History log of /src/sys/net/bpf_filter.c
Revision  Date  Author  Comments
 1.73  02-Sep-2024  christos merge changes from libpcap-1.10.5
 1.72  17-Aug-2023  christos define symbols that new libpcap needs
 1.71  07-Jun-2016  pgoyette Create separate modules for i2c_bitbang and bpf_filter so these files
can be included in kernels which need them without also duplicating
them in other modules. Removes the duplicate symbols I found which
prevented loading i2c and bpf modules after having fixed PR 45125.
 1.70  11-Feb-2015  alnsn Fix the build.
 1.69  11-Feb-2015  alnsn It's not enough to check that a class of the last instruction is BPF_RET.
The opcodes in bpf_validate() must match opcodes understood by bpf_filter().

Found by afl-fuzz http://lcamtuf.coredump.cx/afl/.
 1.68  19-Nov-2014  christos branches: 1.68.2;
Add BPF_MOD/BPF_XOR, sync DLT entries and document unused bpf instructions.
From libpcap-1.6.2
 1.67  07-Jul-2014  alnsn Arithmetic overflow when calculating variable offsets (BPF_LD+BPF_IND
instructions) should be handled uniformly for contiguous buffers and mbufs.
 1.66  05-Jul-2014  alnsn Implement error checking in m_xbyte() and check for errors after m_xbyte() call.
Reuse (len - k) expression in m_xword() and m_xhalf() to give an optimization
hint to a compiler.

When m_xbyte() didn't exist, bpf_filter() handled out-of-bounds BPF_B loads
correctly because "return 0" inside MINDEX() was aborting filter programs.
After the change that added m_xbyte() zero values were passed to A or X
registers instead of aborting a filter program.
 1.65  25-Jun-2014  alnsn Check "preinited" argument of bpf_set_extmem().
 1.64  24-Jun-2014  rmind - bpf_validate_ext: fix memword validation in BPF_ST/BPF_STX case.
- bpf_set_extmem: check the number of words against BPF_MAX_MEMWORDS.
 1.63  24-Jun-2014  rmind - Improve the comments in bpf.h and KNF a little.
- Rename bpf_ctx_t member noinit to preinited (reflects the meaning better).
 1.62  24-Jun-2014  alnsn Implement copfuncs and external memory in bpfjit.
 1.61  15-Nov-2013  rmind branches: 1.61.2;
- Add bpf_args_t and convert bpf_filter_ext() to use it. This allows the
caller to initialise (and re-use) the memory store.
- Add bpf_jit_generate() and bpf_jit_freecode() wrappers.
 1.60  05-Oct-2013  rmind bpf_filter: re-use some code. No functional change intended.
 1.59  19-Sep-2013  rmind bpf_validate_ext: allow COP to modify the memstore.
 1.58  18-Sep-2013  rmind Add bpf_filter_ext() to use with BPF COP, restore bpf_filter() as it was
originally to preserve compatibility. Similarly, add bpf_validate_ext()
which takes bpf_ctx_t.
 1.57  30-Aug-2013  rmind bpf_filter: add a custom argument which can be passed to coprocessor routine.
 1.56  29-Aug-2013  rmind Implement BPF_COP/BPF_COPX instructions in the misc category (BPF_MISC)
which add a capability to call external functions in a predetermined way.

It can be thought of as a BPF "coprocessor" -- a generic mechanism to offload
more complex packet inspection operations. There is no default coprocessor
and this functionality is not targeted to the /dev/bpf. This is primarily
targeted to the kernel subsystems, therefore there is no way to set a custom
coprocessor at the userlevel.

Discussed on: tech-net@
OK: core@
 1.55  27-Oct-2012  alnsn branches: 1.55.2;
Add bpfjit and enable it for amd64.
 1.54  27-Sep-2012  alnsn Remove bpf_jit which was ported from FreeBSD recently.

It will soon be replaced with the new bpfjit kernel module.
 1.53  15-Aug-2012  alnsn branches: 1.53.2;
MINDEX() macro has 'return 0;' statement. It doesn't set *err to
1 before return when invoked from m_xword() and m_xhalf() functions.
The caller doesn't set it to 1 either. So, set *err to 1 before
invoking MINDEX().
 1.52  02-Aug-2012  rmind bpf_filter: remove unnecessary memset(), add a comment.
 1.51  01-Aug-2012  rmind Add BPF JIT compiler, currently supporting amd64 and i386. Code obtained
from FreeBSD. Also, make few BPF fixes and simplifications while here.
Note that bpf_jit_enable is false for now.

OK dyoung@, some feedback from matt@
 1.50  29-Dec-2011  alnsn Apply same bounds checks for BPF_LD|BPF_B|BPF_IND as for
BPF_LD|BPF_H|BPF_IND and BPF_LD|BPF_W|BPF_IND.

From FreeBSD r48548, the original r45574 had a typo.
 1.49  29-Dec-2011  christos PR/45751: Alexander Nasonov: No overflow check in BPF_LD|BPF_ABS
 1.48  14-Jul-2011  drochner branches: 1.48.2; 1.48.6;
back out previous - this should be unnecessary on NetBSD due to
the extra validation introduced in rev.1.42 (and pulled up to netbsd-5)
 1.47  14-Jul-2011  drochner clear the packet filter's scratch memory before running the filter
program, otherwise kernel memory can be leaked, from Guy Harris
per PR kern/45142
 1.46  19-Feb-2011  christos delint.
 1.45  19-Feb-2011  enami Fix userland build.
 1.44  19-Feb-2011  christos Use kmem instead of malloc. Requested by rmind.
 1.43  19-Feb-2011  matt Use __CTASSERT
 1.42  19-Feb-2011  christos Avoid stack memory disclosure by keeping track during filter validation time
of initialized memory. Idea taken from linux.
 1.41  05-Dec-2010  mrg branches: 1.41.2; 1.41.4;
revert another part of bpf_filter 1.38 that broke the check for divide
by zero while validating the bpf program.

originally spotted by skrll@, and broke the month-old atf test for
this exact problem: net_bpf_t_div-by-zero_div_by_zero.
 1.40  05-Dec-2010  mrg consider BPF_ABS, BPF_IND and BPF_MSH as they used to be in rev 1.37.

this fixes dhclient, and i'm told dhcpcd as well.
this patch from skrll@netbsd.org, tested by me.
 1.39  05-Dec-2010  mrg apply the smallest hack to allow this to build without warnings again.
 1.38  05-Dec-2010  christos make bpf_validate available in userland.
 1.37  05-Dec-2010  christos constify
 1.36  21-Apr-2010  drochner the correct check for BPF_K is with BPF_SRC for BPF_ALU ops, from
Guy Harris per PR kern/43185
fixes possible division-by-zero crashes by evil filter expressions
like "len / 0 = 1"
pullup candidate
 1.35  20-Aug-2008  joerg branches: 1.35.4; 1.35.10; 1.35.12; 1.35.14; 1.35.16;
As the scratch memory is only ever copied to or from A and X, make it
unsigned as well.
 1.34  02-Jan-2008  christos branches: 1.34.6; 1.34.10; 1.34.12; 1.34.16;
PR/37663: Guy Harris: bpf_validate rejects valid programs that use the multiply instruction
 1.33  27-Jan-2007  cbiere branches: 1.33.20; 1.33.26; 1.33.32;
Use be16dec() and be32dec() instead of reimplementing them.
 1.32  04-Oct-2006  oster branches: 1.32.2; 1.32.4;
It is not sufficient for MINDEX to just 'return 0' if the MINDEX macro
is going to be used from within m_xhalf() and m_xword(). In using
MINDEX in those cases, we must set *err to '1' *before* calling MINDEX
just in case MINDEX does decide to 'return', and causes the function
to return 0 with an un-set err value. A consequence of this fix is
that we can clean up a couple of (now) unneeded goto's. Problem found
by inspection whilst searching for the cause of a different panic.

Also: pavel@ noted the following:
if (merr != 0)
return 0;
was missing from after a call to m_xhalf(), so fix that too.

src/regress/sys/net/bpf/out-of-bounds now passes the regression test.

Ok'ed by pavel@.
 1.31  14-May-2006  christos branches: 1.31.8; 1.31.10;
XXX: GCC uninitialized.
 1.30  27-Feb-2006  drochner branches: 1.30.2; 1.30.6;
fix bpf_validate():
a missing "break" caused any bpf filter containing
a division to be rejected
 1.29  07-Feb-2006  wiz Add a /* CONSTCOND */ for lint.
 1.28  14-Dec-2005  rpaulo branches: 1.28.2; 1.28.4; 1.28.6;
Fix previous commit: ABS, IND and MSH are valid codes.
 1.27  13-Dec-2005  rpaulo In bpf_validate(), get rid of bpf_maxbufsize test as there are other
clients of bpf_filter(), like if_ppp, that are not limited by
bpf_maxbufsize. The same check is done at the run time, so there is no
problem created.

Noticed by Guy Harris in private email.
 1.26  05-Dec-2005  rpaulo Oops, the previous revision had a wrong pre-processor #if clause.
 1.25  05-Dec-2005  rpaulo Make the bpf_maxbufsize a constant when bpfilter pseudo-device is not
present in the kernel config, thus fixing the build. Problem reported
by Havard Eidnes. Solution proposed by Christos, thanks.
 1.24  30-Nov-2005  rpaulo PR 32198: bpf_validate() needs to do more checks, from Otto Moerbeek/OpenBSD
via Guy Harris.
Problems like out-of-bounds read/write in filter machine operations
were fixed.
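The entries above for revisions 1.24, 1.32, 1.36, 1.42, 1.49/1.50, 1.64, 1.67 and 1.69 each describe one check that bpf_validate() or bpf_filter() had to gain: a bounded scratch store, a non-zero constant divisor, no read of a scratch word that was not written first, jump targets inside the program, an opcode set that matches what the interpreter executes, and packet loads whose bounds check cannot wrap. The following is an added example, not code from NetBSD's bpf_filter.c or from libpcap: a compact classic-BPF validator and interpreter over a contiguous buffer (no mbuf chains) that implements those checks together so they can be read in one place. The opcode numbers are the classic BPF encoding; `validate`, `run_filter`, `known`, `udp_prog` and `udp_frame` are this example's own names, and the sample program and 34-byte frame are constructed for it.

```c
/* Added example, not NetBSD's bpf_filter.c: a minimal classic-BPF validator and interpreter
 * over a contiguous buffer, implementing the checks described in the log entries for revs
 * 1.24, 1.36, 1.42, 1.49/1.50, 1.64, 1.67 and 1.69. Opcode values follow the classic BPF
 * encoding; every other name (validate, run_filter, udp_prog, ...) is this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
enum { BPF_LD = 0x00, BPF_ST = 0x02, BPF_ALU = 0x04, BPF_JMP = 0x05, BPF_RET = 0x06,
       BPF_MISC = 0x07, BPF_W = 0x00, BPF_H = 0x08, BPF_B = 0x10, BPF_ABS = 0x20,
       BPF_IND = 0x40, BPF_MEM = 0x60, BPF_LEN = 0x80, BPF_DIV = 0x30, BPF_JA = 0x00,
       BPF_JEQ = 0x10, BPF_K = 0x00, BPF_X = 0x08, BPF_A = 0x10, BPF_TAX = 0x00,
       BPF_MEMWORDS = 16, MAXINSNS = 256 };
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_SIZE(c)  ((c) & 0x18)
#define BPF_MODE(c)  ((c) & 0xe0)
#define BPF_OP(c)    ((c) & 0xf0)
#define BPF_SRC(c)   ((c) & 0x08)
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
/* Exactly the opcodes run_filter() implements; validate() accepts nothing else
 * (rev 1.69: a RET class on the last instruction alone proves nothing). */
static const uint16_t known[] = {
    BPF_LD|BPF_W|BPF_ABS, BPF_LD|BPF_H|BPF_ABS, BPF_LD|BPF_B|BPF_ABS, BPF_LD|BPF_W|BPF_IND,
    BPF_LD|BPF_H|BPF_IND, BPF_LD|BPF_B|BPF_IND, BPF_LD|BPF_W|BPF_LEN, BPF_LD|BPF_W|BPF_MEM,
    BPF_ST, BPF_MISC|BPF_TAX, BPF_ALU|BPF_DIV|BPF_K, BPF_ALU|BPF_DIV|BPF_X,
    BPF_JMP|BPF_JA, BPF_JMP|BPF_JEQ|BPF_K, BPF_RET|BPF_K, BPF_RET|BPF_A };
#define NKNOWN (sizeof known / sizeof known[0])
/* Static checks: returns 1 if the program may be run, 0 if it must be rejected. */
int validate(const struct insn *p, size_t len)
{
    uint16_t masks[MAXINSNS], valid = 0; /* masks[pc]: words written on every path into pc;
                                            valid: bit i set => M[i] written on this path */
    size_t pc, i;
    if (len == 0 || len > MAXINSNS || BPF_CLASS(p[len - 1].code) != BPF_RET) return 0;
    memset(masks, 0xff, sizeof masks);
    for (pc = 0; pc < len; pc++) {
        const struct insn *in = &p[pc];
        for (i = 0; i < NKNOWN && known[i] != in->code; i++) { }
        if (i == NKNOWN) return 0;
        valid &= masks[pc];     /* meet over all predecessors; jumps are forward-only */
        switch (BPF_CLASS(in->code)) {
        case BPF_LD:            /* rev 1.42: never read a scratch word that was not written */
            if (BPF_MODE(in->code) == BPF_MEM &&
                (in->k >= BPF_MEMWORDS || !(valid & (1u << in->k)))) return 0;
            break;
        case BPF_ST:            /* revs 1.24/1.64: index must lie inside the scratch store */
            if (in->k >= BPF_MEMWORDS) return 0;
            valid |= 1u << in->k;
            break;
        case BPF_ALU:           /* rev 1.36: test BPF_SRC, then reject a constant zero divisor */
            if (BPF_OP(in->code) == BPF_DIV && BPF_SRC(in->code) == BPF_K && in->k == 0) return 0;
            break;
        case BPF_JMP: {         /* both targets in range; each inherits this path's mask */
            int ja = BPF_OP(in->code) == BPF_JA;
            uint64_t t = pc + 1 + (ja ? (uint64_t)in->k : in->jt);
            uint64_t f = pc + 1 + (ja ? (uint64_t)in->k : in->jf);
            if (t >= len || f >= len) return 0;
            masks[t] &= valid; masks[f] &= valid;
            valid = 0xffff;     /* pc+1 is now reachable only as a jump target */
            break; }
        }
    }
    return 1;
}
/* Runs a validated program over buf[0..len); returns the accept length, 0 = drop. Any
 * out-of-bounds load or zero divisor aborts with 0 instead of continuing on junk data. */
uint32_t run_filter(const struct insn *p, const uint8_t *buf, uint32_t len)
{
    uint32_t A = 0, X = 0, k, n, mem[BPF_MEMWORDS] = {0};
    for (;; p++) {
        switch (p->code) {
        case BPF_RET|BPF_K:         return p->k;
        case BPF_RET|BPF_A:         return A;
        case BPF_LD|BPF_W|BPF_LEN:  A = len; continue;
        case BPF_LD|BPF_W|BPF_MEM:  A = mem[p->k]; continue;
        case BPF_ST:                mem[p->k] = A; continue;
        case BPF_MISC|BPF_TAX:      X = A; continue;
        case BPF_LD|BPF_W|BPF_ABS: case BPF_LD|BPF_H|BPF_ABS: case BPF_LD|BPF_B|BPF_ABS:
        case BPF_LD|BPF_W|BPF_IND: case BPF_LD|BPF_H|BPF_IND: case BPF_LD|BPF_B|BPF_IND:
            k = p->k; n = 4 >> (BPF_SIZE(p->code) >> 3);                 /* W=4, H=2, B=1 */
            if (BPF_MODE(p->code) == BPF_IND && (k += X) < X) return 0;  /* rev 1.67: X+k wrapped */
            if (k >= len || n > len - k) return 0;   /* revs 1.49/1.50: never compute k + n */
            for (A = 0; n > 0; n--) A = (A << 8) | buf[k++];             /* big-endian load */
            continue;
        case BPF_ALU|BPF_DIV|BPF_K: A /= p->k; continue;                 /* k != 0 per validate() */
        case BPF_ALU|BPF_DIV|BPF_X: if (X == 0) return 0; A /= X; continue;
        case BPF_JMP|BPF_JA:        p += p->k; continue;
        case BPF_JMP|BPF_JEQ|BPF_K: p += (A == p->k) ? p->jt : p->jf; continue;
        default:                    return 0;   /* unreachable once validate() passed */
        }
    }
}
/* Constructed sample: a hand-written "ip and udp" check over Ethernet (accept all, or drop). */
const struct insn udp_prog[6] = {
    { BPF_LD|BPF_H|BPF_ABS, 0, 0, 12 }, { BPF_JMP|BPF_JEQ|BPF_K, 0, 3, 0x0800 }, /* ethertype */
    { BPF_LD|BPF_B|BPF_ABS, 0, 0, 23 }, { BPF_JMP|BPF_JEQ|BPF_K, 0, 1, 17 },     /* IP proto  */
    { BPF_RET|BPF_K, 0, 0, 0xffff }, { BPF_RET|BPF_K, 0, 0, 0 } };               /* accept/drop */
/* Constructed 34-byte frame: Ethernet header, then a minimal IPv4 header with protocol 17. */
const uint8_t udp_frame[34] = { 0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00,
    0x45,0,0,20, 0,0,0,0, 64,17,0,0, 10,0,0,1, 10,0,0,2 };
```

Two design points carry the security argument. The initialised-memory tracking keeps one mask per instruction and intersects into it the mask of every path that jumps there; because classic BPF jumps are forward-only, a single pass in program order has seen every predecessor before it reaches the target, which is what makes the rev 1.42 check a linear scan rather than a fixpoint. The opcode whitelist is the same table the interpreter's switch implements, which is the rev 1.69 point: validating by instruction class alone admits codes the interpreter cannot execute, and a truncated frame (try `run_filter(udp_prog, udp_frame, 20)`) makes the interpreter return 0 at the failed load rather than feed a zero into A.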
 1.23  30-Nov-2005  rpaulo More KNF. C99 uintXX_t types.
 1.22  30-Nov-2005  rpaulo KNF. ANSIfy. de-P().
 1.21  26-Feb-2005  perry branches: 1.21.2; 1.21.4; 1.21.12;
nuke trailing whitespace
 1.20  07-Aug-2003  agc branches: 1.20.8; 1.20.10;
Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22364, verified by myself.
 1.19  15-Nov-2001  lukem branches: 1.19.16;
don't need <sys/types.h> when including <sys/param.h>
 1.18  12-Nov-2001  lukem add RCSIDs
 1.17  22-Jul-2000  matt branches: 1.17.2; 1.17.4;
Add a missing include when using this in user space.
 1.16  12-Apr-2000  chs remove sunos stuff.
 1.15  30-Mar-2000  augustss Kill some more register declarations.
 1.14  09-Oct-1997  christos branches: 1.14.16;
bpf_filter.c:
- update copyright
- add their rcsid
- initialize some variables later for consistency
with the current code.
- change char to u_char to match the current code.
 1.13  07-Jul-1997  phil branches: 1.13.2;
Provide better filter validation. PR 3366.
 1.12  13-Feb-1996  christos Net prototypes
 1.11  22-Apr-1995  cgd copy routines should take size_t lengths for prototype consistency.
don't assume that tick is >= 1000; loses badly on alpha (div. by zero)
only try unaligned copies if NetBSD's UNALIGNED_ACCESS symbol is defined.
various misc type size cleanups, mostly short -> int16_t.
 1.10  01-Apr-1995  mycroft Fix bogus buffer indexing when a value is split across a mbuf boundary,
as suggested by Greg Ansley. Also, redefine MINDEX() slightly to avoid
duplicating code.
 1.9  28-Mar-1995  jtc KERNEL -> _KERNEL
 1.8  06-Mar-1995  mycroft Undo an #include ordering change.
 1.7  06-Mar-1995  mycroft Make this more type-safe for the Alpha. From the libpcap 0.0 distribution.
(Needs more work.)
 1.6  29-Jun-1994  cgd New RCS ID's, take two. they're more aesthetically pleasant, and use 'NetBSD'
 1.5  13-May-1994  mycroft Update to 4.4-Lite networking code, with a few local changes.
 1.4  18-Dec-1993  mycroft Canonicalize all #includes.
 1.3  20-May-1993  cgd add rcs ids to everything, and clean up headers
 1.2  25-Mar-1993  cgd added BPF support, as provided by David Greenman (davidg@implode.rain.com)
 1.1  21-Mar-1993  cgd branches: 1.1.1;
Initial revision
 1.1.1.2  01-Mar-1998  fvdl Import 4.4BSD-Lite for reference
 1.1.1.1  21-Mar-1993  cgd initial import of 386bsd-0.1 sources
 1.13.2.1  14-Oct-1997  thorpej Update marc-pcmcia branch from trunk.
 1.14.16.1  20-Nov-2000  bouyer Update thorpej_scsipi to -current as of a month ago
 1.17.4.1  10-Jan-2002  thorpej Sync kqueue branch with -current.
 1.17.2.2  08-Jan-2002  nathanw Catch up to -current.
 1.17.2.1  14-Nov-2001  nathanw Catch up to -current.
 1.19.16.5  11-Dec-2005  christos Sync with head.
 1.19.16.4  04-Mar-2005  skrll Sync with HEAD.

Hi Perry!
 1.19.16.3  21-Sep-2004  skrll Fix the sync with head I botched.
 1.19.16.2  18-Sep-2004  skrll Sync with HEAD.
 1.19.16.1  03-Aug-2004  skrll Sync with HEAD
 1.20.10.1  19-Mar-2005  yamt sync with head. xen and whitespace. xen part is not finished.
 1.20.8.1  29-Apr-2005  kent sync with -current
 1.21.12.1  23-Oct-2006  ghen Pull up following revision(s) (requested by oster in ticket #1539):
sys/net/bpf_filter.c: revision 1.32
It is not sufficient for MINDEX to just 'return 0' if the MINDEX macro
is going to be used from within m_xhalf() and m_xword(). In using
MINDEX in those cases, we must set *err to '1' *before* calling MINDEX
just in case MINDEX does decide to 'return', and causes the function
to return 0 with an un-set err value. A consequence of this fix is
that we can clean up a couple of (now) unneeded goto's. Problem found
by inspection whilst searching for the cause of a different panic.
Also: pavel@ noted the following:
if (merr != 0)
return 0;
was missing from after a call to m_xhalf(), so fix that too.
src/regress/sys/net/bpf/out-of-bounds now passes the regression test.
Ok'ed by pavel@.
 1.21.4.4  21-Jan-2008  yamt sync with head
 1.21.4.3  26-Feb-2007  yamt sync with head.
 1.21.4.2  30-Dec-2006  yamt sync with head.
 1.21.4.1  21-Jun-2006  yamt sync with head.
 1.21.2.1  23-Oct-2006  ghen Pull up following revision(s) (requested by oster in ticket #1539):
sys/net/bpf_filter.c: revision 1.32
It is not sufficient for MINDEX to just 'return 0' if the MINDEX macro
is going to be used from within m_xhalf() and m_xword(). In using
MINDEX in those cases, we must set *err to '1' *before* calling MINDEX
just in case MINDEX does decide to 'return', and causes the function
to return 0 with an un-set err value. A consequence of this fix is
that we can clean up a couple of (now) unneeded goto's. Problem found
by inspection whilst searching for the cause of a different panic.
Also: pavel@ noted the following:
if (merr != 0)
return 0;
was missing from after a call to m_xhalf(), so fix that too.
src/regress/sys/net/bpf/out-of-bounds now passes the regression test.
Ok'ed by pavel@.
 1.28.6.2  01-Jun-2006  kardel Sync with head.
 1.28.6.1  22-Apr-2006  simonb Sync with head.
 1.28.4.1  09-Sep-2006  rpaulo sync with head
 1.28.2.2  01-Mar-2006  yamt sync with head.
 1.28.2.1  18-Feb-2006  yamt sync with head.
 1.30.6.1  24-May-2006  tron Merge 2006-05-24 NetBSD-current into the "peter-altq" branch.
 1.30.2.1  24-May-2006  yamt sync with head.
 1.31.10.1  22-Oct-2006  yamt sync with head
 1.31.8.2  01-Feb-2007  ad Sync with head.
 1.31.8.1  18-Nov-2006  ad Sync with head.
 1.32.4.1  03-Jun-2008  skrll Sync with netbsd-4.
 1.32.2.2  13-Jun-2010  riz Pull up following revision(s) (requested by drochner in ticket #1393):
sys/net/bpf_filter.c: revision 1.36
the correct check for BPF_K is with BPF_SRC for BPF_ALU ops, from
Guy Harris per PR kern/43185
fixes possible division-by-zero crashes by evil filter expressions
like "len / 0 = 1"
pullup candidate
 1.32.2.1  03-Feb-2008  riz Pull up following revision(s) (requested by christos in ticket #1032):
sys/net/bpf_filter.c: revision 1.34
PR/37663: Guy Harris: bpf_validate rejects valid programs that use the
multiply instruction
 1.33.32.1  02-Jan-2008  bouyer Sync with HEAD
 1.33.26.1  18-Feb-2008  mjf Sync with HEAD.
 1.33.20.1  09-Jan-2008  matt sync with HEAD
 1.34.16.1  19-Oct-2008  haad Sync with HEAD.
 1.34.12.1  18-Sep-2008  wrstuden Sync with wrstuden-revivesa-base-2.
 1.34.10.2  11-Aug-2010  yamt sync with head.
 1.34.10.1  04-May-2009  yamt sync with head.
 1.34.6.1  28-Sep-2008  mjf Sync with HEAD.
 1.35.16.2  05-Mar-2011  rmind sync with head
 1.35.16.1  30-May-2010  rmind sync with head
 1.35.14.1  30-Apr-2010  uebayasi Sync with HEAD.
 1.35.12.1  20-May-2011  matt bring matt-nb5-mips64 up to date with netbsd-5-1-RELEASE (except compat).
 1.35.10.1  22-Mar-2011  bouyer Pull up following revision(s) (requested by spz in ticket #1571):
sys/net/bpf_filter.c: revision 1.36, 1.42 -> 1.46 via patch
Avoid stack memory disclosure by keeping track during filter validation time
of initialized memory. Idea taken from linux.
Use __CTASSERT
Use kmem instead of malloc. Requested by rmind.
Fix userland build.
delint.
the correct check for BPF_K is with BPF_SRC for BPF_ALU ops, from
Guy Harris per PR kern/43185
fixes possible division-by-zero crashes by evil filter expressions
like "len / 0 = 1"
pullup candidate
 1.35.4.2  20-Mar-2011  bouyer Pull up following revision(s) (requested by spz in ticket #1571):
sys/net/bpf_filter.c: revision 1.42 - 1.46 via patch
Avoid stack memory disclosure by keeping track during filter validation time
of initialized memory. Idea taken from linux.
Use __CTASSERT
Use kmem instead of malloc. Requested by rmind.
Fix userland build.
delint.
 1.35.4.1  20-May-2010  snj branches: 1.35.4.1.2;
Pull up following revision(s) (requested by drochner in ticket #1381):
sys/net/bpf_filter.c: revision 1.36
the correct check for BPF_K is with BPF_SRC for BPF_ALU ops, from
Guy Harris per PR kern/43185
fixes possible division-by-zero crashes by evil filter expressions
like "len / 0 = 1"
 1.35.4.1.2.1  20-Mar-2011  bouyer Pull up following revision(s) (requested by spz in ticket #1571):
sys/net/bpf_filter.c: revision 1.42 - 1.46 via patch
Avoid stack memory disclosure by keeping track during filter validation time
of initialized memory. Idea taken from linux.
Use __CTASSERT
Use kmem instead of malloc. Requested by rmind.
Fix userland build.
delint.
 1.41.4.1  05-Mar-2011  bouyer Sync with HEAD
 1.41.2.1  06-Jun-2011  jruoho Sync with HEAD.
 1.48.6.1  18-Feb-2012  mrg merge to -current.
 1.48.2.3  22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was split into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.48.2.2  30-Oct-2012  yamt sync with head
 1.48.2.1  17-Apr-2012  yamt sync with head
 1.53.2.3  03-Dec-2017  jdolecek update from HEAD
 1.53.2.2  20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.53.2.1  20-Nov-2012  tls Resync to 2012-11-19 00:00:00 UTC
 1.55.2.1  18-May-2014  rmind sync with head
 1.61.2.1  10-Aug-2014  tls Rebase.
 1.68.2.2  09-Jul-2016  skrll Sync with HEAD
 1.68.2.1  06-Apr-2015  skrll Sync with HEAD
