2 * Linux Socket Filter - Kernel level socket filtering
5 * Jay Schulist <jschlst@samba.org>
7 * Based on the design of:
8 * - The Berkeley Packet Filter
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version
13 * 2 of the License, or (at your option) any later version.
15 * Andi Kleen - Fix a few bad bugs and races.
16 * Kris Katterjohn - Added many additional checks in sk_chk_filter()
19 #include <linux/module.h>
20 #include <linux/types.h>
22 #include <linux/fcntl.h>
23 #include <linux/socket.h>
25 #include <linux/inet.h>
26 #include <linux/netdevice.h>
27 #include <linux/if_packet.h>
29 #include <net/protocol.h>
30 #include <net/netlink.h>
31 #include <linux/skbuff.h>
33 #include <linux/errno.h>
34 #include <linux/timer.h>
35 #include <asm/system.h>
36 #include <asm/uaccess.h>
37 #include <asm/unaligned.h>
38 #include <linux/filter.h>
40 /* No hurry in this branch */
41 static void *__load_pointer(struct sk_buff *skb, int k)
46 ptr = skb_network_header(skb) + k - SKF_NET_OFF;
47 else if (k >= SKF_LL_OFF)
48 ptr = skb_mac_header(skb) + k - SKF_LL_OFF;
50 if (ptr >= skb->head && ptr < skb_tail_pointer(skb))
55 static inline void *load_pointer(struct sk_buff *skb, int k,
56 unsigned int size, void *buffer)
59 return skb_header_pointer(skb, k, size, buffer);
63 return __load_pointer(skb, k);
68 * sk_filter - run a packet through a socket filter
69 * @sk: sock associated with &sk_buff
70 * @skb: buffer to filter
72 * Run the filter code and then cut skb->data to correct size returned by
73 * sk_run_filter. If pkt_len is 0 we toss packet. If skb->len is smaller
74 * than pkt_len we keep whole skb->data. This is the socket level
75 * wrapper to sk_run_filter. It returns 0 if the packet should
76 * be accepted or -EPERM if the packet should be tossed.
79 int sk_filter(struct sock *sk, struct sk_buff *skb)
82 struct sk_filter *filter;
84 err = security_sock_rcv_skb(sk, skb);
89 filter = rcu_dereference(sk->sk_filter);
91 unsigned int pkt_len = sk_run_filter(skb, filter->insns,
93 err = pkt_len ? pskb_trim(skb, pkt_len) : -EPERM;
99 EXPORT_SYMBOL(sk_filter);
102 * sk_run_filter - run a filter on a socket
103 * @skb: buffer to run the filter on
104 * @filter: filter to apply
105 * @flen: length of filter
107 * Decode and apply filter instructions to the skb->data.
108 * Return length to keep, 0 for none. skb is the data we are
109 * filtering, filter is the array of filter instructions, and
110 * len is the number of filter blocks in the array.
112 unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int flen)
114 struct sock_filter *fentry; /* We walk down these */
116 u32 A = 0; /* Accumulator */
117 u32 X = 0; /* Index Register */
118 u32 mem[BPF_MEMWORDS]; /* Scratch Memory Store */
124 * Process array of filter instructions.
126 for (pc = 0; pc < flen; pc++) {
127 fentry = &filter[pc];
129 switch (fentry->code) {
130 case BPF_ALU|BPF_ADD|BPF_X:
133 case BPF_ALU|BPF_ADD|BPF_K:
136 case BPF_ALU|BPF_SUB|BPF_X:
139 case BPF_ALU|BPF_SUB|BPF_K:
142 case BPF_ALU|BPF_MUL|BPF_X:
145 case BPF_ALU|BPF_MUL|BPF_K:
148 case BPF_ALU|BPF_DIV|BPF_X:
153 case BPF_ALU|BPF_DIV|BPF_K:
156 case BPF_ALU|BPF_AND|BPF_X:
159 case BPF_ALU|BPF_AND|BPF_K:
162 case BPF_ALU|BPF_OR|BPF_X:
165 case BPF_ALU|BPF_OR|BPF_K:
168 case BPF_ALU|BPF_LSH|BPF_X:
171 case BPF_ALU|BPF_LSH|BPF_K:
174 case BPF_ALU|BPF_RSH|BPF_X:
177 case BPF_ALU|BPF_RSH|BPF_K:
180 case BPF_ALU|BPF_NEG:
186 case BPF_JMP|BPF_JGT|BPF_K:
187 pc += (A > fentry->k) ? fentry->jt : fentry->jf;
189 case BPF_JMP|BPF_JGE|BPF_K:
190 pc += (A >= fentry->k) ? fentry->jt : fentry->jf;
192 case BPF_JMP|BPF_JEQ|BPF_K:
193 pc += (A == fentry->k) ? fentry->jt : fentry->jf;
195 case BPF_JMP|BPF_JSET|BPF_K:
196 pc += (A & fentry->k) ? fentry->jt : fentry->jf;
198 case BPF_JMP|BPF_JGT|BPF_X:
199 pc += (A > X) ? fentry->jt : fentry->jf;
201 case BPF_JMP|BPF_JGE|BPF_X:
202 pc += (A >= X) ? fentry->jt : fentry->jf;
204 case BPF_JMP|BPF_JEQ|BPF_X:
205 pc += (A == X) ? fentry->jt : fentry->jf;
207 case BPF_JMP|BPF_JSET|BPF_X:
208 pc += (A & X) ? fentry->jt : fentry->jf;
210 case BPF_LD|BPF_W|BPF_ABS:
213 ptr = load_pointer(skb, k, 4, &tmp);
215 A = get_unaligned_be32(ptr);
219 case BPF_LD|BPF_H|BPF_ABS:
222 ptr = load_pointer(skb, k, 2, &tmp);
224 A = get_unaligned_be16(ptr);
228 case BPF_LD|BPF_B|BPF_ABS:
231 ptr = load_pointer(skb, k, 1, &tmp);
237 case BPF_LD|BPF_W|BPF_LEN:
240 case BPF_LDX|BPF_W|BPF_LEN:
243 case BPF_LD|BPF_W|BPF_IND:
246 case BPF_LD|BPF_H|BPF_IND:
249 case BPF_LD|BPF_B|BPF_IND:
252 case BPF_LDX|BPF_B|BPF_MSH:
253 ptr = load_pointer(skb, fentry->k, 1, &tmp);
255 X = (*(u8 *)ptr & 0xf) << 2;
262 case BPF_LDX|BPF_IMM:
268 case BPF_LDX|BPF_MEM:
271 case BPF_MISC|BPF_TAX:
274 case BPF_MISC|BPF_TXA:
293 * Handle ancillary data, which are impossible
294 * (or very difficult) to get parsing packet contents.
296 switch (k-SKF_AD_OFF) {
297 case SKF_AD_PROTOCOL:
298 A = ntohs(skb->protocol);
304 A = skb->dev->ifindex;
306 case SKF_AD_NLATTR: {
309 if (skb_is_nonlinear(skb))
311 if (A > skb->len - sizeof(struct nlattr))
314 nla = nla_find((struct nlattr *)&skb->data[A],
317 A = (void *)nla - (void *)skb->data;
329 EXPORT_SYMBOL(sk_run_filter);
332 * sk_chk_filter - verify socket filter code
333 * @filter: filter to verify
334 * @flen: length of filter
336 * Check the user's filter code. If we let some ugly
337 * filter code slip through kaboom! The filter must contain
338 * no references or jumps that are out of range, no illegal
339 * instructions, and must end with a RET instruction.
341 * All jumps are forward as they are not signed.
343 * Returns 0 if the rule set is legal or -EINVAL if not.
345 int sk_chk_filter(struct sock_filter *filter, int flen)
347 struct sock_filter *ftest;
350 if (flen == 0 || flen > BPF_MAXINSNS)
353 /* check the filter code now */
354 for (pc = 0; pc < flen; pc++) {
357 /* Only allow valid instructions */
358 switch (ftest->code) {
359 case BPF_ALU|BPF_ADD|BPF_K:
360 case BPF_ALU|BPF_ADD|BPF_X:
361 case BPF_ALU|BPF_SUB|BPF_K:
362 case BPF_ALU|BPF_SUB|BPF_X:
363 case BPF_ALU|BPF_MUL|BPF_K:
364 case BPF_ALU|BPF_MUL|BPF_X:
365 case BPF_ALU|BPF_DIV|BPF_X:
366 case BPF_ALU|BPF_AND|BPF_K:
367 case BPF_ALU|BPF_AND|BPF_X:
368 case BPF_ALU|BPF_OR|BPF_K:
369 case BPF_ALU|BPF_OR|BPF_X:
370 case BPF_ALU|BPF_LSH|BPF_K:
371 case BPF_ALU|BPF_LSH|BPF_X:
372 case BPF_ALU|BPF_RSH|BPF_K:
373 case BPF_ALU|BPF_RSH|BPF_X:
374 case BPF_ALU|BPF_NEG:
375 case BPF_LD|BPF_W|BPF_ABS:
376 case BPF_LD|BPF_H|BPF_ABS:
377 case BPF_LD|BPF_B|BPF_ABS:
378 case BPF_LD|BPF_W|BPF_LEN:
379 case BPF_LD|BPF_W|BPF_IND:
380 case BPF_LD|BPF_H|BPF_IND:
381 case BPF_LD|BPF_B|BPF_IND:
383 case BPF_LDX|BPF_W|BPF_LEN:
384 case BPF_LDX|BPF_B|BPF_MSH:
385 case BPF_LDX|BPF_IMM:
386 case BPF_MISC|BPF_TAX:
387 case BPF_MISC|BPF_TXA:
392 /* Some instructions need special checks */
394 case BPF_ALU|BPF_DIV|BPF_K:
395 /* check for division by zero */
401 case BPF_LDX|BPF_MEM:
404 /* check for invalid memory addresses */
405 if (ftest->k >= BPF_MEMWORDS)
411 * Note, the large ftest->k might cause loops.
412 * Compare this with conditional jumps below,
413 * where offsets are limited. --ANK (981016)
415 if (ftest->k >= (unsigned)(flen-pc-1))
419 case BPF_JMP|BPF_JEQ|BPF_K:
420 case BPF_JMP|BPF_JEQ|BPF_X:
421 case BPF_JMP|BPF_JGE|BPF_K:
422 case BPF_JMP|BPF_JGE|BPF_X:
423 case BPF_JMP|BPF_JGT|BPF_K:
424 case BPF_JMP|BPF_JGT|BPF_X:
425 case BPF_JMP|BPF_JSET|BPF_K:
426 case BPF_JMP|BPF_JSET|BPF_X:
427 /* for conditionals both must be safe */
428 if (pc + ftest->jt + 1 >= flen ||
429 pc + ftest->jf + 1 >= flen)
438 return (BPF_CLASS(filter[flen - 1].code) == BPF_RET) ? 0 : -EINVAL;
440 EXPORT_SYMBOL(sk_chk_filter);
443 * sk_filter_rcu_release: Release a socket filter by rcu_head
444 * @rcu: rcu_head that contains the sk_filter to free
446 static void sk_filter_rcu_release(struct rcu_head *rcu)
448 struct sk_filter *fp = container_of(rcu, struct sk_filter, rcu);
450 sk_filter_release(fp);
453 static void sk_filter_delayed_uncharge(struct sock *sk, struct sk_filter *fp)
455 unsigned int size = sk_filter_len(fp);
457 atomic_sub(size, &sk->sk_omem_alloc);
458 call_rcu_bh(&fp->rcu, sk_filter_rcu_release);
462 * sk_attach_filter - attach a socket filter
463 * @fprog: the filter program
464 * @sk: the socket to use
466 * Attach the user's filter code. We first run some sanity checks on
467 * it to make sure it does not explode on us later. If an error
468 * occurs or there is insufficient memory for the filter a negative
469 * errno code is returned. On success the return is zero.
471 int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
473 struct sk_filter *fp, *old_fp;
474 unsigned int fsize = sizeof(struct sock_filter) * fprog->len;
477 /* Make sure new filter is there and in the right amounts. */
478 if (fprog->filter == NULL)
481 fp = sock_kmalloc(sk, fsize+sizeof(*fp), GFP_KERNEL);
484 if (copy_from_user(fp->insns, fprog->filter, fsize)) {
485 sock_kfree_s(sk, fp, fsize+sizeof(*fp));
489 atomic_set(&fp->refcnt, 1);
490 fp->len = fprog->len;
492 err = sk_chk_filter(fp->insns, fp->len);
494 sk_filter_uncharge(sk, fp);
499 old_fp = rcu_dereference(sk->sk_filter);
500 rcu_assign_pointer(sk->sk_filter, fp);
501 rcu_read_unlock_bh();
504 sk_filter_delayed_uncharge(sk, old_fp);
508 int sk_detach_filter(struct sock *sk)
511 struct sk_filter *filter;
514 filter = rcu_dereference(sk->sk_filter);
516 rcu_assign_pointer(sk->sk_filter, NULL);
517 sk_filter_delayed_uncharge(sk, filter);
520 rcu_read_unlock_bh();
git.openpandora.org / pandora-kernel.git / blob