git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Cong Wang <cong.wang@bytedance.com>
	Fri, 13 Dec 2024 03:40:54 +0000 (19:40 -0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 2 Jan 2025 09:30:48 +0000 (10:30 +0100)
commit	9a57119d1182f4d50bb3b2d868345bca6b4e00de
tree	9c49df30beaf3a1dbbb5da465005425c2e34364a	tree \| snapshot
parent	be848bde4a7ffa75a339bcead9265bc1b74b026a	commit \| diff

bpf: Check negative offsets in __bpf_skb_min_len()

[ Upstream commit 9ecc4d858b92c1bb0673ad9c327298e600c55659 ]

skb_network_offset() and skb_transport_offset() can be negative when
they are called after we pull the transport header, for example, when
we use eBPF sockmap at the point of ->sk_data_ready().

__bpf_skb_min_len() uses an unsigned int to get these offsets, this
leads to a very large number which then causes bpf_skb_change_tail()
failed unexpectedly.

Fix this by using a signed int to get these offsets and ensure the
minimum is at least zero.

Fixes: 5293efe62df8 ("bpf: add bpf_skb_change_tail helper")
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Link: https://lore.kernel.org/bpf/20241213034057.246437-2-xiyou.wangcong@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>