xref: /dragonfly/sys/net/bpf_filter.c (revision ad9f8794) 
1 /*
2  * Copyright (c) 1990, 1991, 1993
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * This code is derived from the Stanford/CMU enet packet filter,
6  * (net/enet.c) distributed as part of 4.3BSD, and code contributed
7  * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
8  * Berkeley Laboratory.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  * 3. All advertising materials mentioning features or use of this software
19  *    must display the following acknowledgement:
20  *	This product includes software developed by the University of
21  *	California, Berkeley and its contributors.
22  * 4. Neither the name of the University nor the names of its contributors
23  *    may be used to endorse or promote products derived from this software
24  *    without specific prior written permission.
25  *
26  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
27  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
30  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36  * SUCH DAMAGE.
37  *
38  *      @(#)bpf_filter.c	8.1 (Berkeley) 6/10/93
39  *
40  * $FreeBSD: src/sys/net/bpf_filter.c,v 1.17 1999/12/29 04:38:31 peter Exp $
41  * $DragonFly: src/sys/net/bpf_filter.c,v 1.10 2008/01/02 12:30:34 sephe Exp $
42  */
43 
44 #include <sys/param.h>
45 
46 #if defined(sparc) || defined(mips) || defined(ibm032)
47 #define BPF_ALIGN
48 #endif
49 
50 #ifndef BPF_ALIGN
51 #define EXTRACT_SHORT(p)	((u_int16_t)ntohs(*(u_int16_t *)p))
52 #define EXTRACT_LONG(p)		(ntohl(*(u_int32_t *)p))
53 #else
54 #define EXTRACT_SHORT(p)\
55 	((u_int16_t)\
56 		((u_int16_t)*((u_char *)p+0)<<8|\
57 		 (u_int16_t)*((u_char *)p+1)<<0))
58 #define EXTRACT_LONG(p)\
59 		((u_int32_t)*((u_char *)p+0)<<24|\
60 		 (u_int32_t)*((u_char *)p+1)<<16|\
61 		 (u_int32_t)*((u_char *)p+2)<<8|\
62 		 (u_int32_t)*((u_char *)p+3)<<0)
63 #endif
64 
65 #ifdef _KERNEL
66 #include <sys/mbuf.h>
67 #endif
68 #include <net/bpf.h>
69 #ifdef _KERNEL
70 #define MINDEX(m, k)							\
71 {									\
72 	int len = m->m_len;						\
73 									\
74 	while (k >= len) {						\
75 		k -= len;						\
76 		m = m->m_next;						\
77 		if (m == 0)						\
78 			return 0;					\
79 		len = m->m_len;						\
80 	}								\
81 }
82 
83 extern int	bpf_maxbufsize;
84 
85 static u_int16_t	m_xhalf (struct mbuf *m, bpf_u_int32 k, int *err);
86 static u_int32_t	m_xword (struct mbuf *m, bpf_u_int32 k, int *err);
87 
88 static u_int32_t
89 m_xword(struct mbuf *m, bpf_u_int32 k, int *err)
90 {
91 	size_t len;
92 	u_char *cp, *np;
93 	struct mbuf *m0;
94 
95 	len = m->m_len;
96 	while (k >= len) {
97 		k -= len;
98 		m = m->m_next;
99 		if (m == 0)
100 			goto bad;
101 		len = m->m_len;
