bpf(4): Reject bogus timeout values before arithmetic overflows.
Reported-by: syzbot+fbd86bdf579944b64a98@syzkaller.appspotmail.com https://syzkaller.appspot.com/bug?id=60d46fd4863952897cbf67c6b1bcc8b20ec7bde6 XXX pullup-8 XXX pullup-9
This commit is contained in:
parent
770e369e23
commit
5e84044ef5
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: bpf.c,v 1.246 2022/03/15 13:00:44 riastradh Exp $ */
|
||||
/* $NetBSD: bpf.c,v 1.247 2022/09/03 10:03:20 riastradh Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1990, 1991, 1993
|
||||
|
@ -39,7 +39,7 @@
|
|||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: bpf.c,v 1.246 2022/03/15 13:00:44 riastradh Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: bpf.c,v 1.247 2022/09/03 10:03:20 riastradh Exp $");
|
||||
|
||||
#if defined(_KERNEL_OPT)
|
||||
#include "opt_bpf.h"
|
||||
|
@ -1152,7 +1152,11 @@ bpf_ioctl(struct file *fp, u_long cmd, void *addr)
|
|||
struct timeval *tv = addr;
|
||||
|
||||
/* Compute number of ticks. */
|
||||
if (tv->tv_sec > INT_MAX/hz - 1) {
|
||||
if (tv->tv_sec < 0 ||
|
||||
tv->tv_usec < 0 || tv->tv_usec >= 1000000) {
|
||||
error = EINVAL;
|
||||
break;
|
||||
} else if (tv->tv_sec > INT_MAX/hz - 1) {
|
||||
d->bd_rtout = INT_MAX;
|
||||
} else {
|
||||
d->bd_rtout = tv->tv_sec * hz
|
||||
|
@ -1186,7 +1190,11 @@ bpf_ioctl(struct file *fp, u_long cmd, void *addr)
|
|||
struct timeval50 *tv = addr;
|
||||
|
||||
/* Compute number of ticks. */
|
||||
if (tv->tv_sec > INT_MAX/hz - 1) {
|
||||
if (tv->tv_sec < 0 ||
|
||||
tv->tv_usec < 0 || tv->tv_usec >= 1000000) {
|
||||
error = EINVAL;
|
||||
break;
|
||||
} else if (tv->tv_sec > INT_MAX/hz - 1) {
|
||||
d->bd_rtout = INT_MAX;
|
||||
} else {
|
||||
d->bd_rtout = tv->tv_sec * hz
|
||||
|
|
Loading…
Reference in New Issue