bpf: Enlarge offset check value to INT_MAX in bpf_skb_{load,store}_bytes
authorLiu Jian <liujian56@huawei.com>
Sat, 16 Apr 2022 10:57:59 +0000 (18:57 +0800)
committerCosmin Tanislav <demonsingur@gmail.com>
Thu, 16 May 2024 07:58:25 +0000 (10:58 +0300)
commit 45969b4152c1752089351cd6836a42a566d49bcf upstream.

The data length of skb frags + frag_list may be greater than 0xffff, and
skb_header_pointer can not handle negative offset. So, here INT_MAX is used
to check the validity of offset. Add the same change to the related function
skb_store_bytes.

Fixes: 05c74e5e53f6 ("bpf: add bpf_skb_load_bytes helper")
Signed-off-by: Liu Jian <liujian56@huawei.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Song Liu <songliubraving@fb.com>
Link: https://lore.kernel.org/bpf/20220416105801.88708-2-liujian56@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net/core/filter.c

index 6adb7969367d0156da5655aaba95564dc304be40..5c9028ac3b7aeb1fe13b90e600566156e8f99d06 100644 (file)
@@ -1443,7 +1443,7 @@ BPF_CALL_5(bpf_skb_store_bytes, struct sk_buff *, skb, u32, offset,
 
        if (unlikely(flags & ~(BPF_F_RECOMPUTE_CSUM | BPF_F_INVALIDATE_HASH)))
                return -EINVAL;
-       if (unlikely(offset > 0xffff))
+       if (unlikely(offset > INT_MAX))
                return -EFAULT;
        if (unlikely(bpf_try_make_writable(skb, offset + len)))
                return -EFAULT;
@@ -1478,7 +1478,7 @@ BPF_CALL_4(bpf_skb_load_bytes, const struct sk_buff *, skb, u32, offset,
 {
        void *ptr;
 
-       if (unlikely(offset > 0xffff))
+       if (unlikely(offset > INT_MAX))
                goto err_clear;
 
        ptr = skb_header_pointer(skb, offset, len, to);