xref: /netbsd-src/sys/net/bpf_filter.c (revision 2a399c6883d870daece976daec6ffa7bb7f934ce) 
1 /*	$NetBSD: bpf_filter.c,v 1.14 1997/10/09 18:20:04 christos Exp $	*/
2 
3 /*-
4  * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
5  *	The Regents of the University of California.  All rights reserved.
6  *
7  * This code is derived from the Stanford/CMU enet packet filter,
8  * (net/enet.c) distributed as part of 4.3BSD, and code contributed
9  * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
10  * Berkeley Laboratory.
11  *
12  * Redistribution and use in source and binary forms, with or without
13  * modification, are permitted provided that the following conditions
14  * are met:
15  * 1. Redistributions of source code must retain the above copyright
16  *    notice, this list of conditions and the following disclaimer.
17  * 2. Redistributions in binary form must reproduce the above copyright
18  *    notice, this list of conditions and the following disclaimer in the
19  *    documentation and/or other materials provided with the distribution.
20  * 3. All advertising materials mentioning features or use of this software
21  *    must display the following acknowledgement:
22  *	This product includes software developed by the University of
23  *	California, Berkeley and its contributors.
24  * 4. Neither the name of the University nor the names of its contributors
25  *    may be used to endorse or promote products derived from this software
26  *    without specific prior written permission.
27  *
28  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
29  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
30  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
31  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
32  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
33  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
34  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
35  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
37  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38  * SUCH DAMAGE.
39  *
40  *	@(#)bpf_filter.c	8.1 (Berkeley) 6/10/93
41  */
42 
43 #if 0
44 #if !(defined(lint) || defined(KERNEL))
45 static const char rcsid[] =
46     "@(#) Header: bpf_filter.c,v 1.33 97/04/26 13:37:18 leres Exp  (LBL)";
47 #endif
48 #endif
49 
50 #include <sys/param.h>
51 #include <sys/types.h>
52 #include <sys/time.h>
53 
54 #ifdef sun
55 #include <netinet/in.h>
56 #endif
57 
58 #if defined(sparc) || defined(mips) || defined(ibm032) || \
59     (defined(__NetBSD__) && !defined(UNALIGNED_ACCESS))
60 #define BPF_ALIGN
61 #endif
62 
63 #ifndef BPF_ALIGN
64 #define EXTRACT_SHORT(p)	((u_int16_t)ntohs(*(u_int16_t *)p))
65 #define EXTRACT_LONG(p)		(ntohl(*(u_int32_t *)p))
66 #else
67 #define EXTRACT_SHORT(p)\
68 	((u_int16_t)\
69 		((u_int16_t)*((u_char *)p+0)<<8|\
70 		 (u_int16_t)*((u_char *)p+1)<<0))
71 #define EXTRACT_LONG(p)\
72 		((u_int32_t)*((u_char *)p+0)<<24|\
73 		 (u_int32_t)*((u_char *)p+1)<<16|\
74 		 (u_int32_t)*((u_char *)p+2)<<8|\
75 		 (u_int32_t)*((u_char *)p+3)<<0)
76 #endif
77 
78 #ifdef _KERNEL
79 #include <sys/mbuf.h>
80 #define MINDEX(len, m, k) \
81 { \
82 	len = m->m_len; \
83 	while (k >= len) { \
84 		k -= len; \
85 		m = m->m_next; \
86 		if (m == 0) \
87 			return 0; \
88 		len = m->m_len; \
89 	} \
90 }
91 
92 static int m_xword __P((struct mbuf *, int, int *));
93 static int m_xhalf __P((struct mbuf *, int, int *));
94 
95 static int
96 m_xword(m, k, err)
97 	register struct mbuf *m;
98 	register int k, *err;
99 {
100 	register int len;
101 	register u_char *cp, *np;
102 	register struct mbuf *m0;
103 
104 	MINDEX(len, m, k);
105 	cp = mtod(m, u_char *) + k;
106 	if (len - k >= 4) {
107 		*err = 0;
108 		return EXTRACT_LONG(cp);
109 	}
110 	m0 = m->m_next;
111 	if (m0 == 0 || m0->m_len + len - k < 4)
112 		goto bad;
113 	*err = 0;
114 	np = mtod(m0, u_char *);
115 	switch (len - k) {
116 
117 	case 1:
118 		return (cp[0] << 24) | (np[0] << 16) | (np[1] << 8) | np[2];
119 
120 	case 2:
121 		return (cp[0] << 24) | (cp[1] << 16) | (np[0] << 8) | np[1];
122 
123 	default:
124 		return (cp[0] << 24) | (cp[1] << 16) | (cp[2] << 8) | np[0];
125 	}
126     bad:
127 	*err = 1;
128 	return 0;
129 }
130 
131 static int
132 m_xhalf(m, k, err)
133 	register struct mbuf *m;
134 	register int k, *err;
135 {
136 	register int len;
137 	register u_char *cp;
138 	register struct mbuf *m0;
139 
140 	MINDEX(len, m, k);
141 	cp = mtod(m, u_char *) + k;
142 	if (len - k >= 2) {
143 		*err = 0;
144 		return EXTRACT_SHORT(cp);
145 	}
146 	m0 = m->m_next;
147 	if (m0 == 0)
148 		goto bad;
149 	*err = 0;
150 	return (cp[0] << 8) | mtod(m0, u_char *)[0];
151  bad:
152 	*err = 1;
153 	return 0;
154 }
155 #endif
156 
157 #include <net/bpf.h>
158 
159 /*
160  * Execute the filter program starting at pc on the packet p
161  * wirelen is the length of the original packet
162  * buflen is the amount of data present
163  */
164 u_int
165 bpf_filter(pc, p, wirelen, buflen)
166 	register struct bpf_insn *pc;
167 	register u_char *p;
168 	u_int wirelen;
169 	register u_int buflen;
170 {
171 	register u_int32_t A, X;
172 	register int k;
173 	int32_t mem[BPF_MEMWORDS];
174 
175 	if (pc == 0)
176 		/*
177 		 * No filter means accept all.
178 		 */
179 		return (u_int)-1;
180 	A = 0;
181 	X = 0;
182 	--pc;
183 	while (1) {
184 		++pc;
185 		switch (pc->code) {
186 
187 		default:
188 #ifdef _KERNEL
189 			return 0;
190 #else
191 			abort();
192 #endif
193 		case BPF_RET|BPF_K:
194 			return (u_int)pc->k;
195 
196 		case BPF_RET|BPF_A:
197 			return (u_int)A;
198 
199 		case BPF_LD|BPF_W|BPF_ABS:
200 			k = pc->k;
201 			if (k + sizeof(int32_t) > buflen) {
202 #ifdef _KERNEL
203 				int merr;
204 
205 				if (buflen != 0)
206 					return 0;
207 				A = m_xword((struct mbuf *)p, k, &merr);
208 				if (merr != 0)
209 					return 0;
210 				continue;
211 #else
212 				return 0;
213 #endif
214 			}
215 			A = EXTRACT_LONG(&p[k]);
216 			continue;
217 
218 		case BPF_LD|BPF_H|BPF_ABS:
219 			k = pc->k;
220 			if (k + sizeof(int16_t) > buflen) {
221 #ifdef _KERNEL
222 				int merr;
223 
224 				if (buflen != 0)
225 					return 0;
226 				A = m_xhalf((struct mbuf *)p, k, &merr);
227 				continue;
228 #else
229 				return 0;
230 #endif
231 			}
232 			A = EXTRACT_SHORT(&p[k]);
233 			continue;
234 
235 		case BPF_LD|BPF_B|BPF_ABS:
236 			k = pc->k;
237 			if (k >= buflen) {
238 #ifdef _KERNEL
239 				register struct mbuf *m;
240 				register int len;
241 
242 				if (buflen != 0)
243 					return 0;
244 				m = (struct mbuf *)p;
245 				MINDEX(len, m, k);
246 				A = mtod(m, u_char *)[k];
247 				continue;
248 #else
249 				return 0;
250 #endif
251 			}
252 			A = p[k];
253 			continue;
254 
255 		case BPF_LD|BPF_W|BPF_LEN:
256 			A = wirelen;
257 			continue;
258 
259 		case BPF_LDX|BPF_W|BPF_LEN:
260 			X = wirelen;
261 			continue;
262 
263 		case BPF_LD|BPF_W|BPF_IND:
264 			k = X + pc->k;
265 			if (k + sizeof(int32_t) > buflen) {
266 #ifdef _KERNEL
267 				int merr;
268 
269 				if (buflen != 0)
270 					return 0;
271 				A = m_xword((struct mbuf *)p, k, &merr);
272 				if (merr != 0)
273 					return 0;
274 				continue;
275 #else
276 				return 0;
277 #endif
278 			}
279 			A = EXTRACT_LONG(&p[k]);
280 			continue;
281 
282 		case BPF_LD|BPF_H|BPF_IND:
283 			k = X + pc->k;
284 			if (k + sizeof(int16_t) > buflen) {
285 #ifdef _KERNEL
286 				int merr;
287 
288 				if (buflen != 0)
289 					return 0;
290 				A = m_xhalf((struct mbuf *)p, k, &merr);
291 				if (merr != 0)
292 					return 0;
293 				continue;
294 #else
295 				return 0;
296 #endif
297 			}
298 			A = EXTRACT_SHORT(&p[k]);
299 			continue;
300 
301 		case BPF_LD|BPF_B|BPF_IND:
302 			k = X + pc->k;
303 			if (k >= buflen) {
304 #ifdef _KERNEL
305 				register struct mbuf *m;
306 				register int len;
307 
308 				if (buflen != 0)
309 					return 0;
310 				m = (struct mbuf *)p;
311 				MINDEX(len, m, k);
312 				A = mtod(m, u_char *)[k];
313 				continue;
314 #else
315 				return 0;
316 #endif
317 			}
318 			A = p[k];
319 			continue;
320 
321 		case BPF_LDX|BPF_MSH|BPF_B:
322 			k = pc->k;
323 			if (k >= buflen) {
324 #ifdef _KERNEL
325 				register struct mbuf *m;
326 				register int len;
327 
328 				if (buflen != 0)
329 					return 0;
330 				m = (struct mbuf *)p;
331 				MINDEX(len, m, k);
332 				X = (mtod(m, char *)[k] & 0xf) << 2;
333 				continue;
334 #else
335 				return 0;
336 #endif
337 			}
338 			X = (p[pc->k] & 0xf) << 2;
339 			continue;
340 
341 		case BPF_LD|BPF_IMM:
342 			A = pc->k;
343 			continue;
344 
345 		case BPF_LDX|BPF_IMM:
346 			X = pc->k;
347 			continue;
348 
349 		case BPF_LD|BPF_MEM:
350 			A = mem[pc->k];
351 			continue;
352 
353 		case BPF_LDX|BPF_MEM:
354 			X = mem[pc->k];
355 			continue;
356 
357 		case BPF_ST:
358 			mem[pc->k] = A;
359 			continue;
360 
361 		case BPF_STX:
362 			mem[pc->k] = X;
363 			continue;
364 
365 		case BPF_JMP|BPF_JA:
366 			pc += pc->k;
367 			continue;
368 
369 		case BPF_JMP|BPF_JGT|BPF_K:
370 			pc += (A > pc->k) ? pc->jt : pc->jf;
371 			continue;
372 
373 		case BPF_JMP|BPF_JGE|BPF_K:
374 			pc += (A >= pc->k) ? pc->jt : pc->jf;
375 			continue;
376 
377 		case BPF_JMP|BPF_JEQ|BPF_K:
378 			pc += (A == pc->k) ? pc->jt : pc->jf;
379 			continue;
380 
381 		case BPF_JMP|BPF_JSET|BPF_K:
382 			pc += (A & pc->k) ? pc->jt : pc->jf;
383 			continue;
384 
385 		case BPF_JMP|BPF_JGT|BPF_X:
386 			pc += (A > X) ? pc->jt : pc->jf;
387 			continue;
388 
389 		case BPF_JMP|BPF_JGE|BPF_X:
390 			pc += (A >= X) ? pc->jt : pc->jf;
391 			continue;
392 
