From: Kees Cook <keescook@chromium.org>
Date: Wed, 18 Jun 2014 22:34:57 +0000 (-0700)
Subject: net: filter: fix upper BPF instruction limit
X-Git-Tag: v4.9.8~6183^2~26
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=6f9a093b66ce7cacc110d8737c03686e80ecfda6;p=platform%2Fkernel%2Flinux-rpi3.git

net: filter: fix upper BPF instruction limit

The original checks (via sk_chk_filter) for instruction count uses ">",
not ">=", so changing this in sk_convert_filter has the potential to break
existing seccomp filters that used exactly BPF_MAXINSNS many instructions.

Fixes: bd4cf0ed331a ("net: filter: rework/optimize internal BPF interpreter's instruction set")
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org # v3.15+
Acked-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/net/core/filter.c b/net/core/filter.c
index 735fad8..a44e12c 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -840,7 +840,7 @@ int sk_convert_filter(struct sock_filter *prog, int len,
 	BUILD_BUG_ON(BPF_MEMWORDS * sizeof(u32) > MAX_BPF_STACK);
 	BUILD_BUG_ON(BPF_REG_FP + 1 != MAX_BPF_REG);
 
-	if (len <= 0 || len >= BPF_MAXINSNS)
+	if (len <= 0 || len > BPF_MAXINSNS)
 		return -EINVAL;
 
 	if (new_prog) {