explain 'unnecessary' bounds checks, ensure minimum path length

kubernetes-sigs · Nov 13, 2024 · 51194af · 51194af
1 parent 79382be
commit 51194af
Show file tree

Hide file tree

Showing 2 changed files with 9,714 additions and 9,880 deletions.
diff --git a/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.c b/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.c
@@ -174,8 +174,12 @@ static __always_inline int register_file_event(struct file * file, u64 flags)
     }
 
     if (file->f_inode->i_mode & S_IFDIR) {
-        // overly pedantic check to make ebpf verifier happy
-        if (pathlen - 2 < sizeof(event->data) && pathlen - 1 < sizeof(event->data) && pathlen < sizeof(event->data)){
+        // more checks than necessary, but only checking each offset individually makes the ebpf verifier happy.
+        if (pathlen >= 2
+            && pathlen - 2 < sizeof(event->data)
+            && pathlen - 1 < sizeof(event->data)
+            && pathlen < sizeof(event->data)
+        ){
             if(event->data[pathlen - 2] != '/') {
                 // No trailing slash, add `/` and move null byte.
                 event->data[pathlen - 1] = '/';