]> git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/blob - net/bridge/netfilter/ebtables.c
projects / mirror_ubuntu-zesty-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'master' into for-linus
[mirror_ubuntu-zesty-kernel.git] / net / bridge / netfilter / ebtables.c
1 /*
2 * ebtables
3 *
4 * Author:
5 * Bart De Schuymer <bdschuym@pandora.be>
6 *
7 * ebtables.c,v 2.0, July, 2002
8 *
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
11 *
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
16 */
17
18
19 #include <linux/kmod.h>
20 #include <linux/module.h>
21 #include <linux/vmalloc.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter_bridge/ebtables.h>
24 #include <linux/spinlock.h>
25 #include <linux/mutex.h>
26 #include <asm/uaccess.h>
27 #include <linux/smp.h>
28 #include <linux/cpumask.h>
29 #include <net/sock.h>
30 /* needed for logical [in,out]-dev filtering */
31 #include "../br_private.h"
32
33 #define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34 "report to author: "format, ## args)
35 /* #define BUGPRINT(format, args...) */
36
37 /*
38 * Each cpu has its own set of counters, so there is no need for write_lock in
39 * the softirq
40 * For reading or updating the counters, the user context needs to
41 * get a write_lock
42 */
43
44 /* The size of each set of counters is altered to get cache alignment */
45 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
46 #define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
47 #define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
48 COUNTER_OFFSET(n) * cpu))
49
50
51
52 static DEFINE_MUTEX(ebt_mutex);
53
54 #ifdef CONFIG_COMPAT
55 static void ebt_standard_compat_from_user(void *dst, const void *src)
56 {
57 int v = *(compat_int_t *)src;
58
59 if (v >= 0)
60 v += xt_compat_calc_jump(NFPROTO_BRIDGE, v);
61 memcpy(dst, &v, sizeof(v));
62 }
63
64 static int ebt_standard_compat_to_user(void __user *dst, const void *src)
65 {
66 compat_int_t cv = *(int *)src;
67
68 if (cv >= 0)
69 cv -= xt_compat_calc_jump(NFPROTO_BRIDGE, cv);
70 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
71 }
72 #endif
73
74
75 static struct xt_target ebt_standard_target = {
76 .name = "standard",
77 .revision = 0,
78 .family = NFPROTO_BRIDGE,
79 .targetsize = sizeof(int),
80 #ifdef CONFIG_COMPAT
81 .compatsize = sizeof(compat_int_t),
82 .compat_from_user = ebt_standard_compat_from_user,
83 .compat_to_user = ebt_standard_compat_to_user,
84 #endif
85 };
86
87 static inline int
88 ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
89 struct xt_target_param *par)
90 {
91 par->target = w->u.watcher;
92 par->targinfo = w->data;
93 w->u.watcher->target(skb, par);
94 /* watchers don't give a verdict */
95 return 0;
96 }
97
98 static inline int ebt_do_match (struct ebt_entry_match *m,
99 const struct sk_buff *skb, struct xt_match_param *par)
100 {
101 par->match = m->u.match;
102 par->matchinfo = m->data;
103 return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH;
104 }
105
106 static inline int
107 ebt_dev_check(const char *entry, const struct net_device *device)
108 {
109 int i = 0;
110 const char *devname;
111
112 if (*entry == '\0')
113 return 0;
114 if (!device)
115 return 1;
116 devname = device->name;
117 /* 1 is the wildcard token */
118 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
119 i++;
120 return (devname[i] != entry[i] && entry[i] != 1);
121 }
122
123 #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
124 /* process standard matches */
125 static inline int
126 ebt_basic_match(const struct ebt_entry *e, const struct ethhdr *h,
127 const struct net_device *in, const struct net_device *out)
128 {
129 int verdict, i;
130
131 if (e->bitmask & EBT_802_3) {
132 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
133 return 1;
134 } else if (!(e->bitmask & EBT_NOPROTO) &&
135 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
136 return 1;
137
138 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
139 return 1;
140 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
141 return 1;
142 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
143 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
144 return 1;
145 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
146 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
147 return 1;
148
149 if (e->bitmask & EBT_SOURCEMAC) {
150 verdict = 0;
151 for (i = 0; i < 6; i++)
152 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
153 e->sourcemsk[i];
154 if (FWINV2(verdict != 0, EBT_ISOURCE) )
155 return 1;
156 }
157 if (e->bitmask & EBT_DESTMAC) {
158 verdict = 0;
159 for (i = 0; i < 6; i++)
160 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
161 e->destmsk[i];
162 if (FWINV2(verdict != 0, EBT_IDEST) )
163 return 1;
164 }
165 return 0;
166 }
167
168 static inline __pure
169 struct ebt_entry *ebt_next_entry(const struct ebt_entry *entry)
170 {
171 return (void *)entry + entry->next_offset;
172 }
173
174 /* Do some firewalling */
175 unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
176 const struct net_device *in, const struct net_device *out,
177 struct ebt_table *table)
178 {
179 int i, nentries;
180 struct ebt_entry *point;
181 struct ebt_counter *counter_base, *cb_base;
182 const struct ebt_entry_target *t;
183 int verdict, sp = 0;
184 struct ebt_chainstack *cs;
185 struct ebt_entries *chaininfo;
186 const char *base;
187 const struct ebt_table_info *private;
188 bool hotdrop = false;
189 struct xt_match_param mtpar;
190 struct xt_target_param tgpar;
191
192 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
193 mtpar.in = tgpar.in = in;
194 mtpar.out = tgpar.out = out;
195 mtpar.hotdrop = &hotdrop;
196 mtpar.hooknum = tgpar.hooknum = hook;
197
198 read_lock_bh(&table->lock);
199 private = table->private;
200 cb_base = COUNTER_BASE(private->counters, private->nentries,
201 smp_processor_id());
202 if (private->chainstack)
203 cs = private->chainstack[smp_processor_id()];
204 else
205 cs = NULL;
206 chaininfo = private->hook_entry[hook];
207 nentries = private->hook_entry[hook]->nentries;
208 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
209 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
210 /* base for chain jumps */
211 base = private->entries;
212 i = 0;
213 while (i < nentries) {
214 if (ebt_basic_match(point, eth_hdr(skb), in, out))
215 goto letscontinue;
216
217 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &mtpar) != 0)
218 goto letscontinue;
219 if (hotdrop) {
220 read_unlock_bh(&table->lock);
221 return NF_DROP;
222 }
223
224 /* increase counter */
225 (*(counter_base + i)).pcnt++;
226 (*(counter_base + i)).bcnt += skb->len;
227
228 /* these should only watch: not modify, nor tell us
229 what to do with the packet */
230 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &tgpar);
231
232 t = (struct ebt_entry_target *)
233 (((char *)point) + point->target_offset);
234 /* standard target */
235 if (!t->u.target->target)
236 verdict = ((struct ebt_standard_target *)t)->verdict;
237 else {
238 tgpar.target = t->u.target;
239 tgpar.targinfo = t->data;
240 verdict = t->u.target->target(skb, &tgpar);
241 }
242 if (verdict == EBT_ACCEPT) {
243 read_unlock_bh(&table->lock);
244 return NF_ACCEPT;
245 }
246 if (verdict == EBT_DROP) {
247 read_unlock_bh(&table->lock);
248 return NF_DROP;
249 }
250 if (verdict == EBT_RETURN) {
251 letsreturn:
252 #ifdef CONFIG_NETFILTER_DEBUG
253 if (sp == 0) {
254 BUGPRINT("RETURN on base chain");
255 /* act like this is EBT_CONTINUE */
256 goto letscontinue;
257 }
258 #endif
259 sp--;
260 /* put all the local variables right */
261 i = cs[sp].n;
262 chaininfo = cs[sp].chaininfo;
263 nentries = chaininfo->nentries;
264 point = cs[sp].e;
265 counter_base = cb_base +
266 chaininfo->counter_offset;
267 continue;
268 }
269 if (verdict == EBT_CONTINUE)
270 goto letscontinue;
271 #ifdef CONFIG_NETFILTER_DEBUG
272 if (verdict < 0) {
273 BUGPRINT("bogus standard verdict\n");
274 read_unlock_bh(&table->lock);
275 return NF_DROP;
276 }
277 #endif
278 /* jump to a udc */
279 cs[sp].n = i + 1;
280 cs[sp].chaininfo = chaininfo;
281 cs[sp].e = ebt_next_entry(point);
282 i = 0;
283 chaininfo = (struct ebt_entries *) (base + verdict);
284 #ifdef CONFIG_NETFILTER_DEBUG
285 if (chaininfo->distinguisher) {
286 BUGPRINT("jump to non-chain\n");
287 read_unlock_bh(&table->lock);
288 return NF_DROP;
289 }
290 #endif
291 nentries = chaininfo->nentries;
292 point = (struct ebt_entry *)chaininfo->data;
293 counter_base = cb_base + chaininfo->counter_offset;
294 sp++;
295 continue;
296 letscontinue:
297 point = ebt_next_entry(point);
298 i++;
299 }
300
301 /* I actually like this :) */
302 if (chaininfo->policy == EBT_RETURN)
303 goto letsreturn;
304 if (chaininfo->policy == EBT_ACCEPT) {
305 read_unlock_bh(&table->lock);
306 return NF_ACCEPT;
307 }
308 read_unlock_bh(&table->lock);
309 return NF_DROP;
310 }
311
312 /* If it succeeds, returns element and locks mutex */
313 static inline void *
314 find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
315 struct mutex *mutex)
316 {
317 struct {
318 struct list_head list;
319 char name[EBT_FUNCTION_MAXNAMELEN];
320 } *e;
321
322 *error = mutex_lock_interruptible(mutex);
323 if (*error != 0)
324 return NULL;
325
326 list_for_each_entry(e, head, list) {
327 if (strcmp(e->name, name) == 0)
328 return e;
329 }
330 *error = -ENOENT;
331 mutex_unlock(mutex);
332 return NULL;
333 }
334
335 static void *
336 find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
337 int *error, struct mutex *mutex)
338 {
339 return try_then_request_module(
340 find_inlist_lock_noload(head, name, error, mutex),
341 "%s%s", prefix, name);
342 }
343
344 static inline struct ebt_table *
345 find_table_lock(struct net *net, const char *name, int *error,
346 struct mutex *mutex)
347 {
348 return find_inlist_lock(&net->xt.tables[NFPROTO_BRIDGE], name,
349 "ebtable_", error, mutex);
350 }
351
352 static inline int
353 ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
354 unsigned int *cnt)
355 {
356 const struct ebt_entry *e = par->entryinfo;
357 struct xt_match *match;
358 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
359 int ret;
360
361 if (left < sizeof(struct ebt_entry_match) ||
362 left - sizeof(struct ebt_entry_match) < m->match_size)
363 return -EINVAL;
364
365 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
366 m->u.name, 0), "ebt_%s", m->u.name);
367 if (IS_ERR(match))
368 return PTR_ERR(match);
369 if (match == NULL)
370 return -ENOENT;
371 m->u.match = match;
372
373 par->match = match;
374 par->matchinfo = m->data;
375 ret = xt_check_match(par, m->match_size,
376 e->ethproto, e->invflags & EBT_IPROTO);
377 if (ret < 0) {
378 module_put(match->me);
379 return ret;
380 }
381
382 (*cnt)++;
383 return 0;
384 }
385
386 static inline int
387 ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
388 unsigned int *cnt)
389 {
390 const struct ebt_entry *e = par->entryinfo;
391 struct xt_target *watcher;
392 size_t left = ((char *)e + e->target_offset) - (char *)w;
393 int ret;
394
395 if (left < sizeof(struct ebt_entry_watcher) ||
396 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
397 return -EINVAL;
398
399 watcher = try_then_request_module(
400 xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
401 "ebt_%s", w->u.name);
402 if (IS_ERR(watcher))
403 return PTR_ERR(watcher);
404 if (watcher == NULL)
405 return -ENOENT;
406 w->u.watcher = watcher;
407
408 par->target = watcher;
409 par->targinfo = w->data;
410 ret = xt_check_target(par, w->watcher_size,
411 e->ethproto, e->invflags & EBT_IPROTO);
412 if (ret < 0) {
413 module_put(watcher->me);
414 return ret;
415 }
416
417 (*cnt)++;
418 return 0;
419 }
420
421 static int ebt_verify_pointers(const struct ebt_replace *repl,
422 struct ebt_table_info *newinfo)
423 {
424 unsigned int limit = repl->entries_size;
425 unsigned int valid_hooks = repl->valid_hooks;
426 unsigned int offset = 0;
427 int i;
428
429 for (i = 0; i < NF_BR_NUMHOOKS; i++)
430 newinfo->hook_entry[i] = NULL;
431
432 newinfo->entries_size = repl->entries_size;
433 newinfo->nentries = repl->nentries;
434
435 while (offset < limit) {
436 size_t left = limit - offset;
437 struct ebt_entry *e = (void *)newinfo->entries + offset;
438
439 if (left < sizeof(unsigned int))
440 break;
441
442 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
443 if ((valid_hooks & (1 << i)) == 0)
444 continue;
445 if ((char __user *)repl->hook_entry[i] ==
446 repl->entries + offset)
447 break;
448 }
449
450 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
451 if (e->bitmask != 0) {
452 /* we make userspace set this right,
453 so there is no misunderstanding */
454 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
455 "in distinguisher\n");
456 return -EINVAL;
457 }
458 if (i != NF_BR_NUMHOOKS)
459 newinfo->hook_entry[i] = (struct ebt_entries *)e;
460 if (left < sizeof(struct ebt_entries))
461 break;
462 offset += sizeof(struct ebt_entries);
463 } else {
464 if (left < sizeof(struct ebt_entry))
465 break;
466 if (left < e->next_offset)
467 break;
468 if (e->next_offset < sizeof(struct ebt_entry))
469 return -EINVAL;
470 offset += e->next_offset;
471 }
472 }
473 if (offset != limit) {
474 BUGPRINT("entries_size too small\n");
475 return -EINVAL;
476 }
477
478 /* check if all valid hooks have a chain */
479 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
480 if (!newinfo->hook_entry[i] &&
481 (valid_hooks & (1 << i))) {
482 BUGPRINT("Valid hook without chain\n");
483 return -EINVAL;
484 }
485 }
486 return 0;
487 }
488
489 /*
490 * this one is very careful, as it is the first function
491 * to parse the userspace data
492 */
493 static inline int
494 ebt_check_entry_size_and_hooks(const struct ebt_entry *e,
495 const struct ebt_table_info *newinfo,
496 unsigned int *n, unsigned int *cnt,
497 unsigned int *totalcnt, unsigned int *udc_cnt)
498 {
499 int i;
500
501 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
502 if ((void *)e == (void *)newinfo->hook_entry[i])
503 break;
504 }
505 /* beginning of a new chain
506 if i == NF_BR_NUMHOOKS it must be a user defined chain */
507 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
508 /* this checks if the previous chain has as many entries
509 as it said it has */
510 if (*n != *cnt) {
511 BUGPRINT("nentries does not equal the nr of entries "
512 "in the chain\n");
513 return -EINVAL;
514 }
515 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
516 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
517 /* only RETURN from udc */
518 if (i != NF_BR_NUMHOOKS ||
519 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
520 BUGPRINT("bad policy\n");
521 return -EINVAL;
522 }
523 }
524 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
525 (*udc_cnt)++;
526 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
527 BUGPRINT("counter_offset != totalcnt");
528 return -EINVAL;
529 }
530 *n = ((struct ebt_entries *)e)->nentries;
531 *cnt = 0;
532 return 0;
533 }
534 /* a plain old entry, heh */
535 if (sizeof(struct ebt_entry) > e->watchers_offset ||
536 e->watchers_offset > e->target_offset ||
537 e->target_offset >= e->next_offset) {
538 BUGPRINT("entry offsets not in right order\n");
539 return -EINVAL;
540 }
541 /* this is not checked anywhere else */
542 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
543 BUGPRINT("target size too small\n");
544 return -EINVAL;
545 }
546 (*cnt)++;
547 (*totalcnt)++;
548 return 0;
549 }
550
551 struct ebt_cl_stack
552 {
553 struct ebt_chainstack cs;
554 int from;
555 unsigned int hookmask;
556 };
557
558 /*
559 * we need these positions to check that the jumps to a different part of the
560 * entries is a jump to the beginning of a new chain.
561 */
562 static inline int
563 ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
564 unsigned int *n, struct ebt_cl_stack *udc)
565 {
566 int i;
567
568 /* we're only interested in chain starts */
569 if (e->bitmask)
570 return 0;
571 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
572 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
573 break;
574 }
575 /* only care about udc */
576 if (i != NF_BR_NUMHOOKS)
577 return 0;
578
579 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
580 /* these initialisations are depended on later in check_chainloops() */
581 udc[*n].cs.n = 0;
582 udc[*n].hookmask = 0;
583
584 (*n)++;
585 return 0;
586 }
587
588 static inline int
589 ebt_cleanup_match(struct ebt_entry_match *m, struct net *net, unsigned int *i)
590 {
591 struct xt_mtdtor_param par;
592
593 if (i && (*i)-- == 0)
594 return 1;
595
596 par.net = net;
597 par.match = m->u.match;
598 par.matchinfo = m->data;
599 par.family = NFPROTO_BRIDGE;
600 if (par.match->destroy != NULL)
601 par.match->destroy(&par);
602 module_put(par.match->me);
603 return 0;
604 }
605
606 static inline int
607 ebt_cleanup_watcher(struct ebt_entry_watcher *w, struct net *net, unsigned int *i)
608 {
609 struct xt_tgdtor_param par;
610
611 if (i && (*i)-- == 0)
612 return 1;
613
614 par.net = net;
615 par.target = w->u.watcher;
616 par.targinfo = w->data;
617 par.family = NFPROTO_BRIDGE;
618 if (par.target->destroy != NULL)
619 par.target->destroy(&par);
620 module_put(par.target->me);
621 return 0;
622 }
623
624 static inline int
625 ebt_cleanup_entry(struct ebt_entry *e, struct net *net, unsigned int *cnt)
626 {
627 struct xt_tgdtor_param par;
628 struct ebt_entry_target *t;
629
630 if (e->bitmask == 0)
631 return 0;
632 /* we're done */
633 if (cnt && (*cnt)-- == 0)
634 return 1;
635 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, NULL);
636 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, NULL);
637 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
638
639 par.net = net;
640 par.target = t->u.target;
641 par.targinfo = t->data;
642 par.family = NFPROTO_BRIDGE;
643 if (par.target->destroy != NULL)
644 par.target->destroy(&par);
645 module_put(par.target->me);
646 return 0;
647 }
648
649 static inline int
650 ebt_check_entry(struct ebt_entry *e, struct net *net,
651 const struct ebt_table_info *newinfo,
652 const char *name, unsigned int *cnt,
653 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
654 {
655 struct ebt_entry_target *t;
656 struct xt_target *target;
657 unsigned int i, j, hook = 0, hookmask = 0;
658 size_t gap;
659 int ret;
660 struct xt_mtchk_param mtpar;
661 struct xt_tgchk_param tgpar;
662
663 /* don't mess with the struct ebt_entries */
664 if (e->bitmask == 0)
665 return 0;
666
667 if (e->bitmask & ~EBT_F_MASK) {
668 BUGPRINT("Unknown flag for bitmask\n");
669 return -EINVAL;
670 }
671 if (e->invflags & ~EBT_INV_MASK) {
672 BUGPRINT("Unknown flag for inv bitmask\n");
673 return -EINVAL;
674 }
675 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
676 BUGPRINT("NOPROTO & 802_3 not allowed\n");
677 return -EINVAL;
678 }
679 /* what hook do we belong to? */
680 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
681 if (!newinfo->hook_entry[i])
682 continue;
683 if ((char *)newinfo->hook_entry[i] < (char *)e)
684 hook = i;
685 else
686 break;
687 }
688 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
689 a base chain */
690 if (i < NF_BR_NUMHOOKS)
691 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
692 else {
693 for (i = 0; i < udc_cnt; i++)
694 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
695 break;
696 if (i == 0)
697 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
698 else
699 hookmask = cl_s[i - 1].hookmask;
700 }
701 i = 0;
702
703 mtpar.net = tgpar.net = net;
704 mtpar.table = tgpar.table = name;
705 mtpar.entryinfo = tgpar.entryinfo = e;
706 mtpar.hook_mask = tgpar.hook_mask = hookmask;
707 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
708 ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i);
709 if (ret != 0)
710 goto cleanup_matches;
711 j = 0;
712 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j);
713 if (ret != 0)
714 goto cleanup_watchers;
715 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
716 gap = e->next_offset - e->target_offset;
717
718 target = try_then_request_module(
719 xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
720 "ebt_%s", t->u.name);
721 if (IS_ERR(target)) {
722 ret = PTR_ERR(target);
723 goto cleanup_watchers;
724 } else if (target == NULL) {
725 ret = -ENOENT;
726 goto cleanup_watchers;
727 }
728
729 t->u.target = target;
730 if (t->u.target == &ebt_standard_target) {
731 if (gap < sizeof(struct ebt_standard_target)) {
732 BUGPRINT("Standard target size too big\n");
733 ret = -EFAULT;
734 goto cleanup_watchers;
735 }
736 if (((struct ebt_standard_target *)t)->verdict <
737 -NUM_STANDARD_TARGETS) {
738 BUGPRINT("Invalid standard target\n");
739 ret = -EFAULT;
740 goto cleanup_watchers;
741 }
742 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
743 module_put(t->u.target->me);
744 ret = -EFAULT;
745 goto cleanup_watchers;
746 }
747
748 tgpar.target = target;
749 tgpar.targinfo = t->data;
750 ret = xt_check_target(&tgpar, t->target_size,
751 e->ethproto, e->invflags & EBT_IPROTO);
752 if (ret < 0) {
753 module_put(target->me);
754 goto cleanup_watchers;
755 }
756 (*cnt)++;
757 return 0;
758 cleanup_watchers:
759 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, &j);
760 cleanup_matches:
761 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, &i);
762 return ret;
763 }
764
765 /*
766 * checks for loops and sets the hook mask for udc
767 * the hook mask for udc tells us from which base chains the udc can be
768 * accessed. This mask is a parameter to the check() functions of the extensions
769 */
770 static int check_chainloops(const struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
771 unsigned int udc_cnt, unsigned int hooknr, char *base)
772 {
773 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
774 const struct ebt_entry *e = (struct ebt_entry *)chain->data;
775 const struct ebt_entry_target *t;
776
777 while (pos < nentries || chain_nr != -1) {
778 /* end of udc, go back one 'recursion' step */
779 if (pos == nentries) {
780 /* put back values of the time when this chain was called */
781 e = cl_s[chain_nr].cs.e;
782 if (cl_s[chain_nr].from != -1)
783 nentries =
784 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
785 else
786 nentries = chain->nentries;
787 pos = cl_s[chain_nr].cs.n;
788 /* make sure we won't see a loop that isn't one */
789 cl_s[chain_nr].cs.n = 0;
790 chain_nr = cl_s[chain_nr].from;
791 if (pos == nentries)
792 continue;
793 }
794 t = (struct ebt_entry_target *)
795 (((char *)e) + e->target_offset);
796 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
797 goto letscontinue;
798 if (e->target_offset + sizeof(struct ebt_standard_target) >
799 e->next_offset) {
800 BUGPRINT("Standard target size too big\n");
801 return -1;
802 }
803 verdict = ((struct ebt_standard_target *)t)->verdict;
804 if (verdict >= 0) { /* jump to another chain */
805 struct ebt_entries *hlp2 =
806 (struct ebt_entries *)(base + verdict);
807 for (i = 0; i < udc_cnt; i++)
808 if (hlp2 == cl_s[i].cs.chaininfo)
809 break;
810 /* bad destination or loop */
811 if (i == udc_cnt) {
812 BUGPRINT("bad destination\n");
813 return -1;
814 }
815 if (cl_s[i].cs.n) {
816 BUGPRINT("loop\n");
817 return -1;
818 }
819 if (cl_s[i].hookmask & (1 << hooknr))
820 goto letscontinue;
821 /* this can't be 0, so the loop test is correct */
822 cl_s[i].cs.n = pos + 1;
823 pos = 0;
824 cl_s[i].cs.e = ebt_next_entry(e);
825 e = (struct ebt_entry *)(hlp2->data);
826 nentries = hlp2->nentries;
827 cl_s[i].from = chain_nr;
828 chain_nr = i;
829 /* this udc is accessible from the base chain for hooknr */
830 cl_s[i].hookmask |= (1 << hooknr);
831 continue;
832 }
833 letscontinue:
834 e = ebt_next_entry(e);
835 pos++;
836 }
837 return 0;
838 }
839
840 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
841 static int translate_table(struct net *net, const char *name,
