git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Cong Wang <cong.wang@bytedance.com>
	Fri, 13 Dec 2024 03:40:54 +0000 (19:40 -0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 9 Jan 2025 12:24:56 +0000 (13:24 +0100)
commit	d814eeb7faa4e8a66c433c8033b37f65631bbc58
tree	ffcf91a992c2a7d77dab4962a410f697544bfebd	tree \| snapshot
parent	1b63193b150c731e057b8b754e02d1b3df791644	commit \| diff

bpf: Check negative offsets in __bpf_skb_min_len()

[ Upstream commit 9ecc4d858b92c1bb0673ad9c327298e600c55659 ]

skb_network_offset() and skb_transport_offset() can be negative when
they are called after we pull the transport header, for example, when
we use eBPF sockmap at the point of ->sk_data_ready().

__bpf_skb_min_len() uses an unsigned int to get these offsets, this
leads to a very large number which then causes bpf_skb_change_tail()
failed unexpectedly.

Fix this by using a signed int to get these offsets and ensure the
minimum is at least zero.

Fixes: 5293efe62df8 ("bpf: add bpf_skb_change_tail helper")
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Link: https://lore.kernel.org/bpf/20241213034057.246437-2-xiyou.wangcong@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>