From owner-freebsd-bugs Fri Aug 31 13:51:27 2001
Delivered-To: freebsd-bugs@freebsd.org
Received: from george.lbl.gov (george.lbl.gov [131.243.2.12]) by hub.freebsd.org (Postfix) with ESMTP id D97AE37B409; Fri, 31 Aug 2001 13:51:22 -0700 (PDT)
Received: from lbl.gov (gracie.lbl.gov [131.243.2.175]) by george.lbl.gov (8.11.6/8.11.6) with ESMTP id f7VKpMC20915; Fri, 31 Aug 2001 13:51:22 -0700 (PDT)
Message-ID: <3B8FF8C9.1A3996C6@lbl.gov>
Date: Fri, 31 Aug 2001 13:51:21 -0700
From: "Jin Guojun[ITG]"
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.3-RELEASE i386)
X-Accept-Language: zh, zh-CN, en
MIME-Version: 1.0
To: mike@FreeBSD.org
Cc: freebsd-bugs@FreeBSD.org
Subject: Re: kern/16644: Bad comparsion expression in bpf_filter.c
References: <200107212001.f6LK1mD68694@freefall.freebsd.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

mike@FreeBSD.org wrote:
>
> Synopsis: Bad comparsion expression in bpf_filter.c
>
> State-Changed-From-To: open->feedback
> State-Changed-By: mike
> State-Changed-When: Sat Jul 21 13:01:31 PDT 2001
> State-Changed-Why:
>
> Does this problem still occur in newer versions of FreeBSD,
> such as 4.3-RELEASE?
>
> http://www.FreeBSD.org/cgi/query-pr.cgi?pr=16644

It is still there. I have replied to this in the discussion and got no
response. For example, in line 220, the ">" line is equal to

	if (k > buflen || k + sizeof(int32_t) > buflen) {

or

	if (k > buflen || k > buflen - sizeof(int32_t)) {

If K > BUFLEN then K must be > BUFLEN - 4, so we only want to judge

	if (k > buflen - sizeof(int32_t)) {

which is the "<" of line 220 --

	if (k + sizeof(int32_t) > buflen) {

Right? The rest are ditto. The original design is correct.

The real problem is at line 550. K is outside 0-BPF_MEMWORDS, not just >.
The completed patch can be found at
http:/www.itg.lbl.gov/~jin/cgi-bin/code/patches/bpf-1.2a1.tbz2

316 /sys/net: diff bpf_filter.c*
220c220
< if (k + sizeof(int32_t) > buflen) {
---
> if (k > buflen || sizeof(int32_t) > buflen - k) {
244c244
< if (k + sizeof(int16_t) > buflen) {
---
> if (k > buflen || sizeof(int16_t) > buflen - k) {
288c288,289
< if (k + sizeof(int32_t) > buflen) {
---
> if (pc->k > buflen || X > buflen - pc->k ||
> sizeof(int32_t) > buflen - k) {
312c313,314
< if (k + sizeof(int16_t) > buflen) {
---
> if (X > buflen || pc->k > buflen - X ||
> sizeof(int16_t) > buflen - k) {
331c333
< if (k >= buflen) {
---
> if (pc->k >= buflen || X >= buflen - pc->k) {
535c537
< if (from + p->k >= len)
---
> if (from >= len || p->k >= len - from)
538c540,541
< else if (from + p->jt >= len || from + p->jf >= len)
---
> else if (from >= len || p->jt >= len - from ||
> p->jf >= len - from)
547c550
< (p->k >= BPF_MEMWORDS || p->k < 0))
---
> p->k >= BPF_MEMWORDS)

-- 
------------ Jin Guojun ----------- v --- j_guojun@lbl.gov ---
Distributed Systems Department      http://www.itg.lbl.gov/~jin
M/S 50B-2239                        Ph#:(510) 486-7531 Fax: 486-6363
Lawrence Berkeley National Laboratory, Berkeley, CA 94720

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
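Review bot: the `>` side of the 220c220 and 244c244 hunks, `if (k > buflen || sizeof(int32_t) > buflen - k)`, is the form to keep. The `<` side adds k and sizeof(int32_t) in unsigned arithmetic, so for a k within a few bytes of the type's maximum the sum wraps to a small value, the comparison passes and the load indexes past buflen; the `>` form never adds, and `buflen - k` is only evaluated once `k > buflen` has failed, so it cannot underflow. The algebraic rewrite offered in the reply, `if (k > buflen - sizeof(int32_t))`, has the mirror-image defect: when buflen is smaller than sizeof(int32_t) the subtraction wraps and every k is accepted.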
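Review bot: in the 288c288,289, 312c313,314 and 331c333 hunks the index k = X + pc->k is formed before the test, so the addition of the two operands has to be guarded as well as the access width; the `>` side does this by checking one operand against buflen and the other against the remaining room before the final `sizeof(...) > buflen - k`. One inconsistency: 288 spells the guard `pc->k > buflen || X > buflen - pc->k` while 312 spells it `X > buflen || pc->k > buflen - X`; the two are equivalent, and one spelling for all three hunks makes the pattern easier to audit. 331 keeps `>=` where the others use `>`, which is consistent with the `<` side's `k >= buflen` for a one-byte access.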
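Review bot: the 535c537 and 538c540,541 hunks apply the same no-addition pattern to jump-target validation, and for 535 it matters: `from + p->k >= len` can wrap when p->k is near the maximum, letting an unconditional jump past the end of the program through validation, whereas `from >= len || p->k >= len - from` cannot. Since the `from >= len` guard exists only to make the subtraction safe, a one-line comment saying so next to these two hunks would stop a later reader from treating it as redundant and removing it.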
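Review bot: the 547c550 hunk's removal of `p->k < 0` is correct if p->k is unsigned (in the BSD bpf_insn it is bpf_u_int32): the comparison is then always false, compilers warn about it, and `p->k >= BPF_MEMWORDS` alone rejects every value outside 0..BPF_MEMWORDS-1, because a negative value stored into an unsigned field reads back as a large one. If the field's type is in doubt, put a comment on the unsigned type beside this check rather than re-introducing the dead comparison.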
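The wrap-around behaviour that separates the spellings of the bounds check discussed in this thread, as an added example in C; it is not code from the mail, the PR or FreeBSD's bpf_filter.c. It assumes 32-bit unsigned k and buflen (the filter's u_int32_t/u_int) and passes the access width as a uint32_t to mimic a 32-bit size_t such as on the i386 host named in the headers; with a 64-bit size_t the sum in the naive form would not wrap. The names load_ok_naive, load_ok_subtract, load_ok_safe, indexed_load_ok_naive, indexed_load_ok_safe, mem_index_ok and count_naive_false_accepts are hypothetical. The reply's algebra (K > BUFLEN implies K > BUFLEN - 4) holds for unbounded integers; the example shows which of the three forms still holds once the arithmetic is modulo 2^32.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BPF_MEMWORDS 16   /* scratch-memory size, as in the 547c550 hunk */

/* "<" side of the 220c220 hunk: k + sizeof(int32_t) > buflen.
 * The addition wraps modulo 2^32 when k is within `width` of UINT32_MAX,
 * so a huge offset looks small and the check passes. */
static bool load_ok_naive(uint32_t k, uint32_t buflen, uint32_t width)
{
    uint32_t end = k + width;  /* may wrap */
    return !(end > buflen);
}

/* Form proposed in the reply: k > buflen - sizeof(int32_t).
 * Immune to a large k, but buflen - width wraps when the buffer is
 * shorter than the access, and then every k is accepted. */
static bool load_ok_subtract(uint32_t k, uint32_t buflen, uint32_t width)
{
    return !(k > buflen - width);  /* buflen - width may wrap */
}

/* ">" side of the 220c220 hunk: no addition at all, and buflen - k is only
 * evaluated after k <= buflen is known, so nothing can wrap. */
static bool load_ok_safe(uint32_t k, uint32_t buflen, uint32_t width)
{
    return !(k > buflen || width > buflen - k);
}

/* Indexed load, "<" side of 288c288,289: k = X + pc->k is formed first,
 * so the operand addition can wrap before the width check even runs. */
static bool indexed_load_ok_naive(uint32_t x, uint32_t pck, uint32_t buflen, uint32_t width)
{
    uint32_t k = x + pck;  /* may wrap */
    return load_ok_naive(k, buflen, width);
}

/* Indexed load, ">" side of 288c288,289: guard the operand addition, then
 * the width, each without an addition that can wrap. */
static bool indexed_load_ok_safe(uint32_t x, uint32_t pck, uint32_t buflen, uint32_t width)
{
    if (pck > buflen || x > buflen - pck)
        return false;      /* X + pc->k would exceed buflen (or wrap) */
    uint32_t k = x + pck;  /* both addends <= buflen and sum <= buflen: no wrap */
    return !(width > buflen - k);
}

/* Scratch-memory index, ">" side of 547c550. With an unsigned k one
 * comparison rejects everything outside 0..BPF_MEMWORDS-1; a negative int
 * stored into the field reads back as a large value and fails here too. */
static bool mem_index_ok(uint32_t k)
{
    return k < BPF_MEMWORDS;
}

/* Number of k in [lo, hi] that the naive check accepts but the safe check
 * rejects; any non-zero result is a wrap-around bypass of the bound. */
static unsigned count_naive_false_accepts(uint32_t lo, uint32_t hi, uint32_t buflen, uint32_t width)
{
    unsigned n = 0;
    for (uint32_t k = lo; ; k++) {
        if (load_ok_naive(k, buflen, width) && !load_ok_safe(k, buflen, width))
            n++;
        if (k == hi)
            break;  /* stop before the loop counter itself wraps at UINT32_MAX */
    }
    return n;
}

int main(void)
{
    const uint32_t buflen = 64;  /* constructed: a 64-byte packet buffer */
    const uint32_t width = 4;    /* sizeof(int32_t) on the assumed platform */
    const uint32_t probes[] = { 0, 60, 61, UINT32_MAX - 1 };

    for (unsigned i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint32_t k = probes[i];
        printf("k=%10lu buflen=%lu naive=%d subtract=%d safe=%d\n",
               (unsigned long)k, (unsigned long)buflen,
               load_ok_naive(k, buflen, width),
               load_ok_subtract(k, buflen, width),
               load_ok_safe(k, buflen, width));
    }
    printf("buflen=2 k=0 width=4: subtract=%d safe=%d\n",
           load_ok_subtract(0, 2, width), load_ok_safe(0, 2, width));
    printf("naive accepts %u wrapping offsets among the top 101 values of k\n",
           count_naive_false_accepts(UINT32_MAX - 100, UINT32_MAX, buflen, width));
    printf("indexed X=UINT32_MAX pc->k=1: naive=%d safe=%d\n",
           indexed_load_ok_naive(UINT32_MAX, 1, buflen, width),
           indexed_load_ok_safe(UINT32_MAX, 1, buflen, width));
    printf("mem index 15=%d 16=%d (uint32_t)-1=%d\n",
           mem_index_ok(15), mem_index_ok(16), mem_index_ok((uint32_t)-1));
    return 0;
}
```

The value of the safe form is that each subtraction is preceded by the comparison that makes it non-negative; that ordering, not the absence of arithmetic as such, is what has to survive any later rewrite of these checks.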