filter.c 14.7 KB
Newer Older
Linus Torvalds's avatar
Linus Torvalds committed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
/*
 * Linux Socket Filter - Kernel level socket filtering
 *
 * Author:
 *     Jay Schulist <jschlst@samba.org>
 *
 * Based on the design of:
 *     - The Berkeley Packet Filter
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version
 * 2 of the License, or (at your option) any later version.
 *
 * Andi Kleen - Fix a few bad bugs and races.
16
 * Kris Katterjohn - Added many additional checks in sk_chk_filter()
Linus Torvalds's avatar
Linus Torvalds committed
17
18
19
20
21
22
23
24
25
26
27
 */

#include <linux/module.h>
#include <linux/types.h>
#include <linux/mm.h>
#include <linux/fcntl.h>
#include <linux/socket.h>
#include <linux/in.h>
#include <linux/inet.h>
#include <linux/netdevice.h>
#include <linux/if_packet.h>
28
#include <linux/gfp.h>
Linus Torvalds's avatar
Linus Torvalds committed
29
30
#include <net/ip.h>
#include <net/protocol.h>
31
#include <net/netlink.h>
Linus Torvalds's avatar
Linus Torvalds committed
32
33
34
35
36
37
#include <linux/skbuff.h>
#include <net/sock.h>
#include <linux/errno.h>
#include <linux/timer.h>
#include <asm/system.h>
#include <asm/uaccess.h>
38
#include <asm/unaligned.h>
Linus Torvalds's avatar
Linus Torvalds committed
39
40
41
#include <linux/filter.h>

/* No hurry in this branch */
42
static void *__load_pointer(struct sk_buff *skb, int k)
Linus Torvalds's avatar
Linus Torvalds committed
43
44
45
46
{
	u8 *ptr = NULL;

	if (k >= SKF_NET_OFF)
47
		ptr = skb_network_header(skb) + k - SKF_NET_OFF;
Linus Torvalds's avatar
Linus Torvalds committed
48
	else if (k >= SKF_LL_OFF)
49
		ptr = skb_mac_header(skb) + k - SKF_LL_OFF;
Linus Torvalds's avatar
Linus Torvalds committed
50

51
	if (ptr >= skb->head && ptr < skb_tail_pointer(skb))
Linus Torvalds's avatar
Linus Torvalds committed
52
53
54
55
		return ptr;
	return NULL;
}

56
static inline void *load_pointer(struct sk_buff *skb, int k,
57
				 unsigned int size, void *buffer)
58
59
60
61
62
63
64
65
66
67
{
	if (k >= 0)
		return skb_header_pointer(skb, k, size, buffer);
	else {
		if (k >= SKF_AD_OFF)
			return NULL;
		return __load_pointer(skb, k);
	}
}

Stephen Hemminger's avatar
Stephen Hemminger committed
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
/**
 *	sk_filter - run a packet through a socket filter
 *	@sk: sock associated with &sk_buff
 *	@skb: buffer to filter
 *
 * Run the filter code and then cut skb->data to correct size returned by
 * sk_run_filter. If pkt_len is 0 we toss packet. If skb->len is smaller
 * than pkt_len we keep whole skb->data. This is the socket level
 * wrapper to sk_run_filter. It returns 0 if the packet should
 * be accepted or -EPERM if the packet should be tossed.
 *
 */
int sk_filter(struct sock *sk, struct sk_buff *skb)
{
	int err;
	struct sk_filter *filter;

	err = security_sock_rcv_skb(sk, skb);
	if (err)
		return err;

	rcu_read_lock_bh();
90
	filter = rcu_dereference_bh(sk->sk_filter);
Stephen Hemminger's avatar
Stephen Hemminger committed
91
	if (filter) {
92
93
		unsigned int pkt_len = sk_run_filter(skb, filter->insns, filter->len);

Stephen Hemminger's avatar
Stephen Hemminger committed
94
95
96
97
98
99
100
101
		err = pkt_len ? pskb_trim(skb, pkt_len) : -EPERM;
	}
	rcu_read_unlock_bh();

	return err;
}
EXPORT_SYMBOL(sk_filter);

