net: Enlarge offset check value from 0xffff to 0x7fffffff in bpf_skb_load_bytes

liujian56 · Nobody · commit 84e2b3379057 · 2022-03-17T14:13:42.000-07:00
The data length of skb frags + frag_list may be greater than 0xffff, and skb_header_pointer can not handle negative offset and negative len. So here 0x7ffffff is used to check the validity of offset and len. Fixes: 05c74e5 ("bpf: add bpf_skb_load_bytes helper") Signed-off-by: Liu Jian <liujian56@huawei.com>
diff --git a/net/core/filter.c b/net/core/filter.c
@@ -1722,7 +1722,7 @@ BPF_CALL_4(bpf_skb_load_bytes, const struct sk_buff *, skb, u32, offset,
 {
 	void *ptr;
 
-	if (unlikely(offset > 0xffff))
+	if (unlikely(offset > 0x7ffffffff || len > 0x7fffffff))
 		goto err_clear;
 
 	ptr = skb_header_pointer(skb, offset, len, to);

Original file line number	Diff line number	Diff line change
`@@ -1722,7 +1722,7 @@ BPF_CALL_4(bpf_skb_load_bytes, const struct sk_buff *, skb, u32, offset,`
`1722`	`1722`	`{`
`1723`	`1723`	`void *ptr;`
`1724`	`1724`
`1725`		`- if (unlikely(offset > 0xffff))`
	`1725`	`+ if (unlikely(offset > 0x7ffffffff \|\| len > 0x7fffffff))`
`1726`	`1726`	`goto err_clear;`
`1727`	`1727`
`1728`	`1728`	`ptr = skb_header_pointer(skb, offset, len, to);`