Check invalid BPF codes from bpf_validate(9).

Note that it is not critical because bpf_filter(9) returns zero when it encounters invalid code at run time. MFC after: 1 month
svn path=/head/; revision=182412
2008-08-28 22:00:21 +00:00 · 2008-08-28 22:00:21 +00:00 · 46e4a5d582 · 2020-12-20 02:59:44 +00:00
commit 46e4a5d582
parent 003c7e36b2
1 changed files with 26 additions and 1 deletions
--- a/sys/net/bpf_filter.c
+++ b/sys/net/bpf_filter.c
@ -496,6 +496,25 @@ bpf_filter(const struct bpf_insn *pc, u_char *p, u_int wirelen, u_int buflen)
 }

 #ifdef _KERNEL
+static u_short	bpf_code_map[] = {
+	0x10ff,	/* 0x00-0x0f: 1111111100001000 */
+	0x3070,	/* 0x10-0x1f: 0000111000001100 */
+	0x3131,	/* 0x20-0x2f: 1000110010001100 */
+	0x3031,	/* 0x30-0x3f: 1000110000001100 */
+	0x3131,	/* 0x40-0x4f: 1000110010001100 */
+	0x1011,	/* 0x50-0x5f: 1000100000001000 */
+	0x1013,	/* 0x60-0x6f: 1100100000001000 */
+	0x1010,	/* 0x70-0x7f: 0000100000001000 */
+	0x0093,	/* 0x80-0x8f: 1100100100000000 */
+	0x0000,	/* 0x90-0x9f: 0000000000000000 */
+	0x0000,	/* 0xa0-0xaf: 0000000000000000 */
+	0x0002,	/* 0xb0-0xbf: 0100000000000000 */
+	0x0000,	/* 0xc0-0xcf: 0000000000000000 */
+	0x0000,	/* 0xd0-0xdf: 0000000000000000 */
+	0x0000,	/* 0xe0-0xef: 0000000000000000 */
+	0x0000	/* 0xf0-0xff: 0000000000000000 */
+};
+
 /*
 * Return true if the 'fcode' is a valid filter program.
 * The constraints are that each jump be forward and to a valid
@ -521,11 +540,17 @@ bpf_validate(f, len)
 		return 1;

 	for (i = 0; i < len; ++i) {
+		p = &f[i];
+		/*
+		 * Check that the code is valid.
+		 */
+		if ((p->code & 0xff00) ||
+		    !(bpf_code_map[p->code >> 4] & (1 << (p->code & 0xf))))
+			return 0;
 		/*
 		 * Check that that jumps are forward, and within
 		 * the code block.
 		 */
-		p = &f[i];
 		if (BPF_CLASS(p->code) == BPF_JMP) {
 			register int from = i + 1;