@@ -6632,11 +6632,14 @@ static bool flow_dissector_is_valid_access(int off, int size,
case bpf_ctx_range_ptr(struct __sk_buff, flow_keys):
info->reg_type = PTR_TO_FLOW_KEYS;
break;
- case bpf_ctx_range(struct __sk_buff, tc_classid):
- case bpf_ctx_range(struct __sk_buff, data_meta):
- case bpf_ctx_range_till(struct __sk_buff, family, local_port):
- case bpf_ctx_range(struct __sk_buff, tstamp):
- case bpf_ctx_range(struct __sk_buff, wire_len):
+ case bpf_ctx_range(struct __sk_buff, len):
+ case bpf_ctx_range(struct __sk_buff, protocol):
+ case bpf_ctx_range(struct __sk_buff, vlan_present):
+ case bpf_ctx_range(struct __sk_buff, vlan_tci):
+ case bpf_ctx_range(struct __sk_buff, vlan_proto):
+ case bpf_ctx_range_till(struct __sk_buff, cb[0], cb[4]):
+ break;
+ default:
return false;
}
Use whitelist instead of a blacklist and allow only a small set of fields that might be relevant in the context of flow dissector: * len * protocol * vlan_present * vlan_tci * vlan_proto * cb This is required for the eth_get_headlen case where we construct temporary skb which might not have full/consistent state to let flow dissector programs access all the fields (which are irrelevant in for flow dissector program type). Signed-off-by: Stanislav Fomichev <sdf@google.com> --- net/core/filter.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-)