bpf_filter.c revision 1.25
1 /* $NetBSD: bpf_filter.c,v 1.25 2005/12/05 21:46:00 rpaulo Exp $ */ 2 3 /*- 4 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 5 * The Regents of the University of California. All rights reserved. 6 * 7 * This code is derived from the Stanford/CMU enet packet filter, 8 * (net/enet.c) distributed as part of 4.3BSD, and code contributed 9 * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence 10 * Berkeley Laboratory. 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, this list of conditions and the following disclaimer. 17 * 2. Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in the 19 * documentation and/or other materials provided with the distribution. 20 * 3. Neither the name of the University nor the names of its contributors 21 * may be used to endorse or promote products derived from this software 22 * without specific prior written permission. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 34 * SUCH DAMAGE. 35 * 36 * @(#)bpf_filter.c 8.1 (Berkeley) 6/10/93 37 */ 38 39 #include <sys/cdefs.h> 40 __KERNEL_RCSID(0, "$NetBSD: bpf_filter.c,v 1.25 2005/12/05 21:46:00 rpaulo Exp $"); 41 42 #if 0 43 #if !(defined(lint) || defined(KERNEL)) 44 static const char rcsid[] = 45 "@(#) Header: bpf_filter.c,v 1.33 97/04/26 13:37:18 leres Exp (LBL)"; 46 #endif 47 #endif 48 49 #if defined(_KERNEL_OPT) 50 #include "bpfilter.h" 51 #endif 52 53 #ifdef NBPFILTER 54 extern int bpf_maxbufsize; 55 #else 56 #define bpf_maxbufsize BPF_MAXBUFSIZE 57 #endif 58 59 #include <sys/param.h> 60 #include <sys/time.h> 61 62 #if !defined(UNALIGNED_ACCESS) 63 #define BPF_ALIGN 64 #endif 65 66 #ifndef BPF_ALIGN 67 #define EXTRACT_SHORT(p) ((uint16_t)ntohs(*(uint16_t *)p)) 68 #define EXTRACT_LONG(p) (ntohl(*(uint32_t *)p)) 69 #else 70 #define EXTRACT_SHORT(p) \ 71 ((uint16_t) \ 72 ((uint16_t)*((u_char *)p+0)<<8| \ 73 (uint16_t)*((u_char *)p+1)<<0)) 74 #define EXTRACT_LONG(p) \ 75 ((uint32_t)*((u_char *)p+0)<<24|\ 76 (uint32_t)*((u_char *)p+1)<<16|\ 77 (uint32_t)*((u_char *)p+2)<<8| \ 78 (uint32_t)*((u_char *)p+3)<<0) 79 #endif 80 81 #ifdef _KERNEL 82 #include <sys/mbuf.h> 83 #define MINDEX(len, m, k) \ 84 { \ 85 len = m->m_len; \ 86 while (k >= len) { \ 87 k -= len; \ 88 m = m->m_next; \ 89 if (m == 0) \ 90 return 0; \ 91 len = m->m_len; \ 92 } \ 93 } 94 95 static int m_xword (struct mbuf *, uint32_t, int *); 96 static int m_xhalf (struct mbuf *, uint32_t, int *); 97 98 static int 99 m_xword(struct mbuf *m, uint32_t k, int *err) 100 { 101 int len; 102 u_char *cp, *np; 103 struct mbuf *m0; 104 105 MINDEX(len, m, k); 106 cp = mtod(m, u_char *) + k; 107 if (len >= k + 4) { 108 *err = 0; 109 return EXTRACT_LONG(cp); 110 } 111 m0 = m->m_next; 112 if (m0 == 0 || m0->m_len + len - k < 4) 113 goto bad; 114 *err = 0; 115 np = mtod(m0, u_char *); 116 switch (len - k) { 117 118 case 1: 119 return (cp[0] << 24) | (np[0] << 16) | (np[1] << 8) | np[2]; 120 121 case 2: 122 return (cp[0] << 24) | (cp[1] << 16) | (np[0] << 8) | np[1]; 123 124 default: 125 return (cp[0] << 24) | (cp[1] << 16) | (cp[2] << 8) | np[0]; 126 } 127 bad: 128 *err = 1; 129 130 return 0; 131 } 132 133 static int 134 m_xhalf(struct mbuf *m, uint32_t k, int *err) 135 { 136 int len; 137 u_char *cp; 138 struct mbuf *m0; 139 140 MINDEX(len, m, k); 141 cp = mtod(m, u_char *) + k; 142 if (len >= k + 2) { 143 *err = 0; 144 return EXTRACT_SHORT(cp); 145 } 146 m0 = m->m_next; 147 if (m0 == 0) 148 goto bad; 149 *err = 0; 150 return (cp[0] << 8) | mtod(m0, u_char *)[0]; 151 bad: 152 *err = 1; 153 154 return 0; 155 } 156 #else /* _KERNEL */ 157 #include <stdlib.h> 158 #endif /* !_KERNEL */ 159 160 #include <net/bpf.h> 161 162 /* 163 * Execute the filter program starting at pc on the packet p 164 * wirelen is the length of the original packet 165 * buflen is the amount of data present 166 */ 167 u_int 168 bpf_filter(struct bpf_insn *pc, u_char *p, u_int wirelen, u_int buflen) 169 { 170 uint32_t A, X, k; 171 int32_t mem[BPF_MEMWORDS]; 172 173 if (pc == 0) 174 /* 175 * No filter means accept all. 176 */ 177 return (u_int)-1; 178 A = 0; 179 X = 0; 180 --pc; 181 while (1) { 182 ++pc; 183 switch (pc->code) { 184 185 default: 186 #ifdef _KERNEL 187 return 0; 188 #else 189 abort(); 190 #endif 191 case BPF_RET|BPF_K: 192 return (u_int)pc->k; 193 194 case BPF_RET|BPF_A: 195 return (u_int)A; 196 197 case BPF_LD|BPF_W|BPF_ABS: 198 k = pc->k; 199 if (k + sizeof(int32_t) > buflen) { 200 #ifdef _KERNEL 201 int merr; 202 203 if (buflen != 0) 204 return 0; 205 A = m_xword((struct mbuf *)p, k, &merr); 206 if (merr != 0) 207 return 0; 208 continue; 209 #else 210 return 0; 211 #endif 212 } 213 A = EXTRACT_LONG(&p[k]); 214 continue; 215 216 case BPF_LD|BPF_H|BPF_ABS: 217 k = pc->k; 218 if (k + sizeof(int16_t) > buflen) { 219 #ifdef _KERNEL 220 int merr; 221 222 if (buflen != 0) 223 return 0; 224 A = m_xhalf((struct mbuf *)p, k, &merr); 225 continue; 226 #else 227 return 0; 228 #endif 229 } 230 A = EXTRACT_SHORT(&p[k]); 231 continue; 232 233 case BPF_LD|BPF_B|BPF_ABS: 234 k = pc->k; 235 if (k >= buflen) { 236 #ifdef _KERNEL 237 struct mbuf *m; 238 int len; 239 240 if (buflen != 0) 241 return 0; 242 m = (struct mbuf *)p; 243 MINDEX(len, m, k); 244 A = mtod(m, u_char *)[k]; 245 continue; 246 #else 247 return 0; 248 #endif 249 } 250 A = p[k]; 251 continue; 252 253 case BPF_LD|BPF_W|BPF_LEN: 254 A = wirelen; 255 continue; 256 257 case BPF_LDX|BPF_W|BPF_LEN: 258 X = wirelen; 259 continue; 260 261 case BPF_LD|BPF_W|BPF_IND: 262 k = X + pc->k; 263 if (k + sizeof(int32_t) > buflen) { 264 #ifdef _KERNEL 265 int merr; 266 267 if (buflen != 0) 268 return 0; 269 A = m_xword((struct mbuf *)p, k, &merr); 270 if (merr != 0) 271 return 0; 272 continue; 273 #else 274 return 0; 275 #endif 276 } 277 A = EXTRACT_LONG(&p[k]); 278 continue; 279 280 case BPF_LD|BPF_H|BPF_IND: 281 k = X + pc->k; 282 if (k + sizeof(int16_t) > buflen) { 283 #ifdef _KERNEL 284 int merr; 285 286 if (buflen != 0) 287 return 0; 288 A = m_xhalf((struct mbuf *)p, k, &merr); 289 if (merr != 0) 290 return 0; 291 continue; 