tcpdump mailing list archives

protochain, BPF_JA, and sk_chk_filter


From: Robert Edmonds <edmonds () debian org>
Date: Wed, 17 Sep 2008 21:26:40 +0000 (UTC)

tcpdump produces bpf filter code for 'ip6 and protochain ipv6-frag' that
includes:

    (000) ldh      [12]
    [...]
    (021) ja       6
    [...]
    (062) ret      #0

the jump instruction decodes to:

    { 0x5, 0, 0, 0xfffffff0 }

the linux kernel returns EINVAL when tcpdump tries to load this filter
code onto the socket:

    Warning: Kernel filter failed: Invalid argument

further investigation shows that the failed check occurs in the linux
kernel's net/core/filter.c sk_chk_filter() function:

    case BPF_JMP|BPF_JA:
            /*
             * Note, the large ftest->k might cause loops.
             * Compare this with conditional jumps below,
             * where offsets are limited. --ANK (981016)
             */
            if (ftest->k >= (unsigned)(flen-pc-1))
                    return -EINVAL;
            break;

    (http://lxr.linux.no/linux+v2.6.26.5/net/core/filter.c#L409)

the comparison succeeds because the large unsigned k-value for this
instruction (0xfffffff0) is much larger than the number of remaining bpf
instructions (flen-pc-1).

is this a bug in libpcap's protochain filter generation code?

-- 
Robert Edmonds
edmonds () debian org
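As an added example, not code from the post, from libpcap or from the Linux kernel, the C program below re-implements the quoted BPF_JA rule from sk_chk_filter() in user space and runs it over a constructed stand-in for the filter in the message: 63 instructions, with ldh [12] at (000), the ja at (021) and "ret #0" filling the slots the post elides. The struct layout and opcode constants mirror classic BPF; SAMPLE_LEN, JA_PC and the helper names are assumptions made for this example. It also decodes 0xfffffff0 as a signed offset: if "ja 6" in the dump denotes absolute target 6, the offset relative to pc+1 is 6 - 22 = -16, which is 0xfffffff0 in two's complement, so the kernel's unsigned comparison sees a backward jump as a value far larger than the 41 remaining instructions.

```c
/* Added example: user-space re-implementation of the BPF_JA validation
 * quoted from sk_chk_filter(), run over a constructed filter program.
 * Not taken from the post, libpcap or the kernel. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Same layout as the kernel's struct sock_filter. */
struct sock_filter {
    uint16_t code;
    uint8_t  jt;
    uint8_t  jf;
    uint32_t k;
};

/* Classic BPF opcode encoding (values as in <linux/filter.h>). */
#define BPF_CLASS(code) ((code) & 0x07)
#define BPF_LD   0x00
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_H    0x08
#define BPF_ABS  0x20
#define BPF_OP(code)    ((code) & 0xf0)
#define BPF_JA   0x00
#define BPF_K    0x00

#define SAMPLE_LEN 63   /* assumed: the post's program runs (000)..(062) */
#define JA_PC      21   /* assumed: position of the "ja" in that program */

/* ja offsets are relative to pc+1 and stored in the unsigned k field, so a
 * backward jump appears as a huge value; reinterpreting k as two's
 * complement recovers the offset the generator intended. */
int32_t ja_signed_offset(uint32_t k)
{
    return (int32_t)k;
}

/* The BPF_JA rule from sk_chk_filter(), plus the kernel's requirement that
 * the program end in a RET. Returns 0 if accepted, -EINVAL otherwise. */
int check_ja(const struct sock_filter *filter, unsigned int flen)
{
    unsigned int pc;

    if (flen == 0)
        return -EINVAL;

    for (pc = 0; pc < flen; pc++) {
        const struct sock_filter *ftest = &filter[pc];

        if (BPF_CLASS(ftest->code) == BPF_JMP &&
            BPF_OP(ftest->code) == BPF_JA) {
            /* the target must be one of the flen-pc-1 instructions after
             * pc; any negative offset stored unsigned exceeds that count */
            if (ftest->k >= (unsigned int)(flen - pc - 1))
                return -EINVAL;
        }
    }

    if (BPF_CLASS(filter[flen - 1].code) != BPF_RET)
        return -EINVAL;
    return 0;
}

/* Constructed stand-in for the post's filter: ldh [12] at (000), a ja with
 * the given k at (021), and "ret #0" in every other slot (the real
 * program's intermediate instructions are elided in the post). */
void build_sample(struct sock_filter *out, uint32_t ja_k)
{
    unsigned int i;

    for (i = 0; i < SAMPLE_LEN; i++) {
        out[i].code = BPF_RET | BPF_K;   /* ret #0 */
        out[i].jt = 0;
        out[i].jf = 0;
        out[i].k = 0;
    }
    out[0].code = BPF_LD | BPF_H | BPF_ABS;   /* ldh [12] */
    out[0].k = 12;
    out[JA_PC].code = BPF_JMP | BPF_JA;       /* ja <k> */
    out[JA_PC].k = ja_k;
}

/* Builds the sample with the given ja k and returns the check's verdict. */
int sample_result(uint32_t ja_k)
{
    struct sock_filter prog[SAMPLE_LEN];

    build_sample(prog, ja_k);
    return check_ja(prog, SAMPLE_LEN);
}

int main(void)
{
    uint32_t k = 0xfffffff0u;

    printf("k=0x%08x decodes to offset %d, i.e. absolute target %d\n",
           k, ja_signed_offset(k), JA_PC + 1 + ja_signed_offset(k));
    printf("kernel-style check on the post's jump: %s\n",
           sample_result(k) == 0 ? "accepted" : "EINVAL");
    printf("same jump with a forward offset (k=6): %s\n",
           sample_result(6) == 0 ? "accepted" : "EINVAL");
    return 0;
}
```

Compiling and running this shows the two sides of the report: the offset decodes to -16 (target 6, matching the dump), yet check_ja() rejects it, while any forward offset below the 41 remaining instructions is accepted. The comparison is purely unsigned, so the kernel rejects every backward ja no matter where it actually lands; a filter containing one cannot be loaded onto the socket at all, which is why the warning is emitted.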

-
This is the tcpdump-workers list.

