From: Joanne Koong joannelkoong@gmail.com
[ Upstream commit bbd52178e249fe893ef4a9b87cde5b6c473b0a7c ]
For the case where offset + len == size, bpf_xdp_pointer should return a valid pointer to the addr because that access is permitted. We should only return NULL in the case where offset + len exceeds size.
Fixes: 3f364222d032 ("net: xdp: introduce bpf_xdp_pointer utility routine") Signed-off-by: Joanne Koong joannelkoong@gmail.com Signed-off-by: Daniel Borkmann daniel@iogearbox.net Acked-by: Martin KaFai Lau kafai@fb.com Acked-by: Lorenzo Bianconi lorenzo@kernel.org Link: https://lore.kernel.org/bpf/20220722220105.2065466-1-joannelkoong@gmail.com Signed-off-by: Sasha Levin sashal@kernel.org --- net/core/filter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/core/filter.c b/net/core/filter.c index 5db4fae23925..a98f34cb5aee 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -3917,7 +3917,7 @@ static void *bpf_xdp_pointer(struct xdp_buff *xdp, u32 offset, u32 len) offset -= frag_size; } out: - return offset + len < size ? addr + offset : NULL; + return offset + len <= size ? addr + offset : NULL; }
BPF_CALL_4(bpf_xdp_load_bytes, struct xdp_buff *, xdp, u32, offset,