292 #else 293 return 0; 294 #endif 295 } 296 A = EXTRACT_SHORT(&p[k]); 297 continue; 298 299 case BPF_LD|BPF_B|BPF_IND: 300 k = X + pc->k; 301 if (k >= buflen) { 302 #ifdef _KERNEL 303 struct mbuf *m; 304 int len; 305 306 if (buflen != 0) 307 return 0; 308 m = (struct mbuf *)p; 309 MINDEX(len, m, k); 310 A = mtod(m, u_char *)[k]; 311 continue; 312 #else 313 return 0; 314 #endif 315 } 316 A = p[k]; 317 continue; 318 319 case BPF_LDX|BPF_MSH|BPF_B: 320 k = pc->k; 321 if (k >= buflen) { 322 #ifdef _KERNEL 323 struct mbuf *m; 324 int len; 325 326 if (buflen != 0) 327 return 0; 328 m = (struct mbuf *)p; 329 MINDEX(len, m, k); 330 X = (mtod(m, char *)[k] & 0xf) << 2; 331 continue; 332 #else 333 return 0; 334 #endif 335 } 336 X = (p[pc->k] & 0xf) << 2; 337 continue; 338 339 case BPF_LD|BPF_IMM: 340 A = pc->k; 341 continue; 342 343 case BPF_LDX|BPF_IMM: 344 X = pc->k; 345 continue; 346 347 case BPF_LD|BPF_MEM: 348 A = mem[pc->k]; 349 continue; 350 351 case BPF_LDX|BPF_MEM: 352 X = mem[pc->k]; 353 continue; 354 355 case BPF_ST: 356 mem[pc->k] = A; 357 continue; 358 359 case BPF_STX: 360 mem[pc->k] = X; 361 continue; 362 363 case BPF_JMP|BPF_JA: 364 pc += pc->k; 365 continue; 366 367 case BPF_JMP|BPF_JGT|BPF_K: 368 pc += (A > pc->k) ? pc->jt : pc->jf; 369 continue; 370 371 case BPF_JMP|BPF_JGE|BPF_K: 372 pc += (A >= pc->k) ? pc->jt : pc->jf; 373 continue; 374 375 case BPF_JMP|BPF_JEQ|BPF_K: 376 pc += (A == pc->k) ? pc->jt : pc->jf; 377 continue; 378 379 case BPF_JMP|BPF_JSET|BPF_K: 380 pc += (A & pc->k) ? pc->jt : pc->jf; 381 continue; 382 383 case BPF_JMP|BPF_JGT|BPF_X: 384 pc += (A > X) ? pc->jt : pc->jf; 385 continue; 386 387 case BPF_JMP|BPF_JGE|BPF_X: 388 pc += (A >= X) ? pc->jt : pc->jf; 389 continue; 390 391 case BPF_JMP|BPF_JEQ|BPF_X: 392 pc += (A == X) ? pc->jt : pc->jf; 393 continue; 394 395 case BPF_JMP|BPF_JSET|BPF_X: 396 pc += (A & X) ? pc->jt : pc->jf; 397 continue; 398 399 case BPF_ALU|BPF_ADD|BPF_X: 400 A += X; 401 continue; 402 403 case BPF_ALU|BPF_SUB|BPF_X: 404 A -= X; 405 continue; 406 407 case BPF_ALU|BPF_MUL|BPF_X: 408 A *= X; 409 continue; 410 411 case BPF_ALU|BPF_DIV|BPF_X: 412 if (X == 0) 413 return 0; 414 A /= X; 415 continue; 416 417 case BPF_ALU|BPF_AND|BPF_X: 418 A &= X; 419 continue; 420 421 case BPF_ALU|BPF_OR|BPF_X: 422 A |= X; 423 continue; 424 425 case BPF_ALU|BPF_LSH|BPF_X: 426 A <<= X; 427 continue; 428 429 case BPF_ALU|BPF_RSH|BPF_X: 430 A >>= X; 431 continue; 432 433 case BPF_ALU|BPF_ADD|BPF_K: 434 A += pc->k; 435 continue; 436 437 case BPF_ALU|BPF_SUB|BPF_K: 438 A -= pc->k; 439 continue; 440 441 case BPF_ALU|BPF_MUL|BPF_K: 442 A *= pc->k; 443 continue; 444 445 case BPF_ALU|BPF_DIV|BPF_K: 446 A /= pc->k; 447 continue; 448 449 case BPF_ALU|BPF_AND|BPF_K: 450 A &= pc->k; 451 continue; 452 453 case BPF_ALU|BPF_OR|BPF_K: 454 A |= pc->k; 455 continue; 456 457 case BPF_ALU|BPF_LSH|BPF_K: 458 A <<= pc->k; 459 continue; 460 461 case BPF_ALU|BPF_RSH|BPF_K: 462 A >>= pc->k; 463 continue; 464 465 case BPF_ALU|BPF_NEG: 466 A = -A; 467 continue; 468 469 case BPF_MISC|BPF_TAX: 470 X = A; 471 continue; 472 473 case BPF_MISC|BPF_TXA: 474 A = X; 475 continue; 476 } 477 } 478 } 479 480 #ifdef _KERNEL 481 /* 482 * Return true if the 'fcode' is a valid filter program. 