1/*	$FreeBSD: stable/11/contrib/ipfilter/bpf_filter.c 369245 2021-02-09 13:47:46Z git2svn $	*/
2
3/*-
4 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
5 *	The Regents of the University of California.  All rights reserved.
6 *
7 * This code is derived from the Stanford/CMU enet packet filter,
8 * (net/enet.c) distributed as part of 4.3BSD, and code contributed
9 * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
10 * Berkeley Laboratory.
11 *
12 * Redistribution and use in source and binary forms, with or without
13 * modification, are permitted provided that the following conditions
14 * are met:
15 * 1. Redistributions of source code must retain the above copyright
16 *    notice, this list of conditions and the following disclaimer.
17 * 2. Redistributions in binary form must reproduce the above copyright
18 *    notice, this list of conditions and the following disclaimer in the
19 *    documentation and/or other materials provided with the distribution.
20 * 3. All advertising materials mentioning features or use of this software
21 *    must display the following acknowledgement:
22 *	This product includes software developed by the University of
23 *	California, Berkeley and its contributors.
24 * 4. Neither the name of the University nor the names of its contributors
25 *    may be used to endorse or promote products derived from this software
26 *    without specific prior written permission.
27 *
28 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
29 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
30 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
31 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
32 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
33 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
34 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
35 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
37 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 * SUCH DAMAGE.
39 *
40 *	@(#)bpf.c	7.5 (Berkeley) 7/15/91
41 */
42
43#if !(defined(lint) || defined(KERNEL) || defined(_KERNEL))
44static const char rcsid[] =
45    "@(#) $Header: /devel/CVS/IP-Filter/bpf_filter.c,v 2.2.2.3 2006/10/03 11:25:56 darrenr Exp $ (LBL)";
46#endif
47
48#include <sys/param.h>
49#include <sys/types.h>
50#include <sys/time.h>
51#include <sys/socket.h>
52
53#include <netinet/in.h>
54#include <net/if.h>
55
56#include "netinet/ip_compat.h"
57#include "bpf-ipf.h"
58
59
60#if (defined(__hpux) || SOLARIS) && (defined(_KERNEL) || defined(KERNEL))
61# include <sys/sysmacros.h>
62# include <sys/stream.h>
63#endif
64
65#include "pcap-ipf.h"
66
67#if !defined(KERNEL) && !defined(_KERNEL)
68#include <stdlib.h>
69#endif
70
71#define int32 bpf_int32
72#define u_int32 bpf_u_int32
73
74static int m_xword(mb_t *, int, int *);
75static int m_xhalf(mb_t *, int, int *);
76
77#ifndef LBL_ALIGN
78/*
79 * XXX - IA-64?  If not, this probably won't work on Win64 IA-64
80 * systems, unless LBL_ALIGN is defined elsewhere for them.
81 * XXX - SuperH?  If not, this probably won't work on WinCE SuperH
82 * systems, unless LBL_ALIGN is defined elsewhere for them.
83 */
84#if defined(sparc) || defined(__sparc__) || defined(mips) || \
85    defined(ibm032) || defined(__alpha) || defined(__hpux) || \
86    defined(__arm__)
87#define LBL_ALIGN
88#endif
89#endif
90
91#ifndef LBL_ALIGN
92
93#define EXTRACT_SHORT(p)	((u_short)ntohs(*(u_short *)p))
94#define EXTRACT_LONG(p)		(ntohl(*(u_int32 *)p))
95#else
96#define EXTRACT_SHORT(p)\
97	((u_short)\
98		((u_short)*((u_char *)p+0)<<8|\
99		 (u_short)*((u_char *)p+1)<<0))
100#define EXTRACT_LONG(p)\
101		((u_int32)*((u_char *)p+0)<<24|\
