[Winpcap-bugs] Some more bpf_validate bugs
Guy Harris
guy at alum.mit.edu
Wed Jan 2 03:55:04 GMT 2008

It turns out that there were two bugs in the original OpenBSD filter
validation code, one that caused it to reject all filters that used
multiply instructions, and another that caused it to reject all filters
that used divide instructions.

I've attached a patch file (with Windows line endings, some manually
added - hopefully it'll apply correctly) to patch both the Windows 9x
and Windows NT win_bpf_filter.c files with fixes for those bugs.
-------------- next part --------------
*** Packet9x/VXD/win_bpf_filter.c.dist Fri Dec 2 14:31:26 2005
--- Packet9x/VXD/win_bpf_filter.c Tue Jan 1 19:49:42 2008
***************
*** 695,700 ****
--- 695,701 ----
switch (BPF_OP(p->code)) {
case BPF_ADD:
case BPF_SUB:
+ case BPF_MUL:
case BPF_OR:
case BPF_AND:
case BPF_LSH:
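Review bot: The patch adds no test for the new `case BPF_MUL:` label, so if the label is dropped again the validator would go back to rejecting every multiply filter without anything flagging it. A validator test that passes a short program containing a BPF_MUL instruction followed by a return, and expects it to be accepted, would pin the behaviour.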
***************
*** 707,712 ****
--- 708,714 ----
*/
if (BPF_RVAL(p->code) == BPF_K && p->k == 0)
return 0;
+ break;
default:
return 0;
}
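Review bot: The check just above the added `break;` rejects only a constant zero divisor (`BPF_RVAL(p->code) == BPF_K && p->k == 0`), so with the fall-through gone, divides by the X register now pass validation whatever X holds at run time. Worth confirming that the interpreter checks for a zero X before dividing, and saying so in the comment that ends just above this check.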
*** packetNtx/driver/win_bpf_filter.c.dist Mon Nov 12 15:18:28 2007
--- packetNtx/driver/win_bpf_filter.c Tue Jan 1 19:43:54 2008
***************
*** 1084,1089 ****
--- 1084,1090 ----
switch (BPF_OP(p->code)) {
case BPF_ADD:
case BPF_SUB:
+ case BPF_MUL:
case BPF_OR:
case BPF_AND:
case BPF_LSH:
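Review bot: This `case BPF_MUL:` addition is line-for-line the same as the one in Packet9x/VXD/win_bpf_filter.c, at a different offset (1084 here, 695 there), which means the validator exists as two copies that have to be patched separately. Consider sharing one copy of the validation routine between the two drivers, or at least noting in each file that the other must be kept in sync.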
***************
*** 1096,1101 ****
--- 1097,1103 ----
*/
if (BPF_RVAL(p->code) == BPF_K && p->k == 0)
return 0;
+ break;
default:
return 0;
}
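Review bot: The added `break;` sits directly above `default: return 0;`, and the missing one was easy to overlook because the fall-through failed closed by rejecting the filter. Suggest a pair of validator tests for the divide case, one with a nonzero constant divisor that must be accepted and one with `k == 0` that must be rejected, so both sides of this check are covered.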
***************
*** 1144,1147 ****
}
}
return BPF_CLASS(f[len - 1].code) == BPF_RET;
! }
\ No newline at end of file
--- 1146,1149 ----
}
}
return BPF_CLASS(f[len - 1].code) == BPF_RET;
! }
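Review bot: The only change in this hunk is the closing `}` gaining a trailing newline (`\ No newline at end of file` on the old side), which is unrelated to the two validation fixes. Given that the line endings in this patch were partly added by hand, it would be safer to drop this hunk or send it separately, so a mismatch on the last line does not produce a rejected hunk alongside the functional fixes.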