Linus Torvalds's avatar
Linus Torvalds committed
102
/**
103
 *	sk_run_filter - run a filter on a socket
Linus Torvalds's avatar
Linus Torvalds committed
104
105
106
107
108
109
110
111
112
 *	@skb: buffer to run the filter on
 *	@filter: filter to apply
 *	@flen: length of filter
 *
 * Decode and apply filter instructions to the skb->data.
 * Return length to keep, 0 for none. skb is the data we are
 * filtering, filter is the array of filter instructions, and
 * len is the number of filter blocks in the array.
 */
113
unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int flen)
Linus Torvalds's avatar
Linus Torvalds committed
114
{
115
	void *ptr;
116
117
	u32 A = 0;			/* Accumulator */
	u32 X = 0;			/* Index Register */
Linus Torvalds's avatar
Linus Torvalds committed
118
	u32 mem[BPF_MEMWORDS];		/* Scratch Memory Store */
119
	unsigned long memvalid = 0;
120
	u32 tmp;
Linus Torvalds's avatar
Linus Torvalds committed
121
122
123
	int k;
	int pc;

124
	BUILD_BUG_ON(BPF_MEMWORDS > BITS_PER_LONG);
Linus Torvalds's avatar
Linus Torvalds committed
125
126
127
128
	/*
	 * Process array of filter instructions.
	 */
	for (pc = 0; pc < flen; pc++) {
129
130
		const struct sock_filter *fentry = &filter[pc];
		u32 f_k = fentry->k;
131

Linus Torvalds's avatar
Linus Torvalds committed
132
		switch (fentry->code) {
133
		case BPF_S_ALU_ADD_X:
Linus Torvalds's avatar
Linus Torvalds committed
134
135
			A += X;
			continue;
136
		case BPF_S_ALU_ADD_K:
137
			A += f_k;
Linus Torvalds's avatar
Linus Torvalds committed
138
			continue;
139
		case BPF_S_ALU_SUB_X:
Linus Torvalds's avatar
Linus Torvalds committed
140
141
			A -= X;
			continue;
142
		case BPF_S_ALU_SUB_K:
143
			A -= f_k;
Linus Torvalds's avatar
Linus Torvalds committed
144
			continue;
145
		case BPF_S_ALU_MUL_X:
Linus Torvalds's avatar
Linus Torvalds committed
146
147
			A *= X;
			continue;
148
		case BPF_S_ALU_MUL_K:
149
			A *= f_k;
Linus Torvalds's avatar
Linus Torvalds committed
150
			continue;
151
		case BPF_S_ALU_DIV_X:
Linus Torvalds's avatar
Linus Torvalds committed
152
153
154
155
			if (X == 0)
				return 0;
			A /= X;
			continue;
156
		case BPF_S_ALU_DIV_K:
157
			A /= f_k;
Linus Torvalds's avatar
Linus Torvalds committed
158
			continue;
159
		case BPF_S_ALU_AND_X:
Linus Torvalds's avatar
Linus Torvalds committed
160
161
			A &= X;
			continue;
162
		case BPF_S_ALU_AND_K:
163
			A &= f_k;
Linus Torvalds's avatar
Linus Torvalds committed
164
			continue;
165
		case BPF_S_ALU_OR_X:
Linus Torvalds's avatar
Linus Torvalds committed
166
167
			A |= X;
			continue;
168
		case BPF_S_ALU_OR_K:
169
			A |= f_k;
Linus Torvalds's avatar
Linus Torvalds committed
170
			continue;
171
		case BPF_S_ALU_LSH_X:
Linus Torvalds's avatar
Linus Torvalds committed
172
173
			A <<= X;
			continue;
174
		case BPF_S_ALU_LSH_K:
175
			A <<= f_k;
Linus Torvalds's avatar
Linus Torvalds committed
176
			continue;
177
		case BPF_S_ALU_RSH_X:
Linus Torvalds's avatar
Linus Torvalds committed
178
179
			A >>= X;
			continue;
180
		case BPF_S_ALU_RSH_K:
181
			A >>= f_k;
Linus Torvalds's avatar
Linus Torvalds committed
182
			continue;
183
		case BPF_S_ALU_NEG:
Linus Torvalds's avatar
Linus Torvalds committed
184
185
			A = -A;
			continue;
186
		case BPF_S_JMP_JA:
187
			pc += f_k;
Linus Torvalds's avatar
Linus Torvalds committed
188
			continue;
189
		case BPF_S_JMP_JGT_K:
190
			pc += (A > f_k) ? fentry->jt : fentry->jf;
Linus Torvalds's avatar
Linus Torvalds committed
191
			continue;
192
		case BPF_S_JMP_JGE_K:
193
			pc += (A >= f_k) ? fentry->jt : fentry->jf;
Linus Torvalds's avatar
Linus Torvalds committed
194
			continue;
195
		case BPF_S_JMP_JEQ_K:
196
			pc += (A == f_k) ? fentry->jt : fentry->jf;
Linus Torvalds's avatar
Linus Torvalds committed
197
			continue;
198
		case BPF_S_JMP_JSET_K:
199
			pc += (A & f_k) ? fentry->jt : fentry->jf;
Linus Torvalds's avatar
Linus Torvalds committed
200
			continue;
201
		case BPF_S_JMP_JGT_X:
Linus Torvalds's avatar
Linus Torvalds committed
202
203
			pc += (A > X) ? fentry->jt : fentry->jf;
			continue;
204
		case BPF_S_JMP_JGE_X:
Linus Torvalds's avatar
Linus Torvalds committed
205
206
			pc += (A >= X) ? fentry->jt : fentry->jf;
			continue;
207
		case BPF_S_JMP_JEQ_X:
Linus Torvalds's avatar
Linus Torvalds committed
208
209
			pc += (A == X) ? fentry->jt : fentry->jf;
			continue;
210
		case BPF_S_JMP_JSET_X:
Linus Torvalds's avatar
Linus Torvalds committed
211
212
			pc += (A & X) ? fentry->jt : fentry->jf;
			continue;
213
		case BPF_S_LD_W_ABS:
214
			k = f_k;
215
load_w:
216
217
			ptr = load_pointer(skb, k, 4, &tmp);
			if (ptr != NULL) {
218
				A = get_unaligned_be32(ptr);
219
				continue;
Linus Torvalds's avatar
Linus Torvalds committed
220
			}
221
			break;
222
		case BPF_S_LD_H_ABS:
223
			k = f_k;
224
load_h:
225
226
			ptr = load_pointer(skb, k, 2, &tmp);
			if (ptr != NULL) {
227
				A = get_unaligned_be16(ptr);
228
				continue;
Linus Torvalds's avatar
Linus Torvalds committed
229
			}
230
			break;
231
		case BPF_S_LD_B_ABS:
232
			k = f_k;
Linus Torvalds's avatar
Linus Torvalds committed
233
load_b:
234
235
236
237
			ptr = load_pointer(skb, k, 1, &tmp);
			if (ptr != NULL) {
				A = *(u8 *)ptr;
				continue;
Linus Torvalds's avatar
Linus Torvalds committed
238
			}
239
			break;
240
		case BPF_S_LD_W_LEN:
241
			A = skb->len;
Linus Torvalds's avatar
Linus Torvalds committed
242
			continue;
243
		case BPF_S_LDX_W_LEN:
244
			X = skb->len;
Linus Torvalds's avatar
Linus Torvalds committed
245
			continue;
246
		case BPF_S_LD_W_IND:
247
			k = X + f_k;
Linus Torvalds's avatar
Linus Torvalds committed
248
			goto load_w;
249
		case BPF_S_LD_H_IND:
250
			k = X + f_k;
Linus Torvalds's avatar
Linus Torvalds committed
251
			goto load_h;
252
		case BPF_S_LD_B_IND:
253
			k = X + f_k;
Linus Torvalds's avatar
Linus Torvalds committed
254
			goto load_b;
255
		case BPF_S_LDX_B_MSH:
256
			ptr = load_pointer(skb, f_k, 1, &tmp);
257
258
259
260
261
			if (ptr != NULL) {
				X = (*(u8 *)ptr & 0xf) << 2;
				continue;
			}
			return 0;
262
		case BPF_S_LD_IMM:
263
			A = f_k;
Linus Torvalds's avatar
Linus Torvalds committed
264
			continue;
265
		case BPF_S_LDX_IMM:
266
			X = f_k;
Linus Torvalds's avatar
Linus Torvalds committed
267
			continue;
268
		case BPF_S_LD_MEM:
269
270
			A = (memvalid & (1UL << f_k)) ?
				mem[f_k] : 0;
Linus Torvalds's avatar
Linus Torvalds committed
271
			continue;
272
		case BPF_S_LDX_MEM:
273
274
			X = (memvalid & (1UL << f_k)) ?
				mem[f_k] : 0;
Linus Torvalds's avatar
Linus Torvalds committed
275
			continue;
276
		case BPF_S_MISC_TAX:
Linus Torvalds's avatar
Linus Torvalds committed
277
278
			X = A;
			continue;
279
		case BPF_S_MISC_TXA:
Linus Torvalds's avatar
Linus Torvalds committed
280
281
			A = X;
			continue;
282
		case BPF_S_RET_K:
283
			return f_k;
284
		case BPF_S_RET_A:
285
			return A;
286
		case BPF_S_ST:
287
288
			memvalid |= 1UL << f_k;
			mem[f_k] = A;
Linus Torvalds's avatar
Linus Torvalds committed
289
			continue;
290
		case BPF_S_STX:
291
292
			memvalid |= 1UL << f_k;
			mem[f_k] = X;
Linus Torvalds's avatar
Linus Torvalds committed
293
294
			continue;
		default:
295
			WARN_ON(1);
Linus Torvalds's avatar
Linus Torvalds committed
296
297
298
299
300
301
302
303
304
			return 0;
		}