842 struct ebt_table_info *newinfo)
843 {
844 unsigned int i, j, k, udc_cnt;
845 int ret;
846 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
847
848 i = 0;
849 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
850 i++;
851 if (i == NF_BR_NUMHOOKS) {
852 BUGPRINT("No valid hooks specified\n");
853 return -EINVAL;
854 }
855 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
856 BUGPRINT("Chains don't start at beginning\n");
857 return -EINVAL;
858 }
859 /* make sure chains are ordered after each other in same order
860 as their corresponding hooks */
861 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
862 if (!newinfo->hook_entry[j])
863 continue;
864 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
865 BUGPRINT("Hook order must be followed\n");
866 return -EINVAL;
867 }
868 i = j;
869 }
870
871 /* do some early checkings and initialize some things */
872 i = 0; /* holds the expected nr. of entries for the chain */
873 j = 0; /* holds the up to now counted entries for the chain */
874 k = 0; /* holds the total nr. of entries, should equal
875 newinfo->nentries afterwards */
876 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
877 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
878 ebt_check_entry_size_and_hooks, newinfo,
879 &i, &j, &k, &udc_cnt);
880
881 if (ret != 0)
882 return ret;
883
884 if (i != j) {
885 BUGPRINT("nentries does not equal the nr of entries in the "
886 "(last) chain\n");
887 return -EINVAL;
888 }
889 if (k != newinfo->nentries) {
890 BUGPRINT("Total nentries is wrong\n");
891 return -EINVAL;
892 }
893
894 /* get the location of the udc, put them in an array
895 while we're at it, allocate the chainstack */
896 if (udc_cnt) {
897 /* this will get free'd in do_replace()/ebt_register_table()
898 if an error occurs */
899 newinfo->chainstack =
900 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
901 if (!newinfo->chainstack)
902 return -ENOMEM;
903 for_each_possible_cpu(i) {
904 newinfo->chainstack[i] =
905 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
906 if (!newinfo->chainstack[i]) {
907 while (i)
908 vfree(newinfo->chainstack[--i]);
909 vfree(newinfo->chainstack);
910 newinfo->chainstack = NULL;
911 return -ENOMEM;
912 }
913 }
914
915 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
916 if (!cl_s)
917 return -ENOMEM;
918 i = 0; /* the i'th udc */
919 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
920 ebt_get_udc_positions, newinfo, &i, cl_s);
921 /* sanity check */
922 if (i != udc_cnt) {
923 BUGPRINT("i != udc_cnt\n");
924 vfree(cl_s);
925 return -EFAULT;
926 }
927 }
928
929 /* Check for loops */
930 for (i = 0; i < NF_BR_NUMHOOKS; i++)
931 if (newinfo->hook_entry[i])
932 if (check_chainloops(newinfo->hook_entry[i],
933 cl_s, udc_cnt, i, newinfo->entries)) {
934 vfree(cl_s);
935 return -EINVAL;
936 }
937
938 /* we now know the following (along with E=mc²):
939 - the nr of entries in each chain is right
940 - the size of the allocated space is right
941 - all valid hooks have a corresponding chain
942 - there are no loops
943 - wrong data can still be on the level of a single entry
944 - could be there are jumps to places that are not the
945 beginning of a chain. This can only occur in chains that
946 are not accessible from any base chains, so we don't care. */
947
948 /* used to know what we need to clean up if something goes wrong */
949 i = 0;
950 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
951 ebt_check_entry, net, newinfo, name, &i, cl_s, udc_cnt);
952 if (ret != 0) {
953 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
954 ebt_cleanup_entry, net, &i);
955 }
956 vfree(cl_s);
957 return ret;
958 }
959
960 /* called under write_lock */
961 static void get_counters(const struct ebt_counter *oldcounters,
962 struct ebt_counter *counters, unsigned int nentries)
963 {
964 int i, cpu;
965 struct ebt_counter *counter_base;
966
967 /* counters of cpu 0 */
968 memcpy(counters, oldcounters,
969 sizeof(struct ebt_counter) * nentries);
970
971 /* add other counters to those of cpu 0 */
972 for_each_possible_cpu(cpu) {
973 if (cpu == 0)
974 continue;
975 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
976 for (i = 0; i < nentries; i++) {
977 counters[i].pcnt += counter_base[i].pcnt;
978 counters[i].bcnt += counter_base[i].bcnt;
979 }
980 }
981 }
982
983 static int do_replace_finish(struct net *net, struct ebt_replace *repl,
984 struct ebt_table_info *newinfo)
985 {
986 int ret, i;
987 struct ebt_counter *counterstmp = NULL;
988 /* used to be able to unlock earlier */
989 struct ebt_table_info *table;
990 struct ebt_table *t;
991
992 /* the user wants counters back
993 the check on the size is done later, when we have the lock */
994 if (repl->num_counters) {
995 unsigned long size = repl->num_counters * sizeof(*counterstmp);
996 counterstmp = vmalloc(size);
997 if (!counterstmp)
998 return -ENOMEM;
999 }
1000
1001 newinfo->chainstack = NULL;
1002 ret = ebt_verify_pointers(repl, newinfo);
1003 if (ret != 0)
1004 goto free_counterstmp;
1005
1006 ret = translate_table(net, repl->name, newinfo);
1007
1008 if (ret != 0)
1009 goto free_counterstmp;
1010
1011 t = find_table_lock(net, repl->name, &ret, &ebt_mutex);
1012 if (!t) {
1013 ret = -ENOENT;
1014 goto free_iterate;
1015 }
1016
1017 /* the table doesn't like it */
1018 if (t->check && (ret = t->check(newinfo, repl->valid_hooks)))
1019 goto free_unlock;
1020
1021 if (repl->num_counters && repl->num_counters != t->private->nentries) {
1022 BUGPRINT("Wrong nr. of counters requested\n");
1023 ret = -EINVAL;
1024 goto free_unlock;
1025 }
1026
1027 /* we have the mutex lock, so no danger in reading this pointer */
1028 table = t->private;
1029 /* make sure the table can only be rmmod'ed if it contains no rules */
1030 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1031 ret = -ENOENT;
1032 goto free_unlock;
1033 } else if (table->nentries && !newinfo->nentries)
1034 module_put(t->me);
1035 /* we need an atomic snapshot of the counters */
1036 write_lock_bh(&t->lock);
1037 if (repl->num_counters)
1038 get_counters(t->private->counters, counterstmp,
1039 t->private->nentries);
1040
1041 t->private = newinfo;
1042 write_unlock_bh(&t->lock);
1043 mutex_unlock(&ebt_mutex);
1044 /* so, a user can change the chains while having messed up her counter
1045 allocation. Only reason why this is done is because this way the lock
1046 is held only once, while this doesn't bring the kernel into a
1047 dangerous state. */
1048 if (repl->num_counters &&
1049 copy_to_user(repl->counters, counterstmp,
1050 repl->num_counters * sizeof(struct ebt_counter))) {
1051 ret = -EFAULT;
1052 }
1053 else
1054 ret = 0;
1055
1056 /* decrease module count and free resources */
1057 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1058 ebt_cleanup_entry, net, NULL);
1059
1060 vfree(table->entries);
1061 if (table->chainstack) {
1062 for_each_possible_cpu(i)
1063 vfree(table->chainstack[i]);
1064 vfree(table->chainstack);
1065 }
1066 vfree(table);
1067
1068 vfree(counterstmp);
1069 return ret;
1070
1071 free_unlock:
1072 mutex_unlock(&ebt_mutex);
1073 free_iterate:
1074 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1075 ebt_cleanup_entry, net, NULL);
1076 free_counterstmp:
1077 vfree(counterstmp);
1078 /* can be initialized in translate_table() */
1079 if (newinfo->chainstack) {
1080 for_each_possible_cpu(i)
1081 vfree(newinfo->chainstack[i]);
1082 vfree(newinfo->chainstack);
1083 }
1084 return ret;
1085 }
1086
1087 /* replace the table */
1088 static int do_replace(struct net *net, const void __user *user,
1089 unsigned int len)
1090 {
1091 int ret, countersize;
1092 struct ebt_table_info *newinfo;
1093 struct ebt_replace tmp;
1094
1095 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1096 return -EFAULT;
1097
1098 if (len != sizeof(tmp) + tmp.entries_size) {
1099 BUGPRINT("Wrong len argument\n");
1100 return -EINVAL;
1101 }
1102
1103 if (tmp.entries_size == 0) {
1104 BUGPRINT("Entries_size never zero\n");
1105 return -EINVAL;
1106 }
1107 /* overflow check */
1108 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) /
1109 NR_CPUS - SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
