FreeBSD/Linux Kernel Cross Reference
sys/net/bpf_filter.c
1 /* $NetBSD: bpf_filter.c,v 1.32.2.2 2010/06/13 17:51:11 riz Exp $ */
2
3 /*-
4 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
5 * The Regents of the University of California. All rights reserved.
6 *
7 * This code is derived from the Stanford/CMU enet packet filter,
8 * (net/enet.c) distributed as part of 4.3BSD, and code contributed
9 * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
10 * Berkeley Laboratory.
11 *
12 * Redistribution and use in source and binary forms, with or without
13 * modification, are permitted provided that the following conditions
14 * are met:
15 * 1. Redistributions of source code must retain the above copyright
16 * notice, this list of conditions and the following disclaimer.
17 * 2. Redistributions in binary form must reproduce the above copyright
18 * notice, this list of conditions and the following disclaimer in the
19 * documentation and/or other materials provided with the distribution.
20 * 3. Neither the name of the University nor the names of its contributors
21 * may be used to endorse or promote products derived from this software
22 * without specific prior written permission.
23 *
24 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * SUCH DAMAGE.
35 *
36 * @(#)bpf_filter.c 8.1 (Berkeley) 6/10/93
37 */
38
39 #include <sys/cdefs.h>
40 __KERNEL_RCSID(0, "$NetBSD: bpf_filter.c,v 1.32.2.2 2010/06/13 17:51:11 riz Exp $");
41
42 #if 0
43 #if !(defined(lint) || defined(KERNEL))
44 static const char rcsid[] =
45 "@(#) Header: bpf_filter.c,v 1.33 97/04/26 13:37:18 leres Exp (LBL)";
46 #endif
47 #endif
48
49 #include <sys/param.h>
50 #include <sys/time.h>
51
52 #if !defined(UNALIGNED_ACCESS)
53 #define BPF_ALIGN
54 #endif
55
56 #ifndef BPF_ALIGN
57 #define EXTRACT_SHORT(p) ((uint16_t)ntohs(*(uint16_t *)p))
58 #define EXTRACT_LONG(p) (ntohl(*(uint32_t *)p))
59 #else
60 #define EXTRACT_SHORT(p) \
61 ((uint16_t) \
62 ((uint16_t)*((u_char *)p+0)<<8| \
63 (uint16_t)*((u_char *)p+1)<<0))
64 #define EXTRACT_LONG(p) \
65 ((uint32_t)*((u_char *)p+0)<<24|\
66 (uint32_t)*((u_char *)p+1)<<16|\
67 (uint32_t)*((u_char *)p+2)<<8| \
68 (uint32_t)*((u_char *)p+3)<<0)
69 #endif
70
71 #ifdef _KERNEL
72 #include <sys/mbuf.h>
73 #define MINDEX(len, m, k) \
74 { \
75 len = m->m_len; \
76 while (k >= len) { \
77 k -= len; \
78 m = m->m_next; \
79 if (m == 0) \
80 return 0; \
81 len = m->m_len; \
82 } \
83 }
84
85 static int m_xword (struct mbuf *, uint32_t, int *);
86 static int m_xhalf (struct mbuf *, uint32_t, int *);
87
88 static int
89 m_xword(struct mbuf *m, uint32_t k, int *err)
90 {
91 int len;
92 u_char *cp, *np;
93 struct mbuf *m0;
94
95 *err = 1;
96 MINDEX(len, m, k);
97 cp = mtod(m, u_char *) + k;
98 if (len >= k + 4) {
99 *err = 0;
100 return EXTRACT_LONG(cp);
101 }
102 m0 = m->m_next;
103 if (m0 == 0 || m0->m_len + len - k < 4)
104 return 0;
105 *err = 0;
106 np = mtod(m0, u_char *);
107 switch (len - k) {
108
109 case 1:
110 return (cp[0] << 24) | (np[0] << 16) | (np[1] << 8) | np[2];
111
112 case 2:
113 return (cp[0] << 24) | (cp[1] << 16) | (np[0] << 8) | np[1];
114
115 default:
116 return (cp[0] << 24) | (cp[1] << 16) | (cp[2] << 8) | np[0];
117 }
118 }
119
120 static int
121 m_xhalf(struct mbuf *m, uint32_t k, int *err)
122 {
123 int len;
124 u_char *cp;
125 struct mbuf *m0;
126
127 *err = 1;
128 MINDEX(len, m, k);
129 cp = mtod(m, u_char *) + k;
130 if (len >= k + 2) {
131 *err = 0;
132 return EXTRACT_SHORT(cp);
133 }
134 m0 = m->m_next;
135 if (m0 == 0)
136 return 0;
137 *err = 0;
138 return (cp[0] << 8) | mtod(m0, u_char *)[0];
139 }
140 #else /* _KERNEL */
141 #include <stdlib.h>
142 #endif /* !_KERNEL */
143
144 #include <net/bpf.h>
145
146 /*
147 * Execute the filter program starting at pc on the packet p
148 * wirelen is the length of the original packet
149 * buflen is the amount of data present
150 */
151 u_int
152 bpf_filter(struct bpf_insn *pc, u_char *p, u_int wirelen, u_int buflen)
153 {
154 uint32_t A, X, k;
155 int32_t mem[BPF_MEMWORDS];
156
157 if (pc == 0)
158 /*
159 * No filter means accept all.
