All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH bpf] bpf: fix bpf_skb_load_bytes_relative pkt length check
@ 2018-07-28 19:04 Daniel Borkmann
  0 siblings, 0 replies; 2+ messages in thread
From: Daniel Borkmann @ 2018-07-28 19:04 UTC (permalink / raw)
  To: netdev; +Cc: kafai, Daniel Borkmann

The len > skb_headlen(skb) cannot be used as a maximum upper bound
for the packet length since it does not have any relation to the full
linear packet length when filtering is used from upper layers (e.g.
in case of reuseport BPF programs) as by then skb->data, skb->len
already got mangled through __skb_pull() and others.

Fixes: 4e1ec56cdc59 ("bpf: add skb_load_bytes_relative helper")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Martin KaFai Lau <kafai@fb.com>
---
 net/core/filter.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/net/core/filter.c b/net/core/filter.c
index 06da770..9dfd145 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1712,24 +1712,26 @@ static const struct bpf_func_proto bpf_skb_load_bytes_proto = {
 BPF_CALL_5(bpf_skb_load_bytes_relative, const struct sk_buff *, skb,
 	   u32, offset, void *, to, u32, len, u32, start_header)
 {
+	u8 *end = skb_tail_pointer(skb);
+	u8 *net = skb_network_header(skb);
+	u8 *mac = skb_mac_header(skb);
 	u8 *ptr;
 
-	if (unlikely(offset > 0xffff || len > skb_headlen(skb)))
+	if (unlikely(offset > 0xffff || len > (end - mac)))
 		goto err_clear;
 
 	switch (start_header) {
 	case BPF_HDR_START_MAC:
-		ptr = skb_mac_header(skb) + offset;
+		ptr = mac + offset;
 		break;
 	case BPF_HDR_START_NET:
-		ptr = skb_network_header(skb) + offset;
+		ptr = net + offset;
 		break;
 	default:
 		goto err_clear;
 	}
 
-	if (likely(ptr >= skb_mac_header(skb) &&
-		   ptr + len <= skb_tail_pointer(skb))) {
+	if (likely(ptr >= mac && ptr + len <= end)) {
 		memcpy(to, ptr, len);
 		return 0;
 	}
-- 
2.9.5

^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH bpf] bpf: fix bpf_skb_load_bytes_relative pkt length check
@ 2018-07-29 15:41 Alexei Starovoitov
  0 siblings, 0 replies; 2+ messages in thread
From: Alexei Starovoitov @ 2018-07-29 15:41 UTC (permalink / raw)
  To: Daniel Borkmann; +Cc: Network Development, Martin KaFai Lau

On Sat, Jul 28, 2018 at 10:04 PM, Daniel Borkmann <daniel@iogearbox.net> wrote:
> The len > skb_headlen(skb) cannot be used as a maximum upper bound
> for the packet length since it does not have any relation to the full
> linear packet length when filtering is used from upper layers (e.g.
> in case of reuseport BPF programs) as by then skb->data, skb->len
> already got mangled through __skb_pull() and others.
>
> Fixes: 4e1ec56cdc59 ("bpf: add skb_load_bytes_relative helper")
> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
> Acked-by: Martin KaFai Lau <kafai@fb.com>

Great catch.
Acked-by: Alexei Starovoitov <ast@kernel.org>

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-07-29 17:12 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-07-28 19:04 [PATCH bpf] bpf: fix bpf_skb_load_bytes_relative pkt length check Daniel Borkmann
2018-07-29 15:41 Alexei Starovoitov

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.