1110 return -ENOMEM;
1111 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
1112 return -ENOMEM;
1113
1114 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
1115 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1116 if (!newinfo)
1117 return -ENOMEM;
1118
1119 if (countersize)
1120 memset(newinfo->counters, 0, countersize);
1121
1122 newinfo->entries = vmalloc(tmp.entries_size);
1123 if (!newinfo->entries) {
1124 ret = -ENOMEM;
1125 goto free_newinfo;
1126 }
1127 if (copy_from_user(
1128 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
1129 BUGPRINT("Couldn't copy entries from userspace\n");
1130 ret = -EFAULT;
1131 goto free_entries;
1132 }
1133
1134 ret = do_replace_finish(net, &tmp, newinfo);
1135 if (ret == 0)
1136 return ret;
1137 free_entries:
1138 vfree(newinfo->entries);
1139 free_newinfo:
1140 vfree(newinfo);
1141 return ret;
1142 }
1143
1144 struct ebt_table *
1145 ebt_register_table(struct net *net, const struct ebt_table *input_table)
1146 {
1147 struct ebt_table_info *newinfo;
1148 struct ebt_table *t, *table;
1149 struct ebt_replace_kernel *repl;
1150 int ret, i, countersize;
1151 void *p;
1152
1153 if (input_table == NULL || (repl = input_table->table) == NULL ||
1154 repl->entries == 0 || repl->entries_size == 0 ||
1155 repl->counters != NULL || input_table->private != NULL) {
1156 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1157 return ERR_PTR(-EINVAL);
1158 }
1159
1160 /* Don't add one table to multiple lists. */
1161 table = kmemdup(input_table, sizeof(struct ebt_table), GFP_KERNEL);
1162 if (!table) {
1163 ret = -ENOMEM;
1164 goto out;
1165 }
1166
1167 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1168 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1169 ret = -ENOMEM;
1170 if (!newinfo)
1171 goto free_table;
1172
1173 p = vmalloc(repl->entries_size);
1174 if (!p)
1175 goto free_newinfo;
1176
1177 memcpy(p, repl->entries, repl->entries_size);
1178 newinfo->entries = p;
1179
1180 newinfo->entries_size = repl->entries_size;
1181 newinfo->nentries = repl->nentries;
1182
1183 if (countersize)
1184 memset(newinfo->counters, 0, countersize);
1185
1186 /* fill in newinfo and parse the entries */
1187 newinfo->chainstack = NULL;
1188 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1189 if ((repl->valid_hooks & (1 << i)) == 0)
1190 newinfo->hook_entry[i] = NULL;
1191 else
1192 newinfo->hook_entry[i] = p +
1193 ((char *)repl->hook_entry[i] - repl->entries);
1194 }
1195 ret = translate_table(net, repl->name, newinfo);
1196 if (ret != 0) {
1197 BUGPRINT("Translate_table failed\n");
1198 goto free_chainstack;
1199 }
1200
1201 if (table->check && table->check(newinfo, table->valid_hooks)) {
1202 BUGPRINT("The table doesn't like its own initial data, lol\n");
1203 return ERR_PTR(-EINVAL);
1204 }
1205
1206 table->private = newinfo;
1207 rwlock_init(&table->lock);
1208 ret = mutex_lock_interruptible(&ebt_mutex);
1209 if (ret != 0)
1210 goto free_chainstack;
1211
1212 list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) {
1213 if (strcmp(t->name, table->name) == 0) {
1214 ret = -EEXIST;
1215 BUGPRINT("Table name already exists\n");
1216 goto free_unlock;
1217 }
1218 }
1219
1220 /* Hold a reference count if the chains aren't empty */
1221 if (newinfo->nentries && !try_module_get(table->me)) {
1222 ret = -ENOENT;
1223 goto free_unlock;
1224 }
1225 list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]);
1226 mutex_unlock(&ebt_mutex);
1227 return table;
1228 free_unlock:
1229 mutex_unlock(&ebt_mutex);
1230 free_chainstack:
1231 if (newinfo->chainstack) {
1232 for_each_possible_cpu(i)
1233 vfree(newinfo->chainstack[i]);
1234 vfree(newinfo->chainstack);
1235 }
1236 vfree(newinfo->entries);
1237 free_newinfo:
1238 vfree(newinfo);
1239 free_table:
1240 kfree(table);
1241 out:
1242 return ERR_PTR(ret);
1243 }
1244
1245 void ebt_unregister_table(struct net *net, struct ebt_table *table)
1246 {
1247 int i;
1248
1249 if (!table) {
1250 BUGPRINT("Request to unregister NULL table!!!\n");
1251 return;
1252 }
1253 mutex_lock(&ebt_mutex);
1254 list_del(&table->list);
1255 mutex_unlock(&ebt_mutex);
1256 EBT_ENTRY_ITERATE(table->private->entries, table->private->entries_size,
1257 ebt_cleanup_entry, net, NULL);
1258 if (table->private->nentries)
1259 module_put(table->me);
1260 vfree(table->private->entries);
1261 if (table->private->chainstack) {
1262 for_each_possible_cpu(i)
1263 vfree(table->private->chainstack[i]);
1264 vfree(table->private->chainstack);
1265 }
1266 vfree(table->private);
1267 kfree(table);
1268 }
1269
1270 /* userspace just supplied us with counters */
1271 static int do_update_counters(struct net *net, const char *name,
1272 struct ebt_counter __user *counters,
1273 unsigned int num_counters,
1274 const void __user *user, unsigned int len)
1275 {
1276 int i, ret;
1277 struct ebt_counter *tmp;
1278 struct ebt_table *t;
1279
1280 if (num_counters == 0)
1281 return -EINVAL;
1282
1283 tmp = vmalloc(num_counters * sizeof(*tmp));
1284 if (!tmp)
1285 return -ENOMEM;
1286
1287 t = find_table_lock(net, name, &ret, &ebt_mutex);
1288 if (!t)
1289 goto free_tmp;
1290
1291 if (num_counters != t->private->nentries) {
1292 BUGPRINT("Wrong nr of counters\n");
1293 ret = -EINVAL;
1294 goto unlock_mutex;
1295 }
1296
1297 if (copy_from_user(tmp, counters, num_counters * sizeof(*counters))) {
1298 ret = -EFAULT;
1299 goto unlock_mutex;
1300 }
1301
1302 /* we want an atomic add of the counters */
1303 write_lock_bh(&t->lock);
1304
1305 /* we add to the counters of the first cpu */
1306 for (i = 0; i < num_counters; i++) {
1307 t->private->counters[i].pcnt += tmp[i].pcnt;
1308 t->private->counters[i].bcnt += tmp[i].bcnt;
1309 }
1310
1311 write_unlock_bh(&t->lock);
1312 ret = 0;
1313 unlock_mutex:
1314 mutex_unlock(&ebt_mutex);
1315 free_tmp:
1316 vfree(tmp);
1317 return ret;
1318 }
1319
1320 static int update_counters(struct net *net, const void __user *user,
1321 unsigned int len)
1322 {
1323 struct ebt_replace hlp;
1324
1325 if (copy_from_user(&hlp, user, sizeof(hlp)))
1326 return -EFAULT;
1327
1328 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1329 return -EINVAL;
1330
1331 return do_update_counters(net, hlp.name, hlp.counters,
1332 hlp.num_counters, user, len);
1333 }
1334
1335 static inline int ebt_make_matchname(const struct ebt_entry_match *m,
1336 const char *base, char __user *ubase)
1337 {
1338 char __user *hlp = ubase + ((char *)m - base);
1339 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1340 return -EFAULT;
1341 return 0;
1342 }
1343
1344 static inline int ebt_make_watchername(const struct ebt_entry_watcher *w,
1345 const char *base, char __user *ubase)
1346 {
1347 char __user *hlp = ubase + ((char *)w - base);
1348 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1349 return -EFAULT;
1350 return 0;
1351 }
1352
1353 static inline int
1354 ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase)
1355 {
1356 int ret;
1357 char __user *hlp;
1358 const struct ebt_entry_target *t;
1359
1360 if (e->bitmask == 0)
1361 return 0;
1362
1363 hlp = ubase + (((char *)e + e->target_offset) - base);
1364 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1365
1366 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1367 if (ret != 0)
1368 return ret;
1369 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1370 if (ret != 0)
1371 return ret;
1372 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1373 return -EFAULT;
1374 return 0;
1375 }
1376
1377 static int copy_counters_to_user(struct ebt_table *t,
1378 const struct ebt_counter *oldcounters,
1379 void __user *user, unsigned int num_counters,
1380 unsigned int nentries)
1381 {
1382 struct ebt_counter *counterstmp;
1383 int ret = 0;
1384
1385 /* userspace might not need the counters */
1386 if (num_counters == 0)
1387 return 0;
1388
1389 if (num_counters != nentries) {
1390 BUGPRINT("Num_counters wrong\n");
1391 return -EINVAL;
1392 }
1393
1394 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1395 if (!counterstmp)
1396 return -ENOMEM;
1397
1398 write_lock_bh(&t->lock);
1399 get_counters(oldcounters, counterstmp, nentries);
1400 write_unlock_bh(&t->lock);
