From 2293e68203ecf637bc929b02cdb3a4f9e71aac6d Mon Sep 17 00:00:00 2001 From: dlg Date: Mon, 5 Aug 2024 23:56:10 +0000 Subject: [PATCH] restrict the maximum wait time you can set via BIOCSWTIMEOUT to 5 minutes. this is avoids passing excessively large values to timeout_add_nsec. Reported-by: syzbot+f650785d4f2b3fe28284@syzkaller.appspotmail.com --- share/man/man4/bpf.4 | 5 +++-- sys/net/bpf.c | 4 +++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/share/man/man4/bpf.4 b/share/man/man4/bpf.4 index 46429f1cde5..4990dc8a109 100644 --- a/share/man/man4/bpf.4 +++ b/share/man/man4/bpf.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: bpf.4,v 1.45 2023/03/09 06:01:40 dlg Exp $ +.\" $OpenBSD: bpf.4,v 1.46 2024/08/05 23:56:10 dlg Exp $ .\" $NetBSD: bpf.4,v 1.7 1995/09/27 18:31:50 thorpej Exp $ .\" .\" Copyright (c) 1990 The Regents of the University of California. @@ -23,7 +23,7 @@ .\" This document is derived in part from the enet man page (enet.4) .\" distributed with 4.3BSD Unix. .\" -.Dd $Mdocdate: March 9 2023 $ +.Dd $Mdocdate: August 5 2024 $ .Dt BPF 4 .Os .Sh NAME @@ -315,6 +315,7 @@ the kernel buffer becoming readable. By default, or when reset, the wait timeout is infinite, meaning the age of packets in the kernel buffer does not make the buffer readable. +The maximum wait time that can be set is 5 minutes (300 seconds). .Pp .It Dv BIOCSETF Fa "struct bpf_program *" Sets the filter program used by the kernel to discard uninteresting packets. diff --git a/sys/net/bpf.c b/sys/net/bpf.c index 51a1ed66ff4..6adc594f1b3 100644 --- a/sys/net/bpf.c +++ b/sys/net/bpf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bpf.c,v 1.222 2024/01/26 21:14:08 jan Exp $ */ +/* $OpenBSD: bpf.c,v 1.223 2024/08/05 23:56:10 dlg Exp $ */ /* $NetBSD: bpf.c,v 1.33 1997/02/21 23:59:35 thorpej Exp $ */ /* @@ -731,6 +731,8 @@ bpf_set_wtimeout(struct bpf_d *d, const struct timeval *tv) return (EINVAL); nsec = TIMEVAL_TO_NSEC(tv); + if (nsec > SEC_TO_NSEC(300)) + return (EINVAL); if (nsec > MAXTSLP) return (EOVERFLOW); -- 2.20.1