1 | /* |
2 | * Copyright (c) 2000-2021 Apple Inc. All rights reserved. |
3 | * |
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ |
5 | * |
6 | * This file contains Original Code and/or Modifications of Original Code |
7 | * as defined in and that are subject to the Apple Public Source License |
8 | * Version 2.0 (the 'License'). You may not use this file except in |
9 | * compliance with the License. The rights granted to you under the License |
10 | * may not be used to create, or enable the creation or redistribution of, |
11 | * unlawful or unlicensed copies of an Apple operating system, or to |
12 | * circumvent, violate, or enable the circumvention or violation of, any |
13 | * terms of an Apple operating system software license agreement. |
14 | * |
15 | * Please obtain a copy of the License at |
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. |
17 | * |
18 | * The Original Code and all software distributed under the License are |
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
23 | * Please see the License for the specific language governing rights and |
24 | * limitations under the License. |
25 | * |
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ |
27 | */ |
28 | /* |
29 | * Copyright (c) 1990, 1991, 1993 |
30 | * The Regents of the University of California. All rights reserved. |
31 | * |
32 | * This code is derived from the Stanford/CMU enet packet filter, |
33 | * (net/enet.c) distributed as part of 4.3BSD, and code contributed |
34 | * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence |
35 | * Berkeley Laboratory. |
36 | * |
37 | * Redistribution and use in source and binary forms, with or without |
38 | * modification, are permitted provided that the following conditions |
39 | * are met: |
40 | * 1. Redistributions of source code must retain the above copyright |
41 | * notice, this list of conditions and the following disclaimer. |
42 | * 2. Redistributions in binary form must reproduce the above copyright |
43 | * notice, this list of conditions and the following disclaimer in the |
44 | * documentation and/or other materials provided with the distribution. |
45 | * 3. All advertising materials mentioning features or use of this software |
46 | * must display the following acknowledgement: |
47 | * This product includes software developed by the University of |
48 | * California, Berkeley and its contributors. |
49 | * 4. Neither the name of the University nor the names of its contributors |
50 | * may be used to endorse or promote products derived from this software |
51 | * without specific prior written permission. |
52 | * |
53 | * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND |
54 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
55 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
56 | * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE |
57 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
58 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