1401
1402 if (copy_to_user(user, counterstmp,
1403 nentries * sizeof(struct ebt_counter)))
1404 ret = -EFAULT;
1405 vfree(counterstmp);
1406 return ret;
1407 }
1408
1409 /* called with ebt_mutex locked */
1410 static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1411 const int *len, int cmd)
1412 {
1413 struct ebt_replace tmp;
1414 const struct ebt_counter *oldcounters;
1415 unsigned int entries_size, nentries;
1416 int ret;
1417 char *entries;
1418
1419 if (cmd == EBT_SO_GET_ENTRIES) {
1420 entries_size = t->private->entries_size;
1421 nentries = t->private->nentries;
1422 entries = t->private->entries;
1423 oldcounters = t->private->counters;
1424 } else {
1425 entries_size = t->table->entries_size;
1426 nentries = t->table->nentries;
1427 entries = t->table->entries;
1428 oldcounters = t->table->counters;
1429 }
1430
1431 if (copy_from_user(&tmp, user, sizeof(tmp)))
1432 return -EFAULT;
1433
1434 if (*len != sizeof(struct ebt_replace) + entries_size +
1435 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0))
1436 return -EINVAL;
1437
1438 if (tmp.nentries != nentries) {
1439 BUGPRINT("Nentries wrong\n");
1440 return -EINVAL;
1441 }
1442
1443 if (tmp.entries_size != entries_size) {
1444 BUGPRINT("Wrong size\n");
1445 return -EINVAL;
1446 }
1447
1448 ret = copy_counters_to_user(t, oldcounters, tmp.counters,
1449 tmp.num_counters, nentries);
1450 if (ret)
1451 return ret;
1452
1453 if (copy_to_user(tmp.entries, entries, entries_size)) {
1454 BUGPRINT("Couldn't copy entries to userspace\n");
1455 return -EFAULT;
1456 }
1457 /* set the match/watcher/target names right */
1458 return EBT_ENTRY_ITERATE(entries, entries_size,
1459 ebt_make_names, entries, tmp.entries);
1460 }
1461
1462 static int do_ebt_set_ctl(struct sock *sk,
1463 int cmd, void __user *user, unsigned int len)
1464 {
1465 int ret;
1466
1467 if (!capable(CAP_NET_ADMIN))
1468 return -EPERM;
1469
1470 switch(cmd) {
1471 case EBT_SO_SET_ENTRIES:
1472 ret = do_replace(sock_net(sk), user, len);
1473 break;
1474 case EBT_SO_SET_COUNTERS:
1475 ret = update_counters(sock_net(sk), user, len);
1476 break;
1477 default:
1478 ret = -EINVAL;
1479 }
1480 return ret;
1481 }
1482
1483 static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1484 {
1485 int ret;
1486 struct ebt_replace tmp;
1487 struct ebt_table *t;
1488
1489 if (!capable(CAP_NET_ADMIN))
1490 return -EPERM;
1491
1492 if (copy_from_user(&tmp, user, sizeof(tmp)))
1493 return -EFAULT;
1494
1495 t = find_table_lock(sock_net(sk), tmp.name, &ret, &ebt_mutex);
1496 if (!t)
1497 return ret;
1498
1499 switch(cmd) {
1500 case EBT_SO_GET_INFO:
1501 case EBT_SO_GET_INIT_INFO:
1502 if (*len != sizeof(struct ebt_replace)){
1503 ret = -EINVAL;
1504 mutex_unlock(&ebt_mutex);
1505 break;
1506 }
1507 if (cmd == EBT_SO_GET_INFO) {
1508 tmp.nentries = t->private->nentries;
1509 tmp.entries_size = t->private->entries_size;
1510 tmp.valid_hooks = t->valid_hooks;
1511 } else {
1512 tmp.nentries = t->table->nentries;
1513 tmp.entries_size = t->table->entries_size;
1514 tmp.valid_hooks = t->table->valid_hooks;
1515 }
1516 mutex_unlock(&ebt_mutex);
1517 if (copy_to_user(user, &tmp, *len) != 0){
1518 BUGPRINT("c2u Didn't work\n");
1519 ret = -EFAULT;
1520 break;
1521 }
1522 ret = 0;
1523 break;
1524
1525 case EBT_SO_GET_ENTRIES:
1526 case EBT_SO_GET_INIT_ENTRIES:
1527 ret = copy_everything_to_user(t, user, len, cmd);
1528 mutex_unlock(&ebt_mutex);
1529 break;
1530
1531 default:
1532 mutex_unlock(&ebt_mutex);
1533 ret = -EINVAL;
1534 }
1535
1536 return ret;
1537 }
1538
1539 #ifdef CONFIG_COMPAT
1540 /* 32 bit-userspace compatibility definitions. */
1541 struct compat_ebt_replace {
1542 char name[EBT_TABLE_MAXNAMELEN];
1543 compat_uint_t valid_hooks;
1544 compat_uint_t nentries;
1545 compat_uint_t entries_size;
1546 /* start of the chains */
1547 compat_uptr_t hook_entry[NF_BR_NUMHOOKS];
1548 /* nr of counters userspace expects back */
1549 compat_uint_t num_counters;
1550 /* where the kernel will put the old counters. */
1551 compat_uptr_t counters;
1552 compat_uptr_t entries;
1553 };
1554
1555 /* struct ebt_entry_match, _target and _watcher have same layout */
1556 struct compat_ebt_entry_mwt {
1557 union {
1558 char name[EBT_FUNCTION_MAXNAMELEN];
1559 compat_uptr_t ptr;
1560 } u;
1561 compat_uint_t match_size;
1562 compat_uint_t data[0];
1563 };
1564
1565 /* account for possible padding between match_size and ->data */
1566 static int ebt_compat_entry_padsize(void)
1567 {
1568 BUILD_BUG_ON(XT_ALIGN(sizeof(struct ebt_entry_match)) <
1569 COMPAT_XT_ALIGN(sizeof(struct compat_ebt_entry_mwt)));
1570 return (int) XT_ALIGN(sizeof(struct ebt_entry_match)) -
1571 COMPAT_XT_ALIGN(sizeof(struct compat_ebt_entry_mwt));
1572 }
1573
1574 static int ebt_compat_match_offset(const struct xt_match *match,
1575 unsigned int userlen)
1576 {
1577 /*
1578 * ebt_among needs special handling. The kernel .matchsize is
1579 * set to -1 at registration time; at runtime an EBT_ALIGN()ed
1580 * value is expected.
1581 * Example: userspace sends 4500, ebt_among.c wants 4504.
1582 */
1583 if (unlikely(match->matchsize == -1))
1584 return XT_ALIGN(userlen) - COMPAT_XT_ALIGN(userlen);
1585 return xt_compat_match_offset(match);
1586 }
1587
1588 static int compat_match_to_user(struct ebt_entry_match *m, void __user **dstptr,
1589 unsigned int *size)
1590 {
1591 const struct xt_match *match = m->u.match;
1592 struct compat_ebt_entry_mwt __user *cm = *dstptr;
1593 int off = ebt_compat_match_offset(match, m->match_size);
1594 compat_uint_t msize = m->match_size - off;
1595
1596 BUG_ON(off >= m->match_size);
1597
1598 if (copy_to_user(cm->u.name, match->name,
1599 strlen(match->name) + 1) || put_user(msize, &cm->match_size))
1600 return -EFAULT;
1601
1602 if (match->compat_to_user) {
1603 if (match->compat_to_user(cm->data, m->data))
1604 return -EFAULT;
1605 } else if (copy_to_user(cm->data, m->data, msize))
1606 return -EFAULT;
1607
1608 *size -= ebt_compat_entry_padsize() + off;
1609 *dstptr = cm->data;
1610 *dstptr += msize;
1611 return 0;
1612 }
1613
1614 static int compat_target_to_user(struct ebt_entry_target *t,
1615 void __user **dstptr,
1616 unsigned int *size)
1617 {
1618 const struct xt_target *target = t->u.target;
1619 struct compat_ebt_entry_mwt __user *cm = *dstptr;
1620 int off = xt_compat_target_offset(target);
1621 compat_uint_t tsize = t->target_size - off;
1622
1623 BUG_ON(off >= t->target_size);
1624
1625 if (copy_to_user(cm->u.name, target->name,
1626 strlen(target->name) + 1) || put_user(tsize, &cm->match_size))
1627 return -EFAULT;
1628
1629 if (target->compat_to_user) {
1630 if (target->compat_to_user(cm->data, t->data))
1631 return -EFAULT;
1632 } else if (copy_to_user(cm->data, t->data, tsize))
1633 return -EFAULT;
1634
1635 *size -= ebt_compat_entry_padsize() + off;
1636 *dstptr = cm->data;
1637 *dstptr += tsize;
1638 return 0;
1639 }
1640
1641 static int compat_watcher_to_user(struct ebt_entry_watcher *w,
1642 void __user **dstptr,
1643 unsigned int *size)
1644 {
1645 return compat_target_to_user((struct ebt_entry_target *)w,
1646 dstptr, size);
1647 }
1648
1649 static int compat_copy_entry_to_user(struct ebt_entry *e, void __user **dstptr,
1650 unsigned int *size)
1651 {
1652 struct ebt_entry_target *t;
1653 struct ebt_entry __user *ce;
1654 u32 watchers_offset, target_offset, next_offset;
1655 compat_uint_t origsize;
1656 int ret;
1657
1658 if (e->bitmask == 0) {
1659 if (*size < sizeof(struct ebt_entries))
1660 return -EINVAL;
1661 if (copy_to_user(*dstptr, e, sizeof(struct ebt_entries)))
1662 return -EFAULT;
1663
1664 *dstptr += sizeof(struct ebt_entries);
1665 *size -= sizeof(struct ebt_entries);
1666 return 0;
1667 }
1668
1669 if (*size < sizeof(*ce))
1670 return -EINVAL;
1671
1672 ce = (struct ebt_entry __user *)*dstptr;
1673 if (copy_to_user(ce, e, sizeof(*ce)))
1674 return -EFAULT;
1675
1676 origsize = *size;
1677 *dstptr += sizeof(*ce);
1678
1679 ret = EBT_MATCH_ITERATE(e, compat_match_to_user, dstptr, size);
1680 if (ret)
1681 return ret;
1682 watchers_offset = e->watchers_offset - (origsize - *size);
1683
1684 ret = EBT_WATCHER_ITERATE(e, compat_watcher_to_user, dstptr, size);
