Skip to content

Commit

Permalink
bpf(4): Reject bogus timeout values before arithmetic overflows.
Browse files Browse the repository at this point in the history 
Reported-by: syzbot+fbd86bdf579944b64a98@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?id=60d46fd4863952897cbf67c6b1bcc8b20ec7bde6

XXX pullup-8
XXX pullup-9
  • Loading branch information
riastradh authored and riastradh committed Sep 3, 2022
1 parent 770e369 commit 5e84044
Showing 1 changed file with 12 additions and 4 deletions.
16 changes: 12 additions & 4 deletions sys/net/bpf.c
View file
@@ -1,4 +1,4 @@
/* $NetBSD: bpf.c,v 1.246 2022/03/15 13:00:44 riastradh Exp $ */
/* $NetBSD: bpf.c,v 1.247 2022/09/03 10:03:20 riastradh Exp $ */

/*
* Copyright (c) 1990, 1991, 1993
Expand Down Expand Up @@ -39,7 +39,7 @@
*/

#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: bpf.c,v 1.246 2022/03/15 13:00:44 riastradh Exp $");
__KERNEL_RCSID(0, "$NetBSD: bpf.c,v 1.247 2022/09/03 10:03:20 riastradh Exp $");

#if defined(_KERNEL_OPT)
#include "opt_bpf.h"
Expand Down Expand Up @@ -1152,7 +1152,11 @@ bpf_ioctl(struct file *fp, u_long cmd, void *addr)
struct timeval *tv = addr;

/* Compute number of ticks. */
if (tv->tv_sec > INT_MAX/hz - 1) {
if (tv->tv_sec < 0 ||
tv->tv_usec < 0 || tv->tv_usec >= 1000000) {
error = EINVAL;
break;
} else if (tv->tv_sec > INT_MAX/hz - 1) {
d->bd_rtout = INT_MAX;
} else {
d->bd_rtout = tv->tv_sec * hz
Expand Down Expand Up @@ -1186,7 +1190,11 @@ bpf_ioctl(struct file *fp, u_long cmd, void *addr)
struct timeval50 *tv = addr;

/* Compute number of ticks. */
if (tv->tv_sec > INT_MAX/hz - 1) {
if (tv->tv_sec < 0 ||
tv->tv_usec < 0 || tv->tv_usec >= 1000000) {
error = EINVAL;
break;
} else if (tv->tv_sec > INT_MAX/hz - 1) {
d->bd_rtout = INT_MAX;
} else {
d->bd_rtout = tv->tv_sec * hz
Expand Down

0 comments on commit 5e84044

Please sign in to comment.