59 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
60 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
61 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
62 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
63 | * SUCH DAMAGE. |
64 | * |
65 | * @(#)bpf_filter.c 8.1 (Berkeley) 6/10/93 |
66 | * |
67 | * $FreeBSD: src/sys/net/bpf_filter.c,v 1.17 1999/12/29 04:38:31 peter Exp $ |
68 | */ |
69 | |
70 | #include <sys/param.h> |
71 | #include <string.h> |
72 | |
73 | #ifdef sun |
74 | #include <netinet/in.h> |
75 | #endif |
76 | |
77 | #ifdef KERNEL |
78 | #include <sys/mbuf.h> |
79 | #endif |
80 | #include <net/bpf.h> |
81 | #ifdef KERNEL |
82 | |
83 | extern unsigned int bpf_maxbufsize; |
84 | |
85 | static inline u_int32_t |
86 | get_word_from_buffers(u_char * cp, u_char * np, size_t num_from_cp) |
87 | { |
88 | u_int32_t val; |
89 | |
90 | switch (num_from_cp) { |
91 | case 1: |
92 | val = ((u_int32_t)cp[0] << 24) | |
93 | ((u_int32_t)np[0] << 16) | |
94 | ((u_int32_t)np[1] << 8) | |
95 | (u_int32_t)np[2]; |
96 | break; |
97 | |
98 | case 2: |
99 | val = ((u_int32_t)cp[0] << 24) | |
100 | ((u_int32_t)cp[1] << 16) | |
101 | ((u_int32_t)np[0] << 8) | |
102 | (u_int32_t)np[1]; |
103 | break; |
104 | default: |
105 | val = ((u_int32_t)cp[0] << 24) | |
106 | ((u_int32_t)cp[1] << 16) | |
107 | ((u_int32_t)cp[2] << 8) | |
108 | (u_int32_t)np[0]; |
109 | break; |
110 | } |
111 | return val; |
112 | } |
113 | |
114 | static u_char * |
115 | m_hdr_offset(struct mbuf **m_p, void * hdr, size_t hdrlen, bpf_u_int32 * k_p, |
116 | size_t * len_p) |
117 | { |
118 | u_char *cp; |
119 | bpf_u_int32 k = *k_p; |
120 | size_t len; |
121 | |
122 | if (k >= hdrlen) { |
123 | struct mbuf *m = *m_p; |
124 | |
125 | /* there's no header or the offset we want is past the header */ |
126 | k -= hdrlen; |
127 | len = m->m_len; |
128 | while (k >= len) { |
129 | k -= len; |
130 | m = m->m_next; |
131 | if (m == NULL) { |
132 | return NULL; |
133 | } |
134 | len = m->m_len; |
135 | } |
136 | cp = mtod(m, u_char *) + k; |
137 | |
138 | /* return next mbuf, in case it's needed */ |
139 | *m_p = m->m_next; |
140 | |
141 | /* update the offset */ |
142 | *k_p = k; |
143 | } else { |
144 | len = hdrlen; |
145 | cp = (u_char *)hdr + k; |
146 | } |
147 | *len_p = len; |
148 | return cp; |
149 | } |
150 | |
151 | static u_int32_t |
152 | m_xword(struct mbuf *m, void * hdr, size_t hdrlen, bpf_u_int32 k, int *err) |
153 | { |
154 | size_t len; |
155 | u_char *cp, *np; |
156 | |
157 | cp = m_hdr_offset(m_p: &m, hdr, hdrlen, k_p: &k, len_p: &len); |
158 | if (cp == NULL) { |
159 | goto bad; |
160 | } |
161 | if (len - k >= 4) { |
162 | *err = 0; |
163 | return EXTRACT_LONG(cp); |
164 | } |
165 | if (m == 0 || m->m_len + len - k < 4) { |
166 | goto bad; |
167 | } |
168 | *err = 0; |
169 | np = mtod(m, u_char *); |
170 | return get_word_from_buffers(cp, np, num_from_cp: len - k); |
171 | |
172 | bad: |
173 | *err = 1; |
174 | return 0; |
175 | } |
176 | |
177 | static uint16_t |
178 | m_xhalf(struct mbuf *m, void * hdr, size_t hdrlen, bpf_u_int32 k, int *err) |
179 | { |
180 | size_t len; |
181 | u_char *cp; |
182 | |
183 | cp = m_hdr_offset(m_p: &m, hdr, hdrlen, k_p: &k, len_p: &len); |
184 | if (cp == NULL) { |
185 | goto bad; |
186 | } |
187 | if (len - k >= 2) { |
188 | *err = 0; |
189 | return EXTRACT_SHORT(cp); |
190 | } |
191 | if (m == 0) { |
192 | goto bad; |
193 | } |
194 | *err = 0; |
195 | return (uint16_t)((cp[0] << 8) | mtod(m, u_char *)[0]); |
196 | bad: |
197 | *err = 1; |
198 | return 0; |
199 | } |
200 | |
201 | static u_int8_t |
202 | m_xbyte(struct mbuf *m, void * hdr, size_t hdrlen, bpf_u_int32 k, int *err) |
203 | { |
204 | size_t len; |
205 | u_char *cp; |
206 | |
207 | cp = m_hdr_offset(m_p: &m, hdr, hdrlen, k_p: &k, len_p: &len); |
208 | if (cp == NULL) { |
209 | goto bad; |
210 | } |
211 | *err = 0; |
212 | return *cp; |
213 | bad: |
214 | *err = 1; |
215 | return 0; |
216 | } |
217 | |
218 | #if SKYWALK |
219 | |
220 | #include <skywalk/os_skywalk_private.h> |
221 | |
222 | static void * |
223 | buflet_get_address(kern_buflet_t buflet) |
224 | { |
225 | uint8_t *addr; |
226 | |
227 | addr = kern_buflet_get_data_address(buflet); |
228 | if (addr == NULL) { |
229 | return NULL; |
230 | } |
231 | return addr + kern_buflet_get_data_offset(buflet); |
232 | } |
233 | |
234 | static u_char * |
235 | p_hdr_offset(kern_packet_t p, void * hdr, size_t hdrlen, bpf_u_int32 * k_p, |
236 | size_t * len_p, kern_buflet_t * buflet_p) |
237 | { |
238 | u_char *cp = NULL; |
239 | bpf_u_int32 k = *k_p; |
240 | size_t len; |
241 | kern_buflet_t buflet = NULL; |
242 | |
243 | if (k >= hdrlen) { |
244 | k -= hdrlen; |
245 | for (;;) { |
246 | buflet = kern_packet_get_next_buflet(p, buflet); |
247 | if (buflet == NULL) { |
248 | break; |
249 | } |
250 | len = kern_buflet_get_data_length(buflet); |
251 | if (k < len) { |
252 | break; |
253 | } |
254 | k -= len; |
255 | } |
256 | if (buflet == NULL) { |
257 | return NULL; |
258 | } |
259 | cp = (u_char *)buflet_get_address(buflet) + k; |
260 | /* update the offset */ |
261 | *k_p = k; |
262 | } else { |
263 | len = hdrlen; |
264 | cp = (u_char *)hdr + k; |
265 | } |
266 | *len_p = len; |
267 | *buflet_p = buflet; |
268 | return cp; |
269 | } |
270 | |
271 | static u_int32_t |
272 | p_xword(kern_packet_t p, void * hdr, size_t hdrlen, bpf_u_int32 k, int *err) |
273 | { |
274 | kern_buflet_t buflet = NULL; |
275 | u_char *cp; |
276 | size_t len = 0; |
277 | u_char *np; |
278 | |
279 | cp = p_hdr_offset(p, hdr, hdrlen, k_p: &k, len_p: &len, buflet_p: &buflet); |
280 | if (cp == NULL) { |
281 | goto bad; |
282 | } |
283 | if ((len - k) >= 4) { |
284 | *err = 0; |
285 | return EXTRACT_LONG(cp); |
286 | } |
287 | buflet = kern_packet_get_next_buflet(p, buflet); |
288 | if (buflet == NULL || |
289 | (kern_buflet_get_data_length(buflet) + len - k) < 4) { |
290 | goto bad; |
291 | } |
292 | *err = 0; |
293 | np = (u_char *)buflet_get_address(buflet); |
294 | return get_word_from_buffers(cp, np, num_from_cp: len - k); |
295 | |
296 | bad: |
297 | *err = 1; |
298 | return 0; |
299 | } |
300 | |
301 | static uint16_t |
302 | p_xhalf(kern_packet_t p, void * hdr, size_t hdrlen, bpf_u_int32 k, int *err) |
303 | { |
304 | kern_buflet_t buflet = NULL; |
305 | u_char *cp; |
306 | size_t len = 0; |
307 | u_char *np; |
308 | |
309 | cp = p_hdr_offset(p, hdr, hdrlen, k_p: &k, len_p: &len, buflet_p: &buflet); |
310 | if (cp == NULL) { |
311 | goto bad; |
312 | } |
313 | if ((len - k) >= 2) { |
314 | *err = 0; |
315 | return EXTRACT_SHORT(cp); |
316 | } |
317 | buflet = kern_packet_get_next_buflet(p, buflet); |
318 | if (buflet == NULL || kern_buflet_get_data_length(buflet) == 0) { |
319 | goto bad; |
320 | } |
321 | np = (u_char *)buflet_get_address(buflet); |
322 | *err = 0; |
323 | return (uint16_t)((cp[0] << 8) | np[0]); |
324 | bad: |
325 | *err = 1; |
326 | return 0; |
327 | } |
328 | |
329 | static u_int8_t |
330 | p_xbyte(kern_packet_t p, void * hdr, size_t hdrlen, bpf_u_int32 k, int *err) |
331 | { |
332 | kern_buflet_t buflet = NULL; |
333 | u_char *cp; |
334 | size_t len = 0; |
335 | |
336 | cp = p_hdr_offset(p, hdr, hdrlen, k_p: &k, len_p: &len, buflet_p: &buflet); |
337 | if (cp == NULL) { |
338 | goto bad; |
339 | } |
340 | *err = 0; |
341 | return *cp; |
342 | bad: |
343 | *err = 1; |
344 | return 0; |
345 | } |
346 | |
347 | #endif /* SKYWALK */ |
348 | |
349 | static u_int32_t |
350 | bp_xword(struct bpf_packet *bp, bpf_u_int32 k, int *err) |
351 | { |
352 | void * hdr = bp->bpfp_header; |
353 | size_t hdrlen = bp->bpfp_header_length; |
354 | |
355 | switch (bp->bpfp_type) { |
356 | case BPF_PACKET_TYPE_MBUF: |
357 | return m_xword(m: bp->bpfp_mbuf, hdr, hdrlen, k, err); |
358 | #if SKYWALK |
359 | case BPF_PACKET_TYPE_PKT: |
360 | return p_xword(p: bp->bpfp_pkt, hdr, hdrlen, k, err); |
361 | #endif /* SKYWALK */ |
362 | default: |
363 | break; |
364 | } |
365 | *err = 1; |
366 | return 0; |
367 | } |
368 | |
369 | static u_int16_t |
370 | bp_xhalf(struct bpf_packet *bp, bpf_u_int32 k, int *err) |
371 | { |
372 | void * hdr = bp->bpfp_header; |
373 | size_t hdrlen = bp->bpfp_header_length; |
374 | |
375 | switch (bp->bpfp_type) { |
376 | case BPF_PACKET_TYPE_MBUF: |
377 | return m_xhalf(m: bp->bpfp_mbuf, hdr, hdrlen, k, err); |
378 | #if SKYWALK |
379 | case BPF_PACKET_TYPE_PKT: |
380 | return p_xhalf(p: bp->bpfp_pkt, hdr, hdrlen, k, err); |
381 | #endif /* SKYWALK */ |
382 | default: |
383 | break; |
384 | } |
385 | *err = 1; |
386 | return 0; |
387 | } |
388 | |
389 | static u_int8_t |
390 | bp_xbyte(struct bpf_packet *bp, bpf_u_int32 k, int *err) |
391 | { |
392 | void * hdr = bp->bpfp_header; |
393 | size_t hdrlen = bp->bpfp_header_length; |
394 | |
395 | switch (bp->bpfp_type) { |
396 | case BPF_PACKET_TYPE_MBUF: |
397 | return m_xbyte(m: bp->bpfp_mbuf, hdr, hdrlen, k, err); |