160 */
161 return (u_int)-1;
162 A = 0;
163 X = 0;
164 --pc;
165 /* CONSTCOND */
166 while (1) {
167 ++pc;
168 switch (pc->code) {
169
170 default:
171 #ifdef _KERNEL
172 return 0;
173 #else
174 abort();
175 #endif
176 case BPF_RET|BPF_K:
177 return (u_int)pc->k;
178
179 case BPF_RET|BPF_A:
180 return (u_int)A;
181
182 case BPF_LD|BPF_W|BPF_ABS:
183 k = pc->k;
184 if (k + sizeof(int32_t) > buflen) {
185 #ifdef _KERNEL
186 int merr = 0; /* XXX: GCC */
187
188 if (buflen != 0)
189 return 0;
190 A = m_xword((struct mbuf *)p, k, &merr);
191 if (merr != 0)
192 return 0;
193 continue;
194 #else
195 return 0;
196 #endif
197 }
198 A = EXTRACT_LONG(&p[k]);
199 continue;
200
201 case BPF_LD|BPF_H|BPF_ABS:
202 k = pc->k;
203 if (k + sizeof(int16_t) > buflen) {
204 #ifdef _KERNEL
205 int merr;
206
207 if (buflen != 0)
208 return 0;
209 A = m_xhalf((struct mbuf *)p, k, &merr);
210 if (merr != 0)
211 return 0;
212 continue;
213 #else
214 return 0;
215 #endif
216 }
217 A = EXTRACT_SHORT(&p[k]);
218 continue;
219
220 case BPF_LD|BPF_B|BPF_ABS:
221 k = pc->k;
222 if (k >= buflen) {
223 #ifdef _KERNEL
224 struct mbuf *m;
225 int len;
226
227 if (buflen != 0)
228 return 0;
229 m = (struct mbuf *)p;
230 MINDEX(len, m, k);
231 A = mtod(m, u_char *)[k];
232 continue;
233 #else
234 return 0;
235 #endif
236 }
237 A = p[k];
238 continue;
239
240 case BPF_LD|BPF_W|BPF_LEN:
241 A = wirelen;
242 continue;
243
244 case BPF_LDX|BPF_W|BPF_LEN:
245 X = wirelen;
246 continue;
247
248 case BPF_LD|BPF_W|BPF_IND:
249 k = X + pc->k;
250 if (k + sizeof(int32_t) > buflen) {
251 #ifdef _KERNEL
252 int merr = 0; /* XXX: GCC */
253
254 if (buflen != 0)
255 return 0;
256 A = m_xword((struct mbuf *)p, k, &merr);
257 if (merr != 0)
258 return 0;
259 continue;
260 #else
261 return 0;
262 #endif
263 }
264 A = EXTRACT_LONG(&p[k]);
265 continue;
266
267 case BPF_LD|BPF_H|BPF_IND:
268 k = X + pc->k;
269 if (k + sizeof(int16_t) > buflen) {
270 #ifdef _KERNEL
271 int merr = 0; /* XXX: GCC */
272
273 if (buflen != 0)
274 return 0;
275 A = m_xhalf((struct mbuf *)p, k, &merr);
276 if (merr != 0)
277 return 0;
278 continue;
279 #else
280 return 0;
281 #endif
282 }
283 A = EXTRACT_SHORT(&p[k]);
284 continue;
285
286 case BPF_LD|BPF_B|BPF_IND:
287 k = X + pc->k;
288 if (k >= buflen) {
289 #ifdef _KERNEL
290 struct mbuf *m;
291 int len;
292
293 if (buflen != 0)
294 return 0;
295 m = (struct mbuf *)p;
296 MINDEX(len, m, k);
297 A = mtod(m, u_char *)[k];
298 continue;
299 #else
300 return 0;
301 #endif
302 }
303 A = p[k];
304 continue;
305
306 case BPF_LDX|BPF_MSH|BPF_B:
307 k = pc->k;
308 if (k >= buflen) {
309 #ifdef _KERNEL
310 struct mbuf *m;
311 int len;
312
313 if (buflen != 0)
