ebtables.c revision 5a0e3ad6af8660be21ca98a971cd00f331318c05
1/* 2 * ebtables 3 * 4 * Author: 5 * Bart De Schuymer <bdschuym@pandora.be> 6 * 7 * ebtables.c,v 2.0, July, 2002 8 * 9 * This code is stongly inspired on the iptables code which is 10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling 11 * 12 * This program is free software; you can redistribute it and/or 13 * modify it under the terms of the GNU General Public License 14 * as published by the Free Software Foundation; either version 15 * 2 of the License, or (at your option) any later version. 16 */ 17 18 19#include <linux/kmod.h> 20#include <linux/module.h> 21#include <linux/vmalloc.h> 22#include <linux/netfilter/x_tables.h> 23#include <linux/netfilter_bridge/ebtables.h> 24#include <linux/spinlock.h> 25#include <linux/mutex.h> 26#include <linux/slab.h> 27#include <asm/uaccess.h> 28#include <linux/smp.h> 29#include <linux/cpumask.h> 30#include <net/sock.h> 31/* needed for logical [in,out]-dev filtering */ 32#include "../br_private.h" 33 34#define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\ 35 "report to author: "format, ## args) 36/* #define BUGPRINT(format, args...) */ 37 38/* 39 * Each cpu has its own set of counters, so there is no need for write_lock in 40 * the softirq 41 * For reading or updating the counters, the user context needs to 42 * get a write_lock 43 */ 44 45/* The size of each set of counters is altered to get cache alignment */ 46#define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1)) 47#define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter))) 48#define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \ 49 COUNTER_OFFSET(n) * cpu)) 50 51 52 53static DEFINE_MUTEX(ebt_mutex); 54 55#ifdef CONFIG_COMPAT 56static void ebt_standard_compat_from_user(void *dst, const void *src) 57{ 58 int v = *(compat_int_t *)src; 59 60 if (v >= 0) 61 v += xt_compat_calc_jump(NFPROTO_BRIDGE, v); 62 memcpy(dst, &v, sizeof(v)); 63} 64 65static int ebt_standard_compat_to_user(void __user *dst, const void *src) 66{ 67 compat_int_t cv = *(int *)src; 68 69 if (cv >= 0) 70 cv -= xt_compat_calc_jump(NFPROTO_BRIDGE, cv); 71 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0; 72} 73#endif 74 75 76static struct xt_target ebt_standard_target = { 77 .name = "standard", 78 .revision = 0, 79 .family = NFPROTO_BRIDGE, 80 .targetsize = sizeof(int), 81#ifdef CONFIG_COMPAT 82 .compatsize = sizeof(compat_int_t), 83 .compat_from_user = ebt_standard_compat_from_user, 84 .compat_to_user = ebt_standard_compat_to_user, 85#endif 86}; 87 88static inline int 89ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb, 90 struct xt_target_param *par) 91{ 92 par->target = w->u.watcher; 93 par->targinfo = w->data; 94 w->u.watcher->target(skb, par); 95 /* watchers don't give a verdict */ 96 return 0; 97} 98 99static inline int ebt_do_match (struct ebt_entry_match *m, 100 const struct sk_buff *skb, struct xt_match_param *par) 101{ 102 par->match = m->u.match; 103 par->matchinfo = m->data; 104 return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH; 105} 106 107static inline int 108ebt_dev_check(const char *entry, const struct net_device *device) 109{ 110 int i = 0; 111 const char *devname; 112 113 if (*entry == '\0') 114 return 0; 115 if (!device) 116 return 1; 117 devname = device->name; 118 /* 1 is the wildcard token */ 119 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i]) 120 i++; 121 return (devname[i] != entry[i] && entry[i] != 1); 122} 123 124#define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg)) 125/* process standard matches */ 126static inline int 127ebt_basic_match(const struct ebt_entry *e, const struct ethhdr *h, 128 const struct net_device *in, const struct net_device *out) 129{ 130 int verdict, i; 131 132 if (e->bitmask & EBT_802_3) { 133 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO)) 134 return 1; 135 } else if (!(e->bitmask & EBT_NOPROTO) && 136 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO)) 137 return 1; 138 139 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN)) 140 return 1; 141 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT)) 142 return 1; 143 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check( 144 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN)) 145 return 1; 146 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check( 147 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT)) 148 return 1; 149 150 if (e->bitmask & EBT_SOURCEMAC) { 151 verdict = 0; 152 for (i = 0; i < 6; i++) 153 verdict |= (h->h_source[i] ^ e->sourcemac[i]) & 154 e->sourcemsk[i]; 155 if (FWINV2(verdict != 0, EBT_ISOURCE) ) 156 return 1; 157 } 158 if (e->bitmask & EBT_DESTMAC) { 159 verdict = 0; 160 for (i = 0; i < 6; i++) 161 verdict |= (h->h_dest[i] ^ e->destmac[i]) & 162 e->destmsk[i]; 163 if (FWINV2(verdict != 0, EBT_IDEST) ) 164 return 1; 165 } 166 return 0; 167} 168 169static inline __pure 170struct ebt_entry *ebt_next_entry(const struct ebt_entry *entry) 171{ 172 return (void *)entry + entry->next_offset; 173} 174 175/* Do some firewalling */ 176unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb, 177 const struct net_device *in, const struct net_device *out, 178 struct ebt_table *table) 179{ 180 int i, nentries; 181 struct ebt_entry *point; 182 struct ebt_counter *counter_base, *cb_base; 183 const struct ebt_entry_target *t; 184 int verdict, sp = 0; 185 struct ebt_chainstack *cs; 186 struct ebt_entries *chaininfo; 187 const char *base; 188 const struct ebt_table_info *private; 189 bool hotdrop = false; 190 struct xt_match_param mtpar; 191 struct xt_target_param tgpar; 192 193 mtpar.family = tgpar.family = NFPROTO_BRIDGE; 194 mtpar.in = tgpar.in = in; 195 mtpar.out = tgpar.out = out; 196 mtpar.hotdrop = &hotdrop; 197 mtpar.hooknum = tgpar.hooknum = hook; 198 199 read_lock_bh(&table->lock); 200 private = table->private; 201 cb_base = COUNTER_BASE(private->counters, private->nentries, 202 smp_processor_id()); 203 if (private->chainstack) 204 cs = private->chainstack[smp_processor_id()]; 205 else 206 cs = NULL; 207 chaininfo = private->hook_entry[hook]; 208 nentries = private->hook_entry[hook]->nentries; 209 point = (struct ebt_entry *)(private->hook_entry[hook]->data); 210 counter_base = cb_base + private->hook_entry[hook]->counter_offset; 211 /* base for chain jumps */ 212 base = private->entries; 213 i = 0; 214 while (i < nentries) { 215 if (ebt_basic_match(point, eth_hdr(skb), in, out)) 216 goto letscontinue; 217 218 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &mtpar) != 0) 219 goto letscontinue; 220 if (hotdrop) { 221 read_unlock_bh(&table->lock); 222 return NF_DROP; 223 } 224 225 /* increase counter */ 226 (*(counter_base + i)).pcnt++; 227 (*(counter_base + i)).bcnt += skb->len; 228 229 /* these should only watch: not modify, nor tell us 230 what to do with the packet */ 231 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &tgpar); 232 233 t = (struct ebt_entry_target *) 234 (((char *)point) + point->target_offset); 235 /* standard target */ 236 if (!t->u.target->target) 237 verdict = ((struct ebt_standard_target *)t)->verdict; 238 else { 239 tgpar.target = t->u.target; 240 tgpar.targinfo = t->data; 241 verdict = t->u.target->target(skb, &tgpar); 242 } 243 if (verdict == EBT_ACCEPT) { 244 read_unlock_bh(&table->lock); 245 return NF_ACCEPT; 246 } 247 if (verdict == EBT_DROP) { 248 read_unlock_bh(&table->lock); 249 return NF_DROP; 250 } 251 if (verdict == EBT_RETURN) { 252letsreturn: 253#ifdef CONFIG_NETFILTER_DEBUG 254 if (sp == 0) { 255 BUGPRINT("RETURN on base chain"); 256 /* act like this is EBT_CONTINUE */ 257 goto letscontinue; 258 } 259#endif 260 sp--; 261 /* put all the local variables right */ 262 i = cs[sp].n; 263 chaininfo = cs[sp].chaininfo; 264 nentries = chaininfo->nentries; 265 point = cs[sp].e; 266 counter_base = cb_base + 267 chaininfo->counter_offset; 268 continue; 269 } 270 if (verdict == EBT_CONTINUE) 271 goto letscontinue; 272#ifdef CONFIG_NETFILTER_DEBUG 273 if (verdict < 0) { 274 BUGPRINT("bogus standard verdict\n"); 275 read_unlock_bh(&table->lock); 276 return NF_DROP; 277 } 278#endif 279 /* jump to a udc */ 280 cs[sp].n = i + 1; 281 cs[sp].chaininfo = chaininfo; 282 cs[sp].e = ebt_next_entry(point); 283 i = 0; 284 chaininfo = (struct ebt_entries *) (base + verdict); 285#ifdef CONFIG_NETFILTER_DEBUG 286 if (chaininfo->distinguisher) { 287 BUGPRINT("jump to non-chain\n"); 288 read_unlock_bh(&table->lock); 289 return NF_DROP; 290 } 291#endif 292 nentries = chaininfo->nentries; 293 point = (struct ebt_entry *)chaininfo->data; 294 counter_base = cb_base + chaininfo->counter_offset; 295 sp++; 296 continue; 297letscontinue: 298 point = ebt_next_entry(point); 299 i++; 300 } 301 302 /* I actually like this :) */ 303 if (chaininfo->policy == EBT_RETURN) 304 goto letsreturn; 305 if (chaininfo->policy == EBT_ACCEPT) { 306 read_unlock_bh(&table->lock); 307 return NF_ACCEPT; 308 } 309 read_unlock_bh(&table->lock); 310 return NF_DROP; 311} 312 313/* If it succeeds, returns element and locks mutex */ 314static inline void * 315find_inlist_lock_noload(struct list_head *head, const char *name, int *error, 316 struct mutex *mutex) 317{ 318 struct { 319 struct list_head list; 320 char name[EBT_FUNCTION_MAXNAMELEN]; 321 } *e; 322 323 *error = mutex_lock_interruptible(mutex); 324 if (*error != 0) 325 return NULL; 326 327 list_for_each_entry(e, head, list) { 328 if (strcmp(e->name, name) == 0) 329 return e; 330 } 331 *error = -ENOENT; 332 mutex_unlock(mutex); 333 return NULL; 334} 335 336static void * 337find_inlist_lock(struct list_head *head, const char *name, const char *prefix, 338 int *error, struct mutex *mutex) 339{ 340 return try_then_request_module( 341 find_inlist_lock_noload(head, name, error, mutex), 342 "%s%s", prefix, name); 343} 344 345static inline struct ebt_table * 346find_table_lock(struct net *net, const char *name, int *error, 347 struct mutex *mutex) 348{ 349 return find_inlist_lock(&net->xt.tables[NFPROTO_BRIDGE], name, 350 "ebtable_", error, mutex); 351} 352 353static inline int 354ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par, 355 unsigned int *cnt) 356{ 357 const struct ebt_entry *e = par->entryinfo; 358 struct xt_match *match; 359 size_t left = ((char *)e + e->watchers_offset) - (char *)m; 360 int ret; 361 362 if (left < sizeof(struct ebt_entry_match) || 363 left - sizeof(struct ebt_entry_match) < m->match_size) 364 return -EINVAL; 365 366 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE, 367 m->u.name, 0), "ebt_%s", m->u.name); 368 if (IS_ERR(match)) 369 return PTR_ERR(match); 370 if (match == NULL) 371 return -ENOENT; 372 m->u.match = match; 373 374 par->match = match; 375 par->matchinfo = m->data; 376 ret = xt_check_match(par, m->match_size, 377 e->ethproto, e->invflags & EBT_IPROTO); 378 if (ret < 0) { 379 module_put(match->me); 380 return ret; 381 } 382 383 (*cnt)++; 384 return 0; 385} 386 387static inline int 388ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par, 389 unsigned int *cnt) 390{ 391 const struct ebt_entry *e = par->entryinfo; 392 struct xt_target *watcher; 393 size_t left = ((char *)e + e->target_offset) - (char *)w; 394 int ret; 395 396 if (left < sizeof(struct ebt_entry_watcher) || 397 left - sizeof(struct ebt_entry_watcher) < w->watcher_size) 398 return -EINVAL; 399 400 watcher = try_then_request_module( 401 xt_find_target(NFPROTO_BRIDGE, w->u.name, 0), 402 "ebt_%s", w->u.name); 403 if (IS_ERR(watcher)) 404 return PTR_ERR(watcher); 405 if (watcher == NULL) 406 return -ENOENT; 407 w->u.watcher = watcher; 408 409 par->target = watcher; 410 par->targinfo = w->data; 411 ret = xt_check_target(par, w->watcher_size, 412 e->ethproto, e->invflags & EBT_IPROTO); 413 if (ret < 0) { 414 module_put(watcher->me); 415 return ret; 416 } 417 418 (*cnt)++; 419 return 0; 420} 421 422static int ebt_verify_pointers(const struct ebt_replace *repl, 423 struct ebt_table_info *newinfo) 424{ 425 unsigned int limit = repl->entries_size; 426 unsigned int valid_hooks = repl->valid_hooks; 427 unsigned int offset = 0; 428 int i; 429 430 for (i = 0; i < NF_BR_NUMHOOKS; i++) 431 newinfo->hook_entry[i] = NULL; 432 433 newinfo->entries_size = repl->entries_size; 434 newinfo->nentries = repl->nentries; 435 436 while (offset < limit) { 437 size_t left = limit - offset; 438 struct ebt_entry *e = (void *)newinfo->entries + offset; 439 440 if (left < sizeof(unsigned int)) 441 break; 442 443 for (i = 0; i < NF_BR_NUMHOOKS; i++) { 444 if ((valid_hooks & (1 << i)) == 0) 445 continue; 446 if ((char __user *)repl->hook_entry[i] == 447 repl->entries + offset) 448 break; 449 } 450 451 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) { 452 if (e->bitmask != 0) { 453 /* we make userspace set this right, 454 so there is no misunderstanding */ 455 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set " 456 "in distinguisher\n"); 457 return -EINVAL; 458 } 459 if (i != NF_BR_NUMHOOKS) 460 newinfo->hook_entry[i] = (struct ebt_entries *)e; 461 if (left < sizeof(struct ebt_entries)) 462 break; 463 offset += sizeof(struct ebt_entries); 464 } else { 465 if (left < sizeof(struct ebt_entry)) 466 break; 467 if (left < e->next_offset) 468 break; 469 if (e->next_offset < sizeof(struct ebt_entry)) 470 return -EINVAL; 471 offset += e->next_offset; 472 } 473 } 474 if (offset != limit) { 475 BUGPRINT("entries_size too small\n"); 476 return -EINVAL; 477 } 478 479 /* check if all valid hooks have a chain */ 480 for (i = 0; i < NF_BR_NUMHOOKS; i++) { 481 if (!newinfo->hook_entry[i] && 482 (valid_hooks & (1 << i))) { 483 BUGPRINT("Valid hook without chain\n"); 484 return -EINVAL; 485 } 486 } 487 return 0; 488} 489 490/* 491 * this one is very careful, as it is the first function 492 * to parse the userspace data 493 */ 494static inline int 495ebt_check_entry_size_and_hooks(const struct ebt_entry *e, 496 const struct ebt_table_info *newinfo, 497 unsigned int *n, unsigned int *cnt, 498 unsigned int *totalcnt, unsigned int *udc_cnt) 499{ 500 int i; 501 502 for (i = 0; i < NF_BR_NUMHOOKS; i++) { 503 if ((void *)e == (void *)newinfo->hook_entry[i]) 504 break; 505 } 506 /* beginning of a new chain 507 if i == NF_BR_NUMHOOKS it must be a user defined chain */ 508 if (i != NF_BR_NUMHOOKS || !e->bitmask) { 509 /* this checks if the previous chain has as many entries 510 as it said it has */ 511 if (*n != *cnt) { 512 BUGPRINT("nentries does not equal the nr of entries " 513 "in the chain\n"); 514 return -EINVAL; 515 } 516 if (((struct ebt_entries *)e)->policy != EBT_DROP && 517 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) { 518 /* only RETURN from udc */ 519 if (i != NF_BR_NUMHOOKS || 520 ((struct ebt_entries *)e)->policy != EBT_RETURN) { 521 BUGPRINT("bad policy\n"); 522 return -EINVAL; 523 } 524 } 525 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */ 526 (*udc_cnt)++; 527 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) { 528 BUGPRINT("counter_offset != totalcnt"); 529 return -EINVAL; 530 } 531 *n = ((struct ebt_entries *)e)->nentries; 532 *cnt = 0; 533 return 0; 534 } 535 /* a plain old entry, heh */ 536 if (sizeof(struct ebt_entry) > e->watchers_offset || 537 e->watchers_offset > e->target_offset || 538 e->target_offset >= e->next_offset) { 539 BUGPRINT("entry offsets not in right order\n"); 540 return -EINVAL; 541 } 542 /* this is not checked anywhere else */ 543 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) { 544 BUGPRINT("target size too small\n"); 545 return -EINVAL; 546 } 547 (*cnt)++; 548 (*totalcnt)++; 549 return 0; 550} 551 552struct ebt_cl_stack 553{ 554 struct ebt_chainstack cs; 555 int from; 556 unsigned int hookmask; 557}; 558 559/* 560 * we need these positions to check that the jumps to a different part of the 561 * entries is a jump to the beginning of a new chain. 562 */ 563static inline int 564ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo, 565 unsigned int *n, struct ebt_cl_stack *udc) 566{ 567 int i; 568 569 /* we're only interested in chain starts */ 570 if (e->bitmask) 571 return 0; 572 for (i = 0; i < NF_BR_NUMHOOKS; i++) { 573 if (newinfo->hook_entry[i] == (struct ebt_entries *)e) 574 break; 575 } 576 /* only care about udc */ 577 if (i != NF_BR_NUMHOOKS) 578 return 0; 579 580 udc[*n].cs.chaininfo = (struct ebt_entries *)e; 581 /* these initialisations are depended on later in check_chainloops() */ 582 udc[*n].cs.n = 0; 583 udc[*n].hookmask = 0; 584 585 (*n)++; 586 return 0; 587} 588 589static inline int 590ebt_cleanup_match(struct ebt_entry_match *m, struct net *net, unsigned int *i) 591{ 592 struct xt_mtdtor_param par; 593 594 if (i && (*i)-- == 0) 595 return 1; 596 597 par.net = net; 598 par.match = m->u.match; 599 par.matchinfo = m->data; 600 par.family = NFPROTO_BRIDGE; 601 if (par.match->destroy != NULL) 602 par.match->destroy(&par); 603 module_put(par.match->me); 604 return 0; 605} 606 607static inline int 608ebt_cleanup_watcher(struct ebt_entry_watcher *w, struct net *net, unsigned int *i) 609{ 610 struct xt_tgdtor_param par; 611 612 if (i && (*i)-- == 0) 613 return 1; 614 615 par.net = net; 616 par.target = w->u.watcher; 617 par.targinfo = w->data; 618 par.family = NFPROTO_BRIDGE; 619 if (par.target->destroy != NULL) 620 par.target->destroy(&par); 621 module_put(par.target->me); 622 return 0; 623} 624 625static inline int 626ebt_cleanup_entry(struct ebt_entry *e, struct net *net, unsigned int *cnt) 627{ 628 struct xt_tgdtor_param par; 629 struct ebt_entry_target *t; 630 631 if (e->bitmask == 0) 632 return 0; 633 /* we're done */ 634 if (cnt && (*cnt)-- == 0) 635 return 1; 636 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, NULL); 637 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, NULL); 