398 | #if SKYWALK |
399 | case BPF_PACKET_TYPE_PKT: |
400 | return p_xbyte(p: bp->bpfp_pkt, hdr, hdrlen, k, err); |
401 | #endif /* SKYWALK */ |
402 | default: |
403 | break; |
404 | } |
405 | *err = 1; |
406 | return 0; |
407 | } |
408 | |
409 | #endif |
410 | |
411 | /* |
412 | * Execute the filter program starting at pc on the packet p |
413 | * wirelen is the length of the original packet |
414 | * buflen is the amount of data present |
415 | */ |
416 | u_int |
417 | bpf_filter(const struct bpf_insn *pc, u_char *p, u_int wirelen, u_int buflen) |
418 | { |
419 | u_int32_t A = 0, X = 0; |
420 | bpf_u_int32 k; |
421 | int32_t mem[BPF_MEMWORDS]; |
422 | #ifdef KERNEL |
423 | int merr; |
424 | struct bpf_packet * bp = (struct bpf_packet *)(void *)p; |
425 | #endif /* KERNEL */ |
426 | |
427 | bzero(s: mem, n: sizeof(mem)); |
428 | |
429 | if (pc == 0) { |
430 | /* |
431 | * No filter means accept all. |
432 | */ |
433 | return (u_int) - 1; |
434 | } |
435 | |
436 | --pc; |
437 | while (1) { |
438 | ++pc; |
439 | switch (pc->code) { |
440 | default: |
441 | #ifdef KERNEL |
442 | return 0; |
443 | #else /* KERNEL */ |
444 | abort(); |
445 | #endif /* KERNEL */ |
446 | case BPF_RET | BPF_K: |
447 | return (u_int)pc->k; |
448 | |
449 | case BPF_RET | BPF_A: |
450 | return (u_int)A; |
451 | |
452 | case BPF_LD | BPF_W | BPF_ABS: |
453 | k = pc->k; |
454 | if (k > buflen || sizeof(int32_t) > buflen - k) { |
455 | #ifdef KERNEL |
456 | if (buflen != 0) { |
457 | return 0; |
458 | } |
459 | A = bp_xword(bp, k, err: &merr); |
460 | if (merr != 0) { |
461 | return 0; |
462 | } |
463 | continue; |
464 | #else /* KERNEL */ |
465 | return 0; |
466 | #endif /* KERNEL */ |
467 | } |
468 | #if BPF_ALIGN |
469 | if (((intptr_t)(p + k) & 3) != 0) { |
470 | A = EXTRACT_LONG(&p[k]); |
471 | } else |
472 | #endif /* BPF_ALIGN */ |
473 | A = ntohl(*(int32_t *)(void *)(p + k)); |
474 | continue; |
475 | |
476 | case BPF_LD | BPF_H | BPF_ABS: |
477 | k = pc->k; |
478 | if (k > buflen || sizeof(int16_t) > buflen - k) { |
479 | #ifdef KERNEL |
480 | if (buflen != 0) { |
481 | return 0; |
482 | } |
483 | A = bp_xhalf(bp, k, err: &merr); |
484 | if (merr != 0) { |
485 | return 0; |
486 | } |
487 | continue; |
488 | #else /* KERNEL */ |
489 | return 0; |
490 | #endif /* KERNEL */ |
491 | } |
492 | A = EXTRACT_SHORT(&p[k]); |
493 | continue; |
494 | |
495 | case BPF_LD | BPF_B | BPF_ABS: |
496 | k = pc->k; |
497 | if (k >= buflen) { |
498 | #ifdef KERNEL |
499 | if (buflen != 0) { |
500 | return 0; |
501 | } |
502 | A = bp_xbyte(bp, k, err: &merr); |
503 | if (merr != 0) { |
504 | return 0; |
505 | } |
506 | continue; |
507 | #else /* KERNEL */ |
508 | return 0; |
509 | #endif /* KERNEL */ |
510 | } |
511 | A = p[k]; |
512 | continue; |
513 | |
514 | case BPF_LD | BPF_W | BPF_LEN: |
515 | A = wirelen; |
516 | continue; |
517 | |
518 | case BPF_LDX | BPF_W | BPF_LEN: |
519 | X = wirelen; |
520 | continue; |
521 | |
522 | case BPF_LD | BPF_W | BPF_IND: |
523 | k = X + pc->k; |
524 | if (pc->k > buflen || X > buflen - pc->k || |
525 | sizeof(int32_t) > buflen - k) { |
526 | #ifdef KERNEL |
527 | if (buflen != 0) { |
528 | return 0; |
529 | } |
530 | A = bp_xword(bp, k, err: &merr); |
531 | if (merr != 0) { |
532 | return 0; |
533 | } |
534 | continue; |
535 | #else /* KERNEL */ |
536 | return 0; |
537 | #endif /* KERNEL */ |
538 | } |
539 | #if BPF_ALIGN |
540 | if (((intptr_t)(p + k) & 3) != 0) { |
541 | A = EXTRACT_LONG(&p[k]); |
542 | } else |
543 | #endif /* BPF_ALIGN */ |
544 | A = ntohl(*(int32_t *)(void *)(p + k)); |
545 | continue; |
546 | |
547 | case BPF_LD | BPF_H | BPF_IND: |
548 | k = X + pc->k; |
549 | if (X > buflen || pc->k > buflen - X || |
550 | sizeof(int16_t) > buflen - k) { |
551 | #ifdef KERNEL |
552 | if (buflen != 0) { |
553 | return 0; |
554 | } |
555 | A = bp_xhalf(bp, k, err: &merr); |
556 | if (merr != 0) { |
557 | return 0; |
558 | } |
559 | continue; |
560 | #else /* KERNEL */ |
561 | return 0; |
562 | #endif /* KERNEL */ |
563 | } |
564 | A = EXTRACT_SHORT(&p[k]); |
565 | continue; |
566 | |
567 | case BPF_LD | BPF_B | BPF_IND: |
568 | k = X + pc->k; |
569 | if (pc->k >= buflen || X >= buflen - pc->k) { |
570 | #ifdef KERNEL |
571 | if (buflen != 0) { |
572 | return 0; |
573 | } |
574 | A = bp_xbyte(bp, k, err: &merr); |
575 | if (merr != 0) { |
576 | return 0; |
577 | } |
578 | continue; |
579 | #else /* KERNEL */ |
580 | return 0; |
581 | #endif /* KERNEL */ |
582 | } |
583 | A = p[k]; |
584 | continue; |
585 | |
586 | case BPF_LDX | BPF_MSH | BPF_B: |
587 | k = pc->k; |
588 | if (k >= buflen) { |
589 | #ifdef KERNEL |
590 | if (buflen != 0) { |
591 | return 0; |
592 | } |
593 | X = bp_xbyte(bp, k, err: &merr); |
594 | if (merr != 0) { |
595 | return 0; |
596 | } |
597 | X = (X & 0xf) << 2; |
598 | continue; |
599 | #else |
600 | return 0; |
601 | #endif |
602 | } |
603 | X = (p[pc->k] & 0xf) << 2; |
604 | continue; |
605 | |
606 | case BPF_LD | BPF_IMM: |
607 | A = pc->k; |
608 | continue; |
609 | |
610 | case BPF_LDX | BPF_IMM: |
611 | X = pc->k; |
612 | continue; |
613 | |
614 | case BPF_LD | BPF_MEM: |
615 | if (pc->k >= BPF_MEMWORDS) { |
616 | return 0; |
617 | } |
618 | A = mem[pc->k]; |
619 | continue; |
620 | |
621 | case BPF_LDX | BPF_MEM: |
622 | if (pc->k >= BPF_MEMWORDS) { |
623 | return 0; |
624 | } |
625 | X = mem[pc->k]; |
626 | continue; |
627 | |
628 | case BPF_ST: |
629 | if (pc->k >= BPF_MEMWORDS) { |
630 | return 0; |
631 | } |
632 | mem[pc->k] = A; |
633 | continue; |
634 | |
635 | case BPF_STX: |
636 | if (pc->k >= BPF_MEMWORDS) { |
637 | return 0; |
638 | } |
639 | mem[pc->k] = X; |
640 | continue; |
641 | |
642 | case BPF_JMP | BPF_JA: |
643 | pc += pc->k; |
644 | continue; |
645 | |
646 | case BPF_JMP | BPF_JGT | BPF_K: |
647 | pc += (A > pc->k) ? pc->jt : pc->jf; |
648 | continue; |
649 | |
650 | case BPF_JMP | BPF_JGE | BPF_K: |
651 | pc += (A >= pc->k) ? pc->jt : pc->jf; |
652 | continue; |