102		 (u_int32)*((u_char *)p+1)<<16|\
103		 (u_int32)*((u_char *)p+2)<<8|\
104		 (u_int32)*((u_char *)p+3)<<0)
105#endif
106
107#define MINDEX(len, _m, _k) \
108{ \
109	len = M_LEN(m); \
110	while ((_k) >= len) { \
111		(_k) -= len; \
112		(_m) = (_m)->m_next; \
113		if ((_m) == 0) \
114			return 0; \
115		len = M_LEN(m); \
116	} \
117}
118
119static int
120m_xword(m, k, err)
121	register mb_t *m;
122	register int k, *err;
123{
124	register int len;
125	register u_char *cp, *np;
126	register mb_t *m0;
127
128	MINDEX(len, m, k);
129	cp = MTOD(m, u_char *) + k;
130	if (len - k >= 4) {
131		*err = 0;
132		return EXTRACT_LONG(cp);
133	}
134	m0 = m->m_next;
135	if (m0 == NULL || M_LEN(m0) + len - k < 4)
136		goto bad;
137	*err = 0;
138	np = MTOD(m0, u_char *);
139	switch (len - k) {
140
141	case 1:
142		return (cp[0] << 24) | (np[0] << 16) | (np[1] << 8) | np[2];
143
144	case 2:
145		return (cp[0] << 24) | (cp[1] << 16) | (np[0] << 8) | np[1];
146
147	default:
148		return (cp[0] << 24) | (cp[1] << 16) | (cp[2] << 8) | np[0];
149	}
150    bad:
151	*err = 1;
152	return 0;
153}
154
155static int
156m_xhalf(m, k, err)
157	register mb_t *m;
158	register int k, *err;
159{
160	register int len;
161	register u_char *cp;
162	register mb_t *m0;
163
164	MINDEX(len, m, k);
165	cp = MTOD(m, u_char *) + k;
166	if (len - k >= 2) {
167		*err = 0;
168		return EXTRACT_SHORT(cp);
169	}
170	m0 = m->m_next;
171	if (m0 == NULL)
172		goto bad;
173	*err = 0;
174	return (cp[0] << 8) | MTOD(m0, u_char *)[0];
175 bad:
176	*err = 1;
177	return 0;
178}
179
180/*
181 * Execute the filter program starting at pc on the packet p
182 * wirelen is the length of the original packet
183 * buflen is the amount of data present
184 * For the kernel, p is assumed to be a pointer to an mbuf if buflen is 0,
185 * in all other cases, p is a pointer to a buffer and buflen is its size.
186 */
187u_int
188bpf_filter(pc, p, wirelen, buflen)
189	register struct bpf_insn *pc;
190	register u_char *p;
191	u_int wirelen;
192	register u_int buflen;
193{
194	register u_int32 A, X;
195	register int k;
196	int32 mem[BPF_MEMWORDS];
197	mb_t *m, *n;
198	int merr = 0;	/* XXX: GCC */
199	int len;
200
201	if (buflen == 0) {
202		m = (mb_t *)p;
203		p = MTOD(m, u_char *);
204		buflen = M_LEN(m);
205	} else
206		m = NULL;
207
208	if (pc == NULL)
209		/*
210		 * No filter means accept all.
211		 */
212		return (u_int)-1;
213	A = 0;
214	X = 0;
215	--pc;
216	while (1) {
217		++pc;
218		switch (pc->code) {
219
220		default:
221			return 0;
222		case BPF_RET|BPF_K:
223			return (u_int)pc->k;
224
225		case BPF_RET|BPF_A:
226			return (u_int)A;
227
228		case BPF_LD|BPF_W|BPF_ABS:
229			k = pc->k;
230			if (k + sizeof(int32) > buflen) {
231				if (m == NULL)
232					return 0;
233				A = m_xword(m, k, &merr);
234				if (merr != 0)
235					return 0;
236				continue;
237			}
238			A = EXTRACT_LONG(&p[k]);
239			continue;
240
241		case BPF_LD|BPF_H|BPF_ABS:
242			k = pc->k;
243			if (k + sizeof(short) > buflen) {
244				if (m == NULL)
245					return 0;
246				A = m_xhalf(m, k, &merr);
247				if (merr != 0)
248					return 0;
249				continue;
250			}
251			A = EXTRACT_SHORT(&p[k]);
252			continue;
253
254		case BPF_LD|BPF_B|BPF_ABS:
255			k = pc->k;
256			if (k >= buflen) {
257				if (m == NULL)
258					return 0;
259				n = m;
260				MINDEX(len, n, k);
261				A = MTOD(n, u_char *)[k];
262				continue;
263			}
264			A = p[k];
265			continue;
266
267		case BPF_LD|BPF_W|BPF_LEN:
268			A = wirelen;
269			continue;
270
271		case BPF_LDX|BPF_W|BPF_LEN:
272			X = wirelen;
273			continue;
274
275		case BPF_LD|BPF_W|BPF_IND:
276			k = X + pc->k;
