diff options
author | Patrick McHardy <kaber@trash.net> | 2005-07-05 17:08:10 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2005-07-05 17:08:10 -0400 |
commit | 55820ee2f8c767a2833b21bd365e5753f50bd8ce (patch) | |
tree | fbf89b8f1365c18c5c2ee0fad15f61f6f3127af8 | |
parent | 17af691cd19765b782d891fc50c1568d0f1276b3 (diff) |
[NET]: Fix signedness issues in net/core/filter.c
This is the code to load packet data into a register:
k = fentry->k;
if (k < 0) {
...
} else {
u32 _tmp, *p;
p = skb_header_pointer(skb, k, 4, &_tmp);
if (p != NULL) {
A = ntohl(*p);
continue;
}
}
skb_header_pointer checks if the requested data is within the
linear area:
int hlen = skb_headlen(skb);
if (offset + len <= hlen)
return skb->data + offset;
When offset is within [INT_MAX-len+1..INT_MAX] the addition will
result in a negative number which is <= hlen.
I couldn't trigger a crash on my AMD64 with 2GB of memory, but a
coworker tried on his x86 machine and it crashed immediately.
This patch fixes the check in skb_header_pointer to handle large
positive offsets similar to skb_copy_bits. Invalid data can still
be accessed using negative offsets (also similar to skb_copy_bits),
anyone using negative offsets needs to verify them himself.
Thanks to Thomas Vögtle <thomas.voegtle@coreworks.de> for verifying the
problem by crashing his machine and providing me with an Oops.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | include/linux/skbuff.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index 416a2e4024b2..fbcb18651970 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h | |||
@@ -1211,7 +1211,7 @@ static inline void *skb_header_pointer(const struct sk_buff *skb, int offset, | |||
1211 | { | 1211 | { |
1212 | int hlen = skb_headlen(skb); | 1212 | int hlen = skb_headlen(skb); |
1213 | 1213 | ||
1214 | if (offset + len <= hlen) | 1214 | if (hlen - offset >= len) |
1215 | return skb->data + offset; | 1215 | return skb->data + offset; |
1216 | 1216 | ||
1217 | if (skb_copy_bits(skb, offset, buffer, len) < 0) | 1217 | if (skb_copy_bits(skb, offset, buffer, len) < 0) |