653 | |
654 | case BPF_JMP | BPF_JEQ | BPF_K: |
655 | pc += (A == pc->k) ? pc->jt : pc->jf; |
656 | continue; |
657 | |
658 | case BPF_JMP | BPF_JSET | BPF_K: |
659 | pc += (A & pc->k) ? pc->jt : pc->jf; |
660 | continue; |
661 | |
662 | case BPF_JMP | BPF_JGT | BPF_X: |
663 | pc += (A > X) ? pc->jt : pc->jf; |
664 | continue; |
665 | |
666 | case BPF_JMP | BPF_JGE | BPF_X: |
667 | pc += (A >= X) ? pc->jt : pc->jf; |
668 | continue; |
669 | |
670 | case BPF_JMP | BPF_JEQ | BPF_X: |
671 | pc += (A == X) ? pc->jt : pc->jf; |
672 | continue; |
673 | |
674 | case BPF_JMP | BPF_JSET | BPF_X: |
675 | pc += (A & X) ? pc->jt : pc->jf; |
676 | continue; |
677 | |
678 | case BPF_ALU | BPF_ADD | BPF_X: |
679 | A += X; |
680 | continue; |
681 | |
682 | case BPF_ALU | BPF_SUB | BPF_X: |
683 | A -= X; |
684 | continue; |
685 | |
686 | case BPF_ALU | BPF_MUL | BPF_X: |
687 | A *= X; |
688 | continue; |
689 | |
690 | case BPF_ALU | BPF_DIV | BPF_X: |
691 | if (X == 0) { |
692 | return 0; |
693 | } |
694 | A /= X; |
695 | continue; |
696 | |
697 | case BPF_ALU | BPF_AND | BPF_X: |
698 | A &= X; |
699 | continue; |
700 | |
701 | case BPF_ALU | BPF_OR | BPF_X: |
702 | A |= X; |
703 | continue; |
704 | |
705 | case BPF_ALU | BPF_LSH | BPF_X: |
706 | A <<= X; |
707 | continue; |
708 | |
709 | case BPF_ALU | BPF_RSH | BPF_X: |
710 | A >>= X; |
711 | continue; |
712 | |
713 | case BPF_ALU | BPF_ADD | BPF_K: |
714 | A += pc->k; |
715 | continue; |
716 | |
717 | case BPF_ALU | BPF_SUB | BPF_K: |
718 | A -= pc->k; |
719 | continue; |
720 | |
721 | case BPF_ALU | BPF_MUL | BPF_K: |
722 | A *= pc->k; |
723 | continue; |
724 | |
725 | case BPF_ALU | BPF_DIV | BPF_K: |
726 | A /= pc->k; |
727 | continue; |
728 | |
729 | case BPF_ALU | BPF_AND | BPF_K: |
730 | A &= pc->k; |
731 | continue; |
732 | |
733 | case BPF_ALU | BPF_OR | BPF_K: |
734 | A |= pc->k; |
735 | continue; |
736 | |
737 | case BPF_ALU | BPF_LSH | BPF_K: |
738 | A <<= pc->k; |
739 | continue; |
740 | |
741 | case BPF_ALU | BPF_RSH | BPF_K: |
742 | A >>= pc->k; |
743 | continue; |
744 | |
745 | case BPF_ALU | BPF_NEG: |
746 | A = -A; |
747 | continue; |
748 | |
749 | case BPF_MISC | BPF_TAX: |
750 | X = A; |
751 | continue; |
752 | |
753 | case BPF_MISC | BPF_TXA: |
754 | A = X; |
755 | continue; |
756 | } |
757 | } |
758 | } |
759 | |
760 | #ifdef KERNEL |
761 | /* |
762 | * Return true if the 'fcode' is a valid filter program. |
763 | * The constraints are that each jump be forward and to a valid |
764 | * code, that memory accesses are within valid ranges (to the |
765 | * extent that this can be checked statically; loads of packet data |
766 | * have to be, and are, also checked at run time), and that |
767 | * the code terminates with either an accept or reject. |
768 | * |
769 | * The kernel needs to be able to verify an application's filter code. |
770 | * Otherwise, a bogus program could easily crash the system. |
771 | */ |
772 | int |