638 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset); 639 640 par.net = net; 641 par.target = t->u.target; 642 par.targinfo = t->data; 643 par.family = NFPROTO_BRIDGE; 644 if (par.target->destroy != NULL) 645 par.target->destroy(&par); 646 module_put(par.target->me); 647 return 0; 648} 649 650static inline int 651ebt_check_entry(struct ebt_entry *e, struct net *net, 652 const struct ebt_table_info *newinfo, 653 const char *name, unsigned int *cnt, 654 struct ebt_cl_stack *cl_s, unsigned int udc_cnt) 655{ 656 struct ebt_entry_target *t; 657 struct xt_target *target; 658 unsigned int i, j, hook = 0, hookmask = 0; 659 size_t gap; 660 int ret; 661 struct xt_mtchk_param mtpar; 662 struct xt_tgchk_param tgpar; 663 664 /* don't mess with the struct ebt_entries */ 665 if (e->bitmask == 0) 666 return 0; 667 668 if (e->bitmask & ~EBT_F_MASK) { 669 BUGPRINT("Unknown flag for bitmask\n"); 670 return -EINVAL; 671 } 672 if (e->invflags & ~EBT_INV_MASK) { 673 BUGPRINT("Unknown flag for inv bitmask\n"); 674 return -EINVAL; 675 } 676 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) { 677 BUGPRINT("NOPROTO & 802_3 not allowed\n"); 678 return -EINVAL; 679 } 680 /* what hook do we belong to? */ 681 for (i = 0; i < NF_BR_NUMHOOKS; i++) { 682 if (!newinfo->hook_entry[i]) 683 continue; 684 if ((char *)newinfo->hook_entry[i] < (char *)e) 685 hook = i; 686 else 687 break; 688 } 689 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on 690 a base chain */ 691 if (i < NF_BR_NUMHOOKS) 692 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS); 693 else { 694 for (i = 0; i < udc_cnt; i++) 695 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e) 696 break; 697 if (i == 0) 698 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS); 699 else 700 hookmask = cl_s[i - 1].hookmask; 701 } 702 i = 0; 703 704 mtpar.net = tgpar.net = net; 705 mtpar.table = tgpar.table = name; 706 mtpar.entryinfo = tgpar.entryinfo = e; 707 mtpar.hook_mask = tgpar.hook_mask = hookmask; 708 mtpar.family = tgpar.family = NFPROTO_BRIDGE; 709 ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i); 710 if (ret != 0) 711 goto cleanup_matches; 712 j = 0; 713 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j); 714 if (ret != 0) 715 goto cleanup_watchers; 716 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset); 717 gap = e->next_offset - e->target_offset; 718 719 target = try_then_request_module( 720 xt_find_target(NFPROTO_BRIDGE, t->u.name, 0), 721 "ebt_%s", t->u.name); 722 if (IS_ERR(target)) { 723 ret = PTR_ERR(target); 724 goto cleanup_watchers; 725 } else if (target == NULL) { 726 ret = -ENOENT; 727 goto cleanup_watchers; 728 } 729 730 t->u.target = target; 731 if (t->u.target == &ebt_standard_target) { 732 if (gap < sizeof(struct ebt_standard_target)) { 733 BUGPRINT("Standard target size too big\n"); 734 ret = -EFAULT; 735 goto cleanup_watchers; 736 } 737 if (((struct ebt_standard_target *)t)->verdict < 738 -NUM_STANDARD_TARGETS) { 739 BUGPRINT("Invalid standard target\n"); 740 ret = -EFAULT; 741 goto cleanup_watchers; 742 } 743 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) { 744 module_put(t->u.target->me); 745 ret = -EFAULT; 746 goto cleanup_watchers; 747 } 748 749 tgpar.target = target; 750 tgpar.targinfo = t->data; 751 ret = xt_check_target(&tgpar, t->target_size, 752 e->ethproto, e->invflags & EBT_IPROTO); 753 if (ret < 0) { 754 module_put(target->me); 755 goto cleanup_watchers; 756 } 757 (*cnt)++; 758 return 0; 759cleanup_watchers: 760 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, &j); 761cleanup_matches: 762 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, &i); 763 return ret; 764} 765 766/* 767 * checks for loops and sets the hook mask for udc 768 * the hook mask for udc tells us from which base chains the udc can be 769 * accessed. This mask is a parameter to the check() functions of the extensions 770 */ 771static int check_chainloops(const struct ebt_entries *chain, struct ebt_cl_stack *cl_s, 772 unsigned int udc_cnt, unsigned int hooknr, char *base) 773{ 774 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict; 775 const struct ebt_entry *e = (struct ebt_entry *)chain->data; 776 const struct ebt_entry_target *t; 777 778 while (pos < nentries || chain_nr != -1) { 779 /* end of udc, go back one 'recursion' step */ 780 if (pos == nentries) { 781 /* put back values of the time when this chain was called */ 782 e = cl_s[chain_nr].cs.e; 783 if (cl_s[chain_nr].from != -1) 784 nentries = 785 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries; 786 else 787 nentries = chain->nentries; 788 pos = cl_s[chain_nr].cs.n; 789 /* make sure we won't see a loop that isn't one */ 790 cl_s[chain_nr].cs.n = 0; 791 chain_nr = cl_s[chain_nr].from; 792 if (pos == nentries) 793 continue; 794 } 795 t = (struct ebt_entry_target *) 796 (((char *)e) + e->target_offset); 797 if (strcmp(t->u.name, EBT_STANDARD_TARGET)) 798 goto letscontinue; 799 if (e->target_offset + sizeof(struct ebt_standard_target) > 800 e->next_offset) { 801 BUGPRINT("Standard target size too big\n"); 802 return -1; 803 } 804 verdict = ((struct ebt_standard_target *)t)->verdict; 805 if (verdict >= 0) { /* jump to another chain */ 806 struct ebt_entries *hlp2 = 807 (struct ebt_entries *)(base + verdict); 808 for (i = 0; i < udc_cnt; i++) 809 if (hlp2 == cl_s[i].cs.chaininfo) 810 break; 811 /* bad destination or loop */ 812 if (i == udc_cnt) { 813 BUGPRINT("bad destination\n"); 814 return -1; 815 } 816 if (cl_s[i].cs.n) { 817 BUGPRINT("loop\n"); 818 return -1; 819 } 820 if (cl_s[i].hookmask & (1 << hooknr)) 821 goto letscontinue; 822 /* this can't be 0, so the loop test is correct */ 823 cl_s[i].cs.n = pos + 1; 824 pos = 0; 825 cl_s[i].cs.e = ebt_next_entry(e); 826 e = (struct ebt_entry *)(hlp2->data); 827 nentries = hlp2->nentries; 828 cl_s[i].from = chain_nr; 829 chain_nr = i; 830 /* this udc is accessible from the base chain for hooknr */ 831 cl_s[i].hookmask |= (1 << hooknr); 832 continue; 833 } 834letscontinue: 835 e = ebt_next_entry(e); 836 pos++; 837 } 838 return 0; 839} 840 841/* do the parsing of the table/chains/entries/matches/watchers/targets, heh */ 842static int translate_table(struct net *net, const char *name, 843 struct ebt_table_info *newinfo) 844{ 845 unsigned int i, j, k, udc_cnt; 846 int ret; 847 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */ 848 849 i = 0; 850 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i]) 851 i++; 852 if (i == NF_BR_NUMHOOKS) { 853 BUGPRINT("No valid hooks specified\n"); 854 return -EINVAL; 855 } 856 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) { 857 BUGPRINT("Chains don't start at beginning\n"); 858 return -EINVAL; 859 } 860 /* make sure chains are ordered after each other in same order 861 as their corresponding hooks */ 862 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) { 863 if (!newinfo->hook_entry[j]) 864 continue; 865 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) { 866 BUGPRINT("Hook order must be followed\n"); 867 return -EINVAL; 868 } 869 i = j; 870 } 871 872 /* do some early checkings and initialize some things */ 873 i = 0; /* holds the expected nr. of entries for the chain */ 874 j = 0; /* holds the up to now counted entries for the chain */ 875 k = 0; /* holds the total nr. of entries, should equal 876 newinfo->nentries afterwards */ 877 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */ 878 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size, 879 ebt_check_entry_size_and_hooks, newinfo, 880 &i, &j, &k, &udc_cnt); 881 882 if (ret != 0) 883 return ret; 884 885 if (i != j) { 886 BUGPRINT("nentries does not equal the nr of entries in the " 887 "(last) chain\n"); 888 return -EINVAL; 889 } 890 if (k != newinfo->nentries) { 891 BUGPRINT("Total nentries is wrong\n"); 892 return -EINVAL; 893 } 894 895 /* get the location of the udc, put them in an array 896 while we're at it, allocate the chainstack */ 897 if (udc_cnt) { 898 /* this will get free'd in do_replace()/ebt_register_table() 899 if an error occurs */ 900 newinfo->chainstack = 901 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack))); 902 if (!newinfo->chainstack) 903 return -ENOMEM; 904 for_each_possible_cpu(i) { 905 newinfo->chainstack[i] = 906 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0]))); 907 if (!newinfo->chainstack[i]) { 908 while (i) 909 vfree(newinfo->chainstack[--i]); 910 vfree(newinfo->chainstack); 911 newinfo->chainstack = NULL; 912 return -ENOMEM; 913 } 914 } 915 916 cl_s = vmalloc(udc_cnt * sizeof(*cl_s)); 917 if (!cl_s) 918 return -ENOMEM; 919 i = 0; /* the i'th udc */ 920 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size, 921 ebt_get_udc_positions, newinfo, &i, cl_s); 922 /* sanity check */ 923 if (i != udc_cnt) { 924 BUGPRINT("i != udc_cnt\n"); 925 vfree(cl_s); 926 return -EFAULT; 927 } 928 } 929 930 /* Check for loops */ 931 for (i = 0; i < NF_BR_NUMHOOKS; i++) 932 if (newinfo->hook_entry[i]) 933 if (check_chainloops(newinfo->hook_entry[i], 934 cl_s, udc_cnt, i, newinfo->entries)) { 935 vfree(cl_s); 936 return -EINVAL; 937 } 938 939 /* we now know the following (along with E=mc²): 940 - the nr of entries in each chain is right 941 - the size of the allocated space is right 942 - all valid hooks have a corresponding chain 943 - there are no loops 944 - wrong data can still be on the level of a single entry 945 - could be there are jumps to places that are not the 946 beginning of a chain. This can only occur in chains that 947 are not accessible from any base chains, so we don't care. */ 948 949 /* used to know what we need to clean up if something goes wrong */ 950 i = 0; 951 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size, 952 ebt_check_entry, net, newinfo, name, &i, cl_s, udc_cnt); 953 if (ret != 0) { 954 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size, 955 ebt_cleanup_entry, net, &i); 956 } 957 vfree(cl_s); 958 return ret; 959} 960 961/* called under write_lock */ 962static void get_counters(const struct ebt_counter *oldcounters, 963 struct ebt_counter *counters, unsigned int nentries) 964{ 965 int i, cpu; 966 struct ebt_counter *counter_base; 967 968 /* counters of cpu 0 */ 969 memcpy(counters, oldcounters, 970 sizeof(struct ebt_counter) * nentries); 971 972 /* add other counters to those of cpu 0 */ 973 for_each_possible_cpu(cpu) { 974 if (cpu == 0) 975 continue; 976 counter_base = COUNTER_BASE(oldcounters, nentries, cpu); 977 for (i = 0; i < nentries; i++) { 978 counters[i].pcnt += counter_base[i].pcnt; 979 counters[i].bcnt += counter_base[i].bcnt; 980 } 981 } 982} 983 984static int do_replace_finish(struct net *net, struct ebt_replace *repl, 985 struct ebt_table_info *newinfo) 986{ 987 int ret, i; 988 struct ebt_counter *counterstmp = NULL; 989 /* used to be able to unlock earlier */ 990 struct ebt_table_info *table; 991 struct ebt_table *t; 992 993 /* the user wants counters back 994 the check on the size is done later, when we have the lock */ 995 if (repl->num_counters) { 996 unsigned long size = repl->num_counters * sizeof(*counterstmp); 997 counterstmp = vmalloc(size); 998 if (!counterstmp) 999 return -ENOMEM; 1000 } 1001 1002 newinfo->chainstack = NULL; 1003 ret = ebt_verify_pointers(repl, newinfo); 1004 if (ret != 0) 1005 goto free_counterstmp; 1006 1007 ret = translate_table(net, repl->name, newinfo); 1008 1009 if (ret != 0) 1010 goto free_counterstmp; 1011 1012 t = find_table_lock(net, repl->name, &ret, &ebt_mutex); 1013 if (!t) { 1014 ret = -ENOENT; 1015 goto free_iterate; 1016 } 1017 1018 /* the table doesn't like it */ 1019 if (t->check && (ret = t->check(newinfo, repl->valid_hooks))) 1020 goto free_unlock; 1021 1022 if (repl->num_counters && repl->num_counters != t->private->nentries) { 1023 BUGPRINT("Wrong nr. of counters requested\n"); 1024 ret = -EINVAL; 1025 goto free_unlock; 1026 } 1027 1028 /* we have the mutex lock, so no danger in reading this pointer */ 1029 table = t->private; 1030 /* make sure the table can only be rmmod'ed if it contains no rules */ 1031 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) { 1032 ret = -ENOENT; 1033 goto free_unlock; 1034 } else if (table->nentries && !newinfo->nentries) 1035 module_put(t->me); 1036 /* we need an atomic snapshot of the counters */ 1037 write_lock_bh(&t->lock); 1038 if (repl->num_counters) 1039 get_counters(t->private->counters, counterstmp, 1040 t->private->nentries); 1041 1042 t->private = newinfo; 1043 write_unlock_bh(&t->lock); 1044 mutex_unlock(&ebt_mutex); 1045 /* so, a user can change the chains while having messed up her counter 1046 allocation. Only reason why this is done is because this way the lock 1047 is held only once, while this doesn't bring the kernel into a 1048 dangerous state. */ 1049 if (repl->num_counters && 1050 copy_to_user(repl->counters, counterstmp, 1051 repl->num_counters * sizeof(struct ebt_counter))) { 1052 ret = -EFAULT; 1053 } 1054 else 1055 ret = 0; 1056 1057 /* decrease module count and free resources */ 1058 EBT_ENTRY_ITERATE(table->entries, table->entries_size, 1059 ebt_cleanup_entry, net, NULL); 1060 1061 vfree(table->entries); 1062 if (table->chainstack) { 1063 for_each_possible_cpu(i) 1064 vfree(table->chainstack[i]); 1065 vfree(table->chainstack); 1066 } 1067 vfree(table); 1068 1069 vfree(counterstmp); 1070 return ret; 1071 1072free_unlock: 1073 mutex_unlock(&ebt_mutex); 1074free_iterate: 1075 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size, 1076 ebt_cleanup_entry, net, NULL); 1077free_counterstmp: 1078 vfree(counterstmp); 1079 /* can be initialized in translate_table() */ 1080 if (newinfo->chainstack) { 1081 for_each_possible_cpu(i) 1082 vfree(newinfo->chainstack[i]); 1083 vfree(newinfo->chainstack); 1084 } 1085 return ret; 1086} 1087 1088/* replace the table */ 1089static int do_replace(struct net *net, const void __user *user, 1090 unsigned int len) 1091{ 1092 int ret, countersize; 1093 struct ebt_table_info *newinfo; 1094 struct ebt_replace tmp; 1095 1096 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0) 1097 return -EFAULT; 1098 1099 if (len != sizeof(tmp) + tmp.entries_size) { 1100 BUGPRINT("Wrong len argument\n"); 1101 return -EINVAL; 1102 } 1103 1104 if (tmp.entries_size == 0) { 1105 BUGPRINT("Entries_size never zero\n"); 1106 return -EINVAL; 1107 } 1108 /* overflow check */ 1109 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / 1110 NR_CPUS - SMP_CACHE_BYTES) / sizeof(struct ebt_counter)) 1111 return -ENOMEM; 1112 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter)) 1113 return -ENOMEM; 1114 1115 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids; 1116 newinfo = vmalloc(sizeof(*newinfo) + countersize); 1117 if (!newinfo) 1118 return -ENOMEM; 1119 1120 if (countersize) 1121 memset(newinfo->counters, 0, countersize); 1122 1123 newinfo->entries = vmalloc(tmp.entries_size); 1124 if (!newinfo->entries) { 1125 ret = -ENOMEM; 1126 goto free_newinfo; 1127 } 1128 if (copy_from_user( 1129 newinfo->entries, tmp.entries, tmp.entries_size) != 0) { 1130 BUGPRINT("Couldn't copy entries from userspace\n"); 1131 ret = -EFAULT; 1132 goto free_entries; 1133 } 1134 1135 ret = do_replace_finish(net, &tmp, newinfo); 1136 if (ret == 0) 1137 return ret; 1138free_entries: 1139 vfree(newinfo->entries); 1140free_newinfo: 1141 vfree(newinfo); 1142 return ret; 1143} 1144 1145struct ebt_table * 1146ebt_register_table(struct net *net, const struct ebt_table *input_table) 1147{ 1148 struct ebt_table_info *newinfo; 1149 struct ebt_table *t, *table; 1150 struct ebt_replace_kernel *repl; 1151 int ret, i, countersize; 1152 void *p; 1153 1154 if (input_table == NULL || (repl = input_table->table) == NULL || 1155 repl->entries == 0 || repl->entries_size == 0 || 1156 repl->counters != NULL || input_table->private != NULL) { 1157 BUGPRINT("Bad table data for ebt_register_table!!!\n"); 1158 return ERR_PTR(-EINVAL); 1159 } 1160 1161 /* Don't add one table to multiple lists. */ 1162 table = kmemdup(input_table, sizeof(struct ebt_table), GFP_KERNEL); 1163 if (!table) { 1164 ret = -ENOMEM; 1165 goto out; 1166 } 1167 1168 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids; 1169 newinfo = vmalloc(sizeof(*newinfo) + countersize); 1170 ret = -ENOMEM; 1171 if (!newinfo) 1172 goto free_table; 1173 1174 p = vmalloc(repl->entries_size); 1175 if (!p) 1176 goto free_newinfo; 1177 1178 memcpy(p, repl->entries, repl->entries_size); 1179 newinfo->entries = p; 1180 1181 newinfo->entries_size = repl->entries_size; 1182 newinfo->nentries = repl->nentries; 1183 1184 if (countersize) 1185 memset(newinfo->counters, 0, countersize); 1186 1187 /* fill in newinfo and parse the entries */ 1188 newinfo->chainstack = NULL; 1189 for (i = 0; i < NF_BR_NUMHOOKS; i++) { 1190 if ((repl->valid_hooks & (1 << i)) == 0) 1191 newinfo->hook_entry[i] = NULL; 1192 else 1193 newinfo->hook_entry[i] = p + 1194 ((char *)repl->hook_entry[i] - repl->entries); 1195 } 1196 ret = translate_table(net, repl->name, newinfo); 1197 if (ret != 0) { 1198 BUGPRINT("Translate_table failed\n"); 1199 goto free_chainstack; 1200 } 1201 1202 if (table->check && table->check(newinfo, table->valid_hooks)) { 1203 BUGPRINT("The table doesn't like its own initial data, lol\n"); 1204 return ERR_PTR(-EINVAL); 1205 } 1206 1207 table->private = newinfo; 1208 rwlock_init(&table->lock); 1209 ret = mutex_lock_interruptible(&ebt_mutex); 1210 if (ret != 0) 1211 goto free_chainstack; 1212 1213 list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) { 1214 if (strcmp(t->name, table->name) == 0) { 1215 ret = -EEXIST; 1216 BUGPRINT("Table name already exists\n"); 1217 goto free_unlock; 1218 } 1219 } 1220 1221 /* Hold a reference count if the chains aren't empty */ 1222 if (newinfo->nentries && !try_module_get(table->me)) { 1223 ret = -ENOENT; 1224 goto free_unlock; 1225 } 1226 list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]); 1227 mutex_unlock(&ebt_mutex); 1228 return table; 1229free_unlock: 1230 mutex_unlock(&ebt_mutex); 1231free_chainstack: 1232 if (newinfo->chainstack) { 1233 for_each_possible_cpu(i) 1234 vfree(newinfo->chainstack[i]); 1235 vfree(newinfo->chainstack); 1236 } 1237 vfree(newinfo->entries); 1238free_newinfo: 1239 vfree(newinfo); 1240free_table: 1241 kfree(table); 1242out: 1243 return ERR_PTR(ret); 1244} 1245 1246void ebt_unregister_table(struct net *net, struct ebt_table *table) 1247{ 1248 int i; 1249 1250 if (!table) { 1251 BUGPRINT("Request to unregister NULL table!!!