It is not sufficient for MINDEX to just 'return 0' if the MINDEX macro
is going to be used from within m_xhalf() and m_xword(). In using MINDEX in those cases, we must set *err to '1' *before* calling MINDEX, just in case MINDEX does decide to 'return', which would cause the function to return 0 with an un-set err value. A consequence of this fix is that we can clean up a couple of (now) unneeded gotos. Problem found by inspection whilst searching for the cause of a different panic. Also: pavel@ noted the following: if (merr != 0) return 0; was missing from after a call to m_xhalf(), so fix that too. src/regress/sys/net/bpf/out-of-bounds now passes the regression test. Ok'ed by pavel@.
parent
342d35797b
commit
75642ab7ae
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: bpf_filter.c,v 1.31 2006/05/14 05:30:31 christos Exp $ */
|
||||
/* $NetBSD: bpf_filter.c,v 1.32 2006/10/04 20:47:43 oster Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
|
||||
|
@ -37,7 +37,7 @@
|
|||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: bpf_filter.c,v 1.31 2006/05/14 05:30:31 christos Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: bpf_filter.c,v 1.32 2006/10/04 20:47:43 oster Exp $");
|
||||
|
||||
#if 0
|
||||
#if !(defined(lint) || defined(KERNEL))
|
||||
|
@ -92,6 +92,7 @@ m_xword(struct mbuf *m, uint32_t k, int *err)
|
|||
u_char *cp, *np;
|
||||
struct mbuf *m0;
|
||||
|
||||
*err = 1;
|
||||
MINDEX(len, m, k);
|
||||
cp = mtod(m, u_char *) + k;
|
||||
if (len >= k + 4) {
|
||||
|
@ -100,7 +101,7 @@ m_xword(struct mbuf *m, uint32_t k, int *err)
|
|||
}
|
||||
m0 = m->m_next;
|
||||
if (m0 == 0 || m0->m_len + len - k < 4)
|
||||
goto bad;
|
||||
return 0;
|
||||
*err = 0;
|
||||
np = mtod(m0, u_char *);
|
||||
switch (len - k) {
|
||||
|
@ -114,10 +115,6 @@ m_xword(struct mbuf *m, uint32_t k, int *err)
|
|||
default:
|
||||
return (cp[0] << 24) | (cp[1] << 16) | (cp[2] << 8) | np[0];
|
||||
}
|
||||
bad:
|
||||
*err = 1;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int
|
||||
|
@ -127,6 +124,7 @@ m_xhalf(struct mbuf *m, uint32_t k, int *err)
|
|||
u_char *cp;
|
||||
struct mbuf *m0;
|
||||
|
||||
*err = 1;
|
||||
MINDEX(len, m, k);
|
||||
cp = mtod(m, u_char *) + k;
|
||||
if (len >= k + 2) {
|
||||
|
@ -135,13 +133,9 @@ m_xhalf(struct mbuf *m, uint32_t k, int *err)
|
|||
}
|
||||
m0 = m->m_next;
|
||||
if (m0 == 0)
|
||||
goto bad;
|
||||
return 0;
|
||||
*err = 0;
|
||||
return (cp[0] << 8) | mtod(m0, u_char *)[0];
|
||||
bad:
|
||||
*err = 1;
|
||||
|
||||
return 0;
|
||||
}
|
||||
#else /* _KERNEL */
|
||||
#include <stdlib.h>
|
||||
|
@ -213,6 +207,8 @@ bpf_filter(struct bpf_insn *pc, u_char *p, u_int wirelen, u_int buflen)
|
|||
if (buflen != 0)
|
||||
return 0;
|
||||
A = m_xhalf((struct mbuf *)p, k, &merr);
|
||||
if (merr != 0)
|
||||
return 0;
|
||||
continue;
|
||||
#else
|
||||
return 0;
|
||||
|
|
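Review bot: In the m_xhalf hunk at `@ -135,13 +133,9`, the path where the halfword straddles two mbufs still checks only `m0 == 0` before reading `mtod(m0, u_char *)[0]`, so a zero-length second mbuf would have a byte read beyond its valid data. m_xword guards the equivalent path with `m0->m_len + len - k < 4`; the matching guard here would be `if (m0 == 0 || m0->m_len < 1) return 0;`. Whether an empty mbuf can actually occur in a chain passed to bpf_filter is not visible on this page, so treat this as a defensive check to confirm against the callers. A short comment above each new `*err = 1;`, for example `/* MINDEX may return from this function, so err must already be set */`, would keep the macro's hidden return from being missed again. The start of m_xhalf and the body of its `len >= k + 2` branch lie outside the shown hunks.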