To avoid potentially breaking existing users.
Both mac/no-mac cases have to be amended; mac_header >= network_header
is not enough (verified with a new test, see next patch).
Fixes: fd1894224407 ("bpf: Don't redirect packets with invalid pkt_len")
Signed-off-by: Stanislav Fomichev <sdf@google.com>
Link: https://lore.kernel.org/r/20221121180340.1983627-1-sdf@google.com
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
 {
        struct qdisc_skb_cb *cb = (struct qdisc_skb_cb *)skb->cb;
 
-       if (!skb->len)
-               return -EINVAL;
-
        if (!__skb)
                return 0;
 
 
 {
        unsigned int mlen = skb_network_offset(skb);
 
+       if (unlikely(skb->len <= mlen)) {
+               kfree_skb(skb);
+               return -ERANGE;
+       }
+
        if (mlen) {
                __skb_pull(skb, mlen);
-               if (unlikely(!skb->len)) {
-                       kfree_skb(skb);
-                       return -ERANGE;
-               }
 
                /* At ingress, the mac header has already been pulled once.
                 * At egress, skb_pospull_rcsum has to be done in case that
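Review bot: The new guard at the top of this function carries no comment explaining why it has to run before `__skb_pull()`, and the condition alone does not make that obvious: `skb->len <= mlen` rejects an empty skb when `mlen` is 0 as well as a packet that would have nothing left (or be over-pulled) once the link-layer bytes are removed. I would add `/* Reject empty and header-only skbs before the pull so len never reaches 0 here. */` directly above the `if`. `mlen` is unsigned while `skb_network_offset()` returns a signed value as far as I recall, so a negative offset would wrap and also land in this branch; that looks like the safe outcome, but it is worth a word in the comment. The mac-carrying path in the later hunk tests only `skb->len == 0`, so the two paths do not reject the same set of short packets; if that asymmetry is intended, it should be stated there. The function body continues past the end of this hunk.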
                                 u32 flags)
 {
        /* Verify that a link layer header is carried */
-       if (unlikely(skb->mac_header >= skb->network_header)) {
+       if (unlikely(skb->mac_header >= skb->network_header || skb->len == 0)) {
                kfree_skb(skb);
                return -ERANGE;
        }