1685 if (ret)
1686 return ret;
1687 target_offset = e->target_offset - (origsize - *size);
1688
1689 t = (struct ebt_entry_target *) ((char *) e + e->target_offset);
1690
1691 ret = compat_target_to_user(t, dstptr, size);
1692 if (ret)
1693 return ret;
1694 next_offset = e->next_offset - (origsize - *size);
1695
1696 if (put_user(watchers_offset, &ce->watchers_offset) ||
1697 put_user(target_offset, &ce->target_offset) ||
1698 put_user(next_offset, &ce->next_offset))
1699 return -EFAULT;
1700
1701 *size -= sizeof(*ce);
1702 return 0;
1703 }
1704
1705 static int compat_calc_match(struct ebt_entry_match *m, int *off)
1706 {
1707 *off += ebt_compat_match_offset(m->u.match, m->match_size);
1708 *off += ebt_compat_entry_padsize();
1709 return 0;
1710 }
1711
1712 static int compat_calc_watcher(struct ebt_entry_watcher *w, int *off)
1713 {
1714 *off += xt_compat_target_offset(w->u.watcher);
1715 *off += ebt_compat_entry_padsize();
1716 return 0;
1717 }
1718
1719 static int compat_calc_entry(const struct ebt_entry *e,
1720 const struct ebt_table_info *info,
1721 const void *base,
1722 struct compat_ebt_replace *newinfo)
1723 {
1724 const struct ebt_entry_target *t;
1725 unsigned int entry_offset;
1726 int off, ret, i;
1727
1728 if (e->bitmask == 0)
1729 return 0;
1730
1731 off = 0;
1732 entry_offset = (void *)e - base;
1733
1734 EBT_MATCH_ITERATE(e, compat_calc_match, &off);
1735 EBT_WATCHER_ITERATE(e, compat_calc_watcher, &off);
1736
1737 t = (const struct ebt_entry_target *) ((char *) e + e->target_offset);
1738
1739 off += xt_compat_target_offset(t->u.target);
1740 off += ebt_compat_entry_padsize();
1741
1742 newinfo->entries_size -= off;
1743
1744 ret = xt_compat_add_offset(NFPROTO_BRIDGE, entry_offset, off);
1745 if (ret)
1746 return ret;
1747
1748 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1749 const void *hookptr = info->hook_entry[i];
1750 if (info->hook_entry[i] &&
1751 (e < (struct ebt_entry *)(base - hookptr))) {
1752 newinfo->hook_entry[i] -= off;
1753 pr_debug("0x%08X -> 0x%08X\n",
1754 newinfo->hook_entry[i] + off,
1755 newinfo->hook_entry[i]);
1756 }
1757 }
1758
1759 return 0;
1760 }
1761
1762
1763 static int compat_table_info(const struct ebt_table_info *info,
1764 struct compat_ebt_replace *newinfo)
1765 {
1766 unsigned int size = info->entries_size;
1767 const void *entries = info->entries;
1768
1769 newinfo->entries_size = size;
1770
1771 return EBT_ENTRY_ITERATE(entries, size, compat_calc_entry, info,
1772 entries, newinfo);
1773 }
1774
1775 static int compat_copy_everything_to_user(struct ebt_table *t,
1776 void __user *user, int *len, int cmd)
1777 {
1778 struct compat_ebt_replace repl, tmp;
1779 struct ebt_counter *oldcounters;
1780 struct ebt_table_info tinfo;
1781 int ret;
1782 void __user *pos;
1783
1784 memset(&tinfo, 0, sizeof(tinfo));
1785
1786 if (cmd == EBT_SO_GET_ENTRIES) {
1787 tinfo.entries_size = t->private->entries_size;
1788 tinfo.nentries = t->private->nentries;
1789 tinfo.entries = t->private->entries;
1790 oldcounters = t->private->counters;
1791 } else {
1792 tinfo.entries_size = t->table->entries_size;
1793 tinfo.nentries = t->table->nentries;
1794 tinfo.entries = t->table->entries;
1795 oldcounters = t->table->counters;
1796 }
1797
1798 if (copy_from_user(&tmp, user, sizeof(tmp)))
1799 return -EFAULT;
1800
1801 if (tmp.nentries != tinfo.nentries ||
1802 (tmp.num_counters && tmp.num_counters != tinfo.nentries))
1803 return -EINVAL;
1804
1805 memcpy(&repl, &tmp, sizeof(repl));
1806 if (cmd == EBT_SO_GET_ENTRIES)
1807 ret = compat_table_info(t->private, &repl);
1808 else
1809 ret = compat_table_info(&tinfo, &repl);
1810 if (ret)
1811 return ret;
1812
1813 if (*len != sizeof(tmp) + repl.entries_size +
1814 (tmp.num_counters? tinfo.nentries * sizeof(struct ebt_counter): 0)) {
1815 pr_err("wrong size: *len %d, entries_size %u, replsz %d\n",
1816 *len, tinfo.entries_size, repl.entries_size);
1817 return -EINVAL;
1818 }
1819
1820 /* userspace might not need the counters */
1821 ret = copy_counters_to_user(t, oldcounters, compat_ptr(tmp.counters),
1822 tmp.num_counters, tinfo.nentries);
1823 if (ret)
1824 return ret;
1825
1826 pos = compat_ptr(tmp.entries);
1827 return EBT_ENTRY_ITERATE(tinfo.entries, tinfo.entries_size,
1828 compat_copy_entry_to_user, &pos, &tmp.entries_size);
1829 }
1830
1831 struct ebt_entries_buf_state {
1832 char *buf_kern_start; /* kernel buffer to copy (translated) data to */
1833 u32 buf_kern_len; /* total size of kernel buffer */
1834 u32 buf_kern_offset; /* amount of data copied so far */
1835 u32 buf_user_offset; /* read position in userspace buffer */
1836 };
1837
1838 static int ebt_buf_count(struct ebt_entries_buf_state *state, unsigned int sz)
1839 {
1840 state->buf_kern_offset += sz;
1841 return state->buf_kern_offset >= sz ? 0 : -EINVAL;
1842 }
1843
1844 static int ebt_buf_add(struct ebt_entries_buf_state *state,
1845 void *data, unsigned int sz)
1846 {
1847 if (state->buf_kern_start == NULL)
1848 goto count_only;
1849
1850 BUG_ON(state->buf_kern_offset + sz > state->buf_kern_len);
1851
1852 memcpy(state->buf_kern_start + state->buf_kern_offset, data, sz);
1853
1854 count_only:
1855 state->buf_user_offset += sz;
1856 return ebt_buf_count(state, sz);
1857 }
1858
1859 static int ebt_buf_add_pad(struct ebt_entries_buf_state *state, unsigned int sz)
1860 {
1861 char *b = state->buf_kern_start;
1862
1863 BUG_ON(b && state->buf_kern_offset > state->buf_kern_len);
1864
1865 if (b != NULL && sz > 0)
1866 memset(b + state->buf_kern_offset, 0, sz);
1867 /* do not adjust ->buf_user_offset here, we added kernel-side padding */
1868 return ebt_buf_count(state, sz);
1869 }
1870
1871 enum compat_mwt {
1872 EBT_COMPAT_MATCH,
1873 EBT_COMPAT_WATCHER,
1874 EBT_COMPAT_TARGET,
1875 };
1876
1877 static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
1878 enum compat_mwt compat_mwt,
1879 struct ebt_entries_buf_state *state,
1880 const unsigned char *base)
1881 {
1882 char name[EBT_FUNCTION_MAXNAMELEN];
1883 struct xt_match *match;
1884 struct xt_target *wt;
1885 void *dst = NULL;
1886 int off, pad = 0, ret = 0;
1887 unsigned int size_kern, entry_offset, match_size = mwt->match_size;
1888
1889 strlcpy(name, mwt->u.name, sizeof(name));
1890
1891 if (state->buf_kern_start)
1892 dst = state->buf_kern_start + state->buf_kern_offset;
1893
1894 entry_offset = (unsigned char *) mwt - base;
1895 switch (compat_mwt) {
1896 case EBT_COMPAT_MATCH:
1897 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
1898 name, 0), "ebt_%s", name);
1899 if (match == NULL)
1900 return -ENOENT;
1901 if (IS_ERR(match))
1902 return PTR_ERR(match);
1903
1904 off = ebt_compat_match_offset(match, match_size);
1905 if (dst) {
1906 if (match->compat_from_user)
1907 match->compat_from_user(dst, mwt->data);
1908 else
1909 memcpy(dst, mwt->data, match_size);
1910 }
1911
1912 size_kern = match->matchsize;
1913 if (unlikely(size_kern == -1))
1914 size_kern = match_size;
1915 module_put(match->me);
1916 break;
1917 case EBT_COMPAT_WATCHER: /* fallthrough */
1918 case EBT_COMPAT_TARGET:
1919 wt = try_then_request_module(xt_find_target(NFPROTO_BRIDGE,
1920 name, 0), "ebt_%s", name);
1921 if (wt == NULL)
1922 return -ENOENT;
1923 if (IS_ERR(wt))
1924 return PTR_ERR(wt);
1925 off = xt_compat_target_offset(wt);
1926
1927 if (dst) {
1928 if (wt->compat_from_user)
1929 wt->compat_from_user(dst, mwt->data);
1930 else
1931 memcpy(dst, mwt->data, match_size);
1932 }
1933
1934 size_kern = wt->targetsize;
1935 module_put(wt->me);
1936 break;
1937 }
1938
1939 if (!dst) {
1940 ret = xt_compat_add_offset(NFPROTO_BRIDGE, entry_offset,
1941 off + ebt_compat_entry_padsize());
1942 if (ret < 0)
1943 return ret;
1944 }
1945
1946 state->buf_kern_offset += match_size + off;
1947 state->buf_user_offset += match_size;
1948 pad = XT_ALIGN(size_kern) - size_kern;
1949
1950 if (pad > 0 && dst) {
1951 BUG_ON(state->buf_kern_len <= pad);
1952 BUG_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad);
1953 memset(dst + size_kern, 0, pad);
1954 }
1955 return off + match_size;
1956 }
1957
1958 /*
1959 * return size of all matches, watchers or target, including necessary
1960 * alignment and padding.
