[apple/xnu.git] / bsd / net / bpf_filter.c

/*
 * Copyright (c) 2000-2017 Apple Inc. All rights reserved.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. The rights granted to you under the License
 * may not be used to create, or enable the creation or redistribution of,
 * unlawful or unlicensed copies of an Apple operating system, or to
 * circumvent, violate, or enable the circumvention or violation of, any
 * terms of an Apple operating system software license agreement.
 * 
 * Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */
/*
 * Copyright (c) 1990, 1991, 1993
 *	The Regents of the University of California.  All rights reserved.
 *
 * This code is derived from the Stanford/CMU enet packet filter,
 * (net/enet.c) distributed as part of 4.3BSD, and code contributed
 * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
 * Berkeley Laboratory.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *	This product includes software developed by the University of
 *	California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *      @(#)bpf_filter.c	8.1 (Berkeley) 6/10/93
 *
 * $FreeBSD: src/sys/net/bpf_filter.c,v 1.17 1999/12/29 04:38:31 peter Exp $
 */

#include <sys/param.h>
#include <string.h>

#ifdef sun
#include <netinet/in.h>
#endif

#if !defined(__i386__) && !defined(__x86_64__)
#define BPF_ALIGN 1
#else /* defined(__i386__) || defined(__x86_64__) */
#define BPF_ALIGN 0
#endif /* defined(__i386__) || defined(__x86_64__) */

#if !BPF_ALIGN
#define EXTRACT_SHORT(p)	((u_int16_t)ntohs(*(u_int16_t *)(void *)p))
#define EXTRACT_LONG(p)		(ntohl(*(u_int32_t *)(void *)p))
#else
#define EXTRACT_SHORT(p)\
	((u_int16_t)\
		((u_int16_t)*((u_char *)p+0)<<8|\
		 (u_int16_t)*((u_char *)p+1)<<0))
#define EXTRACT_LONG(p)\
		((u_int32_t)*((u_char *)p+0)<<24|\
		 (u_int32_t)*((u_char *)p+1)<<16|\
		 (u_int32_t)*((u_char *)p+2)<<8|\
		 (u_int32_t)*((u_char *)p+3)<<0)
#endif

#ifdef KERNEL
#include <sys/mbuf.h>
#endif
#include <net/bpf.h>
#ifdef KERNEL

extern unsigned int bpf_maxbufsize;

static inline u_int32_t
get_word_from_buffers(u_char * cp, u_char * np, int num_from_cp)
{
	u_int32_t	val;

	switch (num_from_cp) {
	case 1:
		val = ((u_int32_t)cp[0] << 24) |
			((u_int32_t)np[0] << 16) |
			((u_int32_t)np[1] << 8)  |
			(u_int32_t)np[2];
		break;

	case 2:
		val = ((u_int32_t)cp[0] << 24) |
			((u_int32_t)cp[1] << 16) |
			((u_int32_t)np[0] << 8) |
			(u_int32_t)np[1];
		break;
	default:
		val = ((u_int32_t)cp[0] << 24) |
			((u_int32_t)cp[1] << 16) |
			((u_int32_t)cp[2] << 8) |
			(u_int32_t)np[0];
		break;
	}
	return (val);
}

static u_char *
m_hdr_offset(struct mbuf **m_p, void * hdr, size_t hdrlen, bpf_u_int32 * k_p,
    size_t * len_p)
{
	u_char	*cp;
	bpf_u_int32 k = *k_p;
	size_t len;

	if (k >= hdrlen) {
		struct mbuf *m = *m_p;

		/* there's no header or the offset we want is past the header */
		k -= hdrlen;
		len = m->m_len;
		while (k >= len) {
			k -= len;
			m = m->m_next;
			if (m == NULL)
				return (NULL);
			len = m->m_len;
		}
		cp = mtod(m, u_char *) + k;

		/* return next mbuf, in case it's needed */
		*m_p = m->m_next;

		/* update the offset */
		*k_p = k;
	} else {
		len = hdrlen;
		cp = (u_char *)hdr + k;
	}
	*len_p = len;
	return (cp);
}

static u_int32_t
m_xword(struct mbuf *m, void * hdr, size_t hdrlen, bpf_u_int32 k, int *err)
{
	size_t len;
	u_char *cp, *np;

	cp = m_hdr_offset(&m, hdr, hdrlen, &k, &len);
	if (cp == NULL)
		goto bad;
	if (len - k >= 4) {
		*err = 0;
		return EXTRACT_LONG(cp);
	}
	if (m == 0 || m->m_len + len - k < 4)
		goto bad;
	*err = 0;
	np = mtod(m, u_char *);
	return get_word_from_buffers(cp, np, len - k);

    bad:
	*err = 1;
	return 0;
}

static u_int16_t
m_xhalf(struct mbuf *m, void * hdr, size_t hdrlen, bpf_u_int32 k, int *err)
{
	size_t len;
	u_char *cp;

	cp = m_hdr_offset(&m, hdr, hdrlen, &k, &len);
	if (cp == NULL)
		goto bad;
	if (len - k >= 2) {
		*err = 0;
		return EXTRACT_SHORT(cp);
	}
	if (m == 0)
		goto bad;
	*err = 0;
	return (cp[0] << 8) | mtod(m, u_char *)[0];
 bad:
	*err = 1;
	return 0;
}

static u_int8_t
m_xbyte(struct mbuf *m, void * hdr, size_t hdrlen, bpf_u_int32 k, int *err)
{
	size_t len;
	u_char *cp;

	cp = m_hdr_offset(&m, hdr, hdrlen, &k, &len);
	if (cp == NULL)
		goto bad;
	*err = 0;
	return (*cp);
 bad:
	*err = 1;
	return 0;

}


static u_int32_t
bp_xword(struct bpf_packet *bp, bpf_u_int32 k, int *err)
{
	void * 	hdr = bp->bpfp_header;
	size_t	hdrlen = bp->bpfp_header_length;

	switch (bp->bpfp_type) {
	case BPF_PACKET_TYPE_MBUF:
		return m_xword(bp->bpfp_mbuf, hdr, hdrlen, k, err);
	default:
		break;
	}
	*err = 1;
	return 0;

}

static u_int16_t
bp_xhalf(struct bpf_packet *bp, bpf_u_int32 k, int *err)
{
	void * 	hdr = bp->bpfp_header;
	size_t	hdrlen = bp->bpfp_header_length;

	switch (bp->bpfp_type) {
	case BPF_PACKET_TYPE_MBUF:
		return m_xhalf(bp->bpfp_mbuf, hdr, hdrlen, k, err);
	default:
		break;
	}
	*err = 1;
	return 0;

}

static u_int8_t
bp_xbyte(struct bpf_packet *bp, bpf_u_int32 k, int *err)
{
	void * 	hdr = bp->bpfp_header;
	size_t	hdrlen = bp->bpfp_header_length;

	switch (bp->bpfp_type) {
	case BPF_PACKET_TYPE_MBUF:
		return m_xbyte(bp->bpfp_mbuf, hdr, hdrlen, k, err);
	default:
		break;
	}
	*err = 1;
	return 0;

}

#endif

/*
 * Execute the filter program starting at pc on the packet p
 * wirelen is the length of the original packet
 * buflen is the amount of data present
 */
u_int
bpf_filter(const struct bpf_insn *pc, u_char *p, u_int wirelen, u_int buflen)
{
	u_int32_t A = 0, X = 0;
	bpf_u_int32 k;
	int32_t mem[BPF_MEMWORDS];
#ifdef KERNEL
	int merr;
	struct bpf_packet * bp = (struct bpf_packet *)(void *)p;
#endif /* KERNEL */

	bzero(mem, sizeof(mem));

	if (pc == 0)
		/*
		 * No filter means accept all.
		 */
		return (u_int)-1;

	--pc;
	while (1) {
		++pc;
		switch (pc->code) {

		default:
#ifdef KERNEL
			return 0;
#else /* KERNEL */
			abort();
#endif /* KERNEL */
		case BPF_RET|BPF_K:
			return (u_int)pc->k;

		case BPF_RET|BPF_A:
			return (u_int)A;

		case BPF_LD|BPF_W|BPF_ABS:
			k = pc->k;
			if (k > buflen || sizeof(int32_t) > buflen - k) {
#ifdef KERNEL
				if (buflen != 0)
					return 0;
				A = bp_xword(bp, k, &merr);
				if (merr != 0)
					return 0;
				continue;
#else /* KERNEL */
				return 0;
#endif /* KERNEL */
			}
#if BPF_ALIGN
			if (((intptr_t)(p + k) & 3) != 0)
				A = EXTRACT_LONG(&p[k]);
			else
#endif /* BPF_ALIGN */
				A = ntohl(*(int32_t *)(void *)(p + k));
			continue;

		case BPF_LD|BPF_H|BPF_ABS:
			k = pc->k;
			if (k > buflen || sizeof(int16_t) > buflen - k) {
#ifdef KERNEL
				if (buflen != 0)
					return 0;
				A = bp_xhalf(bp, k, &merr);
				if (merr != 0)
					return 0;
				continue;
#else /* KERNEL */
				return 0;
#endif /* KERNEL */
			}
			A = EXTRACT_SHORT(&p[k]);
			continue;

		case BPF_LD|BPF_B|BPF_ABS:
			k = pc->k;
			if (k >= buflen) {
#ifdef KERNEL
				if (buflen != 0)
					return 0;
				A = bp_xbyte(bp, k, &merr);
				if (merr != 0)
					return 0;
				continue;
#else /* KERNEL */
				return 0;
#endif /* KERNEL */
			}
			A = p[k];
			continue;

		case BPF_LD|BPF_W|BPF_LEN:
			A = wirelen;
			continue;

		case BPF_LDX|BPF_W|BPF_LEN:
			X = wirelen;
			continue;

		case BPF_LD|BPF_W|BPF_IND:
			k = X + pc->k;
			if (pc->k > buflen || X > buflen - pc->k ||
			    sizeof(int32_t) > buflen - k) {
#ifdef KERNEL
				if (buflen != 0)
					return 0;
				A = bp_xword(bp, k, &merr);
				if (merr != 0)
					return 0;
				continue;
#else /* KERNEL */
				return 0;
#endif /* KERNEL */
			}
#if BPF_ALIGN
			if (((intptr_t)(p + k) & 3) != 0)
				A = EXTRACT_LONG(&p[k]);
			else
#endif /* BPF_ALIGN */
				A = ntohl(*(int32_t *)(void *)(p + k));
			continue;

		case BPF_LD|BPF_H|BPF_IND:
			k = X + pc->k;
			if (X > buflen || pc->k > buflen - X ||
			    sizeof(int16_t) > buflen - k) {
#ifdef KERNEL
				if (buflen != 0)
					return 0;
				A = bp_xhalf(bp, k, &merr);
				if (merr != 0)
					return 0;
				continue;
#else /* KERNEL */
				return 0;
#endif /* KERNEL */
			}
			A = EXTRACT_SHORT(&p[k]);
			continue;

		case BPF_LD|BPF_B|BPF_IND:
			k = X + pc->k;
			if (pc->k >= buflen || X >= buflen - pc->k) {
#ifdef KERNEL
				if (buflen != 0)
					return 0;
				A = bp_xbyte(bp, k, &merr);
				if (merr != 0)
					return 0;
				continue;
#else /* KERNEL */
				return 0;
#endif /* KERNEL */
			}
			A = p[k];
			continue;

		case BPF_LDX|BPF_MSH|BPF_B:
			k = pc->k;
			if (k >= buflen) {
#ifdef KERNEL
				if (buflen != 0)
					return 0;
				X = bp_xbyte(bp, k, &merr);
				if (merr != 0)
					return 0;
				X = (X & 0xf) << 2;
				continue;
#else
				return 0;
#endif
			}
			X = (p[pc->k] & 0xf) << 2;
			continue;

		case BPF_LD|BPF_IMM:
			A = pc->k;
			continue;

		case BPF_LDX|BPF_IMM:
			X = pc->k;
			continue;

		case BPF_LD|BPF_MEM:
			A = mem[pc->k];
			continue;

		case BPF_LDX|BPF_MEM:
			X = mem[pc->k];
			continue;

		case BPF_ST:
			if (pc->k >= BPF_MEMWORDS)
				return 0;
			mem[pc->k] = A;
			continue;

		case BPF_STX:
			if (pc->k >= BPF_MEMWORDS)
				return 0;
			mem[pc->k] = X;
			continue;

		case BPF_JMP|BPF_JA:
			pc += pc->k;
			continue;

		case BPF_JMP|BPF_JGT|BPF_K:
			pc += (A > pc->k) ? pc->jt : pc->jf;
			continue;

		case BPF_JMP|BPF_JGE|BPF_K:
			pc += (A >= pc->k) ? pc->jt : pc->jf;
			continue;

		case BPF_JMP|BPF_JEQ|BPF_K:
			pc += (A == pc->k) ? pc->jt : pc->jf;
			continue;

		case BPF_JMP|BPF_JSET|BPF_K:
			pc += (A & pc->k) ? pc->jt : pc->jf;
			continue;

		case BPF_JMP|BPF_JGT|BPF_X:
			pc += (A > X) ? pc->jt : pc->jf;
			continue;

		case BPF_JMP|BPF_JGE|BPF_X:
			pc += (A >= X) ? pc->jt : pc->jf;
			continue;

		case BPF_JMP|BPF_JEQ|BPF_X:
			pc += (A == X) ? pc->jt : pc->jf;
			continue;

		case BPF_JMP|BPF_JSET|BPF_X:
			pc += (A & X) ? pc->jt : pc->jf;
			continue;

		case BPF_ALU|BPF_ADD|BPF_X:
			A += X;
			continue;

		case BPF_ALU|BPF_SUB|BPF_X:
			A -= X;
			continue;

		case BPF_ALU|BPF_MUL|BPF_X:
			A *= X;
			continue;

		case BPF_ALU|BPF_DIV|BPF_X:
			if (X == 0)
				return 0;
			A /= X;
			continue;

		case BPF_ALU|BPF_AND|BPF_X:
			A &= X;
			continue;

		case BPF_ALU|BPF_OR|BPF_X:
			A |= X;
			continue;

		case BPF_ALU|BPF_LSH|BPF_X:
			A <<= X;
			continue;

		case BPF_ALU|BPF_RSH|BPF_X:
			A >>= X;
			continue;

		case BPF_ALU|BPF_ADD|BPF_K:
			A += pc->k;
			continue;

		case BPF_ALU|BPF_SUB|BPF_K:
			A -= pc->k;
			continue;

		case BPF_ALU|BPF_MUL|BPF_K:
			A *= pc->k;
			continue;

		case BPF_ALU|BPF_DIV|BPF_K:
			A /= pc->k;
			continue;

		case BPF_ALU|BPF_AND|BPF_K:
			A &= pc->k;
			continue;

		case BPF_ALU|BPF_OR|BPF_K:
			A |= pc->k;
			continue;

		case BPF_ALU|BPF_LSH|BPF_K:
			A <<= pc->k;
			continue;

		case BPF_ALU|BPF_RSH|BPF_K:
			A >>= pc->k;
			continue;

		case BPF_ALU|BPF_NEG:
			A = -A;
			continue;

		case BPF_MISC|BPF_TAX:
			X = A;
			continue;

		case BPF_MISC|BPF_TXA:
			A = X;
			continue;
		}
	}
}

#ifdef KERNEL
/*
 * Return true if the 'fcode' is a valid filter program.
 * The constraints are that each jump be forward and to a valid
 * code, that memory accesses are within valid ranges (to the 
 * extent that this can be checked statically; loads of packet data
 * have to be, and are, also checked at run time), and that
 * the code terminates with either an accept or reject.
 *
 * The kernel needs to be able to verify an application's filter code.
 * Otherwise, a bogus program could easily crash the system.
 */
int
bpf_validate(const struct bpf_insn *f, int len)
{
	u_int i, from;
	const struct bpf_insn *p;

	if (len < 1 || len > BPF_MAXINSNS)
		return 0;
	
	for (i = 0; i < ((u_int)len); ++i) {
		p = &f[i];
		switch (BPF_CLASS(p->code)) {
			/*
			 * Check that memory operations use valid addresses
			 */
			case BPF_LD:
			case BPF_LDX:
				switch (BPF_MODE(p->code)) {
					case BPF_IMM:
						break;
					case BPF_ABS:
					case BPF_IND:
					case BPF_MSH:
						/*
						 * More strict check with actual packet length
						 * is done runtime.
						 */
						if (p->k >= bpf_maxbufsize)
							return 0;
						break;
					case BPF_MEM:
						if (p->k >= BPF_MEMWORDS)
							return 0;
						break;
					case BPF_LEN:
						break;
					default:
						return 0;
				}
				break;
			case BPF_ST:
			case BPF_STX:
				if (p->k >= BPF_MEMWORDS)
					return 0;
				break;
			case BPF_ALU:
				switch (BPF_OP(p->code)) {
					case BPF_ADD:
					case BPF_SUB:
					case BPF_MUL:
					case BPF_OR:
					case BPF_AND:
					case BPF_LSH:
					case BPF_RSH:
					case BPF_NEG:
						break;
					case BPF_DIV:
						/* 
						 * Check for constant division by 0
						 */
						if(BPF_SRC(p->code) == BPF_K && p->k == 0)
							return 0;
						break;
					default:
						return 0;
				}
				break;
			case BPF_JMP:
				/*
				 * Check that jumps are within the code block,
				 * and that unconditional branches don't go 
				 * backwards as a result of an overflow.
				 * Unconditional branches have a 32-bit offset,
				 * so they could overflow; we check to make 
				 * sure they don't. Conditional branches have 
				 * an 8-bit offset, and the from address is 
				 * less than equal to BPF_MAXINSNS, and we assume that
				 * BPF_MAXINSNS is sufficiently small that adding 255 
				 * to it won't overlflow
				 *
				 * We know that len is <= BPF_MAXINSNS, and we 
				 * assume that BPF_MAXINSNS is less than the maximum 
				 * size of a u_int, so that i+1 doesn't overflow
				 */
				from = i+1;
				switch (BPF_OP(p->code)) {
					case BPF_JA:
						if (from + p->k < from || from + p->k >= ((u_int)len))
							return 0;
						break;
					case BPF_JEQ:
					case BPF_JGT:
					case BPF_JGE:
					case BPF_JSET:
						if (from + p->jt >= ((u_int)len) || from + p->jf >= ((u_int)len))
							return 0;
						break;
					default:
						return 0;
				}
				break;
			case BPF_RET:
				break;
			case BPF_MISC:
				break;
			default:
				return 0;
		}
	}
		return BPF_CLASS(f[len - 1].code) == BPF_RET;
}
#endif
Commit	Line	Data
1c79356b	1	/*
5ba3f43e	2	* Copyright (c) 2000-2017 Apple Inc. All rights reserved.
5d5c5d0d	3	*
2d21ac55	4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
1c79356b	5	*
2d21ac55 A	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. The rights granted to you under the License
	10	* may not be used to create, or enable the creation or redistribution of,
	11	* unlawful or unlicensed copies of an Apple operating system, or to
	12	* circumvent, violate, or enable the circumvention or violation of, any
	13	* terms of an Apple operating system software license agreement.
8f6c56a5	14	*
2d21ac55 A	15	* Please obtain a copy of the License at
	16	* http://www.opensource.apple.com/apsl/ and read it before using this file.
	17	*
	18	* The Original Code and all software distributed under the License are
	19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
8f6c56a5 A	20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
8f6c56a5 A	21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
2d21ac55 A	22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	23	* Please see the License for the specific language governing rights and
	24	* limitations under the License.
8f6c56a5	25	*
2d21ac55	26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
1c79356b A	27	*/
	28	/*
	29	* Copyright (c) 1990, 1991, 1993
	30	* The Regents of the University of California. All rights reserved.
	31	*
	32	* This code is derived from the Stanford/CMU enet packet filter,
	33	* (net/enet.c) distributed as part of 4.3BSD, and code contributed
	34	* to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
	35	* Berkeley Laboratory.
	36	*
	37	* Redistribution and use in source and binary forms, with or without
	38	* modification, are permitted provided that the following conditions
	39	* are met:
	40	* 1. Redistributions of source code must retain the above copyright
	41	* notice, this list of conditions and the following disclaimer.
	42	* 2. Redistributions in binary form must reproduce the above copyright
	43	* notice, this list of conditions and the following disclaimer in the
	44	* documentation and/or other materials provided with the distribution.
	45	* 3. All advertising materials mentioning features or use of this software
	46	* must display the following acknowledgement:
	47	* This product includes software developed by the University of
	48	* California, Berkeley and its contributors.
	49	* 4. Neither the name of the University nor the names of its contributors
	50	* may be used to endorse or promote products derived from this software
	51	* without specific prior written permission.
	52	*
	53	* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
	54	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	55	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	56	* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
	57	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	58	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	59	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	60	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	61	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	62	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	63	* SUCH DAMAGE.
	64	*
	65	* @(#)bpf_filter.c 8.1 (Berkeley) 6/10/93
	66	*
9bccf70c	67	* $FreeBSD: src/sys/net/bpf_filter.c,v 1.17 1999/12/29 04:38:31 peter Exp $
1c79356b A	68	*/
	69
	70	#include <sys/param.h>
316670eb	71	#include <string.h>
1c79356b A	72
	73	#ifdef sun
	74	#include <netinet/in.h>
	75	#endif
	76
316670eb A	77	#if !defined(__i386__) && !defined(__x86_64__)
	78	#define BPF_ALIGN 1
	79	#else /* defined(__i386__) \|\| defined(__x86_64__) */
	80	#define BPF_ALIGN 0
	81	#endif /* defined(__i386__) \|\| defined(__x86_64__) */
1c79356b	82
316670eb A	83	#if !BPF_ALIGN
	84	#define EXTRACT_SHORT(p) ((u_int16_t)ntohs((u_int16_t )(void *)p))
	85	#define EXTRACT_LONG(p) (ntohl((u_int32_t )(void *)p))
1c79356b A	86	#else
	87	#define EXTRACT_SHORT(p)\
	88	((u_int16_t)\
	89	((u_int16_t)((u_char )p+0)<<8\|\
	90	(u_int16_t)((u_char )p+1)<<0))
	91	#define EXTRACT_LONG(p)\
	92	((u_int32_t)((u_char )p+0)<<24\|\
	93	(u_int32_t)((u_char )p+1)<<16\|\
	94	(u_int32_t)((u_char )p+2)<<8\|\
	95	(u_int32_t)((u_char )p+3)<<0)
	96	#endif
	97
	98	#ifdef KERNEL
	99	#include <sys/mbuf.h>
	100	#endif
	101	#include <net/bpf.h>
	102	#ifdef KERNEL
1c79356b	103
6d2010ae A	104	extern unsigned int bpf_maxbufsize;
6d2010ae A	105
5ba3f43e A	106	static inline u_int32_t
	107	get_word_from_buffers(u_char * cp, u_char * np, int num_from_cp)
	108	{
	109	u_int32_t val;
1c79356b	110
5ba3f43e A	111	switch (num_from_cp) {
	112	case 1:
	113	val = ((u_int32_t)cp[0] << 24) \|
	114	((u_int32_t)np[0] << 16) \|
	115	((u_int32_t)np[1] << 8) \|
	116	(u_int32_t)np[2];
	117	break;
	118
	119	case 2:
	120	val = ((u_int32_t)cp[0] << 24) \|
	121	((u_int32_t)cp[1] << 16) \|
	122	((u_int32_t)np[0] << 8) \|
	123	(u_int32_t)np[1];
	124	break;
	125	default:
	126	val = ((u_int32_t)cp[0] << 24) \|
	127	((u_int32_t)cp[1] << 16) \|
	128	((u_int32_t)cp[2] << 8) \|
	129	(u_int32_t)np[0];
	130	break;
	131	}
	132	return (val);
	133	}
	134
	135	static u_char *
	136	m_hdr_offset(struct mbuf *m_p, void hdr, size_t hdrlen, bpf_u_int32 * k_p,
	137	size_t * len_p)
1c79356b	138	{
5ba3f43e A	139	u_char *cp;
5ba3f43e A	140	bpf_u_int32 k = *k_p;
39037602	141	size_t len;
5ba3f43e A	142
	143	if (k >= hdrlen) {
	144	struct mbuf m = m_p;
	145
	146	/* there's no header or the offset we want is past the header */
	147	k -= hdrlen;
1c79356b	148	len = m->m_len;
5ba3f43e A	149	while (k >= len) {
	150	k -= len;
	151	m = m->m_next;
	152	if (m == NULL)
	153	return (NULL);
	154	len = m->m_len;
	155	}
	156	cp = mtod(m, u_char *) + k;
	157
	158	/* return next mbuf, in case it's needed */
	159	*m_p = m->m_next;
	160
	161	/* update the offset */
	162	*k_p = k;
	163	} else {
	164	len = hdrlen;
	165	cp = (u_char *)hdr + k;
1c79356b	166	}
5ba3f43e A	167	*len_p = len;
	168	return (cp);
	169	}
	170
	171	static u_int32_t
	172	m_xword(struct mbuf m, void hdr, size_t hdrlen, bpf_u_int32 k, int *err)
	173	{
	174	size_t len;
	175	u_char cp, np;
	176
	177	cp = m_hdr_offset(&m, hdr, hdrlen, &k, &len);
	178	if (cp == NULL)
	179	goto bad;
1c79356b A	180	if (len - k >= 4) {
	181	*err = 0;
	182	return EXTRACT_LONG(cp);
	183	}
5ba3f43e	184	if (m == 0 \|\| m->m_len + len - k < 4)
1c79356b A	185	goto bad;
1c79356b A	186	*err = 0;
5ba3f43e A	187	np = mtod(m, u_char *);
5ba3f43e A	188	return get_word_from_buffers(cp, np, len - k);
1c79356b	189
1c79356b A	190	bad:
	191	*err = 1;
	192	return 0;
	193	}
	194
	195	static u_int16_t
5ba3f43e	196	m_xhalf(struct mbuf m, void hdr, size_t hdrlen, bpf_u_int32 k, int *err)
1c79356b	197	{
39037602 A	198	size_t len;
39037602 A	199	u_char *cp;
5ba3f43e A	200
	201	cp = m_hdr_offset(&m, hdr, hdrlen, &k, &len);
	202	if (cp == NULL)
	203	goto bad;
1c79356b A	204	if (len - k >= 2) {
	205	*err = 0;
	206	return EXTRACT_SHORT(cp);
	207	}
5ba3f43e A	208	if (m == 0)
	209	goto bad;
	210	*err = 0;
	211	return (cp[0] << 8) \| mtod(m, u_char *)[0];
	212	bad:
	213	*err = 1;
	214	return 0;
	215	}
	216
	217	static u_int8_t
	218	m_xbyte(struct mbuf m, void hdr, size_t hdrlen, bpf_u_int32 k, int *err)
	219	{
	220	size_t len;
	221	u_char *cp;
	222
	223	cp = m_hdr_offset(&m, hdr, hdrlen, &k, &len);
	224	if (cp == NULL)
1c79356b A	225	goto bad;
1c79356b A	226	*err = 0;
5ba3f43e	227	return (*cp);
1c79356b A	228	bad:
	229	*err = 1;
	230	return 0;
5ba3f43e A	231
	232	}
	233
	234
	235	static u_int32_t
	236	bp_xword(struct bpf_packet bp, bpf_u_int32 k, int err)
	237	{
	238	void * hdr = bp->bpfp_header;
	239	size_t hdrlen = bp->bpfp_header_length;
	240
	241	switch (bp->bpfp_type) {
	242	case BPF_PACKET_TYPE_MBUF:
	243	return m_xword(bp->bpfp_mbuf, hdr, hdrlen, k, err);
	244	default:
	245	break;
	246	}
	247	*err = 1;
	248	return 0;
	249
	250	}
	251
	252	static u_int16_t
	253	bp_xhalf(struct bpf_packet bp, bpf_u_int32 k, int err)
	254	{
	255	void * hdr = bp->bpfp_header;
	256	size_t hdrlen = bp->bpfp_header_length;
	257
	258	switch (bp->bpfp_type) {
	259	case BPF_PACKET_TYPE_MBUF:
	260	return m_xhalf(bp->bpfp_mbuf, hdr, hdrlen, k, err);
	261	default:
	262	break;
	263	}
	264	*err = 1;
	265	return 0;
	266
1c79356b	267	}
5ba3f43e A	268
	269	static u_int8_t
	270	bp_xbyte(struct bpf_packet bp, bpf_u_int32 k, int err)
	271	{
	272	void * hdr = bp->bpfp_header;
	273	size_t hdrlen = bp->bpfp_header_length;
	274
	275	switch (bp->bpfp_type) {
	276	case BPF_PACKET_TYPE_MBUF:
	277	return m_xbyte(bp->bpfp_mbuf, hdr, hdrlen, k, err);
	278	default:
	279	break;
	280	}
	281	*err = 1;
	282	return 0;
	283
	284	}
	285
1c79356b A	286	#endif
	287
	288	/*
	289	* Execute the filter program starting at pc on the packet p
	290	* wirelen is the length of the original packet
	291	* buflen is the amount of data present
	292	*/
	293	u_int
91447636	294	bpf_filter(const struct bpf_insn pc, u_char p, u_int wirelen, u_int buflen)
1c79356b	295	{
39037602 A	296	u_int32_t A = 0, X = 0;
39037602 A	297	bpf_u_int32 k;
1c79356b	298	int32_t mem[BPF_MEMWORDS];
5ba3f43e A	299	#ifdef KERNEL
	300	int merr;
	301	struct bpf_packet * bp = (struct bpf_packet )(void )p;
	302	#endif /* KERNEL */
1c79356b	303
316670eb A	304	bzero(mem, sizeof(mem));
316670eb A	305
1c79356b A	306	if (pc == 0)
	307	/*
	308	* No filter means accept all.
	309	*/
	310	return (u_int)-1;
	311
	312	--pc;
	313	while (1) {
	314	++pc;
	315	switch (pc->code) {
	316
	317	default:
	318	#ifdef KERNEL
	319	return 0;
5ba3f43e	320	#else /* KERNEL */
1c79356b	321	abort();
5ba3f43e	322	#endif /* KERNEL */
1c79356b A	323	case BPF_RET\|BPF_K:
	324	return (u_int)pc->k;
	325
	326	case BPF_RET\|BPF_A:
	327	return (u_int)A;
	328
	329	case BPF_LD\|BPF_W\|BPF_ABS:
	330	k = pc->k;
	331	if (k > buflen \|\| sizeof(int32_t) > buflen - k) {
	332	#ifdef KERNEL
1c79356b A	333	if (buflen != 0)
1c79356b A	334	return 0;
5ba3f43e	335	A = bp_xword(bp, k, &merr);
1c79356b A	336	if (merr != 0)
	337	return 0;
	338	continue;
5ba3f43e	339	#else /* KERNEL */
1c79356b	340	return 0;
5ba3f43e	341	#endif /* KERNEL */
1c79356b A	342	}
	343	#if BPF_ALIGN
	344	if (((intptr_t)(p + k) & 3) != 0)
	345	A = EXTRACT_LONG(&p[k]);
	346	else
5ba3f43e	347	#endif /* BPF_ALIGN */
316670eb	348	A = ntohl((int32_t )(void *)(p + k));
1c79356b A	349	continue;
	350
	351	case BPF_LD\|BPF_H\|BPF_ABS:
	352	k = pc->k;
	353	if (k > buflen \|\| sizeof(int16_t) > buflen - k) {
	354	#ifdef KERNEL
1c79356b A	355	if (buflen != 0)
1c79356b A	356	return 0;
5ba3f43e A	357	A = bp_xhalf(bp, k, &merr);
	358	if (merr != 0)
	359	return 0;
1c79356b	360	continue;
5ba3f43e	361	#else /* KERNEL */
1c79356b	362	return 0;
5ba3f43e	363	#endif /* KERNEL */
1c79356b A	364	}
	365	A = EXTRACT_SHORT(&p[k]);
	366	continue;
	367
	368	case BPF_LD\|BPF_B\|BPF_ABS:
	369	k = pc->k;
	370	if (k >= buflen) {
	371	#ifdef KERNEL
1c79356b A	372	if (buflen != 0)
1c79356b A	373	return 0;
5ba3f43e A	374	A = bp_xbyte(bp, k, &merr);
	375	if (merr != 0)
	376	return 0;
1c79356b	377	continue;
5ba3f43e	378	#else /* KERNEL */
1c79356b	379	return 0;
5ba3f43e	380	#endif /* KERNEL */
1c79356b A	381	}
	382	A = p[k];
	383	continue;
	384
	385	case BPF_LD\|BPF_W\|BPF_LEN:
	386	A = wirelen;
	387	continue;
	388
	389	case BPF_LDX\|BPF_W\|BPF_LEN:
	390	X = wirelen;
	391	continue;
	392
	393	case BPF_LD\|BPF_W\|BPF_IND:
	394	k = X + pc->k;
9bccf70c A	395	if (pc->k > buflen \|\| X > buflen - pc->k \|\|
9bccf70c A	396	sizeof(int32_t) > buflen - k) {
1c79356b	397	#ifdef KERNEL
1c79356b A	398	if (buflen != 0)
1c79356b A	399	return 0;
5ba3f43e	400	A = bp_xword(bp, k, &merr);
1c79356b A	401	if (merr != 0)
	402	return 0;
	403	continue;
5ba3f43e	404	#else /* KERNEL */
1c79356b	405	return 0;
5ba3f43e	406	#endif /* KERNEL */
1c79356b A	407	}
	408	#if BPF_ALIGN
	409	if (((intptr_t)(p + k) & 3) != 0)
	410	A = EXTRACT_LONG(&p[k]);
	411	else
5ba3f43e	412	#endif /* BPF_ALIGN */
316670eb	413	A = ntohl((int32_t )(void *)(p + k));
1c79356b A	414	continue;
	415
	416	case BPF_LD\|BPF_H\|BPF_IND:
	417	k = X + pc->k;
9bccf70c A	418	if (X > buflen \|\| pc->k > buflen - X \|\|
9bccf70c A	419	sizeof(int16_t) > buflen - k) {
1c79356b	420	#ifdef KERNEL
1c79356b A	421	if (buflen != 0)
1c79356b A	422	return 0;
5ba3f43e	423	A = bp_xhalf(bp, k, &merr);
1c79356b A	424	if (merr != 0)
	425	return 0;
	426	continue;
5ba3f43e	427	#else /* KERNEL */
1c79356b	428	return 0;
5ba3f43e	429	#endif /* KERNEL */
1c79356b A	430	}
	431	A = EXTRACT_SHORT(&p[k]);
	432	continue;
	433
	434	case BPF_LD\|BPF_B\|BPF_IND:
	435	k = X + pc->k;
	436	if (pc->k >= buflen \|\| X >= buflen - pc->k) {
	437	#ifdef KERNEL
1c79356b A	438	if (buflen != 0)
1c79356b A	439	return 0;
5ba3f43e A	440	A = bp_xbyte(bp, k, &merr);
	441	if (merr != 0)
	442	return 0;
1c79356b	443	continue;
5ba3f43e	444	#else /* KERNEL */
1c79356b	445	return 0;
5ba3f43e	446	#endif /* KERNEL */
1c79356b A	447	}
	448	A = p[k];
	449	continue;
	450
	451	case BPF_LDX\|BPF_MSH\|BPF_B:
	452	k = pc->k;
	453	if (k >= buflen) {
	454	#ifdef KERNEL
1c79356b A	455	if (buflen != 0)
1c79356b A	456	return 0;
5ba3f43e A	457	X = bp_xbyte(bp, k, &merr);
	458	if (merr != 0)
	459	return 0;
	460	X = (X & 0xf) << 2;
1c79356b A	461	continue;
	462	#else
	463	return 0;
	464	#endif
	465	}
	466	X = (p[pc->k] & 0xf) << 2;
	467	continue;
	468
	469	case BPF_LD\|BPF_IMM:
	470	A = pc->k;
	471	continue;
	472
	473	case BPF_LDX\|BPF_IMM:
	474	X = pc->k;
	475	continue;
	476
	477	case BPF_LD\|BPF_MEM:
	478	A = mem[pc->k];
	479	continue;
	480
	481	case BPF_LDX\|BPF_MEM:
	482	X = mem[pc->k];
	483	continue;
	484
	485	case BPF_ST:
39236c6e A	486	if (pc->k >= BPF_MEMWORDS)
39236c6e A	487	return 0;
1c79356b A	488	mem[pc->k] = A;
	489	continue;
	490
	491	case BPF_STX:
39236c6e A	492	if (pc->k >= BPF_MEMWORDS)
39236c6e A	493	return 0;
1c79356b A	494	mem[pc->k] = X;
	495	continue;
	496
	497	case BPF_JMP\|BPF_JA:
	498	pc += pc->k;
	499	continue;
	500
	501	case BPF_JMP\|BPF_JGT\|BPF_K:
	502	pc += (A > pc->k) ? pc->jt : pc->jf;
	503	continue;
	504
	505	case BPF_JMP\|BPF_JGE\|BPF_K:
	506	pc += (A >= pc->k) ? pc->jt : pc->jf;
	507	continue;
	508
	509	case BPF_JMP\|BPF_JEQ\|BPF_K:
	510	pc += (A == pc->k) ? pc->jt : pc->jf;
	511	continue;
	512
	513	case BPF_JMP\|BPF_JSET\|BPF_K:
	514	pc += (A & pc->k) ? pc->jt : pc->jf;
	515	continue;
	516
	517	case BPF_JMP\|BPF_JGT\|BPF_X:
	518	pc += (A > X) ? pc->jt : pc->jf;
	519	continue;
	520
	521	case BPF_JMP\|BPF_JGE\|BPF_X:
	522	pc += (A >= X) ? pc->jt : pc->jf;
	523	continue;
	524
	525	case BPF_JMP\|BPF_JEQ\|BPF_X:
	526	pc += (A == X) ? pc->jt : pc->jf;
	527	continue;
	528
	529	case BPF_JMP\|BPF_JSET\|BPF_X:
	530	pc += (A & X) ? pc->jt : pc->jf;
	531	continue;
	532
	533	case BPF_ALU\|BPF_ADD\|BPF_X:
	534	A += X;
	535	continue;
	536
	537	case BPF_ALU\|BPF_SUB\|BPF_X:
	538	A -= X;
	539	continue;
	540
	541	case BPF_ALU\|BPF_MUL\|BPF_X:
	542	A *= X;
	543	continue;
	544
	545	case BPF_ALU\|BPF_DIV\|BPF_X:
	546	if (X == 0)
	547	return 0;
	548	A /= X;
	549	continue;
	550
	551	case BPF_ALU\|BPF_AND\|BPF_X:
	552	A &= X;
	553	continue;
	554
	555	case BPF_ALU\|BPF_OR\|BPF_X:
	556	A \|= X;
	557	continue;
558
559	case BPF_ALU\|BPF_LSH\|BPF_X:
560	A <<= X;
561	continue;
562
563	case BPF_ALU\|BPF_RSH\|BPF_X:
564	A >>= X;
565	continue;
566
567	case BPF_ALU\|BPF_ADD\|BPF_K:
568	A += pc->k;
569	continue;
570
571	case BPF_ALU\|BPF_SUB\|BPF_K:
572	A -= pc->k;
573	continue;
574
575	case BPF_ALU\|BPF_MUL\|BPF_K:
576	A *= pc->k;
577	continue;
578
579	case BPF_ALU\|BPF_DIV\|BPF_K:
580	A /= pc->k;
581	continue;
582
583	case BPF_ALU\|BPF_AND\|BPF_K:
584	A &= pc->k;
585	continue;
586
587	case BPF_ALU\|BPF_OR\|BPF_K:
588	A \|= pc->k;
589	continue;
590
591	case BPF_ALU\|BPF_LSH\|BPF_K:
592	A <<= pc->k;
593	continue;
594
595	case BPF_ALU\|BPF_RSH\|BPF_K:
596	A >>= pc->k;
597	continue;
598
599	case BPF_ALU\|BPF_NEG:
600	A = -A;
601	continue;
602
603	case BPF_MISC\|BPF_TAX:
604	X = A;
605	continue;
606
607	case BPF_MISC\|BPF_TXA:
608	A = X;
609	continue;
610	}
611	}
612	}
613
614	#ifdef KERNEL
615	/*
616	* Return true if the 'fcode' is a valid filter program.
617	* The constraints are that each jump be forward and to a valid
6d2010ae A	618	* code, that memory accesses are within valid ranges (to the
	619	* extent that this can be checked statically; loads of packet data
	620	* have to be, and are, also checked at run time), and that
	621	* the code terminates with either an accept or reject.
1c79356b A	622	*
	623	* The kernel needs to be able to verify an application's filter code.
	624	* Otherwise, a bogus program could easily crash the system.
	625	*/
	626	int
91447636	627	bpf_validate(const struct bpf_insn *f, int len)
1c79356b	628	{
6d2010ae	629	u_int i, from;
9bccf70c	630	const struct bpf_insn *p;
1c79356b	631
6d2010ae A	632	if (len < 1 \|\| len > BPF_MAXINSNS)
	633	return 0;
	634
	635	for (i = 0; i < ((u_int)len); ++i) {
1c79356b	636	p = &f[i];
6d2010ae A	637	switch (BPF_CLASS(p->code)) {
	638	/*
	639	* Check that memory operations use valid addresses
	640	*/
	641	case BPF_LD:
	642	case BPF_LDX:
	643	switch (BPF_MODE(p->code)) {
	644	case BPF_IMM:
	645	break;
	646	case BPF_ABS:
	647	case BPF_IND:
	648	case BPF_MSH:
	649	/*
	650	* More strict check with actual packet length
	651	* is done runtime.
	652	*/
	653	if (p->k >= bpf_maxbufsize)
	654	return 0;
	655	break;
	656	case BPF_MEM:
	657	if (p->k >= BPF_MEMWORDS)
	658	return 0;
	659	break;
	660	case BPF_LEN:
	661	break;
	662	default:
	663	return 0;
	664	}
	665	break;
	666	case BPF_ST:
	667	case BPF_STX:
	668	if (p->k >= BPF_MEMWORDS)
1c79356b	669	return 0;
6d2010ae A	670	break;
	671	case BPF_ALU:
	672	switch (BPF_OP(p->code)) {
	673	case BPF_ADD:
	674	case BPF_SUB:
	675	case BPF_MUL:
	676	case BPF_OR:
	677	case BPF_AND:
	678	case BPF_LSH:
	679	case BPF_RSH:
	680	case BPF_NEG:
	681	break;
	682	case BPF_DIV:
	683	/*
	684	* Check for constant division by 0
	685	*/
	686	if(BPF_SRC(p->code) == BPF_K && p->k == 0)
	687	return 0;
	688	break;
	689	default:
	690	return 0;
	691	}
	692	break;
	693	case BPF_JMP:
	694	/*
	695	* Check that jumps are within the code block,
	696	* and that unconditional branches don't go
	697	* backwards as a result of an overflow.
	698	* Unconditional branches have a 32-bit offset,
	699	* so they could overflow; we check to make
	700	* sure they don't. Conditional branches have
	701	* an 8-bit offset, and the from address is
	702	* less than equal to BPF_MAXINSNS, and we assume that
	703	* BPF_MAXINSNS is sufficiently small that adding 255
	704	* to it won't overlflow
	705	*
	706	* We know that len is <= BPF_MAXINSNS, and we
	707	* assume that BPF_MAXINSNS is less than the maximum
	708	* size of a u_int, so that i+1 doesn't overflow
	709	*/
	710	from = i+1;
	711	switch (BPF_OP(p->code)) {
	712	case BPF_JA:
	713	if (from + p->k < from \|\| from + p->k >= ((u_int)len))
	714	return 0;
	715	break;
	716	case BPF_JEQ:
	717	case BPF_JGT:
	718	case BPF_JGE:
	719	case BPF_JSET:
	720	if (from + p->jt >= ((u_int)len) \|\| from + p->jf >= ((u_int)len))
	721	return 0;
	722	break;
	723	default:
	724	return 0;
	725	}
	726	break;
	727	case BPF_RET:
	728	break;
	729	case BPF_MISC:
	730	break;
	731	default:
1c79356b A	732	return 0;
1c79356b A	733	}
1c79356b	734	}
6d2010ae	735	return BPF_CLASS(f[len - 1].code) == BPF_RET;
1c79356b A	736	}
1c79356b A	737	#endif