Date:      Fri, 31 Aug 2001 13:51:21 -0700
From:      "Jin Guojun[ITG]" <j_guojun@lbl.gov>
To:        mike@FreeBSD.org
Cc:        freebsd-bugs@FreeBSD.org
Subject:   Re: kern/16644: Bad comparsion expression in bpf_filter.c
Message-ID:  <3B8FF8C9.1A3996C6@lbl.gov>
References:  <200107212001.f6LK1mD68694@freefall.freebsd.org>

mike@FreeBSD.org wrote:
> 
> Synopsis: Bad comparsion expression in bpf_filter.c
> 
> State-Changed-From-To: open->feedback
> State-Changed-By: mike
> State-Changed-When: Sat Jul 21 13:01:31 PDT 2001
> State-Changed-Why:
> 
> Does this problem still occur in newer versions of FreeBSD,
> such as 4.3-RELEASE?
> 
> http://www.FreeBSD.org/cgi/query-pr.cgi?pr=16644

It is still there. I have replied about this to the discussion and
got no response. For example, in line 220, the ">" line is equal to
if (k > buflen || k + sizeof(int32_t) > buflen) {
or
if (k > buflen || k > buflen - sizeof(int32_t)) {

if K > BUFLEN then K must be > BUFLEN - 4

so we only want to judge if (k > buflen - sizeof(int32_t)) {
which is the "<" of line 220 -- if (k + sizeof(int32_t) > buflen) {

Right? The rest are ditto. The original design is correct.
The real problem is at line 550. K is outside 0-BPF_MEMWORDS, not just >.

The completed patch can be found at

	http://www.itg.lbl.gov/~jin/cgi-bin/code/patches/bpf-1.2a1.tbz2

316 /sys/net: diff bpf_filter.c*
220c220
<                       if (k + sizeof(int32_t) > buflen) {
---
>                       if (k > buflen || sizeof(int32_t) > buflen - k) {
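Review bot: the rewritten condition is not a plain restatement of the original "<" line; `k + sizeof(int32_t) > buflen` and `k > buflen || sizeof(int32_t) > buflen - k` agree only as long as the addition cannot wrap. The leading `k > buflen` term is what makes `buflen - k` safe to compute, and the second term then rejects a k that lies inside the buffer but too close to its end for a whole word, so neither term can be dropped without reopening the case where k is large enough for `k + sizeof(int32_t)` to wrap below buflen. Since the e-mail body argues that the two forms are equivalent, the commit message should record this reasoning.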
244c244
<                       if (k + sizeof(int16_t) > buflen) {
---
>                       if (k > buflen || sizeof(int16_t) > buflen - k) {
288c288,289
<                       if (k + sizeof(int32_t) > buflen) {
---
>                       if (pc->k > buflen || X > buflen - pc->k ||
>                           sizeof(int32_t) > buflen - k) {
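Review bot: the third term still compares against `k` while the first two validate `pc->k` and `X` separately, so this hunk is only sound if `k` is still assigned `X + pc->k` and that assignment cannot wrap once the first two comparisons have passed (they do guarantee `X + pc->k <= buflen`). Please confirm the assignment to `k` precedes this `if` in the indexed-load case rather than being reused from an earlier case, and consider a one-line comment saying why the sum is safe to use here.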
312c313,314
<                       if (k + sizeof(int16_t) > buflen) {
---
>                       if (X > buflen || pc->k > buflen - X ||
>                           sizeof(int16_t) > buflen - k) {
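Review bot: style: this hunk tests `X > buflen || pc->k > buflen - X` whereas the 288c288,289 hunk above tests `pc->k > buflen || X > buflen - pc->k`. Both orderings are correct, since each guards the subtraction with the operand being subtracted, but using the same order for both indexed loads makes the pattern easier to audit; suggest matching the earlier hunk.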
331c333
<                       if (k >= buflen) {
---
>                       if (pc->k >= buflen || X >= buflen - pc->k) {
535c537
<                               if (from + p->k >= len)
---
>                               if (from >= len || p->k >= len - from)
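Review bot: `from >= len` rejects a jump issued from the final instruction outright, which matches the original behaviour (with `from` equal to `len`, `from + p->k >= len` was already true for any `p->k`) and keeps `len - from` from underflowing. A short comment noting that the first term exists to guard the subtraction, not to change jump semantics, would save the next reader from wondering whether the rule changed.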
538c540,541
<                       else if (from + p->jt >= len || from + p->jf >= len)
---
>                       else if (from >= len || p->jt >= len - from ||
>                                p->jf >= len - from)
547c550
<                   (p->k >= BPF_MEMWORDS || p->k < 0))
---
>                   p->k >= BPF_MEMWORDS)
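Review bot: dropping `p->k < 0` is only a no-op if `p->k` is unsigned, in which case the original comparison was always false (the "bad comparison expression" of the PR title) and `p->k >= BPF_MEMWORDS` alone bounds the index on both sides. If the field were signed anywhere this code is built, this hunk would remove the lower-bound check; state the type of `p->k` in the commit message so the reasoning is on record.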

-- 
------------ Jin Guojun ----------- v --- j_guojun@lbl.gov ---
Distributed Systems Department		http://www.itg.lbl.gov/~jin
M/S 50B-2239				Ph#:(510) 486-7531 Fax: 486-6363
Lawrence Berkeley National Laboratory,	Berkeley, CA 94720
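The three bounds-check forms discussed in the reply above, evaluated side by side as an added example; this is editor-supplied code, not code from the e-mail, the PR or FreeBSD's bpf_filter.c. It runs the original "<" form, the reduced `k > buflen - sizeof(int32_t)` form from the e-mail body and the patched ">" form over the same inputs using 32-bit unsigned arithmetic, as a 32-bit kernel would. The probe table and the names reject_add, reject_mid, reject_sub and count_disagreements are constructed for this example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Width of the load being checked: a 32-bit word, as in the BPF_LD|BPF_W
 * case at line 220.  Kept as an unsigned 32-bit constant so that every
 * expression below is evaluated in 32-bit arithmetic, the way it is on a
 * 32-bit kernel where both k and size_t are 32 bits wide. */
#define WORD ((uint32_t)sizeof(int32_t))

/* Original "<" form: k + sizeof(int32_t) > buflen. */
static bool reject_add(uint32_t k, uint32_t buflen)
{
    uint32_t end = (uint32_t)(k + WORD);   /* wraps when k is near UINT32_MAX */
    return end > buflen;
}

/* Reduced form from the e-mail body: k > buflen - sizeof(int32_t). */
static bool reject_mid(uint32_t k, uint32_t buflen)
{
    uint32_t limit = (uint32_t)(buflen - WORD);  /* underflows when buflen < 4 */
    return k > limit;
}

/* Patched ">" form: k > buflen || sizeof(int32_t) > buflen - k. */
static bool reject_sub(uint32_t k, uint32_t buflen)
{
    if (k > buflen)
        return true;                /* makes buflen - k safe to compute */
    return WORD > buflen - k;       /* k <= buflen here, so no underflow */
}

/* Constructed probe inputs (not from the e-mail): ordinary offsets, the
 * exact boundary, a buffer shorter than one word, and two k values for
 * which k + 4 wraps around in 32 bits. */
struct probe { uint32_t k; uint32_t buflen; };
static const struct probe probes[] = {
    { 0, 64 }, { 60, 64 }, { 61, 64 }, { 64, 64 }, { 100, 64 },
    { 0, 2 },
    { 0xFFFFFFFDu, 64 },
    { 0xFFFFFFFFu, 64 },
};
#define NPROBES (sizeof(probes) / sizeof(probes[0]))

/* Number of probes on which the given form disagrees with reject_sub(),
 * the form whose subtraction is guarded. */
static int count_disagreements(bool (*form)(uint32_t, uint32_t))
{
    int n = 0;
    for (size_t i = 0; i < NPROBES; i++)
        if (form(probes[i].k, probes[i].buflen) !=
            reject_sub(probes[i].k, probes[i].buflen))
            n++;
    return n;
}

int main(void)
{
    printf("%-10s %-6s %-4s %-4s %-4s\n", "k", "buflen", "add", "mid", "sub");
    for (size_t i = 0; i < NPROBES; i++) {
        uint32_t k = probes[i].k, b = probes[i].buflen;
        printf("0x%08" PRIx32 " %-6" PRIu32 " %-4s %-4s %-4s\n", k, b,
               reject_add(k, b) ? "rej" : "ok",
               reject_mid(k, b) ? "rej" : "ok",
               reject_sub(k, b) ? "rej" : "ok");
    }
    printf("disagreements with sub: add=%d mid=%d\n",
           count_disagreements(reject_add), count_disagreements(reject_mid));
    return 0;
}
```

On ordinary offsets the three forms agree. The table printed by main() shows where they part: the addition form accepts a k for which k + 4 has wrapped to a value below buflen, and the reduced form accepts k = 0 when the buffer is shorter than one word because buflen - 4 has underflowed. The patched form never computes buflen - k until k > buflen has been excluded, which is the property a bounds check on an attacker-influenced offset needs.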