\n"); 1252 return; 1253 } 1254 mutex_lock(&ebt_mutex); 1255 list_del(&table->list); 1256 mutex_unlock(&ebt_mutex); 1257 EBT_ENTRY_ITERATE(table->private->entries, table->private->entries_size, 1258 ebt_cleanup_entry, net, NULL); 1259 if (table->private->nentries) 1260 module_put(table->me); 1261 vfree(table->private->entries); 1262 if (table->private->chainstack) { 1263 for_each_possible_cpu(i) 1264 vfree(table->private->chainstack[i]); 1265 vfree(table->private->chainstack); 1266 } 1267 vfree(table->private); 1268 kfree(table); 1269} 1270 1271/* userspace just supplied us with counters */ 1272static int do_update_counters(struct net *net, const char *name, 1273 struct ebt_counter __user *counters, 1274 unsigned int num_counters, 1275 const void __user *user, unsigned int len) 1276{ 1277 int i, ret; 1278 struct ebt_counter *tmp; 1279 struct ebt_table *t; 1280 1281 if (num_counters == 0) 1282 return -EINVAL; 1283 1284 tmp = vmalloc(num_counters * sizeof(*tmp)); 1285 if (!tmp) 1286 return -ENOMEM; 1287 1288 t = find_table_lock(net, name, &ret, &ebt_mutex); 1289 if (!t) 1290 goto free_tmp; 1291 1292 if (num_counters != t->private->nentries) { 1293 BUGPRINT("Wrong nr of counters\n"); 1294 ret = -EINVAL; 1295 goto unlock_mutex; 1296 } 1297 1298 if (copy_from_user(tmp, counters, num_counters * sizeof(*counters))) { 1299 ret = -EFAULT; 1300 goto unlock_mutex; 1301 } 1302 1303 /* we want an atomic add of the counters */ 1304 write_lock_bh(&t->lock); 1305 1306 /* we add to the counters of the first cpu */ 1307 for (i = 0; i < num_counters; i++) { 1308 t->private->counters[i].pcnt += tmp[i].pcnt; 1309 t->private->counters[i].bcnt += tmp[i].bcnt; 1310 } 1311 1312 write_unlock_bh(&t->lock); 1313 ret = 0; 1314unlock_mutex: 1315 mutex_unlock(&ebt_mutex); 1316free_tmp: 1317 vfree(tmp); 1318 return ret; 1319} 1320 1321static int update_counters(struct net *net, const void __user *user, 1322 unsigned int len) 1323{ 1324 struct ebt_replace hlp; 1325 1326 if (copy_from_user(&hlp, user, sizeof(hlp))) 1327 return -EFAULT; 1328 1329 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter)) 1330 return -EINVAL; 1331 1332 return do_update_counters(net, hlp.name, hlp.counters, 1333 hlp.num_counters, user, len); 1334} 1335 1336static inline int ebt_make_matchname(const struct ebt_entry_match *m, 1337 const char *base, char __user *ubase) 1338{ 1339 char __user *hlp = ubase + ((char *)m - base); 1340 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN)) 1341 return -EFAULT; 1342 return 0; 1343} 1344 1345static inline int ebt_make_watchername(const struct ebt_entry_watcher *w, 1346 const char *base, char __user *ubase) 1347{ 1348 char __user *hlp = ubase + ((char *)w - base); 1349 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN)) 1350 return -EFAULT; 1351 return 0; 1352} 1353 1354static inline int 1355ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase) 1356{ 1357 int ret; 1358 char __user *hlp; 1359 const struct ebt_entry_target *t; 1360 1361 if (e->bitmask == 0) 1362 return 0; 1363 1364 hlp = ubase + (((char *)e + e->target_offset) - base); 1365 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset); 1366 1367 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase); 1368 if (ret != 0) 1369 return ret; 1370 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase); 1371 if (ret != 0) 1372 return ret; 1373 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN)) 1374 return -EFAULT; 1375 return 0; 1376} 1377 1378static int copy_counters_to_user(struct ebt_table *t, 1379 const struct ebt_counter *oldcounters, 1380 void __user *user, unsigned int num_counters, 1381 unsigned int nentries) 1382{ 1383 struct ebt_counter *counterstmp; 1384 int ret = 0; 1385 1386 /* userspace might not need the counters */ 1387 if (num_counters == 0) 1388 return 0; 1389 1390 if (num_counters != nentries) { 1391 BUGPRINT("Num_counters wrong\n"); 1392 return -EINVAL; 1393 } 1394 1395 counterstmp = vmalloc(nentries * sizeof(*counterstmp)); 1396 if (!counterstmp) 1397 return -ENOMEM; 1398 1399 write_lock_bh(&t->lock); 1400 get_counters(oldcounters, counterstmp, nentries); 1401 write_unlock_bh(&t->lock); 1402 1403 if (copy_to_user(user, counterstmp, 1404 nentries * sizeof(struct ebt_counter))) 1405 ret = -EFAULT; 1406 vfree(counterstmp); 1407 return ret; 1408} 1409 1410/* called with ebt_mutex locked */ 1411static int copy_everything_to_user(struct ebt_table *t, void __user *user, 1412 const int *len, int cmd) 1413{ 1414 struct ebt_replace tmp; 1415 const struct ebt_counter *oldcounters; 1416 unsigned int entries_size, nentries; 1417 int ret; 1418 char *entries; 1419 1420 if (cmd == EBT_SO_GET_ENTRIES) { 1421 entries_size = t->private->entries_size; 1422 nentries = t->private->nentries; 1423 entries = t->private->entries; 1424 oldcounters = t->private->counters; 1425 } else { 1426 entries_size = t->table->entries_size; 1427 nentries = t->table->nentries; 1428 entries = t->table->entries; 1429 oldcounters = t->table->counters; 1430 } 1431 1432 if (copy_from_user(&tmp, user, sizeof(tmp))) 1433 return -EFAULT; 1434 1435 if (*len != sizeof(struct ebt_replace) + entries_size + 1436 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0)) 1437 return -EINVAL; 1438 1439 if (tmp.nentries != nentries) { 1440 BUGPRINT("Nentries wrong\n"); 1441 return -EINVAL; 1442 } 1443 1444 if (tmp.entries_size != entries_size) { 1445 BUGPRINT("Wrong size\n"); 1446 return -EINVAL; 1447 } 1448 1449 ret = copy_counters_to_user(t, oldcounters, tmp.counters, 1450 tmp.num_counters, nentries); 1451 if (ret) 1452 return ret; 1453 1454 if (copy_to_user(tmp.entries, entries, entries_size)) { 1455 BUGPRINT("Couldn't copy entries to userspace\n"); 1456 return -EFAULT; 1457 } 1458 /* set the match/watcher/target names right */ 1459 return EBT_ENTRY_ITERATE(entries, entries_size, 1460 ebt_make_names, entries, tmp.entries); 1461} 1462 1463static int do_ebt_set_ctl(struct sock *sk, 1464 int cmd, void __user *user, unsigned int len) 1465{ 1466 int ret; 1467 1468 if (!capable(CAP_NET_ADMIN)) 1469 return -EPERM; 1470 1471 switch(cmd) { 1472 case EBT_SO_SET_ENTRIES: 1473 ret = do_replace(sock_net(sk), user, len); 1474 break; 1475 case EBT_SO_SET_COUNTERS: 1476 ret = update_counters(sock_net(sk), user, len); 1477 break; 1478 default: 1479 ret = -EINVAL; 1480 } 1481 return ret; 1482} 1483 1484static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) 1485{ 1486 int ret; 1487 struct ebt_replace tmp; 1488 struct ebt_table *t; 1489 1490 if (!capable(CAP_NET_ADMIN)) 1491 return -EPERM; 1492 1493 if (copy_from_user(&tmp, user, sizeof(tmp))) 1494 return -EFAULT; 1495 1496 t = find_table_lock(sock_net(sk), tmp.name, &ret, &ebt_mutex); 1497 if (!t) 1498 return ret; 1499 1500 switch(cmd) { 1501 case EBT_SO_GET_INFO: 1502 case EBT_SO_GET_INIT_INFO: 1503 if (*len != sizeof(struct ebt_replace)){ 1504 ret = -EINVAL; 1505 mutex_unlock(&ebt_mutex); 1506 break; 1507 } 1508 if (cmd == EBT_SO_GET_INFO) { 1509 tmp.nentries = t->private->nentries; 1510 tmp.entries_size = t->private->entries_size; 1511 tmp.valid_hooks = t->valid_hooks; 1512 } else { 1513 tmp.nentries = t->table->nentries; 1514 tmp.entries_size = t->table->entries_size; 1515 tmp.valid_hooks = t->table->valid_hooks; 1516 } 1517 mutex_unlock(&ebt_mutex); 1518 if (copy_to_user(user, &tmp, *len) != 0){ 1519 BUGPRINT("c2u Didn't work\n"); 1520 ret = -EFAULT; 1521 break; 1522 } 1523 ret = 0; 1524 break; 1525 1526 case EBT_SO_GET_ENTRIES: 1527 case EBT_SO_GET_INIT_ENTRIES: 1528 ret = copy_everything_to_user(t, user, len, cmd); 1529 mutex_unlock(&ebt_mutex); 1530 break; 1531 1532 default: 1533 mutex_unlock(&ebt_mutex); 1534 ret = -EINVAL; 1535 } 1536 1537 return ret; 1538} 1539 1540#ifdef CONFIG_COMPAT 1541/* 32 bit-userspace compatibility definitions. */ 1542struct compat_ebt_replace { 1543 char name[EBT_TABLE_MAXNAMELEN]; 1544 compat_uint_t valid_hooks; 1545 compat_uint_t nentries; 1546 compat_uint_t entries_size; 1547 /* start of the chains */ 1548 compat_uptr_t hook_entry[NF_BR_NUMHOOKS]; 1549 /* nr of counters userspace expects back */ 1550 compat_uint_t num_counters; 1551 /* where the kernel will put the old counters. */ 1552 compat_uptr_t counters; 1553 compat_uptr_t entries; 1554}; 1555 1556/* struct ebt_entry_match, _target and _watcher have same layout */ 1557struct compat_ebt_entry_mwt { 1558 union { 1559 char name[EBT_FUNCTION_MAXNAMELEN]; 1560 compat_uptr_t ptr; 1561 } u; 1562 compat_uint_t match_size; 1563 compat_uint_t data[0]; 1564}; 1565 1566/* account for possible padding between match_size and ->data */ 1567static int ebt_compat_entry_padsize(void) 1568{ 1569 BUILD_BUG_ON(XT_ALIGN(sizeof(struct ebt_entry_match)) < 1570 COMPAT_XT_ALIGN(sizeof(struct compat_ebt_entry_mwt))); 1571 return (int) XT_ALIGN(sizeof(struct ebt_entry_match)) - 1572 COMPAT_XT_ALIGN(sizeof(struct compat_ebt_entry_mwt)); 1573} 1574 1575static int ebt_compat_match_offset(const struct xt_match *match, 1576 unsigned int userlen) 1577{ 1578 /* 1579 * ebt_among needs special handling. The kernel .matchsize is 1580 * set to -1 at registration time; at runtime an EBT_ALIGN()ed 1581 * value is expected. 