102 	}
103 	cp = mtod(m, u_char *) + k;
104 	if (len - k >= 4) {
105 		*err = 0;
106 		return EXTRACT_LONG(cp);
107 	}
108 	m0 = m->m_next;
109 	if (m0 == 0 || m0->m_len + len - k < 4)
110 		goto bad;
111 	*err = 0;
112 	np = mtod(m0, u_char *);
113 	switch (len - k) {
114 
115 	case 1:
116 		return
117 		    ((u_int32_t)cp[0] << 24) |
118 		    ((u_int32_t)np[0] << 16) |
119 		    ((u_int32_t)np[1] << 8)  |
120 		    (u_int32_t)np[2];
121 
122 	case 2:
123 		return
124 		    ((u_int32_t)cp[0] << 24) |
125 		    ((u_int32_t)cp[1] << 16) |
126 		    ((u_int32_t)np[0] << 8) |
127 		    (u_int32_t)np[1];
128 
129 	default:
130 		return
131 		    ((u_int32_t)cp[0] << 24) |
132 		    ((u_int32_t)cp[1] << 16) |
133 		    ((u_int32_t)cp[2] << 8) |
134 		    (u_int32_t)np[0];
135 	}
136     bad:
137 	*err = 1;
138 	return 0;
139 }
140 
141 static u_int16_t
142 m_xhalf(struct mbuf *m, bpf_u_int32 k, int *err)
143 {
144 	size_t len;
145 	u_char *cp;
146 	struct mbuf *m0;
147 
148 	len = m->m_len;
149 	while (k >= len) {
150 		k -= len;
151 		m = m->m_next;
152 		if (m == 0)
153 			goto bad;
154 		len = m->m_len;
155 	}
156 	cp = mtod(m, u_char *) + k;
157 	if (len - k >= 2) {
158 		*err = 0;
159 		return EXTRACT_SHORT(cp);
160 	}
161 	m0 = m->m_next;
162 	if (m0 == 0)
163 		goto bad;
164 	*err = 0;
165 	return (cp[0] << 8) | mtod(m0, u_char *)[0];
166  bad:
167 	*err = 1;
168 	return 0;
169 }
170 #endif
171 
172 /*
173  * Execute the filter program starting at pc on the packet p
174  * wirelen is the length of the original packet
175  * buflen is the amount of data present
176  */
177 u_int
178 bpf_filter(const struct bpf_insn *pc, u_char *p, u_int wirelen, u_int buflen)
179 {
180 	u_int32_t A = 0, X = 0;
181 	bpf_u_int32 k;
182 	int32_t mem[BPF_MEMWORDS];
183 
184 	if (pc == 0) {
185 		/*
186 		 * No filter means accept all.
187 		 */
188 		return (u_int)-1;
189 	}
190 
191 	--pc;
192 	while (1) {
193 		++pc;
194 		switch (pc->code) {
195 
196 		default:
197 #ifdef _KERNEL
198 			return 0;
199 #else
200 			abort();
201 #endif
202 		case BPF_RET|BPF_K:
203 			return (u_int)pc->k;
204 
205 		case BPF_RET|BPF_A:
206 			return (u_int)A;
207 
208 		case BPF_LD|BPF_W|BPF_ABS:
209 			k = pc->k;
210 			if (k > buflen || sizeof(int32_t) > buflen - k) {
211 #ifdef _KERNEL
212 				int merr;
213 
214 				if (buflen != 0)
215 					return 0;
216 				A = m_xword((struct mbuf *)p, k, &merr);
217 				if (merr != 0)
218 					return 0;
219 				continue;
220 #else
221 				return 0;
222 #endif
223 			}
224 #ifdef BPF_ALIGN
225 			if (((intptr_t)(p + k) & 3) != 0)
226 				A = EXTRACT_LONG(&p[k]);
227 			else
228 #endif
229 				A = ntohl(*(int32_t *)(p + k));
230 			continue;
231 
