Remove unnecessary uint wraparound checks which prohibited the two's complement representation of negative numbers in the "@" operation. It is required to test the last N bytes of variable length formats and to be consistent with the libxt parser, which silently replaces a negative number by its complement.

For example, --u32 '0&0xFFFF@-4=0' will read the IPv4 total length header then add the complement of -4 to test if the last 4 bytes are 0. Previously, it would never match as (total length)+0xFFFFFFFC always overflows.

Signed-off-by: Takero Funaki <raphanus@xxxxxxxxx>
---
 net/netfilter/xt_u32.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/xt_u32.c b/net/netfilter/xt_u32.c
index a95b5034..9de339d 100644
--- a/net/netfilter/xt_u32.c
+++ b/net/netfilter/xt_u32.c
@@ -57,12 +57,12 @@ static bool u32_match_it(const struct xt_u32 *data,
 			val >>= number;
 			break;
 		case XT_U32_AT:
-			if (at + val < at)
-				return false;
 			at += val;
 			pos = number;
-			if (at + 4 < at || skb->len < at + 4 ||
-			    pos > skb->len - at - 4)
+			/* unsigned integer may wraparound
+			 * to represent negative offset
+			 */
+			if (at + pos > skb->len - 4)
 				return false;
 			if (skb_copy_bits(skb, at + pos, &n,
--
1.9.1
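Review bot: the replacement condition `if (at + pos > skb->len - 4)` silently drops the short-packet guard: when `skb->len < 4`, `skb->len - 4` wraps to a large unsigned value and the test can never fail, so the only thing keeping `at + pos` from reading past the packet is the error return of the `skb_copy_bits()` call that follows. That is defensible, since `skb_copy_bits()` bounds-checks its offset and the call is already inside an `if`, but the new comment "unsigned integer may wraparound to represent negative offset" does not say that the bounds check is now delegated to `skb_copy_bits()`, and the removed `if (at + val < at)` check was the only place that rejected an `at` that wrapped by accident rather than by design. Please either keep an explicit `skb->len < 4` test in front of the new condition, or extend the comment to state that out-of-range offsets (including wrapped ones) are expected to be caught by `skb_copy_bits()` returning an error, so a later reader does not reintroduce the old overflow checks and break the negative-offset case the commit message describes.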