1582 * Example: userspace sends 4500, ebt_among.c wants 4504. 1583 */ 1584 if (unlikely(match->matchsize == -1)) 1585 return XT_ALIGN(userlen) - COMPAT_XT_ALIGN(userlen); 1586 return xt_compat_match_offset(match); 1587} 1588 1589static int compat_match_to_user(struct ebt_entry_match *m, void __user **dstptr, 1590 unsigned int *size) 1591{ 1592 const struct xt_match *match = m->u.match; 1593 struct compat_ebt_entry_mwt __user *cm = *dstptr; 1594 int off = ebt_compat_match_offset(match, m->match_size); 1595 compat_uint_t msize = m->match_size - off; 1596 1597 BUG_ON(off >= m->match_size); 1598 1599 if (copy_to_user(cm->u.name, match->name, 1600 strlen(match->name) + 1) || put_user(msize, &cm->match_size)) 1601 return -EFAULT; 1602 1603 if (match->compat_to_user) { 1604 if (match->compat_to_user(cm->data, m->data)) 1605 return -EFAULT; 1606 } else if (copy_to_user(cm->data, m->data, msize)) 1607 return -EFAULT; 1608 1609 *size -= ebt_compat_entry_padsize() + off; 1610 *dstptr = cm->data; 1611 *dstptr += msize; 1612 return 0; 1613} 1614 1615static int compat_target_to_user(struct ebt_entry_target *t, 1616 void __user **dstptr, 1617 unsigned int *size) 1618{ 1619 const struct xt_target *target = t->u.target; 1620 struct compat_ebt_entry_mwt __user *cm = *dstptr; 1621 int off = xt_compat_target_offset(target); 1622 compat_uint_t tsize = t->target_size - off; 1623 1624 BUG_ON(off >= t->target_size); 1625 1626 if (copy_to_user(cm->u.name, target->name, 1627 strlen(target->name) + 1) || put_user(tsize, &cm->match_size)) 1628 return -EFAULT; 1629 1630 if (target->compat_to_user) { 1631 if (target->compat_to_user(cm->data, t->data)) 1632 return -EFAULT; 1633 } else if (copy_to_user(cm->data, t->data, tsize)) 1634 return -EFAULT; 1635 1636 *size -= ebt_compat_entry_padsize() + off; 1637 *dstptr = cm->data; 1638 *dstptr += tsize; 1639 return 0; 1640} 1641 1642static int compat_watcher_to_user(struct ebt_entry_watcher *w, 1643 void __user **dstptr, 1644 unsigned int *size) 1645{ 1646 return compat_target_to_user((struct ebt_entry_target *)w, 1647 dstptr, size); 1648} 1649 1650static int compat_copy_entry_to_user(struct ebt_entry *e, void __user **dstptr, 1651 unsigned int *size) 1652{ 1653 struct ebt_entry_target *t; 1654 struct ebt_entry __user *ce; 1655 u32 watchers_offset, target_offset, next_offset; 1656 compat_uint_t origsize; 1657 int ret; 1658 1659 if (e->bitmask == 0) { 1660 if (*size < sizeof(struct ebt_entries)) 1661 return -EINVAL; 1662 if (copy_to_user(*dstptr, e, sizeof(struct ebt_entries))) 1663 return -EFAULT; 1664 1665 *dstptr += sizeof(struct ebt_entries); 1666 *size -= sizeof(struct ebt_entries); 1667 return 0; 1668 } 1669 1670 if (*size < sizeof(*ce)) 1671 return -EINVAL; 1672 1673 ce = (struct ebt_entry __user *)*dstptr; 1674 if (copy_to_user(ce, e, sizeof(*ce))) 1675 return -EFAULT; 1676 1677 origsize = *size; 1678 *dstptr += sizeof(*ce); 1679 1680 ret = EBT_MATCH_ITERATE(e, compat_match_to_user, dstptr, size); 1681 if (ret) 1682 return ret; 1683 watchers_offset = e->watchers_offset - (origsize - *size); 1684 1685 ret = EBT_WATCHER_ITERATE(e, compat_watcher_to_user, dstptr, size); 1686 if (ret) 1687 return ret; 1688 target_offset = e->target_offset - (origsize - *size); 1689 1690 t = (struct ebt_entry_target *) ((char *) e + e->target_offset); 1691 1692 ret = compat_target_to_user(t, dstptr, size); 1693 if (ret) 1694 return ret; 1695 next_offset = e->next_offset - (origsize - *size); 1696 1697 if (put_user(watchers_offset, &ce->watchers_offset) || 1698 put_user(target_offset, &ce->target_offset) || 1699 put_user(next_offset, &ce->next_offset)) 1700 return -EFAULT; 1701 1702 *size -= sizeof(*ce); 1703 return 0; 1704} 1705 1706static int compat_calc_match(struct ebt_entry_match *m, int *off) 1707{ 1708 *off += ebt_compat_match_offset(m->u.match, m->match_size); 1709 *off += ebt_compat_entry_padsize(); 1710 return 0; 1711} 1712 1713static int compat_calc_watcher(struct ebt_entry_watcher *w, int *off) 1714{ 1715 *off += xt_compat_target_offset(w->u.watcher); 1716 *off += ebt_compat_entry_padsize(); 1717 return 0; 1718} 1719 1720static int compat_calc_entry(const struct ebt_entry *e, 1721 const struct ebt_table_info *info, 1722 const void *base, 1723 struct compat_ebt_replace *newinfo) 1724{ 1725 const struct ebt_entry_target *t; 1726 unsigned int entry_offset; 1727 int off, ret, i; 1728 1729 if (e->bitmask == 0) 1730 return 0; 1731 1732 off = 0; 1733 entry_offset = (void *)e - base; 1734 1735 EBT_MATCH_ITERATE(e, compat_calc_match, &off); 1736 EBT_WATCHER_ITERATE(e, compat_calc_watcher, &off); 1737 1738 t = (const struct ebt_entry_target *) ((char *) e + e->target_offset); 1739 1740 off += xt_compat_target_offset(t->u.target); 1741 off += ebt_compat_entry_padsize(); 1742 1743 newinfo->entries_size -= off; 1744 1745 ret = xt_compat_add_offset(NFPROTO_BRIDGE, entry_offset, off); 1746 if (ret) 1747 return ret; 1748 1749 for (i = 0; i < NF_BR_NUMHOOKS; i++) { 1750 const void *hookptr = info->hook_entry[i]; 1751 if (info->hook_entry[i] && 1752 (e < (struct ebt_entry *)(base - hookptr))) { 1753 newinfo->hook_entry[i] -= off; 1754 pr_debug("0x%08X -> 0x%08X\n", 1755 newinfo->hook_entry[i] + off, 1756 newinfo->hook_entry[i]); 1757 } 1758 } 1759 1760 return 0; 1761} 1762 1763 1764static int compat_table_info(const struct ebt_table_info *info, 1765 struct compat_ebt_replace *newinfo) 1766{ 1767 unsigned int size = info->entries_size; 1768 const void *entries = info->entries; 1769 1770 newinfo->entries_size = size; 1771 1772 return EBT_ENTRY_ITERATE(entries, size, compat_calc_entry, info, 1773 entries, newinfo); 1774} 1775 1776static int compat_copy_everything_to_user(struct ebt_table *t, 1777 void __user *user, int *len, int cmd) 1778{ 1779 struct compat_ebt_replace repl, tmp; 1780 struct ebt_counter *oldcounters; 1781 struct ebt_table_info tinfo; 1782 int ret; 1783 void __user *pos; 1784 1785 memset(&tinfo, 0, sizeof(tinfo)); 1786 1787 if (cmd == EBT_SO_GET_ENTRIES) { 1788 tinfo.entries_size = t->private->entries_size; 1789 tinfo.nentries = t->private->nentries; 1790 tinfo.entries = t->private->entries; 1791 oldcounters = t->private->counters; 1792 } else { 1793 tinfo.entries_size = t->table->entries_size; 1794 tinfo.nentries = t->table->nentries; 1795 tinfo.entries = t->table->entries; 1796 oldcounters = t->table->counters; 1797 } 1798 1799 if (copy_from_user(&tmp, user, sizeof(tmp))) 1800 return -EFAULT; 1801 1802 if (tmp.nentries != tinfo.nentries || 1803 (tmp.num_counters && tmp.num_counters != tinfo.nentries)) 1804 return -EINVAL; 1805 1806 memcpy(&repl, &tmp, sizeof(repl)); 1807 if (cmd == EBT_SO_GET_ENTRIES) 1808 ret = compat_table_info(t->private, &repl); 1809 else 1810 ret = compat_table_info(&tinfo, &repl); 1811 if (ret) 1812 return ret; 1813 1814 if (*len != sizeof(tmp) + repl.entries_size + 1815 (tmp.num_counters? tinfo.nentries * sizeof(struct ebt_counter): 0)) { 1816 pr_err("wrong size: *len %d, entries_size %u, replsz %d\n", 1817 *len, tinfo.entries_size, repl.entries_size); 1818 return -EINVAL; 1819 } 1820 1821 /* userspace might not need the counters */ 1822 ret = copy_counters_to_user(t, oldcounters, compat_ptr(tmp.counters), 1823 tmp.num_counters, tinfo.nentries); 1824 if (ret) 1825 return ret; 1826 1827 pos = compat_ptr(tmp.entries); 1828 return EBT_ENTRY_ITERATE(tinfo.entries, tinfo.entries_size, 1829 compat_copy_entry_to_user, &pos, &tmp.entries_size); 1830} 1831 1832struct ebt_entries_buf_state { 1833 char *buf_kern_start; /* kernel buffer to copy (translated) data to */ 1834 u32 buf_kern_len; /* total size of kernel buffer */ 1835 u32 buf_kern_offset; /* amount of data copied so far */ 1836 u32 buf_user_offset; /* read position in userspace buffer */ 1837}; 1838 1839static int ebt_buf_count(struct ebt_entries_buf_state *state, unsigned int sz) 1840{ 1841 state->buf_kern_offset += sz; 1842 return state->buf_kern_offset >= sz ? 