232 		case BPF_LD|BPF_H|BPF_ABS:
233 			k = pc->k;
234 			if (k > buflen || sizeof(int16_t) > buflen - k) {
235 #ifdef _KERNEL
236 				int merr;
237 
238 				if (buflen != 0)
239 					return 0;
240 				A = m_xhalf((struct mbuf *)p, k, &merr);
241 				continue;
242 #else
243 				return 0;
244 #endif
245 			}
246 			A = EXTRACT_SHORT(&p[k]);
247 			continue;
248 
249 		case BPF_LD|BPF_B|BPF_ABS:
250 			k = pc->k;
251 			if (k >= buflen) {
252 #ifdef _KERNEL
253 				struct mbuf *m;
254 
255 				if (buflen != 0)
256 					return 0;
257 				m = (struct mbuf *)p;
258 				MINDEX(m, k);
259 				A = mtod(m, u_char *)[k];
260 				continue;
261 #else
262 				return 0;
263 #endif
264 			}
265 			A = p[k];
266 			continue;
267 
268 		case BPF_LD|BPF_W|BPF_LEN:
269 			A = wirelen;
270 			continue;
271 
272 		case BPF_LDX|BPF_W|BPF_LEN:
273 			X = wirelen;
274 			continue;
275 
276 		case BPF_LD|BPF_W|BPF_IND:
277 			k = X + pc->k;
278 			if (pc->k > buflen || X > buflen - pc->k ||
279 			    sizeof(int32_t) > buflen - k) {
280 #ifdef _KERNEL
281 				int merr;
282 
283 				if (buflen != 0)
284 					return 0;
285 				A = m_xword((struct mbuf *)p, k, &merr);
286 				if (merr != 0)
287 					return 0;
288 				continue;
289 #else
290 				return 0;
291 #endif
292 			}
293 #ifdef BPF_ALIGN
294 			if (((intptr_t)(p + k) & 3) != 0)
295 				A = EXTRACT_LONG(&p[k]);
296 			else
297 #endif
298 				A = ntohl(*(int32_t *)(p + k));
299 			continue;
300 
301 		case BPF_LD|BPF_H|BPF_IND:
302 			k = X + pc->k;
303 			if (X > buflen || pc->k > buflen - X ||
304 			    sizeof(int16_t) > buflen - k) {
305 #ifdef _KERNEL
306 				int merr;
307 
308 				if (buflen != 0)
309 					return 0;
310 				A = m_xhalf((struct mbuf *)p, k, &merr);
311 				if (merr != 0)
312 					return 0;
313 				continue;
314 #else
315 				return 0;
316 #endif
317 			}
318 			A = EXTRACT_SHORT(&p[k]);
319 			continue;
320 
321 		case BPF_LD|BPF_B|BPF_IND:
322 			k = X + pc->k;
323 			if (pc->k >= buflen || X >= buflen - pc->k) {
324 #ifdef _KERNEL
325 				struct mbuf *m;
326 
327 				if (buflen != 0)
328 					return 0;
329 				m = (struct mbuf *)p;
330 				MINDEX(m, k);
331 				A = mtod(m, u_char *)[k];
332 				continue;
333 #else
334 				return 0;
335 #endif
336 			}
337 			A = p[k];
338 			continue;
339 
340 		case BPF_LDX|BPF_MSH|BPF_B:
341 			k = pc->k;
342 			if (k >= buflen) {
343 #ifdef _KERNEL
344 				struct mbuf *m;
345 
346 				if (buflen != 0)
347 					return 0;
348 				m = (struct mbuf *)p;
349 				MINDEX(m, k);
350 				X = (mtod(m, char *)[k] & 0xf) << 2;
351 				continue;
352 #else
353 				return 0;
354 #endif
355 			}
356 			X = (p[pc->k] & 0xf) << 2;
357 			continue;
358 
359 		case BPF_LD|BPF_IMM:
360 			A = pc->k;
361 			continue;
