointer(skb);
 	u8 *start, *ptr;
 
-	if (unlikely(offset > 0xffff))
+	if (unlikely(offset >= skb->len))
 		goto err_clear;
 
 	switch (start_header) {
-- 
2.17.1
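Review bot: The new guard `offset >= skb->len` in bpf_skb_load_bytes bounds only the start of the read, so keeping `offset + len` inside the packet is left entirely to skb_header_pointer() on the following line, and nothing at the call site says so; the same applies to the bpf_flow_dissector_load_bytes and bpf_skb_load_bytes_relative hunks. A one-line comment above the guard, such as `/* Bound by skb->len, not the linear headlen: skb_header_pointer() can copy from frags/frag_list and also enforces offset + len. */`, would stop a later reader from "tightening" this back to the linear length or to 0xffff. In bpf_skb_load_bytes_relative the read is limited to linear data ending at `end = skb_tail_pointer(skb)`, so `skb->len` over-approximates there and the pointer check against `end` (which presumably follows the `switch`, outside this hunk) must remain the real bound. Each of the three function bodies continues beyond its hunk.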