0 : -EINVAL; 1843} 1844 1845static int ebt_buf_add(struct ebt_entries_buf_state *state, 1846 void *data, unsigned int sz) 1847{ 1848 if (state->buf_kern_start == NULL) 1849 goto count_only; 1850 1851 BUG_ON(state->buf_kern_offset + sz > state->buf_kern_len); 1852 1853 memcpy(state->buf_kern_start + state->buf_kern_offset, data, sz); 1854 1855 count_only: 1856 state->buf_user_offset += sz; 1857 return ebt_buf_count(state, sz); 1858} 1859 1860static int ebt_buf_add_pad(struct ebt_entries_buf_state *state, unsigned int sz) 1861{ 1862 char *b = state->buf_kern_start; 1863 1864 BUG_ON(b && state->buf_kern_offset > state->buf_kern_len); 1865 1866 if (b != NULL && sz > 0) 1867 memset(b + state->buf_kern_offset, 0, sz); 1868 /* do not adjust ->buf_user_offset here, we added kernel-side padding */ 1869 return ebt_buf_count(state, sz); 1870} 1871 1872enum compat_mwt { 1873 EBT_COMPAT_MATCH, 1874 EBT_COMPAT_WATCHER, 1875 EBT_COMPAT_TARGET, 1876}; 1877 1878static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt, 1879 enum compat_mwt compat_mwt, 1880 struct ebt_entries_buf_state *state, 1881 const unsigned char *base) 1882{ 1883 char name[EBT_FUNCTION_MAXNAMELEN]; 1884 struct xt_match *match; 1885 struct xt_target *wt; 1886 void *dst = NULL; 1887 int off, pad = 0, ret = 0; 1888 unsigned int size_kern, entry_offset, match_size = mwt->match_size; 1889 1890 strlcpy(name, mwt->u.name, sizeof(name)); 1891 1892 if (state->buf_kern_start) 1893 dst = state->buf_kern_start + state->buf_kern_offset; 1894 1895 entry_offset = (unsigned char *) mwt - base; 1896 switch (compat_mwt) { 1897 case EBT_COMPAT_MATCH: 1898 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE, 1899 name, 0), "ebt_%s", name); 1900 if (match == NULL) 1901 return -ENOENT; 1902 if (IS_ERR(match)) 1903 return PTR_ERR(match); 1904 1905 off = ebt_compat_match_offset(match, match_size); 1906 if (dst) { 1907 if (match->compat_from_user) 1908 match->compat_from_user(dst, mwt->data); 1909 else 1910 memcpy(dst, mwt->data, match_size); 1911 } 1912 1913 size_kern = match->matchsize; 1914 if (unlikely(size_kern == -1)) 1915 size_kern = match_size; 1916 module_put(match->me); 1917 break; 1918 case EBT_COMPAT_WATCHER: /* fallthrough */ 1919 case EBT_COMPAT_TARGET: 1920 wt = try_then_request_module(xt_find_target(NFPROTO_BRIDGE, 1921 name, 0), "ebt_%s", name); 1922 if (wt == NULL) 1923 return -ENOENT; 1924 if (IS_ERR(wt)) 1925 return PTR_ERR(wt); 1926 off = xt_compat_target_offset(wt); 1927 1928 if (dst) { 1929 if (wt->compat_from_user) 1930 wt->compat_from_user(dst, mwt->data); 1931 else 1932 memcpy(dst, mwt->data, match_size); 1933 } 1934 1935 size_kern = wt->targetsize; 1936 module_put(wt->me); 1937 break; 1938 } 1939 1940 if (!dst) { 1941 ret = xt_compat_add_offset(NFPROTO_BRIDGE, entry_offset, 1942 off + ebt_compat_entry_padsize()); 1943 if (ret < 0) 1944 return ret; 1945 } 1946 1947 state->buf_kern_offset += match_size + off; 1948 state->buf_user_offset += match_size; 1949 pad = XT_ALIGN(size_kern) - size_kern; 1950 1951 if (pad > 0 && dst) { 1952 BUG_ON(state->buf_kern_len <= pad); 1953 BUG_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad); 1954 memset(dst + size_kern, 0, pad); 1955 } 1956 return off + match_size; 1957} 1958 1959/* 1960 * return size of all matches, watchers or target, including necessary 1961 * alignment and padding. 1962 */ 1963static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32, 1964 unsigned int size_left, enum compat_mwt type, 1965 struct ebt_entries_buf_state *state, const void *base) 1966{ 1967 int growth = 0; 1968 char *buf; 1969 1970 if (size_left == 0) 1971 return 0; 1972 1973 buf = (char *) match32; 1974 1975 while (size_left >= sizeof(*match32)) { 1976 struct ebt_entry_match *match_kern; 1977 int ret; 1978 1979 match_kern = (struct ebt_entry_match *) state->buf_kern_start; 1980 if (match_kern) { 1981 char *tmp; 1982 tmp = state->buf_kern_start + state->buf_kern_offset; 1983 match_kern = (struct ebt_entry_match *) tmp; 1984 } 1985 ret = ebt_buf_add(state, buf, sizeof(*match32)); 1986 if (ret < 0) 1987 return ret; 1988 size_left -= sizeof(*match32); 1989 1990 /* add padding before match->data (if any) */ 1991 ret = ebt_buf_add_pad(state, ebt_compat_entry_padsize()); 1992 if (ret < 0) 1993 return ret; 1994 1995 if (match32->match_size > size_left) 1996 return -EINVAL; 1997 1998 size_left -= match32->match_size; 1999 2000 ret = compat_mtw_from_user(match32, type, state, base); 2001 if (ret < 0) 2002 return ret; 2003 2004 BUG_ON(ret < match32->match_size); 2005 growth += ret - match32->match_size; 2006 growth += ebt_compat_entry_padsize(); 2007 2008 buf += sizeof(*match32); 2009 buf += match32->match_size; 2010 2011 if (match_kern) 2012 match_kern->match_size = ret; 2013 2014 WARN_ON(type == EBT_COMPAT_TARGET && size_left); 2015 match32 = (struct compat_ebt_entry_mwt *) buf; 2016 } 2017 2018 return growth; 2019} 2020 2021#define EBT_COMPAT_WATCHER_ITERATE(e, fn, args...) \ 2022({ \ 2023 unsigned int __i; \ 2024 int __ret = 0; \ 2025 struct compat_ebt_entry_mwt *__watcher; \ 2026 \ 2027 for (__i = e->watchers_offset; \ 2028 __i < (e)->target_offset; \ 2029 __i += __watcher->watcher_size + \ 2030 sizeof(struct compat_ebt_entry_mwt)) { \ 2031 __watcher = (void *)(e) + __i; \ 2032 __ret = fn(__watcher , ## args); \ 2033 if (__ret != 0) \ 2034 break; \ 2035 } \ 2036 if (__ret == 0) { \ 2037 if (__i != (e)->target_offset) \ 2038 __ret = -EINVAL; \ 2039 } \ 2040 __ret; \ 2041}) 2042 2043#define EBT_COMPAT_MATCH_ITERATE(e, fn, args...) \ 2044({ \ 2045 unsigned int __i; \ 2046 int __ret = 0; \ 2047 struct compat_ebt_entry_mwt *__match; \ 2048 \ 2049 for (__i = sizeof(struct ebt_entry); \ 2050 __i < (e)->watchers_offset; \ 2051 __i += __match->match_size + \ 2052 sizeof(struct compat_ebt_entry_mwt)) { \ 2053 __match = (void *)(e) + __i; \ 2054 __ret = fn(__match , ## args); \ 2055 if (__ret != 0) \ 2056 break; \ 2057 } \ 2058 if (__ret == 0) { \ 2059 if (__i != (e)->watchers_offset) \ 2060 __ret = -EINVAL; \ 2061 } \ 2062 __ret; \ 2063}) 2064 2065/* called for all ebt_entry structures. */ 2066static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base, 2067 unsigned int *total, 2068 struct ebt_entries_buf_state *state) 2069{ 2070 unsigned int i, j, startoff, new_offset = 0; 2071 /* stores match/watchers/targets & offset of next struct ebt_entry: */ 2072 unsigned int offsets[4]; 2073 unsigned int *offsets_update = NULL; 2074 int ret; 2075 char *buf_start; 2076 2077 if (*total < sizeof(struct ebt_entries)) 2078 return -EINVAL; 2079 2080 if (!entry->bitmask) { 2081 *total -= sizeof(struct ebt_entries); 2082 return ebt_buf_add(state, entry, sizeof(struct ebt_entries)); 2083 } 2084 if (*total < sizeof(*entry) || entry->next_offset < sizeof(*entry)) 2085 return -EINVAL; 2086 2087 startoff = state->buf_user_offset; 2088 /* pull in most part of ebt_entry, it does not need to be changed. */ 2089 ret = ebt_buf_add(state, entry, 2090 offsetof(struct ebt_entry, watchers_offset)); 2091 if (ret < 0) 2092 return ret; 2093 2094 offsets[0] = sizeof(struct ebt_entry); /* matches come first */ 2095 memcpy(&offsets[1], &entry->watchers_offset, 2096 sizeof(offsets) - sizeof(offsets[0])); 2097 2098 if (state->buf_kern_start) { 2099 buf_start = state->buf_kern_start + state->buf_kern_offset; 2100 offsets_update = (unsigned int *) buf_start; 2101 } 2102 ret = ebt_buf_add(state, &offsets[1], 2103 sizeof(offsets) - sizeof(offsets[0])); 2104 if (ret < 0) 2105 return ret; 2106 buf_start = (char *) entry; 2107 /* 2108 * 0: matches offset, always follows ebt_entry. 2109 * 1: watchers offset, from ebt_entry structure 2110 * 2: target offset, from ebt_entry structure 2111 * 3: next ebt_entry offset, from ebt_entry structure 2112 * 2113 * offsets are relative to beginning of struct ebt_entry (i.e., 0). 2114 */ 2115 for (i = 0, j = 1 ; j < 4 ; j++, i++) { 2116 struct compat_ebt_entry_mwt *match32; 2117 unsigned int size; 2118 char *buf = buf_start; 2119 2120 buf = buf_start + offsets[i]; 2121 if (offsets[i] > offsets[j]) 2122 return -EINVAL; 2123 2124 match32 = (struct compat_ebt_entry_mwt *) buf; 2125 size = offsets[j] - offsets[i]; 2126 ret = ebt_size_mwt(match32, size, i, state, base); 2127 if (ret < 0) 2128 return ret; 2129 new_offset += ret; 2130 if (offsets_update && new_offset) { 2131 pr_debug("ebtables: change offset %d to %d\n", 2132 offsets_update[i], offsets[j] + new_offset); 2133 offsets_update[i] = offsets[j] + new_offset; 2134 } 2135 } 2136 2137 startoff = state->buf_user_offset - startoff; 2138 2139 BUG_ON(*total < startoff); 2140 *total -= startoff; 2141 return 0; 2142} 2143 2144/* 2145 * repl->entries_size is the size of the ebt_entry blob in userspace. 