PROBLEM: Using BPF_PROG_TEST_RUN with data_out != NULL is unsafe
From: Lorenz Bauer
Date: Wed Apr 04 2018 - 05:04:15 EST
Hello,
I've encountered an issue when using BPF_PROG_TEST_RUN and capturing the output.
The kernel copies data into user space without checking the length of
the destination buffer.
In bpf_test_finish(), size is the amount of data in the XDP buffer /
skb after the program is run. This can be larger than data_size_in due
to bpf_xdp_adjust_head() and friends.
bpf_test_finish doesn't clamp size to data_size_out, which is what I
was expecting.
What is the correct way to use this interface?
Best,
Lorenz
--
Lorenz Bauer | Systems Engineer
25 Lavington St., London SE1 0NZ
www.cloudflare.com
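
A userspace model of the copy-out step described in this message, added here as an illustration; it is not kernel code and not part of the original post. The struct, the function names and the -ENOSPC return on truncation are assumptions, and the model treats data_size_out as the capacity of data_out on input.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Userspace model; field names follow the attr fields named in the post. */
struct test_run {
    void    *data_out;       /* caller's destination buffer */
    uint32_t data_size_out;  /* in: capacity of data_out (assumption); out: size after the run */
};

/* Bytes an unclamped copy of `size` bytes would write past a buffer of `capacity` bytes. */
size_t unclamped_overrun(uint32_t capacity, uint32_t size)
{
    return size > capacity ? (size_t)(size - capacity) : 0;
}

/* Clamped finish: copy at most `capacity` bytes, report the full size, flag truncation. */
int test_finish_clamped(struct test_run *t, const void *pkt, uint32_t size)
{
    uint32_t capacity = t->data_size_out;
    uint32_t copy = size < capacity ? size : capacity;

    if (t->data_out && copy)
        memcpy(t->data_out, pkt, copy);
    t->data_size_out = size;             /* caller learns how much room was needed */
    return size > capacity ? -ENOSPC : 0; /* error code is an assumption of this model */
}

/* Constructed case: 64-byte input, program prepends 14 bytes, 64-byte output buffer. */
int demo(uint32_t *reported, int *canary_ok)
{
    uint8_t pkt[78], out[64 + 8];
    struct test_run t = { .data_out = out, .data_size_out = 64 };
    int ret;

    memset(pkt, 0xAB, sizeof(pkt));
    memset(out, 0xCC, sizeof(out));      /* last 8 bytes act as a canary */
    ret = test_finish_clamped(&t, pkt, sizeof(pkt));
    *reported = t.data_size_out;
    *canary_ok = 1;
    for (size_t i = 64; i < sizeof(out); i++)
        if (out[i] != 0xCC)
            *canary_ok = 0;
    return ret;
}
```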