git.karo-electronics.de Git - karo-tx-linux.git/commit
[PATCH] Fix signedness issues in net/core/filter.c
author: Patrick McHardy <kaber@trash.net>
Mon, 18 Jul 2005 04:52:50 +0000 (06:52 +0200)
committer: Chris Wright <chrisw@osdl.org>
Fri, 5 Aug 2005 07:04:17 +0000 (00:04 -0700)
commit: 4717ecd49ce5c556d38e8c7b6fdc9fac5d35c00e
tree: a5a1af74cebd51b07a461ab4a0f1d9edcb653a53
parent: 691162d638928856e23f21d122aa39de47a494e4

This is the code to load packet data into a register:

                        k = fentry->k;
                        if (k < 0) {
...
                        } else {
                                u32 _tmp, *p;
                                p = skb_header_pointer(skb, k, 4, &_tmp);
                                if (p != NULL) {
                                        A = ntohl(*p);
                                        continue;
                                }
                        }

skb_header_pointer checks if the requested data is within the
linear area:

        int hlen = skb_headlen(skb);

        if (offset + len <= hlen)
                return skb->data + offset;

When offset is within [INT_MAX-len+1..INT_MAX] the addition will
result in a negative number which is <= hlen.

I couldn't trigger a crash on my AMD64 with 2GB of memory, but a
coworker tried on his x86 machine and it crashed immediately.

This patch fixes the check in skb_header_pointer to handle large
positive offsets similar to skb_copy_bits. Invalid data can still
be accessed using negative offsets (also similar to skb_copy_bits),
anyone using negative offsets needs to verify them himself.

Thanks to Thomas Vögtle <thomas.voegtle@coreworks.de> for verifying the
problem by crashing his machine and providing me with an Oops.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
include/linux/skbuff.h
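
The wrap described in the commit message, as an added example that is not code from the commit or the kernel tree: the quoted `offset + len <= hlen` comparison next to a subtraction-based check that cannot wrap. The function names, the `hlen`/`len` values and the offsets are constructed for illustration, and the second function is an assumption about one safe form, not the text of the patch.

```c
#include <limits.h>
#include <stdio.h>

/* Pre-patch comparison as quoted in the commit message. The sum is taken in
 * unsigned arithmetic and converted back (wraps on GCC/Clang), so the
 * two's-complement result is shown without undefined signed overflow. */
static int in_linear_area_old(int offset, int len, int hlen)
{
    int sum = (int)((unsigned int)offset + (unsigned int)len);

    return sum <= hlen;
}

/* Hypothetical overflow-free form (not the patch text): with all three
 * values non-negative, hlen - offset cannot wrap. Negative offsets are
 * rejected here, which is stricter than what the commit describes. */
static int in_linear_area_checked(int offset, int len, int hlen)
{
    if (offset < 0 || len < 0 || hlen < 0)
        return 0;
    return hlen - offset >= len;
}

int main(void)
{
    const int hlen = 1500, len = 4;   /* constructed sample values */
    const int offsets[] = { 0, 1496, 1497, INT_MAX - len,
                            INT_MAX - len + 1, INT_MAX };
    size_t i;

    printf("%12s  %4s  %7s\n", "offset", "old", "checked");
    for (i = 0; i < sizeof(offsets) / sizeof(offsets[0]); i++)
        printf("%12d  %4d  %7d\n", offsets[i],
               in_linear_area_old(offsets[i], len, hlen),
               in_linear_area_checked(offsets[i], len, hlen));
    return 0;
}
```

Offsets from `INT_MAX - len + 1` upward pass the old comparison and fail the checked one; everything below that boundary gets the same answer from both.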