svn commit: r235746 - head/sys/net

[Jung-uk Kim]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2012-05-21 18:19:20 -0400, Alexander V. Chernikov wrote:
> Author: melifaro Date: Mon May 21 22:19:19 2012 New Revision:
> 235746 URL: http://svn.freebsd.org/changeset/base/235746
> 
> Log: Call bpf_jitter() before acquiring BPF global lock due to
> malloc() being used inside bpf_jitter.
> 
> Eliminate bpf_buffer_alloc() and allocate BPF buffers on descriptor
> creation and BIOCSBLEN ioctl. This permits us not to allocate
> buffers inside bpf_attachd() which is protected by global lock.
> 
> Approved by:      kib(mentor) MFC in:            4 weeks
> 
> Modified: head/sys/net/bpf.c head/sys/net/bpf_buffer.c 
> head/sys/net/bpf_buffer.h
> 
> Modified: head/sys/net/bpf.c 
> ==============================================================================
>
> 
- --- head/sys/net/bpf.c	Mon May 21 22:17:29 2012	(r235745)
> +++ head/sys/net/bpf.c	Mon May 21 22:19:19 2012	(r235746)
...
> @@ -1664,7 +1668,7 @@ bpf_setf(struct bpf_d *d, struct bpf_pro 
> struct bpf_insn *fcode, *old; u_int wfilter, flen, size; #ifdef
> BPF_JITTER -	bpf_jit_filter *ofunc; +	bpf_jit_filter *ofunc,
> *jfunc; #endif int need_upgrade; #ifdef COMPAT_FREEBSD32 @@ -1695,6
> +1699,13 @@ bpf_setf(struct bpf_d *d, struct bpf_pro else fcode =
> NULL; /* Make compiler happy */
> 
> +#ifdef BPF_JITTER +	if (fp->bf_insns != NULL) +		jfunc =
> bpf_jitter(fcode, flen); +	else +		jfunc = NULL; /* Make compiler
> happy */ +#endif + BPF_LOCK();
> 
> if (cmd == BIOCSETWF) {
...

This is completely wrong.  First, fcode has not been initialized with
copyin().  Second, you must not compile random filter code without
validation, i.e., bpf_validate().

Jung-uk Kim
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+9fmUACgkQmlay1b9qnVOlBACgtljVNwOiFb7Ds7GgeoQMyRRr
jU4An3b43yEND8yPs8GSn20ZeCRrI9pu
=z4sw
-----END PGP SIGNATURE-----