--- /dev/null
+From f7bd9e36ee4a4ce38e1cddd7effe6c0d9943285b Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Fri, 10 Jun 2016 21:19:07 +0200
+Subject: bpf: reject wrong sized filters earlier
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+commit f7bd9e36ee4a4ce38e1cddd7effe6c0d9943285b upstream.
+
+Add a bpf_check_basics_ok() and reject filters that are of invalid
+size much earlier, so we don't do any useless work such as invoking
+bpf_prog_alloc(). Currently, rejection happens in bpf_check_classic()
+only, but it's really unnecessarily late and they should be rejected
+at earliest point. While at it, also clean up one bpf_prog_size() to
+make it consistent with the remaining invocations.
+
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Zubin Mithra <zsm@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/filter.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -742,6 +742,17 @@ static bool chk_code_allowed(u16 code_to
+ return codes[code_to_probe];
+ }
+
++static bool bpf_check_basics_ok(const struct sock_filter *filter,
++ unsigned int flen)
++{
++ if (filter == NULL)
++ return false;
++ if (flen == 0 || flen > BPF_MAXINSNS)
++ return false;
++
++ return true;
++}
++
+ /**
+ * bpf_check_classic - verify socket filter code
+ * @filter: filter to verify
+@@ -762,9 +773,6 @@ static int bpf_check_classic(const struc
+ bool anc_found;
+ int pc;
+
+- if (flen == 0 || flen > BPF_MAXINSNS)
+- return -EINVAL;
+-
+ /* Check the filter code now */
+ for (pc = 0; pc < flen; pc++) {
+ const struct sock_filter *ftest = &filter[pc];
+@@ -1057,7 +1065,7 @@ int bpf_prog_create(struct bpf_prog **pf
+ struct bpf_prog *fp;
+
+ /* Make sure new filter is there and in the right amounts. */
+- if (fprog->filter == NULL)
++ if (!bpf_check_basics_ok(fprog->filter, fprog->len))
+ return -EINVAL;
+
+ fp = bpf_prog_alloc(bpf_prog_size(fprog->len), 0);
+@@ -1104,7 +1112,7 @@ int bpf_prog_create_from_user(struct bpf
+ int err;
+
+ /* Make sure new filter is there and in the right amounts. */
+- if (fprog->filter == NULL)
++ if (!bpf_check_basics_ok(fprog->filter, fprog->len))
+ return -EINVAL;
+
+ fp = bpf_prog_alloc(bpf_prog_size(fprog->len), 0);
+@@ -1184,7 +1192,6 @@ int __sk_attach_filter(struct sock_fprog
+ bool locked)
+ {
+ unsigned int fsize = bpf_classic_proglen(fprog);
+- unsigned int bpf_fsize = bpf_prog_size(fprog->len);
+ struct bpf_prog *prog;
+ int err;
+
+@@ -1192,10 +1199,10 @@ int __sk_attach_filter(struct sock_fprog
+ return -EPERM;
+
+ /* Make sure new filter is there and in the right amounts. */
+- if (fprog->filter == NULL)
++ if (!bpf_check_basics_ok(fprog->filter, fprog->len))
+ return -EINVAL;
+
+- prog = bpf_prog_alloc(bpf_fsize, 0);
++ prog = bpf_prog_alloc(bpf_prog_size(fprog->len), 0);
+ if (!prog)
+ return -ENOMEM;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