277			if (k + sizeof(int32) > buflen) {
278				if (m == NULL)
279					return 0;
280				A = m_xword(m, k, &merr);
281				if (merr != 0)
282					return 0;
283				continue;
284			}
285			A = EXTRACT_LONG(&p[k]);
286			continue;
287
288		case BPF_LD|BPF_H|BPF_IND:
289			k = X + pc->k;
290			if (k + sizeof(short) > buflen) {
291				if (m == NULL)
292					return 0;
293				A = m_xhalf(m, k, &merr);
294				if (merr != 0)
295					return 0;
296				continue;
297			}
298			A = EXTRACT_SHORT(&p[k]);
299			continue;
300
301		case BPF_LD|BPF_B|BPF_IND:
302			k = X + pc->k;
303			if (k >= buflen) {
304				if (m == NULL)
305					return 0;
306				n = m;
307				MINDEX(len, n, k);
308				A = MTOD(n, u_char *)[k];
309				continue;
310			}
311			A = p[k];
312			continue;
313
314		case BPF_LDX|BPF_MSH|BPF_B:
315			k = pc->k;
316			if (k >= buflen) {
317				if (m == NULL)
318					return 0;
319				n = m;
320				MINDEX(len, n, k);
321				X = (MTOD(n, char *)[k] & 0xf) << 2;
322				continue;
323			}
324			X = (p[pc->k] & 0xf) << 2;
325			continue;
326
327		case BPF_LD|BPF_IMM:
328			A = pc->k;
329			continue;
330
331		case BPF_LDX|BPF_IMM:
332			X = pc->k;
333			continue;
334
335		case BPF_LD|BPF_MEM:
336			A = mem[pc->k];
337			continue;
338
339		case BPF_LDX|BPF_MEM:
340			X = mem[pc->k];
341			continue;
342
343		case BPF_ST:
344			mem[pc->k] = A;
345			continue;
346
347		case BPF_STX:
348			mem[pc->k] = X;
349			continue;
350
351		case BPF_JMP|BPF_JA:
352			pc += pc->k;
353			continue;
354
355		case BPF_JMP|BPF_JGT|BPF_K:
356			pc += (A > pc->k) ? pc->jt : pc->jf;
357			continue;
358
359		case BPF_JMP|BPF_JGE|BPF_K:
360			pc += (A >= pc->k) ? pc->jt : pc->jf;
361			continue;
362
363		case BPF_JMP|BPF_JEQ|BPF_K:
364			pc += (A == pc->k) ? pc->jt : pc->jf;
365			continue;
366
367		case BPF_JMP|BPF_JSET|BPF_K:
368			pc += (A & pc->k) ? pc->jt : pc->jf;
369			continue;
370
371		case BPF_JMP|BPF_JGT|BPF_X:
372			pc += (A > X) ? pc->jt : pc->jf;
373			continue;
374
375		case BPF_JMP|BPF_JGE|BPF_X:
376			pc += (A >= X) ? pc->jt : pc->jf;
377			continue;
378
379		case BPF_JMP|BPF_JEQ|BPF_X:
380			pc += (A == X) ? pc->jt : pc->jf;
381			continue;
382
383		case BPF_JMP|BPF_JSET|BPF_X:
384			pc += (A & X) ? pc->jt : pc->jf;
385			continue;
386
387		case BPF_ALU|BPF_ADD|BPF_X:
388			A += X;
389			continue;
390
391		case BPF_ALU|BPF_SUB|BPF_X:
392			A -= X;
393			continue;
394
395		case BPF_ALU|BPF_MUL|BPF_X:
396			A *= X;
397			continue;
398
399		case BPF_ALU|BPF_DIV|BPF_X:
400			if (X == 0)
401				return 0;
402			A /= X;
403			continue;
404
405		case BPF_ALU|BPF_AND|BPF_X:
406			A &= X;
407			continue;
408
409		case BPF_ALU|BPF_OR|BPF_X:
410			A |= X;
411			continue;
412
413		case BPF_ALU|BPF_LSH|BPF_X:
414			A <<= X;
415			continue;
416
417		case BPF_ALU|BPF_RSH|BPF_X:
418			A >>= X;
419			continue;
420
421		case BPF_ALU|BPF_ADD|BPF_K:
422			A += pc->k;
423			continue;
424
425		case BPF_ALU|BPF_SUB|BPF_K:
426			A -= pc->k;
427			continue;
428
429		case BPF_ALU|BPF_MUL|BPF_K:
430			A *= pc->k;
431			continue;
432
433		case BPF_ALU|BPF_DIV|BPF_K:
434			A /= pc->k;
435			continue;
436
437		case BPF_ALU|BPF_AND|BPF_K:
438			A &= pc->k;
439			continue;
440
441		case BPF_ALU|BPF_OR|BPF_K:
442			A |= pc->k;
443			continue;
444
445		case BPF_ALU|BPF_LSH|BPF_K:
446			A <<= pc->k;
447			continue;
448
449		case BPF_ALU|BPF_RSH|BPF_K:
450			A >>= pc->k;
451			continue;
452
453		case BPF_ALU|BPF_NEG:
454			A = -A;
455			continue;
456
457		case BPF_MISC|BPF_TAX:
458			X = A;
459			continue;
460
461		case BPF_MISC|BPF_TXA:
462			A = X;
463			continue;
464		}
465	}
466}
467
468
469/*
470 * Return true if the 'fcode' is a valid filter program.
471 * The constraints are that each jump be forward and to a valid
472 * code, that memory accesses are within valid ranges (to the
473 * extent that this can be checked statically; loads of packet
474 * data have to be, and are, also checked at run time), and that
475 * the code terminates with either an accept or reject.
476 *
477 * The kernel needs to be able to verify an application's filter code.
478 * Otherwise, a bogus program could easily crash the system.
479 */
480int
481bpf_validate(f, len)
482	struct bpf_insn *f;
483	int len;
484{
485	u_int i, from;
486	const struct bpf_insn *p;
487
488	if (len == 0)
489		return 1;
490
491	if (len < 1 || len > BPF_MAXINSNS)
492		return 0;
493
494	for (i = 0; i < len; ++i) {
495		p = &f[i];
496		switch (BPF_CLASS(p->code)) {
497		/*
498		 * Check that memory operations use valid addresses.
499		 */
500		case BPF_LD:
501		case BPF_LDX:
502			switch (BPF_MODE(p->code)) {
503			case BPF_IMM:
504				break;
505			case BPF_ABS:
506			case BPF_IND:
507			case BPF_MSH:
508				/*
509				 * More strict check with actual packet length
510				 * is done runtime.
511				 */
512#if 0
513				if (p->k >= bpf_maxbufsize)
514					return 0;
515#endif
516				break;
517			case BPF_MEM:
518				if (p->k >= BPF_MEMWORDS)
519					return 0;
520				break;
521			case BPF_LEN:
522				break;
523			default:
524				return 0;
525			}
526			break;
527		case BPF_ST:
528		case BPF_STX:
529			if (p->k >= BPF_MEMWORDS)
530				return 0;
531			break;
532		case BPF_ALU:
533			switch (BPF_OP(p->code)) {
534			case BPF_ADD:
535			case BPF_SUB:
536			case BPF_OR:
537			case BPF_AND:
538			case BPF_LSH:
539			case BPF_RSH:
540			case BPF_NEG:
541				break;
542			case BPF_DIV:
543				/*
544				 * Check for constant division by 0.
545				 */
546				if (BPF_RVAL(p->code) == BPF_K && p->k == 0)
547					return 0;
548			default:
549				return 0;
550			}
551			break;
552		case BPF_JMP:
553			/*
554			 * Check that jumps are within the code block,
555			 * and that unconditional branches don't go
556			 * backwards as a result of an overflow.
557			 * Unconditional branches have a 32-bit offset,
558			 * so they could overflow; we check to make
559			 * sure they don't.  Conditional branches have
560			 * an 8-bit offset, and the from address is <=
561			 * BPF_MAXINSNS, and we assume that BPF_MAXINSNS
562			 * is sufficiently small that adding 255 to it
563			 * won't overflow.
564			 *
565			 * We know that len is <= BPF_MAXINSNS, and we
566			 * assume that BPF_MAXINSNS is < the maximum size
567			 * of a u_int, so that i + 1 doesn't overflow.
568			 */
569			from = i + 1;
570			switch (BPF_OP(p->code)) {
571			case BPF_JA:
572				if (from + p->k < from || from + p->k >= len)
573					return 0;
574				break;
575			case BPF_JEQ:
576			case BPF_JGT:
577			case BPF_JGE:
578			case BPF_JSET:
579				if (from + p->jt >= len || from + p->jf >= len)
580					return 0;
581				break;
582			default:
583				return 0;
584			}
585			break;
586		case BPF_RET:
587			break;
588		case BPF_MISC:
589			break;
590		default:
591			return 0;
592		}
593	}
594	return BPF_CLASS(f[len - 1].code) == BPF_RET;
595}
596