[PATCH bpf-next] net: Use skb->len to check the validity of the parameters in bpf_skb_load_bytes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The data length of skb frags + frag_list may be greater than 0xffff,
so here use skb->len to check the validity of the parameters.

And modify bpf_flow_dissector_load_bytes and bpf_skb_load_bytes_relative
in the same way.

Fixes: 05c74e5e53f6 ("bpf: add bpf_skb_load_bytes helper")
Fixes: 4e1ec56cdc59 ("bpf: add skb_load_bytes_relative helper")
Fixes: 089b19a9204f ("flow_dissector: switch kernel context to struct bpf_flow_dissector")
Signed-off-by: Liu Jian <liujian56@xxxxxxxxxx>
---
 net/core/filter.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/core/filter.c b/net/core/filter.c
index 9eb785842258..61c353caf141 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1722,7 +1722,7 @@ BPF_CALL_4(bpf_skb_load_bytes, const struct sk_buff *, skb, u32, offset,
 {
 	void *ptr;
 
-	if (unlikely(offset > 0xffff))
+	if (unlikely(offset >= skb->len))
 		goto err_clear;
 
 	ptr = skb_header_pointer(skb, offset, len, to);
@@ -1753,10 +1753,10 @@ BPF_CALL_4(bpf_flow_dissector_load_bytes,
 {
 	void *ptr;
 
-	if (unlikely(offset > 0xffff))
+	if (unlikely(!ctx->skb))
 		goto err_clear;
 
-	if (unlikely(!ctx->skb))
+	if (unlikely(offset >= ctx->skb->len))
 		goto err_clear;
 
 	ptr = skb_header_pointer(ctx->skb, offset, len, to);
@@ -1787,7 +1787,7 @@ BPF_CALL_5(bpf_skb_load_bytes_relative, const struct sk_buff *, skb,
 	u8 *end = skb_tail_pointer(skb);
 	u8 *start, *ptr;
 
-	if (unlikely(offset > 0xffff))
+	if (unlikely(offset >= skb->len))
 		goto err_clear;
 
 	switch (start_header) {
-- 
2.17.1




[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux