2 * Linux Socket Filter - Kernel level socket filtering
5 * Jay Schulist <jschlst@samba.org>
7 * Based on the design of:
8 * - The Berkeley Packet Filter
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version
13 * 2 of the License, or (at your option) any later version.
15 * Andi Kleen - Fix a few bad bugs and races.
16 * Kris Katterjohn - Added many additional checks in sk_chk_filter()
19 #include <linux/module.h>
20 #include <linux/types.h>
22 #include <linux/fcntl.h>
23 #include <linux/socket.h>
25 #include <linux/inet.h>
26 #include <linux/netdevice.h>
27 #include <linux/if_packet.h>
29 #include <net/protocol.h>
30 #include <net/netlink.h>
31 #include <linux/skbuff.h>
33 #include <linux/errno.h>
34 #include <linux/timer.h>
35 #include <asm/system.h>
36 #include <asm/uaccess.h>
37 #include <asm/unaligned.h>
38 #include <linux/filter.h>
40 /* No hurry in this branch */
41 static void *__load_pointer(struct sk_buff *skb, int k)
46 ptr = skb_network_header(skb) + k - SKF_NET_OFF;
47 else if (k >= SKF_LL_OFF)
48 ptr = skb_mac_header(skb) + k - SKF_LL_OFF;
50 if (ptr >= skb->head && ptr < skb_tail_pointer(skb))
55 static inline void *load_pointer(struct sk_buff *skb, int k,
56 unsigned int size, void *buffer)
59 return skb_header_pointer(skb, k, size, buffer);
63 return __load_pointer(skb, k);
68 * sk_filter - run a packet through a socket filter
69 * @sk: sock associated with &sk_buff
70 * @skb: buffer to filter
72 * Run the filter code and then cut skb->data to correct size returned by
73 * sk_run_filter. If pkt_len is 0 we toss packet. If skb->len is smaller
74 * than pkt_len we keep whole skb->data. This is the socket level
75 * wrapper to sk_run_filter. It returns 0 if the packet should
76 * be accepted or -EPERM if the packet should be tossed.
79 int sk_filter(struct sock *sk, struct sk_buff *skb)
82 struct sk_filter *filter;
84 err = security_sock_rcv_skb(sk, skb);
89 filter = rcu_dereference_bh(sk->sk_filter);
91 unsigned int pkt_len = sk_run_filter(skb, filter->insns,
93 err = pkt_len ? pskb_trim(skb, pkt_len) : -EPERM;
99 EXPORT_SYMBOL(sk_filter);
102 * sk_run_filter - run a filter on a socket
103 * @skb: buffer to run the filter on
104 * @filter: filter to apply
105 * @flen: length of filter
107 * Decode and apply filter instructions to the skb->data.
108 * Return length to keep, 0 for none. skb is the data we are
109 * filtering, filter is the array of filter instructions, and
110 * len is the number of filter blocks in the array.
112 unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int flen)
114 struct sock_filter *fentry; /* We walk down these */
116 u32 A = 0; /* Accumulator */
117 u32 X = 0; /* Index Register */
118 u32 mem[BPF_MEMWORDS]; /* Scratch Memory Store */
124 * Process array of filter instructions.
126 for (pc = 0; pc < flen; pc++) {
127 fentry = &filter[pc];
129 switch (fentry->code) {
130 case BPF_ALU|BPF_ADD|BPF_X:
133 case BPF_ALU|BPF_ADD|BPF_K:
136 case BPF_ALU|BPF_SUB|BPF_X:
139 case BPF_ALU|BPF_SUB|BPF_K:
142 case BPF_ALU|BPF_MUL|BPF_X:
145 case BPF_ALU|BPF_MUL|BPF_K:
148 case BPF_ALU|BPF_DIV|BPF_X:
153 case BPF_ALU|BPF_DIV|BPF_K:
156 case BPF_ALU|BPF_AND|BPF_X:
159 case BPF_ALU|BPF_AND|BPF_K:
162 case BPF_ALU|BPF_OR|BPF_X:
165 case BPF_ALU|BPF_OR|BPF_K:
168 case BPF_ALU|BPF_LSH|BPF_X:
171 case BPF_ALU|BPF_LSH|BPF_K:
174 case BPF_ALU|BPF_RSH|BPF_X:
177 case BPF_ALU|BPF_RSH|BPF_K:
180 case BPF_ALU|BPF_NEG:
186 case BPF_JMP|BPF_JGT|BPF_K:
187 pc += (A > fentry->k) ? fentry->jt : fentry->jf;
189 case BPF_JMP|BPF_JGE|BPF_K:
190 pc += (A >= fentry->k) ? fentry->jt : fentry->jf;
192 case BPF_JMP|BPF_JEQ|BPF_K:
193 pc += (A == fentry->k) ? fentry->jt : fentry->jf;
195 case BPF_JMP|BPF_JSET|BPF_K:
196 pc += (A & fentry->k) ? fentry->jt : fentry->jf;
198 case BPF_JMP|BPF_JGT|BPF_X:
199 pc += (A > X) ? fentry->jt : fentry->jf;
201 case BPF_JMP|BPF_JGE|BPF_X:
202 pc += (A >= X) ? fentry->jt : fentry->jf;
204 case BPF_JMP|BPF_JEQ|BPF_X:
205 pc += (A == X) ? fentry->jt : fentry->jf;
207 case BPF_JMP|BPF_JSET|BPF_X:
208 pc += (A & X) ? fentry->jt : fentry->jf;
210 case BPF_LD|BPF_W|BPF_ABS:
213 ptr = load_pointer(skb, k, 4, &tmp);
215 A = get_unaligned_be32(ptr);
219 case BPF_LD|BPF_H|BPF_ABS:
222 ptr = load_pointer(skb, k, 2, &tmp);
224 A = get_unaligned_be16(ptr);
228 case BPF_LD|BPF_B|BPF_ABS:
231 ptr = load_pointer(skb, k, 1, &tmp);
237 case BPF_LD|BPF_W|BPF_LEN:
240 case BPF_LDX|BPF_W|BPF_LEN:
243 case BPF_LD|BPF_W|BPF_IND:
246 case BPF_LD|BPF_H|BPF_IND:
249 case BPF_LD|BPF_B|BPF_IND:
252 case BPF_LDX|BPF_B|BPF_MSH:
253 ptr = load_pointer(skb, fentry->k, 1, &tmp);
255 X = (*(u8 *)ptr & 0xf) << 2;
262 case BPF_LDX|BPF_IMM:
268 case BPF_LDX|BPF_MEM:
271 case BPF_MISC|BPF_TAX:
274 case BPF_MISC|BPF_TXA:
293 * Handle ancillary data, which are impossible
294 * (or very difficult) to get parsing packet contents.
296 switch (k-SKF_AD_OFF) {
297 case SKF_AD_PROTOCOL:
298 A = ntohs(skb->protocol);
304 A = skb->dev->ifindex;
310 A = skb->queue_mapping;
312 case SKF_AD_NLATTR: {
315 if (skb_is_nonlinear(skb))
317 if (A > skb->len - sizeof(struct nlattr))
320 nla = nla_find((struct nlattr *)&skb->data[A],
323 A = (void *)nla - (void *)skb->data;
328 case SKF_AD_NLATTR_NEST: {
331 if (skb_is_nonlinear(skb))
333 if (A > skb->len - sizeof(struct nlattr))
336 nla = (struct nlattr *)&skb->data[A];
337 if (nla->nla_len > A - skb->len)
340 nla = nla_find_nested(nla, X);
342 A = (void *)nla - (void *)skb->data;
354 EXPORT_SYMBOL(sk_run_filter);
357 * sk_chk_filter - verify socket filter code
358 * @filter: filter to verify
359 * @flen: length of filter
361 * Check the user's filter code. If we let some ugly
362 * filter code slip through kaboom! The filter must contain
363 * no references or jumps that are out of range, no illegal
364 * instructions, and must end with a RET instruction.
366 * All jumps are forward as they are not signed.
368 * Returns 0 if the rule set is legal or -EINVAL if not.
370 int sk_chk_filter(struct sock_filter *filter, int flen)
372 struct sock_filter *ftest;
375 if (flen == 0 || flen > BPF_MAXINSNS)
378 /* check the filter code now */
379 for (pc = 0; pc < flen; pc++) {
382 /* Only allow valid instructions */
383 switch (ftest->code) {
384 case BPF_ALU|BPF_ADD|BPF_K:
385 case BPF_ALU|BPF_ADD|BPF_X:
386 case BPF_ALU|BPF_SUB|BPF_K:
387 case BPF_ALU|BPF_SUB|BPF_X:
388 case BPF_ALU|BPF_MUL|BPF_K:
389 case BPF_ALU|BPF_MUL|BPF_X:
390 case BPF_ALU|BPF_DIV|BPF_X:
391 case BPF_ALU|BPF_AND|BPF_K:
392 case BPF_ALU|BPF_AND|BPF_X:
393 case BPF_ALU|BPF_OR|BPF_K:
394 case BPF_ALU|BPF_OR|BPF_X:
395 case BPF_ALU|BPF_LSH|BPF_K:
396 case BPF_ALU|BPF_LSH|BPF_X:
397 case BPF_ALU|BPF_RSH|BPF_K:
398 case BPF_ALU|BPF_RSH|BPF_X:
399 case BPF_ALU|BPF_NEG:
400 case BPF_LD|BPF_W|BPF_ABS:
401 case BPF_LD|BPF_H|BPF_ABS:
402 case BPF_LD|BPF_B|BPF_ABS:
403 case BPF_LD|BPF_W|BPF_LEN:
404 case BPF_LD|BPF_W|BPF_IND:
405 case BPF_LD|BPF_H|BPF_IND:
406 case BPF_LD|BPF_B|BPF_IND:
408 case BPF_LDX|BPF_W|BPF_LEN:
409 case BPF_LDX|BPF_B|BPF_MSH:
410 case BPF_LDX|BPF_IMM:
411 case BPF_MISC|BPF_TAX:
412 case BPF_MISC|BPF_TXA:
417 /* Some instructions need special checks */
419 case BPF_ALU|BPF_DIV|BPF_K:
420 /* check for division by zero */
426 case BPF_LDX|BPF_MEM:
429 /* check for invalid memory addresses */
430 if (ftest->k >= BPF_MEMWORDS)
436 * Note, the large ftest->k might cause loops.
437 * Compare this with conditional jumps below,
438 * where offsets are limited. --ANK (981016)
440 if (ftest->k >= (unsigned)(flen-pc-1))
444 case BPF_JMP|BPF_JEQ|BPF_K:
445 case BPF_JMP|BPF_JEQ|BPF_X:
446 case BPF_JMP|BPF_JGE|BPF_K:
447 case BPF_JMP|BPF_JGE|BPF_X:
448 case BPF_JMP|BPF_JGT|BPF_K:
449 case BPF_JMP|BPF_JGT|BPF_X:
450 case BPF_JMP|BPF_JSET|BPF_K:
451 case BPF_JMP|BPF_JSET|BPF_X:
452 /* for conditionals both must be safe */
453 if (pc + ftest->jt + 1 >= flen ||
454 pc + ftest->jf + 1 >= flen)
463 return (BPF_CLASS(filter[flen - 1].code) == BPF_RET) ? 0 : -EINVAL;
465 EXPORT_SYMBOL(sk_chk_filter);
468 * sk_filter_rcu_release: Release a socket filter by rcu_head
469 * @rcu: rcu_head that contains the sk_filter to free
471 static void sk_filter_rcu_release(struct rcu_head *rcu)
473 struct sk_filter *fp = container_of(rcu, struct sk_filter, rcu);
475 sk_filter_release(fp);
478 static void sk_filter_delayed_uncharge(struct sock *sk, struct sk_filter *fp)
480 unsigned int size = sk_filter_len(fp);
482 atomic_sub(size, &sk->sk_omem_alloc);
483 call_rcu_bh(&fp->rcu, sk_filter_rcu_release);
487 * sk_attach_filter - attach a socket filter
488 * @fprog: the filter program
489 * @sk: the socket to use
491 * Attach the user's filter code. We first run some sanity checks on
492 * it to make sure it does not explode on us later. If an error
493 * occurs or there is insufficient memory for the filter a negative
494 * errno code is returned. On success the return is zero.
496 int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
498 struct sk_filter *fp, *old_fp;
499 unsigned int fsize = sizeof(struct sock_filter) * fprog->len;
502 /* Make sure new filter is there and in the right amounts. */
503 if (fprog->filter == NULL)
506 fp = sock_kmalloc(sk, fsize+sizeof(*fp), GFP_KERNEL);
509 if (copy_from_user(fp->insns, fprog->filter, fsize)) {
510 sock_kfree_s(sk, fp, fsize+sizeof(*fp));
514 atomic_set(&fp->refcnt, 1);
515 fp->len = fprog->len;
517 err = sk_chk_filter(fp->insns, fp->len);
519 sk_filter_uncharge(sk, fp);
524 old_fp = rcu_dereference_bh(sk->sk_filter);
525 rcu_assign_pointer(sk->sk_filter, fp);
526 rcu_read_unlock_bh();
529 sk_filter_delayed_uncharge(sk, old_fp);
532 EXPORT_SYMBOL_GPL(sk_attach_filter);
534 int sk_detach_filter(struct sock *sk)
537 struct sk_filter *filter;
540 filter = rcu_dereference_bh(sk->sk_filter);
542 rcu_assign_pointer(sk->sk_filter, NULL);
543 sk_filter_delayed_uncharge(sk, filter);
546 rcu_read_unlock_bh();
549 EXPORT_SYMBOL_GPL(sk_detach_filter);
git://ftp.safe.ca / safe / jmp / linux-2.6 / blob