DragonFly BSD
DragonFly bugs List (threaded) for 2010-04

bpf_validate() uses BPF_RVAL() when it should use BPF_SRC()


From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 20 Apr 2010 17:34:31 -0700

In bpf_validate, when it checks whether the divisor in a BPF_DIV instruction is a constant 0, it does

			case BPF_DIV:
				/*
				 * Check for constant division by 0.
				 */
				if (BPF_RVAL(p->code) == BPF_K && p->k == 0)
					return 0;
				break;

BPF_RVAL() is the macro to get the return value of a RET instruction; it extracts the 0x18 bits.  The BPF_DIV opcode is 0x30, which has the 0x10 bit set; a BPF_DIV instruction with a constant 0 as the divisor would be BPF_DIV|BPF_K, which is 0x30; BPF_RVAL(p->code) would be 0x10, which isn't equal to BPF_K, which is 0x00.

The macro to get the source argument of an arithmetic instruction is BPF_SRC(), which extracts only the 0x08 bit; BPF_SRC(p->code) would be 0x00, which is equal to BPF_K, so it should be doing

			case BPF_DIV:
				/*
				 * Check for constant division by 0.
				 */
				if (BPF_SRC(p->code) == BPF_K && p->k == 0)
					return 0;
				break;
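
The effect of the two masks on this check can be reproduced outside the kernel. The following is an added example, not code from the message or from DragonFly: `struct insn`, `div_check_rval()` and `div_check_src()` are hypothetical names that model only the BPF_DIV test, the sample instructions are constructed, and `BPF_CLASS`, `BPF_ALU`, `BPF_OP` and `BPF_X` are the usual classic BPF definitions, which the message does not quote.

```c
#include <stdint.h>
#include <stdio.h>

/* Classic BPF opcode fields; 0x18, 0x08, 0x30 and 0x00 are the values quoted in the message. */
#define BPF_CLASS(code) ((code) & 0x07)
#define BPF_ALU         0x04
#define BPF_OP(code)    ((code) & 0xf0)
#define BPF_DIV         0x30
#define BPF_SRC(code)   ((code) & 0x08)  /* operand source of an ALU instruction */
#define BPF_K           0x00
#define BPF_X           0x08
#define BPF_RVAL(code)  ((code) & 0x18)  /* return-value source of a RET instruction */

/* Hypothetical minimal instruction: only the fields the check reads. */
struct insn { uint16_t code; uint32_t k; };

/* The check with BPF_RVAL(): returns 1 if the instruction is accepted. */
static int div_check_rval(const struct insn *p)
{
	if (BPF_CLASS(p->code) == BPF_ALU && BPF_OP(p->code) == BPF_DIV &&
	    BPF_RVAL(p->code) == BPF_K && p->k == 0)
		return 0;
	return 1;
}

/* The same check with BPF_SRC(), as proposed in the message. */
static int div_check_src(const struct insn *p)
{
	if (BPF_CLASS(p->code) == BPF_ALU && BPF_OP(p->code) == BPF_DIV &&
	    BPF_SRC(p->code) == BPF_K && p->k == 0)
		return 0;
	return 1;
}

int main(void)
{
	/* Constructed sample instructions. */
	const struct insn samples[] = {
		{ BPF_ALU | BPF_DIV | BPF_K, 0 },  /* A /= 0: constant zero divisor */
		{ BPF_ALU | BPF_DIV | BPF_K, 4 },  /* A /= 4: valid */
		{ BPF_ALU | BPF_DIV | BPF_X, 0 },  /* A /= X: k is not the divisor */
	};
	for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
		printf("code=0x%02x k=%u  RVAL: %s  SRC: %s\n",
		    (unsigned)samples[i].code, (unsigned)samples[i].k,
		    div_check_rval(&samples[i]) ? "accept" : "reject",
		    div_check_src(&samples[i]) ? "accept" : "reject");
	return 0;
}
```

Only the first sample differs between the two checks: the 0x10 bit of BPF_DIV survives the 0x18 mask, so the BPF_RVAL() comparison with BPF_K never matches and the constant zero divisor passes.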


