Bug #1748
closed
bpf_validate() uses BPF_RVAL() when it should use BPF_SRC()
0%
Description
In bpf_validate, when it checks whether the divisor in a BPF_DIV instruction is a constant 0, it does
case BPF_DIV:
/*
* Check for constant division by 0.
*/
if (BPF_RVAL(p->code) BPF_K && p->k 0)
return 0;
break;BPF_RVAL() is the macro to get the return value of a RET instruction; it extracts the 0x18 bits. The BPF_DIV opcode is 0x30, which has the 0x10 bit set; a BPF_DIV instruction with a constant 0 as the divisor would be BPF_DIV|BPF_K, which is 0x30; BPF_RVAL(p->code) would be 0x10, which isn't equal to BPF_K, which is 0x00.
The macro to get the source argument of an arithmetic instruction is BPF_SRC(), which extracts only the 0x08 bit; BPF_SRC(p->code) would be 0x00, which is equal to BPF_K, so it should be doing
case BPF_DIV:
/*
* Check for constant division by 0.
*/
if (BPF_SRC(p->code) BPF_K && p->k 0)
return 0;
break;
Updated by swildner over 14 years ago
OpenBSD has changed this to BPF_SRC() based on a report by Guy. NetBSD still
uses BPF_RVAL (couldn't find a PR either), while FreeBSD uses this:
/*
* Check for constant division by 0.
*/
if (p->code (BPF_ALU|BPF_DIV|BPF_K) && p->k 0)
return (0);
Updated by swildner over 14 years ago
Thanks, committed! -> 3361ad4a4e7a29e045f839fbd155dbb34030f7d7