314 return 0;
315 m = (struct mbuf *)p;
316 MINDEX(len, m, k);
317 X = (mtod(m, char *)[k] & 0xf) << 2;
318 continue;
319 #else
320 return 0;
321 #endif
322 }
323 X = (p[pc->k] & 0xf) << 2;
324 continue;
325
326 case BPF_LD|BPF_IMM:
327 A = pc->k;
328 continue;
329
330 case BPF_LDX|BPF_IMM:
331 X = pc->k;
332 continue;
333
334 case BPF_LD|BPF_MEM:
335 A = mem[pc->k];
336 continue;
337
338 case BPF_LDX|BPF_MEM:
339 X = mem[pc->k];
340 continue;
341
342 case BPF_ST:
343 mem[pc->k] = A;
344 continue;
345
346 case BPF_STX:
347 mem[pc->k] = X;
348 continue;
349
350 case BPF_JMP|BPF_JA:
351 pc += pc->k;
352 continue;
353
354 case BPF_JMP|BPF_JGT|BPF_K:
355 pc += (A > pc->k) ? pc->jt : pc->jf;
356 continue;
357
358 case BPF_JMP|BPF_JGE|BPF_K:
359 pc += (A >= pc->k) ? pc->jt : pc->jf;
360 continue;
361
362 case BPF_JMP|BPF_JEQ|BPF_K:
363 pc += (A == pc->k) ? pc->jt : pc->jf;
364 continue;
365
366 case BPF_JMP|BPF_JSET|BPF_K:
367 pc += (A & pc->k) ? pc->jt : pc->jf;
368 continue;
369
370 case BPF_JMP|BPF_JGT|BPF_X:
371 pc += (A > X) ? pc->jt : pc->jf;
372 continue;
373
374 case BPF_JMP|BPF_JGE|BPF_X:
375 pc += (A >= X) ? pc->jt : pc->jf;
376 continue;
377
378 case BPF_JMP|BPF_JEQ|BPF_X:
379 pc += (A == X) ? pc->jt : pc->jf;
380 continue;
381
382 case BPF_JMP|BPF_JSET|BPF_X:
383 pc += (A & X) ? pc->jt : pc->jf;
384 continue;
385
386 case BPF_ALU|BPF_ADD|BPF_X:
387 A += X;
388 continue;
389
390 case BPF_ALU|BPF_SUB|BPF_X:
391 A -= X;
392 continue;
393
394 case BPF_ALU|BPF_MUL|BPF_X:
395 A *= X;
396 continue;
397
398 case BPF_ALU|BPF_DIV|BPF_X:
399 if (X == 0)
400 return 0;
401 A /= X;
402 continue;
403
404 case BPF_ALU|BPF_AND|BPF_X:
405 A &= X;
406 continue;
407
408 case BPF_ALU|BPF_OR|BPF_X:
409 A |= X;
410 continue;
411
412 case BPF_ALU|BPF_LSH|BPF_X:
413 A <<= X;
414 continue;
415
416 case BPF_ALU|BPF_RSH|BPF_X:
417 A >>= X;
418 continue;
419
420 case BPF_ALU|BPF_ADD|BPF_K:
421 A += pc->k;
422 continue;
423
424 case BPF_ALU|BPF_SUB|BPF_K:
425 A -= pc->k;
426 continue;
427
428 case BPF_ALU|BPF_MUL|BPF_K:
429 A *= pc->k;
430 continue;
431
432 case BPF_ALU|BPF_DIV|BPF_K:
433 A /= pc->k;
434 continue;
435
436 case BPF_ALU|BPF_AND|BPF_K:
437 A &= pc->k;
438 continue;
439
440 case BPF_ALU|BPF_OR|BPF_K:
441 A |= pc->k;
442 continue;
443
444 case BPF_ALU|BPF_LSH|BPF_K:
445 A <<= pc->k;
446 continue;
447
448 case BPF_ALU|BPF_RSH|BPF_K:
449 A >>= pc->k;
450 continue;
451
452 case BPF_ALU|BPF_NEG:
453 A = -A;
454 continue;
455
456 case BPF_MISC|BPF_TAX:
457 X = A;
458 continue;
459
460 case BPF_MISC|BPF_TXA:
461 A = X;
462 continue;
463 }
464 }
465 }
466
467 #ifdef _KERNEL
468 /*
469 * Return true if the 'fcode' is a valid filter program.
