summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorStanislav Fomichev <sdf@google.com>2018-12-06 05:40:48 +0100
committerAlexei Starovoitov <ast@kernel.org>2018-12-07 22:38:29 +0100
commitec3d837aac5dca7cb8a69c9f101690c182da79c4 (patch)
treeb4943b459ce0aa731a75f27543b536fc8ba070bd /net
parentselftests/bpf: use thoff instead of nhoff in BPF flow dissector (diff)
downloadlinux-ec3d837aac5dca7cb8a69c9f101690c182da79c4.tar.xz
linux-ec3d837aac5dca7cb8a69c9f101690c182da79c4.zip
net/flow_dissector: correctly cap nhoff and thoff in case of BPF
We want to make sure that the following condition holds: 0 <= nhoff <= thoff <= skb->len BPF program can set out-of-bounds nhoff and thoff, which is dangerous, see recent commit d0c081b49137 ("flow_dissector: properly cap thoff field")'. Signed-off-by: Stanislav Fomichev <sdf@google.com> Acked-by: Song Liu <songliubraving@fb.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Diffstat (limited to 'net')
-rw-r--r--net/core/flow_dissector.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index ff5556d80570..af68207ee56c 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -791,9 +791,12 @@ bool __skb_flow_dissect(const struct sk_buff *skb,
/* Restore state */
memcpy(cb, &cb_saved, sizeof(cb_saved));
+ flow_keys.nhoff = clamp_t(u16, flow_keys.nhoff, 0, skb->len);
+ flow_keys.thoff = clamp_t(u16, flow_keys.thoff,
+ flow_keys.nhoff, skb->len);
+
__skb_flow_bpf_to_target(&flow_keys, flow_dissector,
target_container);
- key_control->thoff = min_t(u16, key_control->thoff, skb->len);
rcu_read_unlock();
return result == BPF_OK;
}