393 		case BPF_JMP|BPF_JEQ|BPF_X:
394 			pc += (A == X) ? pc->jt : pc->jf;
395 			continue;
396 
397 		case BPF_JMP|BPF_JSET|BPF_X:
398 			pc += (A & X) ? pc->jt : pc->jf;
399 			continue;
400 
401 		case BPF_ALU|BPF_ADD|BPF_X:
402 			A += X;
403 			continue;
404 
405 		case BPF_ALU|BPF_SUB|BPF_X:
406 			A -= X;
407 			continue;
408 
409 		case BPF_ALU|BPF_MUL|BPF_X:
410 			A *= X;
411 			continue;
412 
413 		case BPF_ALU|BPF_DIV|BPF_X:
414 			if (X == 0)
415 				return 0;
416 			A /= X;
417 			continue;
418 
419 		case BPF_ALU|BPF_AND|BPF_X:
420 			A &= X;
421 			continue;
422 
423 		case BPF_ALU|BPF_OR|BPF_X:
424 			A |= X;
425 			continue;
426 
427 		case BPF_ALU|BPF_LSH|BPF_X:
428 			A <<= X;
429 			continue;
430 
431 		case BPF_ALU|BPF_RSH|BPF_X:
432 			A >>= X;
433 			continue;
434 
435 		case BPF_ALU|BPF_ADD|BPF_K:
436 			A += pc->k;
437 			continue;
438 
439 		case BPF_ALU|BPF_SUB|BPF_K:
440 			A -= pc->k;
441 			continue;
442 
443 		case BPF_ALU|BPF_MUL|BPF_K:
444 			A *= pc->k;
445 			continue;
446 
447 		case BPF_ALU|BPF_DIV|BPF_K:
448 			A /= pc->k;
449 			continue;
450 
451 		case BPF_ALU|BPF_AND|BPF_K:
452 			A &= pc->k;
453 			continue;
454 
455 		case BPF_ALU|BPF_OR|BPF_K:
456 			A |= pc->k;
457 			continue;
458 
459 		case BPF_ALU|BPF_LSH|BPF_K:
460 			A <<= pc->k;
461 			continue;
462 
463 		case BPF_ALU|BPF_RSH|BPF_K:
464 			A >>= pc->k;
465 			continue;
466 
467 		case BPF_ALU|BPF_NEG:
468 			A = -A;
469 			continue;
470 
471 		case BPF_MISC|BPF_TAX:
472 			X = A;
473 			continue;
474 
475 		case BPF_MISC|BPF_TXA:
476 			A = X;
477 			continue;
478 		}
479 	}
480 }
481 
482 #ifdef _KERNEL
483 /*
484  * Return true if the 'fcode' is a valid filter program.
485  * The constraints are that each jump be forward and to a valid
486  * code.  The code must terminate with either an accept or reject.
487  * 'valid' is an array for use by the routine (it must be at least
488  * 'len' bytes long).
489  *
490  * The kernel needs to be able to verify an application's filter code.
491  * Otherwise, a bogus program could easily crash the system.
492  */
493 int
494 bpf_validate(f, len)
495 	struct bpf_insn *f;
496 	int len;
497 {
498 	register int i;
499 	register struct bpf_insn *p;
500 
501 	for (i = 0; i < len; ++i) {
502 		/*
503 		 * Check that that jumps are forward, and within
504 		 * the code block.
505 		 */
506 		p = &f[i];
507 		if (BPF_CLASS(p->code) == BPF_JMP) {
508 			register int from = i + 1;
509 
510 			if (BPF_OP(p->code) == BPF_JA) {
511 				if ((p->k < 0) ||
512 				    (from + p->k >= len) ||
513 				    (from + p->k < 0))
514 					return 0;
515 			}
516 			else if (from + p->jt >= len || from + p->jf >= len)
517 				return 0;
518 		}
519 		/*
520 		 * Check that memory operations use valid addresses.
521 		 */
522 		if ((BPF_CLASS(p->code) == BPF_ST ||
523 		     (BPF_CLASS(p->code) == BPF_LD &&
524 		      (p->code & 0xe0) == BPF_MEM)) &&
525 		    (p->k >= BPF_MEMWORDS || p->k < 0))
526 			return 0;
527 		/*
528 		 * Check for constant division by 0.
529 		 */
530 		if (p->code == (BPF_ALU|BPF_DIV|BPF_K) && p->k == 0)
531 			return 0;
532 	}
533 	return BPF_CLASS(f[len - 1].code) == BPF_RET;
534 }
535 #endif
536