		/*
		 * Handle ancillary data, which are impossible
		 * (or very difficult) to get parsing packet contents.
		 */
		switch (k-SKF_AD_OFF) {
		case SKF_AD_PROTOCOL:
Al Viro's avatar
Al Viro committed
305
			A = ntohs(skb->protocol);
Linus Torvalds's avatar
Linus Torvalds committed
306
307
308
309
310
			continue;
		case SKF_AD_PKTTYPE:
			A = skb->pkt_type;
			continue;
		case SKF_AD_IFINDEX:
311
312
			if (!skb->dev)
				return 0;
Linus Torvalds's avatar
Linus Torvalds committed
313
314
			A = skb->dev->ifindex;
			continue;
315
316
317
		case SKF_AD_MARK:
			A = skb->mark;
			continue;
318
319
320
		case SKF_AD_QUEUE:
			A = skb->queue_mapping;
			continue;
321
322
323
324
325
		case SKF_AD_HATYPE:
			if (!skb->dev)
				return 0;
			A = skb->dev->type;
			continue;
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
		case SKF_AD_NLATTR: {
			struct nlattr *nla;

			if (skb_is_nonlinear(skb))
				return 0;
			if (A > skb->len - sizeof(struct nlattr))
				return 0;

			nla = nla_find((struct nlattr *)&skb->data[A],
				       skb->len - A, X);
			if (nla)
				A = (void *)nla - (void *)skb->data;
			else
				A = 0;
			continue;
		}
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
		case SKF_AD_NLATTR_NEST: {
			struct nlattr *nla;

			if (skb_is_nonlinear(skb))
				return 0;
			if (A > skb->len - sizeof(struct nlattr))
				return 0;

			nla = (struct nlattr *)&skb->data[A];
			if (nla->nla_len > A - skb->len)
				return 0;

			nla = nla_find_nested(nla, X);
			if (nla)
				A = (void *)nla - (void *)skb->data;
			else
				A = 0;
			continue;
		}
Linus Torvalds's avatar
Linus Torvalds committed
361
362
363
364
365
366
367
		default:
			return 0;
		}
	}

	return 0;
}
368
EXPORT_SYMBOL(sk_run_filter);
Linus Torvalds's avatar
Linus Torvalds committed
369
370
371
372
373
374
375
376

/**
 *	sk_chk_filter - verify socket filter code
 *	@filter: filter to verify
 *	@flen: length of filter
 *
 * Check the user's filter code. If we let some ugly
 * filter code slip through kaboom! The filter must contain
377
378
 * no references or jumps that are out of range, no illegal
 * instructions, and must end with a RET instruction.
Linus Torvalds's avatar
Linus Torvalds committed
379
 *
380
381
382
 * All jumps are forward as they are not signed.
 *
 * Returns 0 if the rule set is legal or -EINVAL if not.
Linus Torvalds's avatar
Linus Torvalds committed
383
384
385
386
387
388
 */
int sk_chk_filter(struct sock_filter *filter, int flen)
{
	struct sock_filter *ftest;
	int pc;

389
	if (flen == 0 || flen > BPF_MAXINSNS)
Linus Torvalds's avatar
Linus Torvalds committed
390
391
392
393
394
395
		return -EINVAL;

	/* check the filter code now */
	for (pc = 0; pc < flen; pc++) {
		ftest = &filter[pc];

396
397
398
		/* Only allow valid instructions */
		switch (ftest->code) {
		case BPF_ALU|BPF_ADD|BPF_K:
399
400
			ftest->code = BPF_S_ALU_ADD_K;
			break;
401
		case BPF_ALU|BPF_ADD|BPF_X:
402
403
			ftest->code = BPF_S_ALU_ADD_X;
			break;
404
		case BPF_ALU|BPF_SUB|BPF_K:
405
406
			ftest->code = BPF_S_ALU_SUB_K;
			break;
407
		case BPF_ALU|BPF_SUB|BPF_X:
408
409
			ftest->code = BPF_S_ALU_SUB_X;
			break;
410
		case BPF_ALU|BPF_MUL|BPF_K:
411
412
			ftest->code = BPF_S_ALU_MUL_K;
			break;
413
		case BPF_ALU|BPF_MUL|BPF_X:
414
415
			ftest->code = BPF_S_ALU_MUL_X;
			break;
416
		case BPF_ALU|BPF_DIV|BPF_X:
417
418
			ftest->code = BPF_S_ALU_DIV_X;
			break;
419
		case BPF_ALU|BPF_AND|BPF_K:
420
421
			ftest->code = BPF_S_ALU_AND_K;
			break;
422
		case BPF_ALU|BPF_AND|BPF_X:
423
424
			ftest->code = BPF_S_ALU_AND_X;
			break;
425
		case BPF_ALU|BPF_OR|BPF_K:
426
427
			ftest->code = BPF_S_ALU_OR_K;
			break;
428
		case BPF_ALU|BPF_OR|BPF_X:
429
430
			ftest->code = BPF_S_ALU_OR_X;
			break;
431
		case BPF_ALU|BPF_LSH|BPF_K:
432
433
			ftest->code = BPF_S_ALU_LSH_K;
			break;
434
		case BPF_ALU|BPF_LSH|BPF_X:
435
436
			ftest->code = BPF_S_ALU_LSH_X;
			break;
437
		case BPF_ALU|BPF_RSH|BPF_K:
438
439
			ftest->code = BPF_S_ALU_RSH_K;
			break;
440
		case BPF_ALU|BPF_RSH|BPF_X:
441
442
			ftest->code = BPF_S_ALU_RSH_X;
			break;
443
		case BPF_ALU|BPF_NEG:
444
445
			ftest->code = BPF_S_ALU_NEG;
			break;
446
		case BPF_LD|BPF_W|BPF_ABS:
447
448
			ftest->code = BPF_S_LD_W_ABS;
			break;
449
		case BPF_LD|BPF_H|BPF_ABS:
450
451
			ftest->code = BPF_S_LD_H_ABS;
			break;
452
		case BPF_LD|BPF_B|BPF_ABS:
453
454
			ftest->code = BPF_S_LD_B_ABS;
			break;
455
		case BPF_LD|BPF_W|BPF_LEN:
456
457
			ftest->code = BPF_S_LD_W_LEN;
			break;
458
		case BPF_LD|BPF_W|BPF_IND:
459
460
			ftest->code = BPF_S_LD_W_IND;
			break;
461
		case BPF_LD|BPF_H|BPF_IND:
462
463
			ftest->code = BPF_S_LD_H_IND;
			break;
464
		case BPF_LD|BPF_B|BPF_IND:
465
466
			ftest->code = BPF_S_LD_B_IND;
			break;
467
		case BPF_LD|BPF_IMM:
468
469
			ftest->code = BPF_S_LD_IMM;
			break;
470
		case BPF_LDX|BPF_W|BPF_LEN:
471
472
			ftest->code = BPF_S_LDX_W_LEN;
			break;
473
		case BPF_LDX|BPF_B|BPF_MSH:
474
475
			ftest->code = BPF_S_LDX_B_MSH;
			break;
476
		case BPF_LDX|BPF_IMM:
477
478
			ftest->code = BPF_S_LDX_IMM;
			break;
479
		case BPF_MISC|BPF_TAX:
480
481
			ftest->code = BPF_S_MISC_TAX;
			break;
482
		case BPF_MISC|BPF_TXA:
483
484
			ftest->code = BPF_S_MISC_TXA;
			break;
485
		case BPF_RET|BPF_K:
486
487
			ftest->code = BPF_S_RET_K;
			break;
488
		case BPF_RET|BPF_A:
489
			ftest->code = BPF_S_RET_A;
490
491
492
			break;

		/* Some instructions need special checks */
493

494
			/* check for division by zero */
495
		case BPF_ALU|BPF_DIV|BPF_K:
496
			if (ftest->k == 0)
Linus Torvalds's avatar
Linus Torvalds committed
497
				return -EINVAL;
498
			ftest->code = BPF_S_ALU_DIV_K;
499
500
			break;

501
		/* check for invalid memory addresses */
502
		case BPF_LD|BPF_MEM:
503
504
505
506
			if (ftest->k >= BPF_MEMWORDS)
				return -EINVAL;
			ftest->code = BPF_S_LD_MEM;
			break;
507
		case BPF_LDX|BPF_MEM:
508
509
510
511
			if (ftest->k >= BPF_MEMWORDS)
				return -EINVAL;
			ftest->code = BPF_S_LDX_MEM;
			break;
512
		case BPF_ST:
513
514
515
516
			if (ftest->k >= BPF_MEMWORDS)
				return -EINVAL;
			ftest->code = BPF_S_ST;
			break;
517
518
519
		case BPF_STX:
			if (ftest->k >= BPF_MEMWORDS)
				return -EINVAL;
520
			ftest->code = BPF_S_STX;
521
522
523
524
525
526
527
528
529
530
			break;

		case BPF_JMP|BPF_JA:
			/*
			 * Note, the large ftest->k might cause loops.
			 * Compare this with conditional jumps below,
			 * where offsets are limited. --ANK (981016)
			 */
			if (ftest->k >= (unsigned)(flen-pc-1))
				return -EINVAL;
531
			ftest->code = BPF_S_JMP_JA;
532
533
534
			break;

		case BPF_JMP|BPF_JEQ|BPF_K:
535
536
			ftest->code = BPF_S_JMP_JEQ_K;
			break;
537
		case BPF_JMP|BPF_JEQ|BPF_X:
538
539
			ftest->code = BPF_S_JMP_JEQ_X;
			break;
540
		case BPF_JMP|BPF_JGE|BPF_K:
541
542
			ftest->code = BPF_S_JMP_JGE_K;
			break;
543
		case BPF_JMP|BPF_JGE|BPF_X:
544
545
			ftest->code = BPF_S_JMP_JGE_X;
			break;
546
		case BPF_JMP|BPF_JGT|BPF_K:
547
548
			ftest->code = BPF_S_JMP_JGT_K;
			break;
549
		case BPF_JMP|BPF_JGT|BPF_X:
550
551
			ftest->code = BPF_S_JMP_JGT_X;
			break;
552
		case BPF_JMP|BPF_JSET|BPF_K:
553
554
			ftest->code = BPF_S_JMP_JSET_K;
			break;
555
		case BPF_JMP|BPF_JSET|BPF_X:
556
557
558
559
560
561
562
			ftest->code = BPF_S_JMP_JSET_X;
			break;

		default:
			return -EINVAL;
		}

563
			/* for conditionals both must be safe */
564
565
566
567
568
569
570
571
572
		switch (ftest->code) {
		case BPF_S_JMP_JEQ_K:
		case BPF_S_JMP_JEQ_X:
		case BPF_S_JMP_JGE_K:
		case BPF_S_JMP_JGE_X:
		case BPF_S_JMP_JGT_K:
		case BPF_S_JMP_JGT_X:
		case BPF_S_JMP_JSET_X:
		case BPF_S_JMP_JSET_K:
573
			if (pc + ftest->jt + 1 >= flen ||
574
575
			    pc + ftest->jf + 1 >= flen)
				return -EINVAL;
576
577
		}
	}
578

579
580
581
582
583
584
	/* last instruction must be a RET code */
	switch (filter[flen - 1].code) {
	case BPF_S_RET_K:
	case BPF_S_RET_A:
		return 0;
		break;
585
586
		default:
			return -EINVAL;
Linus Torvalds's avatar
Linus Torvalds committed
587
588
		}
}
589
EXPORT_SYMBOL(sk_chk_filter);
Linus Torvalds's avatar
Linus Torvalds committed
590

591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
/**
 * 	sk_filter_rcu_release: Release a socket filter by rcu_head
 *	@rcu: rcu_head that contains the sk_filter to free
 */
static void sk_filter_rcu_release(struct rcu_head *rcu)
{
	struct sk_filter *fp = container_of(rcu, struct sk_filter, rcu);

	sk_filter_release(fp);
}

static void sk_filter_delayed_uncharge(struct sock *sk, struct sk_filter *fp)
{
	unsigned int size = sk_filter_len(fp);

	atomic_sub(size, &sk->sk_omem_alloc);
	call_rcu_bh(&fp->rcu, sk_filter_rcu_release);
}

Linus Torvalds's avatar
Linus Torvalds committed
610
611
612
613
614
615
616
617
618
619
620
621
/**
 *	sk_attach_filter - attach a socket filter
 *	@fprog: the filter program
 *	@sk: the socket to use
 *
 * Attach the user's filter code. We first run some sanity checks on
 * it to make sure it does not explode on us later. If an error
 * occurs or there is insufficient memory for the filter a negative
 * errno code is returned. On success the return is zero.
 */
int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
{
622
	struct sk_filter *fp, *old_fp;
Linus Torvalds's avatar
Linus Torvalds committed
623
624
625
626
	unsigned int fsize = sizeof(struct sock_filter) * fprog->len;
	int err;

	/* Make sure new filter is there and in the right amounts. */
627
628
	if (fprog->filter == NULL)
		return -EINVAL;
Linus Torvalds's avatar
Linus Torvalds committed
629
630
631
632
633

	fp = sock_kmalloc(sk, fsize+sizeof(*fp), GFP_KERNEL);
	if (!fp)
		return -ENOMEM;
	if (copy_from_user(fp->insns, fprog->filter, fsize)) {
634
		sock_kfree_s(sk, fp, fsize+sizeof(*fp));
Linus Torvalds's avatar
Linus Torvalds committed
635
636
637
638
639
640
641
		return -EFAULT;
	}

	atomic_set(&fp->refcnt, 1);
	fp->len = fprog->len;

	err = sk_chk_filter(fp->insns, fp->len);
642
643
644
	if (err) {
		sk_filter_uncharge(sk, fp);
		return err;
Linus Torvalds's avatar
Linus Torvalds committed
645
646
	}

647
648
	old_fp = rcu_dereference_protected(sk->sk_filter,
					   sock_owned_by_user(sk));
649
650
	rcu_assign_pointer(sk->sk_filter, fp);

651
652
	if (old_fp)
		sk_filter_delayed_uncharge(sk, old_fp);
653
	return 0;
Linus Torvalds's avatar
Linus Torvalds committed
654
}
655
EXPORT_SYMBOL_GPL(sk_attach_filter);
Linus Torvalds's avatar
Linus Torvalds committed
656

657
658
659
660
661
int sk_detach_filter(struct sock *sk)
{
	int ret = -ENOENT;
	struct sk_filter *filter;

662
663
	filter = rcu_dereference_protected(sk->sk_filter,
					   sock_owned_by_user(sk));
664
665
	if (filter) {
		rcu_assign_pointer(sk->sk_filter, NULL);
666
		sk_filter_delayed_uncharge(sk, filter);
667
668
669
670
		ret = 0;
	}
	return ret;
}
671
EXPORT_SYMBOL_GPL(sk_detach_filter);