2146 * It might need more memory when copied to a 64 bit kernel in case 2147 * userspace is 32-bit. So, first task: find out how much memory is needed. 2148 * 2149 * Called before validation is performed. 2150 */ 2151static int compat_copy_entries(unsigned char *data, unsigned int size_user, 2152 struct ebt_entries_buf_state *state) 2153{ 2154 unsigned int size_remaining = size_user; 2155 int ret; 2156 2157 ret = EBT_ENTRY_ITERATE(data, size_user, size_entry_mwt, data, 2158 &size_remaining, state); 2159 if (ret < 0) 2160 return ret; 2161 2162 WARN_ON(size_remaining); 2163 return state->buf_kern_offset; 2164} 2165 2166 2167static int compat_copy_ebt_replace_from_user(struct ebt_replace *repl, 2168 void __user *user, unsigned int len) 2169{ 2170 struct compat_ebt_replace tmp; 2171 int i; 2172 2173 if (len < sizeof(tmp)) 2174 return -EINVAL; 2175 2176 if (copy_from_user(&tmp, user, sizeof(tmp))) 2177 return -EFAULT; 2178 2179 if (len != sizeof(tmp) + tmp.entries_size) 2180 return -EINVAL; 2181 2182 if (tmp.entries_size == 0) 2183 return -EINVAL; 2184 2185 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / 2186 NR_CPUS - SMP_CACHE_BYTES) / sizeof(struct ebt_counter)) 2187 return -ENOMEM; 2188 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter)) 2189 return -ENOMEM; 2190 2191 memcpy(repl, &tmp, offsetof(struct ebt_replace, hook_entry)); 2192 2193 /* starting with hook_entry, 32 vs. 64 bit structures are different */ 2194 for (i = 0; i < NF_BR_NUMHOOKS; i++) 2195 repl->hook_entry[i] = compat_ptr(tmp.hook_entry[i]); 2196 2197 repl->num_counters = tmp.num_counters; 2198 repl->counters = compat_ptr(tmp.counters); 2199 repl->entries = compat_ptr(tmp.entries); 2200 return 0; 2201} 2202 2203static int compat_do_replace(struct net *net, void __user *user, 2204 unsigned int len) 2205{ 2206 int ret, i, countersize, size64; 2207 struct ebt_table_info *newinfo; 2208 struct ebt_replace tmp; 2209 struct ebt_entries_buf_state state; 2210 void *entries_tmp; 2211 2212 ret = compat_copy_ebt_replace_from_user(&tmp, user, len); 2213 if (ret) { 2214 /* try real handler in case userland supplied needed padding */ 2215 if (ret == -EINVAL && do_replace(net, user, len) == 0) 2216 ret = 0; 2217 return ret; 2218 } 2219 2220 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids; 2221 newinfo = vmalloc(sizeof(*newinfo) + countersize); 2222 if (!newinfo) 2223 return -ENOMEM; 2224 2225 if (countersize) 2226 memset(newinfo->counters, 0, countersize); 2227 2228 memset(&state, 0, sizeof(state)); 2229 2230 newinfo->entries = vmalloc(tmp.entries_size); 2231 if (!newinfo->entries) { 2232 ret = -ENOMEM; 2233 goto free_newinfo; 2234 } 2235 if (copy_from_user( 2236 newinfo->entries, tmp.entries, tmp.entries_size) != 0) { 2237 ret = -EFAULT; 2238 goto free_entries; 2239 } 2240 2241 entries_tmp = newinfo->entries; 2242 2243 xt_compat_lock(NFPROTO_BRIDGE); 2244 2245 ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state); 2246 if (ret < 0) 2247 goto out_unlock; 2248 2249 pr_debug("tmp.entries_size %d, kern off %d, user off %d delta %d\n", 2250 tmp.entries_size, state.buf_kern_offset, state.buf_user_offset, 2251 xt_compat_calc_jump(NFPROTO_BRIDGE, tmp.entries_size)); 2252 2253 size64 = ret; 2254 newinfo->entries = vmalloc(size64); 2255 if (!newinfo->entries) { 2256 vfree(entries_tmp); 2257 ret = -ENOMEM; 2258 goto out_unlock; 2259 } 2260 2261 memset(&state, 0, sizeof(state)); 2262 state.buf_kern_start = newinfo->entries; 2263 state.buf_kern_len = size64; 2264 2265 ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state); 2266 BUG_ON(ret < 0); /* parses same data again */ 2267 2268 vfree(entries_tmp); 2269 tmp.entries_size = size64; 2270 2271 for (i = 0; i < NF_BR_NUMHOOKS; i++) { 2272 char __user *usrptr; 2273 if (tmp.hook_entry[i]) { 2274 unsigned int delta; 2275 usrptr = (char __user *) tmp.hook_entry[i]; 2276 delta = usrptr - tmp.entries; 2277 usrptr += xt_compat_calc_jump(NFPROTO_BRIDGE, delta); 2278 tmp.hook_entry[i] = (struct ebt_entries __user *)usrptr; 2279 } 2280 } 2281 2282 xt_compat_flush_offsets(NFPROTO_BRIDGE); 2283 xt_compat_unlock(NFPROTO_BRIDGE); 2284 2285 ret = do_replace_finish(net, &tmp, newinfo); 2286 if (ret == 0) 2287 return ret; 2288free_entries: 2289 vfree(newinfo->entries); 2290free_newinfo: 2291 vfree(newinfo); 2292 return ret; 2293out_unlock: 2294 xt_compat_flush_offsets(NFPROTO_BRIDGE); 2295 xt_compat_unlock(NFPROTO_BRIDGE); 2296 goto free_entries; 2297} 2298 2299static int compat_update_counters(struct net *net, void __user *user, 2300 unsigned int len) 2301{ 2302 struct compat_ebt_replace hlp; 2303 2304 if (copy_from_user(&hlp, user, sizeof(hlp))) 2305 return -EFAULT; 2306 2307 /* try real handler in case userland supplied needed padding */ 2308 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter)) 2309 return update_counters(net, user, len); 2310 2311 return do_update_counters(net, hlp.name, compat_ptr(hlp.counters), 2312 hlp.num_counters, user, len); 2313} 2314 2315static int compat_do_ebt_set_ctl(struct sock *sk, 2316 int cmd, void __user *user, unsigned int len) 2317{ 2318 int ret; 2319 2320 if (!capable(CAP_NET_ADMIN)) 2321 return -EPERM; 2322 2323 switch (cmd) { 2324 case EBT_SO_SET_ENTRIES: 2325 ret = compat_do_replace(sock_net(sk), user, len); 2326 break; 2327 case EBT_SO_SET_COUNTERS: 2328 ret = compat_update_counters(sock_net(sk), user, len); 2329 break; 2330 default: 2331 ret = -EINVAL; 2332 } 2333 return ret; 2334} 2335 2336static int compat_do_ebt_get_ctl(struct sock *sk, int cmd, 2337 void __user *user, int *len) 2338{ 2339 int ret; 2340 struct compat_ebt_replace tmp; 2341 struct ebt_table *t; 2342 2343 if (!capable(CAP_NET_ADMIN)) 2344 return -EPERM; 2345 2346 /* try real handler in case userland supplied needed padding */ 2347 if ((cmd == EBT_SO_GET_INFO || 2348 cmd == EBT_SO_GET_INIT_INFO) && *len != sizeof(tmp)) 2349 return do_ebt_get_ctl(sk, cmd, user, len); 2350 2351 if (copy_from_user(&tmp, user, sizeof(tmp))) 2352 return -EFAULT; 2353 2354 t = find_table_lock(sock_net(sk), tmp.name, &ret, &ebt_mutex); 2355 if (!t) 2356 return ret; 2357 2358 xt_compat_lock(NFPROTO_BRIDGE); 2359 switch (cmd) { 2360 case EBT_SO_GET_INFO: 2361 tmp.nentries = t->private->nentries; 2362 ret = compat_table_info(t->private, &tmp); 2363 if (ret) 2364 goto out; 2365 tmp.valid_hooks = t->valid_hooks; 2366 2367 if (copy_to_user(user, &tmp, *len) != 0) { 2368 ret = -EFAULT; 2369 break; 2370 } 2371 ret = 0; 2372 break; 2373 case EBT_SO_GET_INIT_INFO: 2374 tmp.nentries = t->table->nentries; 2375 tmp.entries_size = t->table->entries_size; 2376 tmp.valid_hooks = t->table->valid_hooks; 2377 2378 if (copy_to_user(user, &tmp, *len) != 0) { 2379 ret = -EFAULT; 2380 break; 2381 } 2382 ret = 0; 2383 break; 2384 case EBT_SO_GET_ENTRIES: 2385 case EBT_SO_GET_INIT_ENTRIES: 2386 /* 2387 * try real handler first in case of userland-side padding. 2388 * in case we are dealing with an 'ordinary' 32 bit binary 2389 * without 64bit compatibility padding, this will fail right 2390 * after copy_from_user when the *len argument is validated. 2391 * 2392 * the compat_ variant needs to do one pass over the kernel 2393 * data set to adjust for size differences before it the check. 2394 */ 2395 if (copy_everything_to_user(t, user, len, cmd) == 0) 2396 ret = 0; 2397 else 2398 ret = compat_copy_everything_to_user(t, user, len, cmd); 2399 break; 2400 default: 2401 ret = -EINVAL; 2402 } 2403 out: 2404 xt_compat_flush_offsets(NFPROTO_BRIDGE); 2405 xt_compat_unlock(NFPROTO_BRIDGE); 2406 mutex_unlock(&ebt_mutex); 2407 return ret; 2408} 2409#endif 2410 2411static struct nf_sockopt_ops ebt_sockopts = 2412{ 2413 .pf = PF_INET, 2414 .set_optmin = EBT_BASE_CTL, 2415 .set_optmax = EBT_SO_SET_MAX + 1, 2416 .set = do_ebt_set_ctl, 2417#ifdef CONFIG_COMPAT 2418 .compat_set = compat_do_ebt_set_ctl, 2419#endif 2420 .get_optmin = EBT_BASE_CTL, 2421 .get_optmax = EBT_SO_GET_MAX + 1, 2422 .get = do_ebt_get_ctl, 2423#ifdef CONFIG_COMPAT 2424 .compat_get = compat_do_ebt_get_ctl, 2425#endif 2426 .owner = THIS_MODULE, 2427}; 2428 2429static int __init ebtables_init(void) 2430{ 2431 int ret; 2432 2433 ret = xt_register_target(&ebt_standard_target); 2434 if (ret < 0) 2435 return ret; 2436 ret = nf_register_sockopt(&ebt_sockopts); 2437 if (ret < 0) { 2438 xt_unregister_target(&ebt_standard_target); 2439 return ret; 2440 } 2441 2442 printk(KERN_INFO "Ebtables v2.0 registered\n"); 2443 return 0; 2444} 2445 2446static void __exit ebtables_fini(void) 2447{ 2448 nf_unregister_sockopt(&ebt_sockopts); 2449 xt_unregister_target(&ebt_standard_target); 2450 printk(KERN_INFO "Ebtables v2.0 unregistered\n"); 2451} 2452 2453EXPORT_SYMBOL(ebt_register_table); 2454EXPORT_SYMBOL(ebt_unregister_table); 2455EXPORT_SYMBOL(ebt_do_table); 2456module_init(ebtables_init); 2457module_exit(ebtables_fini); 2458MODULE_LICENSE("GPL"); 2459