1 /*-
2 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
4 *
5 * This code is derived from the Stanford/CMU enet packet filter,
6 * (net/enet.c) distributed as part of 4.3BSD, and code contributed
7 * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
8 * Berkeley Laboratory.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. All advertising materials mentioning features or use of this software
19 * must display the following acknowledgement:
20 * This product includes software developed by the University of
21 * California, Berkeley and its contributors.
22 * 4. Neither the name of the University nor the names of its contributors
23 * may be used to endorse or promote products derived from this software
24 * without specific prior written permission.
25 *
26 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 * SUCH DAMAGE.
37 *
38 * @(#)bpf.c 7.5 (Berkeley) 7/15/91
39 */
40
41 #if !(defined(lint) || defined(KERNEL) || defined(_KERNEL))
42 static const char rcsid[] _U_ =
43 "@(#) $Header: /tcpdump/master/libpcap/bpf/net/bpf_filter.c,v 1.44 2003/11/15 23:24:07 guy Exp $ (LBL)";
44 #endif
45
46 #ifdef HAVE_CONFIG_H
47 #include "config.h"
48 #endif
49
50 #ifdef WIN32
51
52 #include <pcap-stdinc.h>
53
54 #else /* WIN32 */
55
56 #include <sys/param.h>
57 #include <sys/types.h>
58 #include <sys/time.h>
59
60 #define SOLARIS (defined(sun) && (defined(__SVR4) || defined(__svr4__)))
61 #if defined(__hpux) || SOLARIS
62 # include <sys/sysmacros.h>
63 # include <sys/stream.h>
64 # define mbuf msgb
65 # define m_next b_cont
66 # define MLEN(m) ((m)->b_wptr - (m)->b_rptr)
67 # define mtod(m,t) ((t)(m)->b_rptr)
68 #else
69 # define MLEN(m) ((m)->m_len)
70 #endif
71
72 #endif /* WIN32 */
73
74 #include <pcap-bpf.h>
75
76 #if !defined(KERNEL) && !defined(_KERNEL)
77 #include <stdlib.h>
78 #endif
79
80 #define int32 bpf_int32
81 #define u_int32 bpf_u_int32
82
83 #ifndef LBL_ALIGN
84 /*
85 * XXX - IA-64? If not, this probably won't work on Win64 IA-64
86 * systems, unless LBL_ALIGN is defined elsewhere for them.
87 * XXX - SuperH? If not, this probably won't work on WinCE SuperH
88 * systems, unless LBL_ALIGN is defined elsewhere for them.
89 */
90 #if defined(sparc) || defined(__sparc__) || defined(mips) || \
91 defined(ibm032) || defined(__alpha) || defined(__hpux) || \
92 defined(__arm__)
93 #define LBL_ALIGN
94 #endif
95 #endif
96
97 #ifndef LBL_ALIGN
98 #ifndef WIN32
99 #include <netinet/in.h>
100 #endif
101
102 #define EXTRACT_SHORT(p) ((u_short)ntohs(*(u_short *)p))
103 #define EXTRACT_LONG(p) (ntohl(*(u_int32 *)p))
104 #else
105 #define EXTRACT_SHORT(p)\
106 ((u_short)\
107 ((u_short)*((u_char *)p+0)<<8|\
108 (u_short)*((u_char *)p+1)<<0))
109 #define EXTRACT_LONG(p)\
110 ((u_int32)*((u_char *)p+0)<<24|\
111 (u_int32)*((u_char *)p+1)<<16|\
112 (u_int32)*((u_char *)p+2)<<8|\
113 (u_int32)*((u_char *)p+3)<<0)
114 #endif
115
116 #if defined(KERNEL) || defined(_KERNEL)
117 # if !defined(__hpux) && !SOLARIS
118 #include <sys/mbuf.h>
119 # endif
120 #define MINDEX(len, _m, _k) \
121 { \
122 len = MLEN(m); \
123 while ((_k) >= len) { \
124 (_k) -= len; \
125 (_m) = (_m)->m_next; \
126 if ((_m) == 0) \
127 return 0; \
128 len = MLEN(m); \
129 } \
130 }
131
132 static int
m_xword(m,k,err)133 m_xword(m, k, err)
134 register struct mbuf *m;
135 register int k, *err;
136 {
137 register int len;
138 register u_char *cp, *np;
139 register struct mbuf *m0;
140
141 MINDEX(len, m, k);
142 cp = mtod(m, u_char *) + k;
143 if (len - k >= 4) {
144 *err = 0;
145 return EXTRACT_LONG(cp);
146 }
147 m0 = m->m_next;
148 if (m0 == 0 || MLEN(m0) + len - k < 4)
149 goto bad;
150 *err = 0;
151 np = mtod(m0, u_char *);
152 switch (len - k) {
153
154 case 1:
155 return (cp[0] << 24) | (np[0] << 16) | (np[1] << 8) | np[2];
156
157 case 2:
158 return (cp[0] << 24) | (cp[1] << 16) | (np[0] << 8) | np[1];
159
160 default:
161 return (cp[0] << 24) | (cp[1] << 16) | (cp[2] << 8) | np[0];
162 }
163 bad:
164 *err = 1;
165 return 0;
166 }
167
168 static int
m_xhalf(m,k,err)169 m_xhalf(m, k, err)
170 register struct mbuf *m;
171 register int k, *err;
172 {
173 register int len;
174 register u_char *cp;
175 register struct mbuf *m0;
176
177 MINDEX(len, m, k);
178 cp = mtod(m, u_char *) + k;
179 if (len - k >= 2) {
180 *err = 0;
181 return EXTRACT_SHORT(cp);
182 }
183 m0 = m->m_next;
184 if (m0 == 0)
185 goto bad;
186 *err = 0;
187 return (cp[0] << 8) | mtod(m0, u_char *)[0];
188 bad:
189 *err = 1;
190 return 0;
191 }
192 #endif
193
194 /*
195 * Execute the filter program starting at pc on the packet p
196 * wirelen is the length of the original packet
197 * buflen is the amount of data present
198 * For the kernel, p is assumed to be a pointer to an mbuf if buflen is 0,
199 * in all other cases, p is a pointer to a buffer and buflen is its size.
200 */
201 u_int
bpf_filter(pc,p,wirelen,buflen)202 bpf_filter(pc, p, wirelen, buflen)
203 register struct bpf_insn *pc;
204 register u_char *p;
205 u_int wirelen;
206 register u_int buflen;
207 {
208 register u_int32 A, X;
209 register int k;
210 int32 mem[BPF_MEMWORDS];
211 #if defined(KERNEL) || defined(_KERNEL)
212 struct mbuf *m, *n;
213 int merr, len;
214
215 if (buflen == 0) {
216 m = (struct mbuf *)p;
217 p = mtod(m, u_char *);
218 buflen = MLEN(m);
219 } else
220 m = NULL;
221 #endif
222
223 if (pc == 0)
224 /*
225 * No filter means accept all.
226 */
227 return (u_int)-1;
228 A = 0;
229 X = 0;
230 --pc;
231 while (1) {
232 ++pc;
233 switch (pc->code) {
234
235 default:
236 #if defined(KERNEL) || defined(_KERNEL)
237 return 0;
238 #else
239 abort();
240 #endif
241 case BPF_RET|BPF_K:
242 return (u_int)pc->k;
243
244 case BPF_RET|BPF_A:
245 return (u_int)A;
246
247 case BPF_LD|BPF_W|BPF_ABS:
248 k = pc->k;
249 if (k + sizeof(int32) > buflen) {
250 #if defined(KERNEL) || defined(_KERNEL)
251 if (m == NULL)
252 return 0;
253 A = m_xword(m, k, &merr);
254 if (merr != 0)
255 return 0;
256 continue;
257 #else
258 return 0;
259 #endif
260 }
261 A = EXTRACT_LONG(&p[k]);
262 continue;
263
264 case BPF_LD|BPF_H|BPF_ABS:
265 k = pc->k;
266 if (k + sizeof(short) > buflen) {
267 #if defined(KERNEL) || defined(_KERNEL)
268 if (m == NULL)
269 return 0;
270 A = m_xhalf(m, k, &merr);
271 if (merr != 0)
272 return 0;
273 continue;
274 #else
275 return 0;
276 #endif
277 }
278 A = EXTRACT_SHORT(&p[k]);
279 continue;
280
281 case BPF_LD|BPF_B|BPF_ABS:
282 k = pc->k;
283 if (k >= buflen) {
284 #if defined(KERNEL) || defined(_KERNEL)
285 if (m == NULL)
286 return 0;
287 n = m;
288 MINDEX(len, n, k);
289 A = mtod(n, u_char *)[k];
290 continue;
291 #else
292 return 0;
293 #endif
294 }
295 A = p[k];
296 continue;
297
298 case BPF_LD|BPF_W|BPF_LEN:
299 A = wirelen;
300 continue;
301
302 case BPF_LDX|BPF_W|BPF_LEN:
303 X = wirelen;
304 continue;
305
306 case BPF_LD|BPF_W|BPF_IND:
307 k = X + pc->k;
308 if (k + sizeof(int32) > buflen) {
309 #if defined(KERNEL) || defined(_KERNEL)
310 if (m == NULL)
311 return 0;
312 A = m_xword(m, k, &merr);
313 if (merr != 0)
314 return 0;
315 continue;
316 #else
317 return 0;
318 #endif
319 }
320 A = EXTRACT_LONG(&p[k]);
321 continue;
322
323 case BPF_LD|BPF_H|BPF_IND:
324 k = X + pc->k;
325 if (k + sizeof(short) > buflen) {
326 #if defined(KERNEL) || defined(_KERNEL)
327 if (m == NULL)
328 return 0;
329 A = m_xhalf(m, k, &merr);
330 if (merr != 0)
331 return 0;
332 continue;
333 #else
334 return 0;
335 #endif
336 }
337 A = EXTRACT_SHORT(&p[k]);
338 continue;
339
340 case BPF_LD|BPF_B|BPF_IND:
341 k = X + pc->k;
342 if (k >= buflen) {
343 #if defined(KERNEL) || defined(_KERNEL)
344 if (m == NULL)
345 return 0;
346 n = m;
347 MINDEX(len, n, k);
348 A = mtod(n, u_char *)[k];
349 continue;
350 #else
351 return 0;
352 #endif
353 }
354 A = p[k];
355 continue;
356
357 case BPF_LDX|BPF_MSH|BPF_B:
358 k = pc->k;
359 if (k >= buflen) {
360 #if defined(KERNEL) || defined(_KERNEL)
361 if (m == NULL)
362 return 0;
363 n = m;
364 MINDEX(len, n, k);
365 X = (mtod(n, char *)[k] & 0xf) << 2;
366 continue;
367 #else
368 return 0;
369 #endif
370 }
371 X = (p[pc->k] & 0xf) << 2;
372 continue;
373
374 case BPF_LD|BPF_IMM:
375 A = pc->k;
376 continue;
377
378 case BPF_LDX|BPF_IMM:
379 X = pc->k;
380 continue;
381
382 case BPF_LD|BPF_MEM:
383 A = mem[pc->k];
384 continue;
385
386 case BPF_LDX|BPF_MEM:
387 X = mem[pc->k];
388 continue;
389
390 case BPF_ST:
391 mem[pc->k] = A;
392 continue;
393
394 case BPF_STX:
395 mem[pc->k] = X;
396 continue;
397
398 case BPF_JMP|BPF_JA:
399 pc += pc->k;
400 continue;
401
402 case BPF_JMP|BPF_JGT|BPF_K:
403 pc += (A > pc->k) ? pc->jt : pc->jf;
404 continue;
405
406 case BPF_JMP|BPF_JGE|BPF_K:
407 pc += (A >= pc->k) ? pc->jt : pc->jf;
408 continue;
409
410 case BPF_JMP|BPF_JEQ|BPF_K:
411 pc += (A == pc->k) ? pc->jt : pc->jf;
412 continue;
413
414 case BPF_JMP|BPF_JSET|BPF_K:
415 pc += (A & pc->k) ? pc->jt : pc->jf;
416 continue;
417
418 case BPF_JMP|BPF_JGT|BPF_X:
419 pc += (A > X) ? pc->jt : pc->jf;
420 continue;
421
422 case BPF_JMP|BPF_JGE|BPF_X:
423 pc += (A >= X) ? pc->jt : pc->jf;
424 continue;
425
426 case BPF_JMP|BPF_JEQ|BPF_X:
427 pc += (A == X) ? pc->jt : pc->jf;
428 continue;
429
430 case BPF_JMP|BPF_JSET|BPF_X:
431 pc += (A & X) ? pc->jt : pc->jf;
432 continue;
433
434 case BPF_ALU|BPF_ADD|BPF_X:
435 A += X;
436 continue;
437
438 case BPF_ALU|BPF_SUB|BPF_X:
439 A -= X;
440 continue;
441
442 case BPF_ALU|BPF_MUL|BPF_X:
443 A *= X;
444 continue;
445
446 case BPF_ALU|BPF_DIV|BPF_X:
447 if (X == 0)
448 return 0;
449 A /= X;
450 continue;
451
452 case BPF_ALU|BPF_AND|BPF_X:
453 A &= X;
454 continue;
455
456 case BPF_ALU|BPF_OR|BPF_X:
457 A |= X;
458 continue;
459
460 case BPF_ALU|BPF_LSH|BPF_X:
461 A <<= X;
462 continue;
463
464 case BPF_ALU|BPF_RSH|BPF_X:
465 A >>= X;
466 continue;
467
468 case BPF_ALU|BPF_ADD|BPF_K:
469 A += pc->k;
470 continue;
471
472 case BPF_ALU|BPF_SUB|BPF_K:
473 A -= pc->k;
474 continue;
475
476 case BPF_ALU|BPF_MUL|BPF_K:
477 A *= pc->k;
478 continue;
479
480 case BPF_ALU|BPF_DIV|BPF_K:
481 A /= pc->k;
482 continue;
483
484 case BPF_ALU|BPF_AND|BPF_K:
485 A &= pc->k;
486 continue;
487
488 case BPF_ALU|BPF_OR|BPF_K:
489 A |= pc->k;
490 continue;
491
492 case BPF_ALU|BPF_LSH|BPF_K:
493 A <<= pc->k;
494 continue;
495
496 case BPF_ALU|BPF_RSH|BPF_K:
497 A >>= pc->k;
498 continue;
499
500 case BPF_ALU|BPF_NEG:
501 A = -A;
502 continue;
503
504 case BPF_MISC|BPF_TAX:
505 X = A;
506 continue;
507
508 case BPF_MISC|BPF_TXA:
509 A = X;
510 continue;
511 }
512 }
513 }
514
515
516 /*
517 * Return true if the 'fcode' is a valid filter program.
518 * The constraints are that each jump be forward and to a valid
519 * code. The code must terminate with either an accept or reject.
520 * 'valid' is an array for use by the routine (it must be at least
521 * 'len' bytes long).
522 *
523 * The kernel needs to be able to verify an application's filter code.
524 * Otherwise, a bogus program could easily crash the system.
525 */
526 int
bpf_validate(f,len)527 bpf_validate(f, len)
528 struct bpf_insn *f;
529 int len;
530 {
531 register int i;
532 register struct bpf_insn *p;
533
534 for (i = 0; i < len; ++i) {
535 /*
536 * Check that that jumps are forward, and within
537 * the code block.
538 */
539 p = &f[i];
540 if (BPF_CLASS(p->code) == BPF_JMP) {
541 register int from = i + 1;
542
543 if (BPF_OP(p->code) == BPF_JA) {
544 if (from + p->k >= (unsigned)len)
545 return 0;
546 }
547 else if (from + p->jt >= len || from + p->jf >= len)
548 return 0;
549 }
550 /*
551 * Check that memory operations use valid addresses.
552 */
553 if ((BPF_CLASS(p->code) == BPF_ST ||
554 (BPF_CLASS(p->code) == BPF_LD &&
555 (p->code & 0xe0) == BPF_MEM)) &&
556 (p->k >= BPF_MEMWORDS || p->k < 0))
557 return 0;
558 /*
559 * Check for constant division by 0.
560 */
561 if (p->code == (BPF_ALU|BPF_DIV|BPF_K) && p->k == 0)
562 return 0;
563 }
564 return BPF_CLASS(f[len - 1].code) == BPF_RET;
565 }
566