inet_diag: fix inet_diag_bc_audit() (eeb14972) · Commits · e / devices / android_kernel_fairphone_FP3

net/ipv4/inet_diag.c

+6 −8

Original line number	Diff line number	Diff line
		@@ -437,7 +437,7 @@ static int valid_cc(const void *bc, int len, int cc)
		return 0;
		if (cc == len)
		return 1;
		if (op->yes < 4)
		if (op->yes < 4 \|\| op->yes & 3)
		return 0;
		len -= op->yes;
		bc += op->yes;
		@@ -447,11 +447,11 @@ static int valid_cc(const void *bc, int len, int cc)

		static int inet_diag_bc_audit(const void *bytecode, int bytecode_len)
		{
		const unsigned char *bc = bytecode;
		const void *bc = bytecode;
		int len = bytecode_len;

		while (len > 0) {
		struct inet_diag_bc_op op = (struct inet_diag_bc_op )bc;
		const struct inet_diag_bc_op *op = bc;

		//printk("BC: %d %d %d {%d} / %d\n", op->code, op->yes, op->no, op[1].no, len);
		switch (op->code) {
		@@ -462,22 +462,20 @@ static int inet_diag_bc_audit(const void *bytecode, int bytecode_len)
		case INET_DIAG_BC_S_LE:
		case INET_DIAG_BC_D_GE:
		case INET_DIAG_BC_D_LE:
		if (op->yes < 4 \|\| op->yes > len + 4)
		return -EINVAL;
		case INET_DIAG_BC_JMP:
		if (op->no < 4 \|\| op->no > len + 4)
		if (op->no < 4 \|\| op->no > len + 4 \|\| op->no & 3)
		return -EINVAL;
		if (op->no < len &&
		!valid_cc(bytecode, bytecode_len, len - op->no))
		return -EINVAL;
		break;
		case INET_DIAG_BC_NOP:
		if (op->yes < 4 \|\| op->yes > len + 4)
		return -EINVAL;
		break;
		default:
		return -EINVAL;
		}
		if (op->yes < 4 \|\| op->yes > len + 4 \|\| op->yes & 3)
		return -EINVAL;
		bc += op->yes;
		len -= op->yes;
		}