470 * The constraints are that each jump be forward and to a valid
471 * code, that memory accesses are within valid ranges (to the
472 * extent that this can be checked statically; loads of packet
473 * data have to be, and are, also checked at run time), and that
474 * the code terminates with either an accept or reject.
475 *
476 * The kernel needs to be able to verify an application's filter code.
477 * Otherwise, a bogus program could easily crash the system.
478 */
479 int
480 bpf_validate(struct bpf_insn *f, int len)
481 {
482 u_int i, from;
483 struct bpf_insn *p;
484
485 if (len < 1 || len > BPF_MAXINSNS)
486 return 0;
487
488 for (i = 0; i < len; ++i) {
489 p = &f[i];
490 switch (BPF_CLASS(p->code)) {
491 /*
492 * Check that memory operations use valid addresses.
493 */
494 case BPF_LD:
495 case BPF_LDX:
496 switch (BPF_MODE(p->code)) {
497 case BPF_MEM:
498 if (p->k >= BPF_MEMWORDS)
499 return 0;
500 break;
501 case BPF_ABS:
502 case BPF_IND:
503 case BPF_MSH:
504 case BPF_IMM:
505 case BPF_LEN:
506 break;
507 default:
508 return 0;
509 }
510 break;
511 case BPF_ST:
512 case BPF_STX:
513 if (p->k >= BPF_MEMWORDS)
514 return 0;
515 break;
516 case BPF_ALU:
517 switch (BPF_OP(p->code)) {
518 case BPF_ADD:
519 case BPF_SUB:
520 case BPF_MUL:
521 case BPF_OR:
522 case BPF_AND:
523 case BPF_LSH:
524 case BPF_RSH:
525 case BPF_NEG:
526 break;
527 case BPF_DIV:
528 /*
529 * Check for constant division by 0.
530 */
531 if (BPF_SRC(p->code) == BPF_K && p->k == 0)
532 return 0;
533 break;
534 default:
535 return 0;
536 }
537 break;
538 case BPF_JMP:
539 /*
540 * Check that jumps are within the code block,
541 * and that unconditional branches don't go
542 * backwards as a result of an overflow.
543 * Unconditional branches have a 32-bit offset,
544 * so they could overflow; we check to make
545 * sure they don't. Conditional branches have
546 * an 8-bit offset, and the from address is <=
547 * BPF_MAXINSNS, and we assume that BPF_MAXINSNS
548 * is sufficiently small that adding 255 to it
549 * won't overflow.
550 *
551 * We know that len is <= BPF_MAXINSNS, and we
552 * assume that BPF_MAXINSNS is < the maximum size
553 * of a u_int, so that i + 1 doesn't overflow.
554 */
555 from = i + 1;
556 switch (BPF_OP(p->code)) {
557 case BPF_JA:
558 if (from + p->k < from || from + p->k >= len)
559 return 0;
560 break;
561 case BPF_JEQ:
562 case BPF_JGT:
563 case BPF_JGE:
564 case BPF_JSET:
565 if (from + p->jt >= len || from + p->jf >= len)
566 return 0;
567 break;
568 default:
569 return 0;
570 }
571 break;
572 case BPF_RET:
573 break;
574 case BPF_MISC:
575 break;
576 default:
577 return 0;
578 }
579 }
580
581 return BPF_CLASS(f[len - 1].code) == BPF_RET;
582 }
583 #endif
Cache object: 8d337de1d5cb09f63941053f788fbf12
|