362 
363 		case BPF_LDX|BPF_IMM:
364 			X = pc->k;
365 			continue;
366 
367 		case BPF_LD|BPF_MEM:
368 			A = mem[pc->k];
369 			continue;
370 
371 		case BPF_LDX|BPF_MEM:
372 			X = mem[pc->k];
373 			continue;
374 
375 		case BPF_ST:
376 			mem[pc->k] = A;
377 			continue;
378 
379 		case BPF_STX:
380 			mem[pc->k] = X;
381 			continue;
382 
383 		case BPF_JMP|BPF_JA:
384 			pc += pc->k;
385 			continue;
386 
387 		case BPF_JMP|BPF_JGT|BPF_K:
388 			pc += (A > pc->k) ? pc->jt : pc->jf;
389 			continue;
390 
391 		case BPF_JMP|BPF_JGE|BPF_K:
392 			pc += (A >= pc->k) ? pc->jt : pc->jf;
393 			continue;
394 
395 		case BPF_JMP|BPF_JEQ|BPF_K:
396 			pc += (A == pc->k) ? pc->jt : pc->jf;
397 			continue;
398 
399 		case BPF_JMP|BPF_JSET|BPF_K:
400 			pc += (A & pc->k) ? pc->jt : pc->jf;
401 			continue;
402 
403 		case BPF_JMP|BPF_JGT|BPF_X:
404 			pc += (A > X) ? pc->jt : pc->jf;
405 			continue;
406 
407 		case BPF_JMP|BPF_JGE|BPF_X:
408 			pc += (A >= X) ? pc->jt : pc->jf;
409 			continue;
410 
411 		case BPF_JMP|BPF_JEQ|BPF_X:
412 			pc += (A == X) ? pc->jt : pc->jf;
413 			continue;
414 
415 		case BPF_JMP|BPF_JSET|BPF_X:
416 			pc += (A & X) ? pc->jt : pc->jf;
417 			continue;
418 
419 		case BPF_ALU|BPF_ADD|BPF_X:
420 			A += X;
421 			continue;
422 
423 		case BPF_ALU|BPF_SUB|BPF_X:
424 			A -= X;
425 			continue;
426 
427 		case BPF_ALU|BPF_MUL|BPF_X:
428 			A *= X;
429 			continue;
430 
431 		case BPF_ALU|BPF_DIV|BPF_X:
432 			if (X == 0)
433 				return 0;
434 			A /= X;
435 			continue;
436 
437 		case BPF_ALU|BPF_AND|BPF_X:
438 			A &= X;
439 			continue;
440 
441 		case BPF_ALU|BPF_OR|BPF_X:
442 			A |= X;
443 			continue;
444 
445 		case BPF_ALU|BPF_LSH|BPF_X:
446 			A <<= X;
447 			continue;
448 
449 		case BPF_ALU|BPF_RSH|BPF_X:
450 			A >>= X;
451 			continue;
452 
453 		case BPF_ALU|BPF_ADD|BPF_K:
454 			A += pc->k;
455 			continue;
456 
457 		case BPF_ALU|BPF_SUB|BPF_K:
458 			A -= pc->k;
459 			continue;
460 
461 		case BPF_ALU|BPF_MUL|BPF_K:
462 			A *= pc->k;
463 			continue;
464 
465 		case BPF_ALU|BPF_DIV|BPF_K:
466 			A /= pc->k;
467 			continue;
468 
469 		case BPF_ALU|BPF_AND|BPF_K:
470 			A &= pc->k;
471 			continue;
472 
473 		case BPF_ALU|BPF_OR|BPF_K:
474 			A |= pc->k;
475 			continue;
476 
477 		case BPF_ALU|BPF_LSH|BPF_K:
478 			A <<= pc->k;
479 			continue;
480 
481 		case BPF_ALU|BPF_RSH|BPF_K:
482 			A >>= pc->k;
483 			continue;
484 
485 		case BPF_ALU|BPF_NEG:
486 			A = -A;
487 			continue;
488 
489 		case BPF_MISC|BPF_TAX:
490 			X = A;
491 			continue;
492 
493 		case BPF_MISC|BPF_TXA:
494 			A = X;
495 			continue;
496 		}
497 	}
498 }
499 
500 #ifdef _KERNEL
501 /*
502  * Return true if the 'fcode' is a valid filter program.
