Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next

[linux.git] / net / core / filter.c

diff --git a/net/core/filter.c b/net/core/filter.c
index 1d75f93222758e69d69466650c298c2a1393c4c8..acf1f4fb99d1dfdc6d1da1faf5092135c5ac2dd3 100644 (file)
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -653,11 +653,18 @@ static int bpf_convert_filter(struct sock_filter *prog, int len,
 
 #define BPF_EMIT_JMP                                                   \
        do {                                                            \
+               const s32 off_min = S16_MIN, off_max = S16_MAX;         \
+               s32 off;                                                \
+                                                                       \
                if (target >= len || target < 0)                        \
                        goto err;                                       \
-               insn->off = addrs ? addrs[target] - addrs[i] - 1 : 0;   \
+               off = addrs ? addrs[target] - addrs[i] - 1 : 0;         \
                /* Adjust pc relative offset for 2nd or 3rd insn. */    \
-               insn->off -= insn - tmp_insns;                          \
+               off -= insn - tmp_insns;                                \
+               /* Reject anything not fitting into insn->off. */       \
+               if (off < off_min || off > off_max)                     \
+                       goto err;                                       \
+               insn->off = off;                                        \
        } while (0)
 
                case BPF_JMP | BPF_JA: