]> git.saurik.com Git - apple/xnu.git/blob - bsd/net/bpf_filter.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-7195.101.1.tar.gz
[apple/xnu.git] / bsd / net / bpf_filter.c
1 /*
2 * Copyright (c) 2000-2017 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28 /*
29 * Copyright (c) 1990, 1991, 1993
30 * The Regents of the University of California. All rights reserved.
31 *
32 * This code is derived from the Stanford/CMU enet packet filter,
33 * (net/enet.c) distributed as part of 4.3BSD, and code contributed
34 * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
35 * Berkeley Laboratory.
36 *
37 * Redistribution and use in source and binary forms, with or without
38 * modification, are permitted provided that the following conditions
39 * are met:
40 * 1. Redistributions of source code must retain the above copyright
41 * notice, this list of conditions and the following disclaimer.
42 * 2. Redistributions in binary form must reproduce the above copyright
43 * notice, this list of conditions and the following disclaimer in the
44 * documentation and/or other materials provided with the distribution.
45 * 3. All advertising materials mentioning features or use of this software
46 * must display the following acknowledgement:
47 * This product includes software developed by the University of
48 * California, Berkeley and its contributors.
49 * 4. Neither the name of the University nor the names of its contributors
50 * may be used to endorse or promote products derived from this software
51 * without specific prior written permission.
52 *
53 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
54 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
55 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
56 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
57 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
58 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
59 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
60 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
61 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
62 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
63 * SUCH DAMAGE.
64 *
65 * @(#)bpf_filter.c 8.1 (Berkeley) 6/10/93
66 *
67 * $FreeBSD: src/sys/net/bpf_filter.c,v 1.17 1999/12/29 04:38:31 peter Exp $
68 */
69
70 #include <sys/param.h>
71 #include <string.h>
72
73 #ifdef sun
74 #include <netinet/in.h>
75 #endif
76
77 #ifdef KERNEL
78 #include <sys/mbuf.h>
79 #endif
80 #include <net/bpf.h>
81 #ifdef KERNEL
82
83 extern unsigned int bpf_maxbufsize;
84
85 static inline u_int32_t
86 get_word_from_buffers(u_char * cp, u_char * np, size_t num_from_cp)
87 {
88 u_int32_t val;
89
90 switch (num_from_cp) {
91 case 1:
92 val = ((u_int32_t)cp[0] << 24) |
93 ((u_int32_t)np[0] << 16) |
94 ((u_int32_t)np[1] << 8) |
95 (u_int32_t)np[2];
96 break;
97
98 case 2:
99 val = ((u_int32_t)cp[0] << 24) |
100 ((u_int32_t)cp[1] << 16) |
101 ((u_int32_t)np[0] << 8) |
102 (u_int32_t)np[1];
103 break;
104 default:
105 val = ((u_int32_t)cp[0] << 24) |
106 ((u_int32_t)cp[1] << 16) |
107 ((u_int32_t)cp[2] << 8) |
108 (u_int32_t)np[0];
109 break;
110 }
111 return val;
112 }
113
114 static u_char *
115 m_hdr_offset(struct mbuf **m_p, void * hdr, size_t hdrlen, bpf_u_int32 * k_p,
116 size_t * len_p)
117 {
118 u_char *cp;
119 bpf_u_int32 k = *k_p;
120 size_t len;
121
122 if (k >= hdrlen) {
123 struct mbuf *m = *m_p;
124
125 /* there's no header or the offset we want is past the header */
126 k -= hdrlen;
127 len = m->m_len;
128 while (k >= len) {
129 k -= len;
130 m = m->m_next;
131 if (m == NULL) {
132 return NULL;
133 }
134 len = m->m_len;
135 }
136 cp = mtod(m, u_char *) + k;
137
138 /* return next mbuf, in case it's needed */
139 *m_p = m->m_next;
140
141 /* update the offset */
142 *k_p = k;
143 } else {
144 len = hdrlen;
145 cp = (u_char *)hdr + k;
146 }
147 *len_p = len;
148 return cp;
149 }
150
151 static u_int32_t
152 m_xword(struct mbuf *m, void * hdr, size_t hdrlen, bpf_u_int32 k, int *err)
153 {
154 size_t len;
155 u_char *cp, *np;
156
157 cp = m_hdr_offset(&m, hdr, hdrlen, &k, &len);
158 if (cp == NULL) {
159 goto bad;
160 }
161 if (len - k >= 4) {
162 *err = 0;
163 return EXTRACT_LONG(cp);
164 }
165 if (m == 0 || m->m_len + len - k < 4) {
166 goto bad;
167 }
168 *err = 0;
169 np = mtod(m, u_char *);
170 return get_word_from_buffers(cp, np, len - k);
171
172 bad:
173 *err = 1;
174 return 0;
175 }
176
177 static uint16_t
178 m_xhalf(struct mbuf *m, void * hdr, size_t hdrlen, bpf_u_int32 k, int *err)
179 {
180 size_t len;
181 u_char *cp;
182
183 cp = m_hdr_offset(&m, hdr, hdrlen, &k, &len);
184 if (cp == NULL) {
185 goto bad;
186 }
187 if (len - k >= 2) {
188 *err = 0;
189 return EXTRACT_SHORT(cp);
190 }
191 if (m == 0) {
192 goto bad;
193 }
194 *err = 0;
195 return (uint16_t)((cp[0] << 8) | mtod(m, u_char *)[0]);
196 bad:
197 *err = 1;
198 return 0;
199 }
200
201 static u_int8_t
202 m_xbyte(struct mbuf *m, void * hdr, size_t hdrlen, bpf_u_int32 k, int *err)
203 {
204 size_t len;
205 u_char *cp;
206
207 cp = m_hdr_offset(&m, hdr, hdrlen, &k, &len);
208 if (cp == NULL) {
209 goto bad;
210 }
211 *err = 0;
212 return *cp;
213 bad:
214 *err = 1;
215 return 0;
216 }
217
218
219 static u_int32_t
220 bp_xword(struct bpf_packet *bp, bpf_u_int32 k, int *err)
221 {
222 void * hdr = bp->bpfp_header;
223 size_t hdrlen = bp->bpfp_header_length;
224
225 switch (bp->bpfp_type) {
226 case BPF_PACKET_TYPE_MBUF:
227 return m_xword(bp->bpfp_mbuf, hdr, hdrlen, k, err);
228 default:
229 break;
230 }
231 *err = 1;
232 return 0;
233 }
234
235 static u_int16_t
236 bp_xhalf(struct bpf_packet *bp, bpf_u_int32 k, int *err)
237 {
238 void * hdr = bp->bpfp_header;
239 size_t hdrlen = bp->bpfp_header_length;
240
241 switch (bp->bpfp_type) {
242 case BPF_PACKET_TYPE_MBUF:
243 return m_xhalf(bp->bpfp_mbuf, hdr, hdrlen, k, err);
244 default:
245 break;
246 }
247 *err = 1;
248 return 0;
249 }
250
251 static u_int8_t
252 bp_xbyte(struct bpf_packet *bp, bpf_u_int32 k, int *err)
253 {
254 void * hdr = bp->bpfp_header;
255 size_t hdrlen = bp->bpfp_header_length;
256
257 switch (bp->bpfp_type) {
258 case BPF_PACKET_TYPE_MBUF:
259 return m_xbyte(bp->bpfp_mbuf, hdr, hdrlen, k, err);
260 default:
261 break;
262 }
263 *err = 1;
264 return 0;
265 }
266
267 #endif
268
269 /*
270 * Execute the filter program starting at pc on the packet p
271 * wirelen is the length of the original packet
272 * buflen is the amount of data present
273 */
274 u_int
275 bpf_filter(const struct bpf_insn *pc, u_char *p, u_int wirelen, u_int buflen)
276 {
277 u_int32_t A = 0, X = 0;
278 bpf_u_int32 k;
279 int32_t mem[BPF_MEMWORDS];
280 #ifdef KERNEL
281 int merr;
282 struct bpf_packet * bp = (struct bpf_packet *)(void *)p;
283 #endif /* KERNEL */
284
285 bzero(mem, sizeof(mem));
286
287 if (pc == 0) {
288 /*
289 * No filter means accept all.
290 */
291 return (u_int) - 1;
292 }
293
294 --pc;
295 while (1) {
296 ++pc;
297 switch (pc->code) {
298 default:
299 #ifdef KERNEL
300 return 0;
301 #else /* KERNEL */
302 abort();
303 #endif /* KERNEL */
304 case BPF_RET | BPF_K:
305 return (u_int)pc->k;
306
307 case BPF_RET | BPF_A:
308 return (u_int)A;
309
310 case BPF_LD | BPF_W | BPF_ABS:
311 k = pc->k;
312 if (k > buflen || sizeof(int32_t) > buflen - k) {
313 #ifdef KERNEL
314 if (buflen != 0) {
315 return 0;
316 }
317 A = bp_xword(bp, k, &merr);
318 if (merr != 0) {
319 return 0;
320 }
321 continue;
322 #else /* KERNEL */
323 return 0;
324 #endif /* KERNEL */
325 }
326 #if BPF_ALIGN
327 if (((intptr_t)(p + k) & 3) != 0) {
328 A = EXTRACT_LONG(&p[k]);
329 } else
330 #endif /* BPF_ALIGN */
331 A = ntohl(*(int32_t *)(void *)(p + k));
332 continue;
333
334 case BPF_LD | BPF_H | BPF_ABS:
335 k = pc->k;
336 if (k > buflen || sizeof(int16_t) > buflen - k) {
337 #ifdef KERNEL
338 if (buflen != 0) {
339 return 0;
340 }
341 A = bp_xhalf(bp, k, &merr);
342 if (merr != 0) {
343 return 0;
344 }
345 continue;
346 #else /* KERNEL */
347 return 0;
348 #endif /* KERNEL */
349 }
350 A = EXTRACT_SHORT(&p[k]);
351 continue;
352
353 case BPF_LD | BPF_B | BPF_ABS:
354 k = pc->k;
355 if (k >= buflen) {
356 #ifdef KERNEL
357 if (buflen != 0) {
358 return 0;
359 }
360 A = bp_xbyte(bp, k, &merr);
361 if (merr != 0) {
362 return 0;
363 }
364 continue;
365 #else /* KERNEL */
366 return 0;
367 #endif /* KERNEL */
368 }
369 A = p[k];
370 continue;
371
372 case BPF_LD | BPF_W | BPF_LEN:
373 A = wirelen;
374 continue;
375
376 case BPF_LDX | BPF_W | BPF_LEN:
377 X = wirelen;
378 continue;
379
380 case BPF_LD | BPF_W | BPF_IND:
381 k = X + pc->k;
382 if (pc->k > buflen || X > buflen - pc->k ||
383 sizeof(int32_t) > buflen - k) {
384 #ifdef KERNEL
385 if (buflen != 0) {
386 return 0;
387 }
388 A = bp_xword(bp, k, &merr);
389 if (merr != 0) {
390 return 0;
391 }
392 continue;
393 #else /* KERNEL */
394 return 0;
395 #endif /* KERNEL */
396 }
397 #if BPF_ALIGN
398 if (((intptr_t)(p + k) & 3) != 0) {
399 A = EXTRACT_LONG(&p[k]);
400 } else
401 #endif /* BPF_ALIGN */
402 A = ntohl(*(int32_t *)(void *)(p + k));
403 continue;
404
405 case BPF_LD | BPF_H | BPF_IND:
406 k = X + pc->k;
407 if (X > buflen || pc->k > buflen - X ||
408 sizeof(int16_t) > buflen - k) {
409 #ifdef KERNEL
410 if (buflen != 0) {
411 return 0;
412 }
413 A = bp_xhalf(bp, k, &merr);
414 if (merr != 0) {
415 return 0;
416 }
417 continue;
418 #else /* KERNEL */
419 return 0;
420 #endif /* KERNEL */
421 }
422 A = EXTRACT_SHORT(&p[k]);
423 continue;
424
425 case BPF_LD | BPF_B | BPF_IND:
426 k = X + pc->k;
427 if (pc->k >= buflen || X >= buflen - pc->k) {
428 #ifdef KERNEL
429 if (buflen != 0) {
430 return 0;
431 }
432 A = bp_xbyte(bp, k, &merr);
433 if (merr != 0) {
434 return 0;
435 }
436 continue;
437 #else /* KERNEL */
438 return 0;
439 #endif /* KERNEL */
440 }
441 A = p[k];
442 continue;
443
444 case BPF_LDX | BPF_MSH | BPF_B:
445 k = pc->k;
446 if (k >= buflen) {
447 #ifdef KERNEL
448 if (buflen != 0) {
449 return 0;
450 }
451 X = bp_xbyte(bp, k, &merr);
452 if (merr != 0) {
453 return 0;
454 }
455 X = (X & 0xf) << 2;
456 continue;
457 #else
458 return 0;
459 #endif
460 }
461 X = (p[pc->k] & 0xf) << 2;
462 continue;
463
464 case BPF_LD | BPF_IMM:
465 A = pc->k;
466 continue;
467
468 case BPF_LDX | BPF_IMM:
469 X = pc->k;
470 continue;
471
472 case BPF_LD | BPF_MEM:
473 if (pc->k >= BPF_MEMWORDS) {
474 return 0;
475 }
476 A = mem[pc->k];
477 continue;
478
479 case BPF_LDX | BPF_MEM:
480 if (pc->k >= BPF_MEMWORDS) {
481 return 0;
482 }
483 X = mem[pc->k];
484 continue;
485
486 case BPF_ST:
487 if (pc->k >= BPF_MEMWORDS) {
488 return 0;
489 }
490 mem[pc->k] = A;
491 continue;
492
493 case BPF_STX:
494 if (pc->k >= BPF_MEMWORDS) {
495 return 0;
496 }
497 mem[pc->k] = X;
498 continue;
499
500 case BPF_JMP | BPF_JA:
501 pc += pc->k;
502 continue;
503
504 case BPF_JMP | BPF_JGT | BPF_K:
505 pc += (A > pc->k) ? pc->jt : pc->jf;
506 continue;
507
508 case BPF_JMP | BPF_JGE | BPF_K:
509 pc += (A >= pc->k) ? pc->jt : pc->jf;
510 continue;
511
512 case BPF_JMP | BPF_JEQ | BPF_K:
513 pc += (A == pc->k) ? pc->jt : pc->jf;
514 continue;
515
516 case BPF_JMP | BPF_JSET | BPF_K:
517 pc += (A & pc->k) ? pc->jt : pc->jf;
518 continue;
519
520 case BPF_JMP | BPF_JGT | BPF_X:
521 pc += (A > X) ? pc->jt : pc->jf;
522 continue;
523
524 case BPF_JMP | BPF_JGE | BPF_X:
525 pc += (A >= X) ? pc->jt : pc->jf;
526 continue;
527
528 case BPF_JMP | BPF_JEQ | BPF_X:
529 pc += (A == X) ? pc->jt : pc->jf;
530 continue;
531
532 case BPF_JMP | BPF_JSET | BPF_X:
533 pc += (A & X) ? pc->jt : pc->jf;
534 continue;
535
536 case BPF_ALU | BPF_ADD | BPF_X:
537 A += X;
538 continue;
539
540 case BPF_ALU | BPF_SUB | BPF_X:
541 A -= X;
542 continue;
543
544 case BPF_ALU | BPF_MUL | BPF_X:
545 A *= X;
546 continue;
547
548 case BPF_ALU | BPF_DIV | BPF_X:
549 if (X == 0) {
550 return 0;
551 }
552 A /= X;
553 continue;
554
555 case BPF_ALU | BPF_AND | BPF_X:
556 A &= X;
557 continue;
558
559 case BPF_ALU | BPF_OR | BPF_X:
560 A |= X;
561 continue;
562
563 case BPF_ALU | BPF_LSH | BPF_X:
564 A <<= X;
565 continue;
566
567 case BPF_ALU | BPF_RSH | BPF_X:
568 A >>= X;
569 continue;
570
571 case BPF_ALU | BPF_ADD | BPF_K:
572 A += pc->k;
573 continue;
574
575 case BPF_ALU | BPF_SUB | BPF_K:
576 A -= pc->k;
577 continue;
578
579 case BPF_ALU | BPF_MUL | BPF_K:
580 A *= pc->k;
581 continue;
582
583 case BPF_ALU | BPF_DIV | BPF_K:
584 A /= pc->k;
585 continue;
586
587 case BPF_ALU | BPF_AND | BPF_K:
588 A &= pc->k;
589 continue;
590
591 case BPF_ALU | BPF_OR | BPF_K:
592 A |= pc->k;
593 continue;
594
595 case BPF_ALU | BPF_LSH | BPF_K:
596 A <<= pc->k;
597 continue;
598
599 case BPF_ALU | BPF_RSH | BPF_K:
600 A >>= pc->k;
601 continue;
602
603 case BPF_ALU | BPF_NEG:
604 A = -A;
605 continue;
606
607 case BPF_MISC | BPF_TAX:
608 X = A;
609 continue;
610
611 case BPF_MISC | BPF_TXA:
612 A = X;
613 continue;
614 }
615 }
616 }
617
618 #ifdef KERNEL
619 /*
620 * Return true if the 'fcode' is a valid filter program.
621 * The constraints are that each jump be forward and to a valid
622 * code, that memory accesses are within valid ranges (to the
623 * extent that this can be checked statically; loads of packet data
624 * have to be, and are, also checked at run time), and that
625 * the code terminates with either an accept or reject.
626 *
627 * The kernel needs to be able to verify an application's filter code.
628 * Otherwise, a bogus program could easily crash the system.
629 */
630 int
631 bpf_validate(const struct bpf_insn *f, int len)
632 {
633 u_int i, from;
634 const struct bpf_insn *p;
635
636 if (len < 1 || len > BPF_MAXINSNS) {
637 return 0;
638 }
639
640 for (i = 0; i < ((u_int)len); ++i) {
641 p = &f[i];
642 switch (BPF_CLASS(p->code)) {
643 /*
644 * Check that memory operations use valid addresses
645 */
646 case BPF_LD:
647 case BPF_LDX:
648 switch (BPF_MODE(p->code)) {
649 case BPF_IMM:
650 break;
651 case BPF_ABS:
652 case BPF_IND:
653 case BPF_MSH:
654 /*
655 * More strict check with actual packet length
656 * is done runtime.
657 */
658 if (p->k >= bpf_maxbufsize) {
659 return 0;
660 }
661 break;
662 case BPF_MEM:
663 if (p->k >= BPF_MEMWORDS) {
664 return 0;
665 }
666 break;
667 case BPF_LEN:
668 break;
669 default:
670 return 0;
671 }
672 break;
673 case BPF_ST:
674 case BPF_STX:
675 if (p->k >= BPF_MEMWORDS) {
676 return 0;
677 }
678 break;
679 case BPF_ALU:
680 switch (BPF_OP(p->code)) {
681 case BPF_ADD:
682 case BPF_SUB:
683 case BPF_MUL:
684 case BPF_OR:
685 case BPF_AND:
686 case BPF_LSH:
687 case BPF_RSH:
688 case BPF_NEG:
689 break;
690 case BPF_DIV:
691 /*
692 * Check for constant division by 0
693 */
694 if (BPF_SRC(p->code) == BPF_K && p->k == 0) {
695 return 0;
696 }
697 break;
698 default:
699 return 0;
700 }
701 break;
702 case BPF_JMP:
703 /*
704 * Check that jumps are within the code block,
705 * and that unconditional branches don't go
706 * backwards as a result of an overflow.
707 * Unconditional branches have a 32-bit offset,
708 * so they could overflow; we check to make
709 * sure they don't. Conditional branches have
710 * an 8-bit offset, and the from address is
711 * less than equal to BPF_MAXINSNS, and we assume that
712 * BPF_MAXINSNS is sufficiently small that adding 255
713 * to it won't overlflow
714 *
715 * We know that len is <= BPF_MAXINSNS, and we
716 * assume that BPF_MAXINSNS is less than the maximum
717 * size of a u_int, so that i+1 doesn't overflow
718 */
719 from = i + 1;
720 switch (BPF_OP(p->code)) {
721 case BPF_JA:
722 if (from + p->k < from || from + p->k >= ((u_int)len)) {
723 return 0;
724 }
725 break;
726 case BPF_JEQ:
727 case BPF_JGT:
728 case BPF_JGE:
729 case BPF_JSET:
730 if (from + p->jt >= ((u_int)len) || from + p->jf >= ((u_int)len)) {
731 return 0;
732 }
733 break;
734 default:
735 return 0;
736 }
737 break;
738 case BPF_RET:
739 break;
740 case BPF_MISC:
741 break;
742 default:
743 return 0;
744 }
745 }
746 return BPF_CLASS(f[len - 1].code) == BPF_RET;
747 }
748 #endif
mirror of XNU