Validate scratch memory addresses for BPF_STX and BPF_LDX|BPF_MEM.

A badly written filter was able to reference invalid addresses, even cause kernel crash. MFC after: 3 days
author: jkim <jkim@FreeBSD.org> 2008-08-28 17:49:37 +0000
committer: jkim <jkim@FreeBSD.org> 2008-08-28 17:49:37 +0000
commit: 84b37f6437f35b292c9e33f85694b3b2487b56b9 (patch)
tree: 4a4e31d15107bcd56579eebdb26216562d583289 /sys/net
parent: 798299548896a5db3f1d2c8c9087146c427b5652 (diff)
download: FreeBSD-src-84b37f6437f35b292c9e33f85694b3b2487b56b9.zip
FreeBSD-src-84b37f6437f35b292c9e33f85694b3b2487b56b9.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/sys/net/bpf_filter.c b/sys/net/bpf_filter.c
index 38c3001..8c92490 100644
--- a/sys/net/bpf_filter.c
+++ b/sys/net/bpf_filter.c
@@ -541,7 +541,9 @@ bpf_validate(f, len)
 		 * Check that memory operations use valid addresses.
 		 */
 		if ((BPF_CLASS(p->code) == BPF_ST ||
-		     (BPF_CLASS(p->code) == BPF_LD &&
+		     BPF_CLASS(p->code) == BPF_STX ||
+		     ((BPF_CLASS(p->code) == BPF_LD ||
+		       BPF_CLASS(p->code) == BPF_LDX) &&
 		      (p->code & 0xe0) == BPF_MEM)) &&
 		    p->k >= BPF_MEMWORDS)
 			return 0;
author	jkim <jkim@FreeBSD.org>	2008-08-28 17:49:37 +0000
committer	jkim <jkim@FreeBSD.org>	2008-08-28 17:49:37 +0000
commit	84b37f6437f35b292c9e33f85694b3b2487b56b9 (patch)
tree	4a4e31d15107bcd56579eebdb26216562d583289 /sys/net
parent	798299548896a5db3f1d2c8c9087146c427b5652 (diff)
download	FreeBSD-src-84b37f6437f35b292c9e33f85694b3b2487b56b9.zip FreeBSD-src-84b37f6437f35b292c9e33f85694b3b2487b56b9.tar.gz