1/*
2 * Copyright (c) 2000-2021 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28/*
29 * Copyright (c) 1990, 1991, 1993
30 * The Regents of the University of California. All rights reserved.
31 *
32 * This code is derived from the Stanford/CMU enet packet filter,
33 * (net/enet.c) distributed as part of 4.3BSD, and code contributed
34 * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
35 * Berkeley Laboratory.
36 *
37 * Redistribution and use in source and binary forms, with or without
38 * modification, are permitted provided that the following conditions
39 * are met:
40 * 1. Redistributions of source code must retain the above copyright
41 * notice, this list of conditions and the following disclaimer.
42 * 2. Redistributions in binary form must reproduce the above copyright
43 * notice, this list of conditions and the following disclaimer in the
44 * documentation and/or other materials provided with the distribution.
45 * 3. All advertising materials mentioning features or use of this software
46 * must display the following acknowledgement:
47 * This product includes software developed by the University of
48 * California, Berkeley and its contributors.
49 * 4. Neither the name of the University nor the names of its contributors
50 * may be used to endorse or promote products derived from this software
51 * without specific prior written permission.
52 *
53 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
54 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
55 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
56 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
57 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
58 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
59 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
60 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
61 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
62 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
63 * SUCH DAMAGE.
64 *
65 * @(#)bpf_filter.c 8.1 (Berkeley) 6/10/93
66 *
67 * $FreeBSD: src/sys/net/bpf_filter.c,v 1.17 1999/12/29 04:38:31 peter Exp $
68 */
69
70#include <sys/param.h>
71#include <string.h>
72
73#ifdef sun
74#include <netinet/in.h>
75#endif
76
77#ifdef KERNEL
78#include <sys/mbuf.h>
79#endif
80#include <net/bpf.h>
81#ifdef KERNEL
82
83extern unsigned int bpf_maxbufsize;
84
85static inline u_int32_t
86get_word_from_buffers(u_char * cp, u_char * np, size_t num_from_cp)
87{
88 u_int32_t val;
89
90 switch (num_from_cp) {
91 case 1:
92 val = ((u_int32_t)cp[0] << 24) |
93 ((u_int32_t)np[0] << 16) |
94 ((u_int32_t)np[1] << 8) |
95 (u_int32_t)np[2];
96 break;
97
98 case 2:
99 val = ((u_int32_t)cp[0] << 24) |
100 ((u_int32_t)cp[1] << 16) |
101 ((u_int32_t)np[0] << 8) |
102 (u_int32_t)np[1];
103 break;
104 default:
105 val = ((u_int32_t)cp[0] << 24) |
106 ((u_int32_t)cp[1] << 16) |
107 ((u_int32_t)cp[2] << 8) |
108 (u_int32_t)np[0];
109 break;
110 }
111 return val;
112}
113
114static u_char *
115m_hdr_offset(struct mbuf **m_p, void * hdr, size_t hdrlen, bpf_u_int32 * k_p,
116 size_t * len_p)
117{
118 u_char *cp;
119 bpf_u_int32 k = *k_p;
120 size_t len;
121
122 if (k >= hdrlen) {
123 struct mbuf *m = *m_p;
124
125 /* there's no header or the offset we want is past the header */
126 k -= hdrlen;
127 len = m->m_len;
128 while (k >= len) {
129 k -= len;
130 m = m->m_next;
131 if (m == NULL) {
132 return NULL;
133 }
134 len = m->m_len;
135 }
136 cp = mtod(m, u_char *) + k;
137
138 /* return next mbuf, in case it's needed */
139 *m_p = m->m_next;
140
141 /* update the offset */
142 *k_p = k;
143 } else {
144 len = hdrlen;
145 cp = (u_char *)hdr + k;
146 }
147 *len_p = len;
148 return cp;
149}
150
151static u_int32_t
152m_xword(struct mbuf *m, void * hdr, size_t hdrlen, bpf_u_int32 k, int *err)
153{
154 size_t len;
155 u_char *cp, *np;
156
157 cp = m_hdr_offset(m_p: &m, hdr, hdrlen, k_p: &k, len_p: &len);
158 if (cp == NULL) {
159 goto bad;
160 }
161 if (len - k >= 4) {
162 *err = 0;
163 return EXTRACT_LONG(cp);
164 }
165 if (m == 0 || m->m_len + len - k < 4) {
166 goto bad;
167 }
168 *err = 0;
169 np = mtod(m, u_char *);
170 return get_word_from_buffers(cp, np, num_from_cp: len - k);
171
172bad:
173 *err = 1;
174 return 0;
175}
176
177static uint16_t
178m_xhalf(struct mbuf *m, void * hdr, size_t hdrlen, bpf_u_int32 k, int *err)
179{
180 size_t len;
181 u_char *cp;
182
183 cp = m_hdr_offset(m_p: &m, hdr, hdrlen, k_p: &k, len_p: &len);
184 if (cp == NULL) {
185 goto bad;
186 }
187 if (len - k >= 2) {
188 *err = 0;
189 return EXTRACT_SHORT(cp);
190 }
191 if (m == 0) {
192 goto bad;
193 }
194 *err = 0;
195 return (uint16_t)((cp[0] << 8) | mtod(m, u_char *)[0]);
196bad:
197 *err = 1;
198 return 0;
199}
200
201static u_int8_t
202m_xbyte(struct mbuf *m, void * hdr, size_t hdrlen, bpf_u_int32 k, int *err)
203{
204 size_t len;
205 u_char *cp;
206
207 cp = m_hdr_offset(m_p: &m, hdr, hdrlen, k_p: &k, len_p: &len);
208 if (cp == NULL) {
209 goto bad;
210 }
211 *err = 0;
212 return *cp;
213bad:
214 *err = 1;
215 return 0;
216}
217
218#if SKYWALK
219
220#include <skywalk/os_skywalk_private.h>
221
222static void *
223buflet_get_address(kern_buflet_t buflet)
224{
225 uint8_t *addr;
226
227 addr = kern_buflet_get_data_address(buflet);
228 if (addr == NULL) {
229 return NULL;
230 }
231 return addr + kern_buflet_get_data_offset(buflet);
232}
233
234static u_char *
235p_hdr_offset(kern_packet_t p, void * hdr, size_t hdrlen, bpf_u_int32 * k_p,
236 size_t * len_p, kern_buflet_t * buflet_p)
237{
238 u_char *cp = NULL;
239 bpf_u_int32 k = *k_p;
240 size_t len;
241 kern_buflet_t buflet = NULL;
242
243 if (k >= hdrlen) {
244 k -= hdrlen;
245 for (;;) {
246 buflet = kern_packet_get_next_buflet(p, buflet);
247 if (buflet == NULL) {
248 break;
249 }
250 len = kern_buflet_get_data_length(buflet);
251 if (k < len) {
252 break;
253 }
254 k -= len;
255 }
256 if (buflet == NULL) {
257 return NULL;
258 }
259 cp = (u_char *)buflet_get_address(buflet) + k;
260 /* update the offset */
261 *k_p = k;
262 } else {
263 len = hdrlen;
264 cp = (u_char *)hdr + k;
265 }
266 *len_p = len;
267 *buflet_p = buflet;
268 return cp;
269}
270
271static u_int32_t
272p_xword(kern_packet_t p, void * hdr, size_t hdrlen, bpf_u_int32 k, int *err)
273{
274 kern_buflet_t buflet = NULL;
275 u_char *cp;
276 size_t len = 0;
277 u_char *np;
278
279 cp = p_hdr_offset(p, hdr, hdrlen, k_p: &k, len_p: &len, buflet_p: &buflet);
280 if (cp == NULL) {
281 goto bad;
282 }
283 if ((len - k) >= 4) {
284 *err = 0;
285 return EXTRACT_LONG(cp);
286 }
287 buflet = kern_packet_get_next_buflet(p, buflet);
288 if (buflet == NULL ||
289 (kern_buflet_get_data_length(buflet) + len - k) < 4) {
290 goto bad;
291 }
292 *err = 0;
293 np = (u_char *)buflet_get_address(buflet);
294 return get_word_from_buffers(cp, np, num_from_cp: len - k);
295
296bad:
297 *err = 1;
298 return 0;
299}
300
301static uint16_t
302p_xhalf(kern_packet_t p, void * hdr, size_t hdrlen, bpf_u_int32 k, int *err)
303{
304 kern_buflet_t buflet = NULL;
305 u_char *cp;
306 size_t len = 0;
307 u_char *np;
308
309 cp = p_hdr_offset(p, hdr, hdrlen, k_p: &k, len_p: &len, buflet_p: &buflet);
310 if (cp == NULL) {
311 goto bad;
312 }
313 if ((len - k) >= 2) {
314 *err = 0;
315 return EXTRACT_SHORT(cp);
316 }
317 buflet = kern_packet_get_next_buflet(p, buflet);
318 if (buflet == NULL || kern_buflet_get_data_length(buflet) == 0) {
319 goto bad;
320 }
321 np = (u_char *)buflet_get_address(buflet);
322 *err = 0;
323 return (uint16_t)((cp[0] << 8) | np[0]);
324bad:
325 *err = 1;
326 return 0;
327}
328
329static u_int8_t
330p_xbyte(kern_packet_t p, void * hdr, size_t hdrlen, bpf_u_int32 k, int *err)
331{
332 kern_buflet_t buflet = NULL;
333 u_char *cp;
334 size_t len = 0;
335
336 cp = p_hdr_offset(p, hdr, hdrlen, k_p: &k, len_p: &len, buflet_p: &buflet);
337 if (cp == NULL) {
338 goto bad;
339 }
340 *err = 0;
341 return *cp;
342bad:
343 *err = 1;
344 return 0;
345}
346
347#endif /* SKYWALK */
348
349static u_int32_t
350bp_xword(struct bpf_packet *bp, bpf_u_int32 k, int *err)
351{
352 void * hdr = bp->bpfp_header;
353 size_t hdrlen = bp->bpfp_header_length;
354
355 switch (bp->bpfp_type) {
356 case BPF_PACKET_TYPE_MBUF:
357 return m_xword(m: bp->bpfp_mbuf, hdr, hdrlen, k, err);
358#if SKYWALK
359 case BPF_PACKET_TYPE_PKT:
360 return p_xword(p: bp->bpfp_pkt, hdr, hdrlen, k, err);
361#endif /* SKYWALK */
362 default:
363 break;
364 }
365 *err = 1;
366 return 0;
367}
368
369static u_int16_t
370bp_xhalf(struct bpf_packet *bp, bpf_u_int32 k, int *err)
371{
372 void * hdr = bp->bpfp_header;
373 size_t hdrlen = bp->bpfp_header_length;
374
375 switch (bp->bpfp_type) {
376 case BPF_PACKET_TYPE_MBUF:
377 return m_xhalf(m: bp->bpfp_mbuf, hdr, hdrlen, k, err);
378#if SKYWALK
379 case BPF_PACKET_TYPE_PKT:
380 return p_xhalf(p: bp->bpfp_pkt, hdr, hdrlen, k, err);
381#endif /* SKYWALK */
382 default:
383 break;
384 }
385 *err = 1;
386 return 0;
387}
388
389static u_int8_t
390bp_xbyte(struct bpf_packet *bp, bpf_u_int32 k, int *err)
391{
392 void * hdr = bp->bpfp_header;
393 size_t hdrlen = bp->bpfp_header_length;
394
395 switch (bp->bpfp_type) {
396 case BPF_PACKET_TYPE_MBUF:
397 return m_xbyte(m: bp->bpfp_mbuf, hdr, hdrlen, k, err);
398#if SKYWALK
399 case BPF_PACKET_TYPE_PKT:
400 return p_xbyte(p: bp->bpfp_pkt, hdr, hdrlen, k, err);
401#endif /* SKYWALK */
402 default:
403 break;
404 }
405 *err = 1;
406 return 0;
407}
408
409#endif
410
411/*
412 * Execute the filter program starting at pc on the packet p
413 * wirelen is the length of the original packet
414 * buflen is the amount of data present
415 */
416u_int
417bpf_filter(const struct bpf_insn *pc, u_char *p, u_int wirelen, u_int buflen)
418{
419 u_int32_t A = 0, X = 0;
420 bpf_u_int32 k;
421 int32_t mem[BPF_MEMWORDS];
422#ifdef KERNEL
423 int merr;
424 struct bpf_packet * bp = (struct bpf_packet *)(void *)p;
425#endif /* KERNEL */
426
427 bzero(s: mem, n: sizeof(mem));
428
429 if (pc == 0) {
430 /*
431 * No filter means accept all.
432 */
433 return (u_int) - 1;
434 }
435
436 --pc;
437 while (1) {
438 ++pc;
439 switch (pc->code) {
440 default:
441#ifdef KERNEL
442 return 0;
443#else /* KERNEL */
444 abort();
445#endif /* KERNEL */
446 case BPF_RET | BPF_K:
447 return (u_int)pc->k;
448
449 case BPF_RET | BPF_A:
450 return (u_int)A;
451
452 case BPF_LD | BPF_W | BPF_ABS:
453 k = pc->k;
454 if (k > buflen || sizeof(int32_t) > buflen - k) {
455#ifdef KERNEL
456 if (buflen != 0) {
457 return 0;
458 }
459 A = bp_xword(bp, k, err: &merr);
460 if (merr != 0) {
461 return 0;
462 }
463 continue;
464#else /* KERNEL */
465 return 0;
466#endif /* KERNEL */
467 }
468#if BPF_ALIGN
469 if (((intptr_t)(p + k) & 3) != 0) {
470 A = EXTRACT_LONG(&p[k]);
471 } else
472#endif /* BPF_ALIGN */
473 A = ntohl(*(int32_t *)(void *)(p + k));
474 continue;
475
476 case BPF_LD | BPF_H | BPF_ABS:
477 k = pc->k;
478 if (k > buflen || sizeof(int16_t) > buflen - k) {
479#ifdef KERNEL
480 if (buflen != 0) {
481 return 0;
482 }
483 A = bp_xhalf(bp, k, err: &merr);
484 if (merr != 0) {
485 return 0;
486 }
487 continue;
488#else /* KERNEL */
489 return 0;
490#endif /* KERNEL */
491 }
492 A = EXTRACT_SHORT(&p[k]);
493 continue;
494
495 case BPF_LD | BPF_B | BPF_ABS:
496 k = pc->k;
497 if (k >= buflen) {
498#ifdef KERNEL
499 if (buflen != 0) {
500 return 0;
501 }
502 A = bp_xbyte(bp, k, err: &merr);
503 if (merr != 0) {
504 return 0;
505 }
506 continue;
507#else /* KERNEL */
508 return 0;
509#endif /* KERNEL */
510 }
511 A = p[k];
512 continue;
513
514 case BPF_LD | BPF_W | BPF_LEN:
515 A = wirelen;
516 continue;
517
518 case BPF_LDX | BPF_W | BPF_LEN:
519 X = wirelen;
520 continue;
521
522 case BPF_LD | BPF_W | BPF_IND:
523 k = X + pc->k;
524 if (pc->k > buflen || X > buflen - pc->k ||
525 sizeof(int32_t) > buflen - k) {
526#ifdef KERNEL
527 if (buflen != 0) {
528 return 0;
529 }
530 A = bp_xword(bp, k, err: &merr);
531 if (merr != 0) {
532 return 0;
533 }
534 continue;
535#else /* KERNEL */
536 return 0;
537#endif /* KERNEL */
538 }
539#if BPF_ALIGN
540 if (((intptr_t)(p + k) & 3) != 0) {
541 A = EXTRACT_LONG(&p[k]);
542 } else
543#endif /* BPF_ALIGN */
544 A = ntohl(*(int32_t *)(void *)(p + k));
545 continue;
546
547 case BPF_LD | BPF_H | BPF_IND:
548 k = X + pc->k;
549 if (X > buflen || pc->k > buflen - X ||
550 sizeof(int16_t) > buflen - k) {
551#ifdef KERNEL
552 if (buflen != 0) {
553 return 0;
554 }
555 A = bp_xhalf(bp, k, err: &merr);
556 if (merr != 0) {
557 return 0;
558 }
559 continue;
560#else /* KERNEL */
561 return 0;
562#endif /* KERNEL */
563 }
564 A = EXTRACT_SHORT(&p[k]);
565 continue;
566
567 case BPF_LD | BPF_B | BPF_IND:
568 k = X + pc->k;
569 if (pc->k >= buflen || X >= buflen - pc->k) {
570#ifdef KERNEL
571 if (buflen != 0) {
572 return 0;
573 }
574 A = bp_xbyte(bp, k, err: &merr);
575 if (merr != 0) {
576 return 0;
577 }
578 continue;
579#else /* KERNEL */
580 return 0;
581#endif /* KERNEL */
582 }
583 A = p[k];
584 continue;
585
586 case BPF_LDX | BPF_MSH | BPF_B:
587 k = pc->k;
588 if (k >= buflen) {
589#ifdef KERNEL
590 if (buflen != 0) {
591 return 0;
592 }
593 X = bp_xbyte(bp, k, err: &merr);
594 if (merr != 0) {
595 return 0;
596 }
597 X = (X & 0xf) << 2;
598 continue;
599#else
600 return 0;
601#endif
602 }
603 X = (p[pc->k] & 0xf) << 2;
604 continue;
605
606 case BPF_LD | BPF_IMM:
607 A = pc->k;
608 continue;
609
610 case BPF_LDX | BPF_IMM:
611 X = pc->k;
612 continue;
613
614 case BPF_LD | BPF_MEM:
615 if (pc->k >= BPF_MEMWORDS) {
616 return 0;
617 }
618 A = mem[pc->k];
619 continue;
620
621 case BPF_LDX | BPF_MEM:
622 if (pc->k >= BPF_MEMWORDS) {
623 return 0;
624 }
625 X = mem[pc->k];
626 continue;
627
628 case BPF_ST:
629 if (pc->k >= BPF_MEMWORDS) {
630 return 0;
631 }
632 mem[pc->k] = A;
633 continue;
634
635 case BPF_STX:
636 if (pc->k >= BPF_MEMWORDS) {
637 return 0;
638 }
639 mem[pc->k] = X;
640 continue;
641
642 case BPF_JMP | BPF_JA:
643 pc += pc->k;
644 continue;
645
646 case BPF_JMP | BPF_JGT | BPF_K:
647 pc += (A > pc->k) ? pc->jt : pc->jf;
648 continue;
649
650 case BPF_JMP | BPF_JGE | BPF_K:
651 pc += (A >= pc->k) ? pc->jt : pc->jf;
652 continue;
653
654 case BPF_JMP | BPF_JEQ | BPF_K:
655 pc += (A == pc->k) ? pc->jt : pc->jf;
656 continue;
657
658 case BPF_JMP | BPF_JSET | BPF_K:
659 pc += (A & pc->k) ? pc->jt : pc->jf;
660 continue;
661
662 case BPF_JMP | BPF_JGT | BPF_X:
663 pc += (A > X) ? pc->jt : pc->jf;
664 continue;
665
666 case BPF_JMP | BPF_JGE | BPF_X:
667 pc += (A >= X) ? pc->jt : pc->jf;
668 continue;
669
670 case BPF_JMP | BPF_JEQ | BPF_X:
671 pc += (A == X) ? pc->jt : pc->jf;
672 continue;
673
674 case BPF_JMP | BPF_JSET | BPF_X:
675 pc += (A & X) ? pc->jt : pc->jf;
676 continue;
677
678 case BPF_ALU | BPF_ADD | BPF_X:
679 A += X;
680 continue;
681
682 case BPF_ALU | BPF_SUB | BPF_X:
683 A -= X;
684 continue;
685
686 case BPF_ALU | BPF_MUL | BPF_X:
687 A *= X;
688 continue;
689
690 case BPF_ALU | BPF_DIV | BPF_X:
691 if (X == 0) {
692 return 0;
693 }
694 A /= X;
695 continue;
696
697 case BPF_ALU | BPF_AND | BPF_X:
698 A &= X;
699 continue;
700
701 case BPF_ALU | BPF_OR | BPF_X:
702 A |= X;
703 continue;
704
705 case BPF_ALU | BPF_LSH | BPF_X:
706 A <<= X;
707 continue;
708
709 case BPF_ALU | BPF_RSH | BPF_X:
710 A >>= X;
711 continue;
712
713 case BPF_ALU | BPF_ADD | BPF_K:
714 A += pc->k;
715 continue;
716
717 case BPF_ALU | BPF_SUB | BPF_K:
718 A -= pc->k;
719 continue;
720
721 case BPF_ALU | BPF_MUL | BPF_K:
722 A *= pc->k;
723 continue;
724
725 case BPF_ALU | BPF_DIV | BPF_K:
726 A /= pc->k;
727 continue;
728
729 case BPF_ALU | BPF_AND | BPF_K:
730 A &= pc->k;
731 continue;
732
733 case BPF_ALU | BPF_OR | BPF_K:
734 A |= pc->k;
735 continue;
736
737 case BPF_ALU | BPF_LSH | BPF_K:
738 A <<= pc->k;
739 continue;
740
741 case BPF_ALU | BPF_RSH | BPF_K:
742 A >>= pc->k;
743 continue;
744
745 case BPF_ALU | BPF_NEG:
746 A = -A;
747 continue;
748
749 case BPF_MISC | BPF_TAX:
750 X = A;
751 continue;
752
753 case BPF_MISC | BPF_TXA:
754 A = X;
755 continue;
756 }
757 }
758}
759
760#ifdef KERNEL
761/*
762 * Return true if the 'fcode' is a valid filter program.
763 * The constraints are that each jump be forward and to a valid
764 * code, that memory accesses are within valid ranges (to the
765 * extent that this can be checked statically; loads of packet data
766 * have to be, and are, also checked at run time), and that
767 * the code terminates with either an accept or reject.
768 *
769 * The kernel needs to be able to verify an application's filter code.
770 * Otherwise, a bogus program could easily crash the system.
771 */
772int
773bpf_validate(const struct bpf_insn *f, int len)
774{
775 u_int i, from;
776 const struct bpf_insn *p;
777
778 if (len < 1 || len > BPF_MAXINSNS) {
779 return 0;
780 }
781
782 for (i = 0; i < ((u_int)len); ++i) {
783 p = &f[i];
784 switch (BPF_CLASS(p->code)) {
785 /*
786 * Check that memory operations use valid addresses
787 */
788 case BPF_LD:
789 case BPF_LDX:
790 switch (BPF_MODE(p->code)) {
791 case BPF_IMM:
792 break;
793 case BPF_ABS:
794 case BPF_IND:
795 case BPF_MSH:
796 /*
797 * More strict check with actual packet length
798 * is done runtime.
799 */
800 if (p->k >= bpf_maxbufsize) {
801 return 0;
802 }
803 break;
804 case BPF_MEM:
805 if (p->k >= BPF_MEMWORDS) {
806 return 0;
807 }
808 break;
809 case BPF_LEN:
810 break;
811 default:
812 return 0;
813 }
814 break;
815 case BPF_ST:
816 case BPF_STX:
817 if (p->k >= BPF_MEMWORDS) {
818 return 0;
819 }
820 break;
821 case BPF_ALU:
822 switch (BPF_OP(p->code)) {
823 case BPF_ADD:
824 case BPF_SUB:
825 case BPF_MUL:
826 case BPF_OR:
827 case BPF_AND:
828 case BPF_LSH:
829 case BPF_RSH:
830 case BPF_NEG:
831 break;
832 case BPF_DIV:
833 /*
834 * Check for constant division by 0
835 */
836 if (BPF_SRC(p->code) == BPF_K && p->k == 0) {
837 return 0;
838 }
839 break;
840 default:
841 return 0;
842 }
843 break;
844 case BPF_JMP:
845 /*
846 * Check that jumps are within the code block,
847 * and that unconditional branches don't go
848 * backwards as a result of an overflow.
849 * Unconditional branches have a 32-bit offset,
850 * so they could overflow; we check to make
851 * sure they don't. Conditional branches have
852 * an 8-bit offset, and the from address is
853 * less than equal to BPF_MAXINSNS, and we assume that
854 * BPF_MAXINSNS is sufficiently small that adding 255
855 * to it won't overlflow
856 *
857 * We know that len is <= BPF_MAXINSNS, and we
858 * assume that BPF_MAXINSNS is less than the maximum
859 * size of a u_int, so that i+1 doesn't overflow
860 */
861 from = i + 1;
862 switch (BPF_OP(p->code)) {
863 case BPF_JA:
864 if (from + p->k < from || from + p->k >= ((u_int)len)) {
865 return 0;
866 }
867 break;
868 case BPF_JEQ:
869 case BPF_JGT:
870 case BPF_JGE:
871 case BPF_JSET:
872 if (from + p->jt >= ((u_int)len) || from + p->jf >= ((u_int)len)) {
873 return 0;
874 }
875 break;
876 default:
877 return 0;
878 }
879 break;
880 case BPF_RET:
881 break;
882 case BPF_MISC:
883 break;
884 default:
885 return 0;
886 }
887 }
888 return BPF_CLASS(f[len - 1].code) == BPF_RET;
889}
890#endif
891