483 * The constraints are that each jump be forward and to a valid 484 * code. The code must terminate with either an accept or reject. 485 * 'valid' is an array for use by the routine (it must be at least 486 * 'len' bytes long). 487 * 488 * The kernel needs to be able to verify an application's filter code. 489 * Otherwise, a bogus program could easily crash the system. 490 */ 491 int 492 bpf_validate(struct bpf_insn *f, int len) 493 { 494 u_int i, from; 495 struct bpf_insn *p; 496 497 498 if (len < 1 || len > BPF_MAXINSNS) 499 return 0; 500 501 for (i = 0; i < len; ++i) { 502 p = &f[i]; 503 switch (BPF_CLASS(p->code)) { 504 /* 505 * Check that memory operations use valid addresses. 506 */ 507 case BPF_LD: 508 case BPF_LDX: 509 switch (BPF_MODE(p->code)) { 510 case BPF_ABS: 511 case BPF_IND: 512 case BPF_MSH: 513 /* 514 * More strict check with actual packet length 515 * is done runtime. 516 */ 517 if (p->k >= bpf_maxbufsize) 518 return 0; 519 break; 520 case BPF_MEM: 521 if (p->k >= BPF_MEMWORDS) 522 return 0; 523 break; 524 case BPF_IMM: 525 case BPF_LEN: 526 break; 527 default: 528 return 0; 529 } 530 break; 531 case BPF_ST: 532 case BPF_STX: 533 if (p->k >= BPF_MEMWORDS) 534 return 0; 535 break; 536 case BPF_ALU: 537 switch (BPF_OP(p->code)) { 538 case BPF_ADD: 539 case BPF_SUB: 540 case BPF_OR: 541 case BPF_AND: 542 case BPF_LSH: 543 case BPF_RSH: 544 case BPF_NEG: 545 break; 546 case BPF_DIV: 547 /* 548 * Check for constant division by 0. 549 */ 550 if (BPF_RVAL(p->code) == BPF_K && p->k == 0) 551 return 0; 552 default: 553 return 0; 554 } 555 break; 556 case BPF_JMP: 557 /* 558 * Check that jumps are within the code block, 559 * and that unconditional branches don't go 560 * backwards as a result of an overflow. 561 * Unconditional branches have a 32-bit offset, 562 * so they could overflow; we check to make 563 * sure they don't. Conditional branches have 564 * an 8-bit offset, and the from address is <= 565 * BPF_MAXINSNS, and we assume that BPF_MAXINSNS 566 * is sufficiently small that adding 255 to it 567 * won't overflow. 568 * 569 * We know that len is <= BPF_MAXINSNS, and we 570 * assume that BPF_MAXINSNS is < the maximum size 571 * of a u_int, so that i + 1 doesn't overflow. 572 */ 573 from = i + 1; 574 switch (BPF_OP(p->code)) { 575 case BPF_JA: 576 if (from + p->k < from || from + p->k >= len) 577 return 0; 578 break; 579 case BPF_JEQ: 580 case BPF_JGT: 581 case BPF_JGE: 582 case BPF_JSET: 583 if (from + p->jt >= len || from + p->jf >= len) 584 return 0; 585 break; 586 default: 587 return 0; 588 } 589 break; 590 case BPF_RET: 591 break; 592 case BPF_MISC: 593 break; 594 default: 595 return 0; 596 } 597 } 598 599 return BPF_CLASS(f[len - 1].code) == BPF_RET; 600 } 601 #endif 602
Indexes created Tue Sep 30 06:09:59 GMT 2025