503  * The constraints are that each jump be forward and to a valid
504  * code, that memory accesses are within valid ranges (to the
505  * extent that this can be checked statically; loads of packet
506  * data have to be, and are, also checked at run time), and that
507  * the code terminates with either an accept or reject.
508  *
509  * The kernel needs to be able to verify an application's filter code.
510  * Otherwise, a bogus program could easily crash the system.
511  */
512 int
513 bpf_validate(const struct bpf_insn *f, int len)
514 {
515 	u_int i, from;
516 	const struct bpf_insn *p;
517 
518 	if (len < 1 || len > BPF_MAXINSNS)
519 		return 0;
520 
521 	for (i = 0; i < len; ++i) {
522 		p = &f[i];
523 		switch (BPF_CLASS(p->code)) {
524 		/*
525 		 * Check that memory operations use valid addresses.
526 		 */
527 		case BPF_LD:
528 		case BPF_LDX:
529 			switch (BPF_MODE(p->code)) {
530 			case BPF_IMM:
531 				break;
532 			case BPF_ABS:
533 			case BPF_IND:
534 			case BPF_MSH:
535 				/*
536 				 * More strict check with actual packet length
537 				 * is done runtime.
538 				 */
539 				if (p->k >= bpf_maxbufsize)
540 					return 0;
541 				break;
542 			case BPF_MEM:
543 				if (p->k >= BPF_MEMWORDS)
544 					return 0;
545 				break;
546 			case BPF_LEN:
547 				break;
548 			default:
549 				return 0;
550 			}
551 			break;
552 		case BPF_ST:
553 		case BPF_STX:
554 			if (p->k >= BPF_MEMWORDS)
555 				return 0;
556 			break;
557 		case BPF_ALU:
558 			switch (BPF_OP(p->code)) {
559 			case BPF_ADD:
560 			case BPF_SUB:
561 			case BPF_MUL:
562 			case BPF_OR:
563 			case BPF_AND:
564 			case BPF_LSH:
565 			case BPF_RSH:
566 			case BPF_NEG:
567 				break;
568 			case BPF_DIV:
569 				/*
570 				 * Check for constant division by 0.
571 				 */
572 				if (BPF_SRC(p->code) == BPF_K && p->k == 0)
573 					return 0;
574 				break;
575 			default:
576 				return 0;
577 			}
578 			break;
579 		case BPF_JMP:
580 			/*
581 			 * Check that jumps are within the code block,
582 			 * and that unconditional branches don't go
583 			 * backwards as a result of an overflow.
584 			 * Unconditional branches have a 32-bit offset,
585 			 * so they could overflow; we check to make
586 			 * sure they don't.  Conditional branches have
587 			 * an 8-bit offset, and the from address is <=
588 			 * BPF_MAXINSNS, and we assume that BPF_MAXINSNS
589 			 * is sufficiently small that adding 255 to it
590 			 * won't overflow.
591 			 *
592 			 * We know that len is <= BPF_MAXINSNS, and we
593 			 * assume that BPF_MAXINSNS is < the maximum size
594 			 * of a u_int, so that i + 1 doesn't overflow.
595 			 */
596 			from = i + 1;
597 			switch (BPF_OP(p->code)) {
598 			case BPF_JA:
599 				if (from + p->k < from || from + p->k >= len)
600 					return 0;
601 				break;
602 			case BPF_JEQ:
603 			case BPF_JGT:
604 			case BPF_JGE:
605 			case BPF_JSET:
606 				if (from + p->jt >= len || from + p->jf >= len)
607 					return 0;
608 				break;
609 			default:
610 				return 0;
611 			}
612 			break;
613 		case BPF_RET:
614 			break;
615 		case BPF_MISC:
616 			break;
617 		default:
618 			return 0;
619 		}
620 	}
621 	return BPF_CLASS(f[len - 1].code) == BPF_RET;
622 }
623 #endif
624