773 | bpf_validate(const struct bpf_insn *f, int len) |
774 | { |
775 | u_int i, from; |
776 | const struct bpf_insn *p; |
777 | |
778 | if (len < 1 || len > BPF_MAXINSNS) { |
779 | return 0; |
780 | } |
781 | |
782 | for (i = 0; i < ((u_int)len); ++i) { |
783 | p = &f[i]; |
784 | switch (BPF_CLASS(p->code)) { |
785 | /* |
786 | * Check that memory operations use valid addresses |
787 | */ |
788 | case BPF_LD: |
789 | case BPF_LDX: |
790 | switch (BPF_MODE(p->code)) { |
791 | case BPF_IMM: |
792 | break; |
793 | case BPF_ABS: |
794 | case BPF_IND: |
795 | case BPF_MSH: |
796 | /* |
797 | * More strict check with actual packet length |
798 | * is done runtime. |
799 | */ |
800 | if (p->k >= bpf_maxbufsize) { |
801 | return 0; |
802 | } |
803 | break; |
804 | case BPF_MEM: |
805 | if (p->k >= BPF_MEMWORDS) { |
806 | return 0; |
807 | } |
808 | break; |
809 | case BPF_LEN: |
810 | break; |
811 | default: |
812 | return 0; |
813 | } |
814 | break; |
815 | case BPF_ST: |
816 | case BPF_STX: |
817 | if (p->k >= BPF_MEMWORDS) { |
818 | return 0; |
819 | } |
820 | break; |
821 | case BPF_ALU: |
822 | switch (BPF_OP(p->code)) { |
823 | case BPF_ADD: |
824 | case BPF_SUB: |
825 | case BPF_MUL: |
826 | case BPF_OR: |
827 | case BPF_AND: |
828 | case BPF_LSH: |
829 | case BPF_RSH: |
830 | case BPF_NEG: |
831 | break; |
832 | case BPF_DIV: |
833 | /* |
834 | * Check for constant division by 0 |
835 | */ |
836 | if (BPF_SRC(p->code) == BPF_K && p->k == 0) { |
837 | return 0; |
838 | } |
839 | break; |
840 | default: |
841 | return 0; |
842 | } |
843 | break; |
844 | case BPF_JMP: |
845 | /* |
846 | * Check that jumps are within the code block, |
847 | * and that unconditional branches don't go |
848 | * backwards as a result of an overflow. |
849 | * Unconditional branches have a 32-bit offset, |
850 | * so they could overflow; we check to make |
851 | * sure they don't. Conditional branches have |
852 | * an 8-bit offset, and the from address is |
853 | * less than equal to BPF_MAXINSNS, and we assume that |
854 | * BPF_MAXINSNS is sufficiently small that adding 255 |
855 | * to it won't overlflow |
856 | * |
857 | * We know that len is <= BPF_MAXINSNS, and we |
858 | * assume that BPF_MAXINSNS is less than the maximum |
859 | * size of a u_int, so that i+1 doesn't overflow |
860 | */ |
861 | from = i + 1; |
862 | switch (BPF_OP(p->code)) { |
863 | case BPF_JA: |
864 | if (from + p->k < from || from + p->k >= ((u_int)len)) { |
865 | return 0; |
866 | } |
867 | break; |
868 | case BPF_JEQ: |
869 | case BPF_JGT: |
870 | case BPF_JGE: |
871 | case BPF_JSET: |
872 | if (from + p->jt >= ((u_int)len) || from + p->jf >= ((u_int)len)) { |
873 | return 0; |
874 | } |
875 | break; |
876 | default: |
877 | return 0; |
878 | } |
879 | break; |
880 | case BPF_RET: |
881 | break; |
882 | case BPF_MISC: |
883 | break; |
884 | default: |
885 | return 0; |
886 | } |
887 | } |
888 | return BPF_CLASS(f[len - 1].code) == BPF_RET; |
889 | } |
890 | #endif |
891 | |