diff options
| author | Stanislav Fomichev <sdf@google.com> | 2018-12-05 20:40:48 -0800 |
|---|---|---|
| committer | Alexei Starovoitov <ast@kernel.org> | 2018-12-07 13:38:29 -0800 |
| commit | ec3d837aac5dca7cb8a69c9f101690c182da79c4 (patch) | |
| tree | b4943b459ce0aa731a75f27543b536fc8ba070bd /net | |
| parent | 13e56ec2cc9860aa22e01ffc7a3160f35a96b728 (diff) | |
| download | linux-ec3d837aac5dca7cb8a69c9f101690c182da79c4.tar.gz linux-ec3d837aac5dca7cb8a69c9f101690c182da79c4.tar.bz2 linux-ec3d837aac5dca7cb8a69c9f101690c182da79c4.zip | |
net/flow_dissector: correctly cap nhoff and thoff in case of BPF
We want to make sure that the following condition holds:
0 <= nhoff <= thoff <= skb->len
BPF program can set out-of-bounds nhoff and thoff, which is dangerous, see
recent commit d0c081b49137 ("flow_dissector: properly cap thoff field")'.
Signed-off-by: Stanislav Fomichev <sdf@google.com>
Acked-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/core/flow_dissector.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c index ff5556d80570..af68207ee56c 100644 --- a/net/core/flow_dissector.c +++ b/net/core/flow_dissector.c @@ -791,9 +791,12 @@ bool __skb_flow_dissect(const struct sk_buff *skb, /* Restore state */ memcpy(cb, &cb_saved, sizeof(cb_saved)); + flow_keys.nhoff = clamp_t(u16, flow_keys.nhoff, 0, skb->len); + flow_keys.thoff = clamp_t(u16, flow_keys.thoff, + flow_keys.nhoff, skb->len); + __skb_flow_bpf_to_target(&flow_keys, flow_dissector, target_container); - key_control->thoff = min_t(u16, key_control->thoff, skb->len); rcu_read_unlock(); return result == BPF_OK; } |