Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 75a5bf8e authored by Stanislav Fomichev's avatar Stanislav Fomichev Committed by Greg Kroah-Hartman
Browse files

bpf: Move skb->len == 0 checks into __bpf_redirect 



[ Upstream commit 114039b342014680911c35bd6b72624180fd669a ]

To avoid potentially breaking existing users.

Both mac/no-mac cases have to be amended; mac_header >= network_header
is not enough (verified with a new test, see next patch).

Fixes: fd1894224407 ("bpf: Don't redirect packets with invalid pkt_len")
Signed-off-by: default avatarStanislav Fomichev <sdf@google.com>
Link: https://lore.kernel.org/r/20221121180340.1983627-1-sdf@google.com


Signed-off-by: default avatarMartin KaFai Lau <martin.lau@kernel.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 61688b88

net/bpf/test_run.c

+0 −3
Original line number Diff line number Diff line
@@ -201,9 +201,6 @@ static int convert___skb_to_skb(struct sk_buff *skb, struct __sk_buff *__skb) 
{

	struct qdisc_skb_cb *cb = (struct qdisc_skb_cb *)skb->cb;



	if (!skb->len)

		return -EINVAL;



	if (!__skb)

		return 0;

net/core/filter.c

+6 −1
Original line number Diff line number Diff line
@@ -2071,6 +2071,11 @@ static int __bpf_redirect_no_mac(struct sk_buff *skb, struct net_device *dev, 
{

	unsigned int mlen = skb_network_offset(skb);



	if (unlikely(skb->len <= mlen)) {

		kfree_skb(skb);

		return -ERANGE;

	}



	if (mlen) {

		__skb_pull(skb, mlen);
@@ -2092,7 +2097,7 @@ static int __bpf_redirect_common(struct sk_buff *skb, struct net_device *dev, 
				 u32 flags)

{

	/* Verify that a link layer header is carried */

	if (unlikely(skb->mac_header >= skb->network_header)) {

	if (unlikely(skb->mac_header >= skb->network_header || skb->len == 0)) {

		kfree_skb(skb);

		return -ERANGE;

	}