1961 */
1962 static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
1963 unsigned int size_left, enum compat_mwt type,
1964 struct ebt_entries_buf_state *state, const void *base)
1965 {
1966 int growth = 0;
1967 char *buf;
1968
1969 if (size_left == 0)
1970 return 0;
1971
1972 buf = (char *) match32;
1973
1974 while (size_left >= sizeof(*match32)) {
1975 struct ebt_entry_match *match_kern;
1976 int ret;
1977
1978 match_kern = (struct ebt_entry_match *) state->buf_kern_start;
1979 if (match_kern) {
1980 char *tmp;
1981 tmp = state->buf_kern_start + state->buf_kern_offset;
1982 match_kern = (struct ebt_entry_match *) tmp;
1983 }
1984 ret = ebt_buf_add(state, buf, sizeof(*match32));
1985 if (ret < 0)
1986 return ret;
1987 size_left -= sizeof(*match32);
1988
1989 /* add padding before match->data (if any) */
1990 ret = ebt_buf_add_pad(state, ebt_compat_entry_padsize());
1991 if (ret < 0)
1992 return ret;
1993
1994 if (match32->match_size > size_left)
1995 return -EINVAL;
1996
1997 size_left -= match32->match_size;
1998
1999 ret = compat_mtw_from_user(match32, type, state, base);
2000 if (ret < 0)
2001 return ret;
2002
2003 BUG_ON(ret < match32->match_size);
2004 growth += ret - match32->match_size;
2005 growth += ebt_compat_entry_padsize();
2006
2007 buf += sizeof(*match32);
2008 buf += match32->match_size;
2009
2010 if (match_kern)
2011 match_kern->match_size = ret;
2012
2013 WARN_ON(type == EBT_COMPAT_TARGET && size_left);
2014 match32 = (struct compat_ebt_entry_mwt *) buf;
2015 }
2016
2017 return growth;
2018 }
2019
2020 #define EBT_COMPAT_WATCHER_ITERATE(e, fn, args...) \
2021 ({ \
2022 unsigned int __i; \
2023 int __ret = 0; \
2024 struct compat_ebt_entry_mwt *__watcher; \
2025 \
2026 for (__i = e->watchers_offset; \
2027 __i < (e)->target_offset; \
2028 __i += __watcher->watcher_size + \
2029 sizeof(struct compat_ebt_entry_mwt)) { \
2030 __watcher = (void *)(e) + __i; \
2031 __ret = fn(__watcher , ## args); \
2032 if (__ret != 0) \
2033 break; \
2034 } \
2035 if (__ret == 0) { \
2036 if (__i != (e)->target_offset) \
2037 __ret = -EINVAL; \
2038 } \
2039 __ret; \
2040 })
2041
2042 #define EBT_COMPAT_MATCH_ITERATE(e, fn, args...) \
2043 ({ \
2044 unsigned int __i; \
2045 int __ret = 0; \
2046 struct compat_ebt_entry_mwt *__match; \
2047 \
2048 for (__i = sizeof(struct ebt_entry); \
2049 __i < (e)->watchers_offset; \
2050 __i += __match->match_size + \
2051 sizeof(struct compat_ebt_entry_mwt)) { \
2052 __match = (void *)(e) + __i; \
2053 __ret = fn(__match , ## args); \
2054 if (__ret != 0) \
2055 break; \
2056 } \
2057 if (__ret == 0) { \
2058 if (__i != (e)->watchers_offset) \
2059 __ret = -EINVAL; \
2060 } \
2061 __ret; \
2062 })
2063
2064 /* called for all ebt_entry structures. */
2065 static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
2066 unsigned int *total,
2067 struct ebt_entries_buf_state *state)
2068 {
2069 unsigned int i, j, startoff, new_offset = 0;
2070 /* stores match/watchers/targets & offset of next struct ebt_entry: */
2071 unsigned int offsets[4];
2072 unsigned int *offsets_update = NULL;
2073 int ret;
2074 char *buf_start;
2075
2076 if (*total < sizeof(struct ebt_entries))
2077 return -EINVAL;
2078
2079 if (!entry->bitmask) {
2080 *total -= sizeof(struct ebt_entries);
2081 return ebt_buf_add(state, entry, sizeof(struct ebt_entries));
2082 }
2083 if (*total < sizeof(*entry) || entry->next_offset < sizeof(*entry))
2084 return -EINVAL;
2085
2086 startoff = state->buf_user_offset;
2087 /* pull in most part of ebt_entry, it does not need to be changed. */
2088 ret = ebt_buf_add(state, entry,
2089 offsetof(struct ebt_entry, watchers_offset));
2090 if (ret < 0)
2091 return ret;
2092
2093 offsets[0] = sizeof(struct ebt_entry); /* matches come first */
2094 memcpy(&offsets[1], &entry->watchers_offset,
2095 sizeof(offsets) - sizeof(offsets[0]));
2096
2097 if (state->buf_kern_start) {
2098 buf_start = state->buf_kern_start + state->buf_kern_offset;
2099 offsets_update = (unsigned int *) buf_start;
2100 }
2101 ret = ebt_buf_add(state, &offsets[1],
2102 sizeof(offsets) - sizeof(offsets[0]));
2103 if (ret < 0)
2104 return ret;
2105 buf_start = (char *) entry;
2106 /*
2107 * 0: matches offset, always follows ebt_entry.
2108 * 1: watchers offset, from ebt_entry structure
2109 * 2: target offset, from ebt_entry structure
2110 * 3: next ebt_entry offset, from ebt_entry structure
2111 *
2112 * offsets are relative to beginning of struct ebt_entry (i.e., 0).
2113 */
2114 for (i = 0, j = 1 ; j < 4 ; j++, i++) {
2115 struct compat_ebt_entry_mwt *match32;
2116 unsigned int size;
2117 char *buf = buf_start;
2118
2119 buf = buf_start + offsets[i];
2120 if (offsets[i] > offsets[j])
2121 return -EINVAL;
2122
2123 match32 = (struct compat_ebt_entry_mwt *) buf;
2124 size = offsets[j] - offsets[i];
2125 ret = ebt_size_mwt(match32, size, i, state, base);
2126 if (ret < 0)
2127 return ret;
2128 new_offset += ret;
2129 if (offsets_update && new_offset) {
2130 pr_debug("ebtables: change offset %d to %d\n",
2131 offsets_update[i], offsets[j] + new_offset);
2132 offsets_update[i] = offsets[j] + new_offset;
2133 }
2134 }
2135
2136 startoff = state->buf_user_offset - startoff;
2137
2138 BUG_ON(*total < startoff);
2139 *total -= startoff;
2140 return 0;
2141 }
2142
2143 /*
2144 * repl->entries_size is the size of the ebt_entry blob in userspace.
2145 * It might need more memory when copied to a 64 bit kernel in case
2146 * userspace is 32-bit. So, first task: find out how much memory is needed.
2147 *
2148 * Called before validation is performed.
2149 */
2150 static int compat_copy_entries(unsigned char *data, unsigned int size_user,
2151 struct ebt_entries_buf_state *state)
2152 {
2153 unsigned int size_remaining = size_user;
2154 int ret;
2155
2156 ret = EBT_ENTRY_ITERATE(data, size_user, size_entry_mwt, data,
2157 &size_remaining, state);
2158 if (ret < 0)
2159 return ret;
2160
2161 WARN_ON(size_remaining);
2162 return state->buf_kern_offset;
2163 }
2164
2165
2166 static int compat_copy_ebt_replace_from_user(struct ebt_replace *repl,
2167 void __user *user, unsigned int len)
2168 {
2169 struct compat_ebt_replace tmp;
2170 int i;
2171
2172 if (len < sizeof(tmp))
2173 return -EINVAL;
2174
2175 if (copy_from_user(&tmp, user, sizeof(tmp)))
2176 return -EFAULT;
2177
2178 if (len != sizeof(tmp) + tmp.entries_size)
2179 return -EINVAL;
2180
2181 if (tmp.entries_size == 0)
2182 return -EINVAL;
2183
2184 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) /
2185 NR_CPUS - SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
2186 return -ENOMEM;
2187 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
2188 return -ENOMEM;
2189
2190 memcpy(repl, &tmp, offsetof(struct ebt_replace, hook_entry));
2191
2192 /* starting with hook_entry, 32 vs. 64 bit structures are different */
2193 for (i = 0; i < NF_BR_NUMHOOKS; i++)
2194 repl->hook_entry[i] = compat_ptr(tmp.hook_entry[i]);
2195
2196 repl->num_counters = tmp.num_counters;
2197 repl->counters = compat_ptr(tmp.counters);
2198 repl->entries = compat_ptr(tmp.entries);
2199 return 0;
2200 }
2201
2202 static int compat_do_replace(struct net *net, void __user *user,
2203 unsigned int len)
2204 {
2205 int ret, i, countersize, size64;
2206 struct ebt_table_info *newinfo;
2207 struct ebt_replace tmp;
2208 struct ebt_entries_buf_state state;
2209 void *entries_tmp;
2210
2211 ret = compat_copy_ebt_replace_from_user(&tmp, user, len);
2212 if (ret) {
2213 /* try real handler in case userland supplied needed padding */
2214 if (ret == -EINVAL && do_replace(net, user, len) == 0)
2215 ret = 0;
2216 return ret;
2217 }
2218
2219 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
2220 newinfo = vmalloc(sizeof(*newinfo) + countersize);
2221 if (!newinfo)
2222 return -ENOMEM;
2223
2224 if (countersize)
2225 memset(newinfo->counters, 0, countersize);
2226
2227 memset(&state, 0, sizeof(state));
2228
2229 newinfo->entries = vmalloc(tmp.entries_size);
2230 if (!newinfo->entries) {
2231 ret = -ENOMEM;
2232 goto free_newinfo;
2233 }
2234 if (copy_from_user(
2235 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
2236 ret = -EFAULT;
2237 goto free_entries;
2238 }
2239
2240 entries_tmp = newinfo->entries;
2241
2242 xt_compat_lock(NFPROTO_BRIDGE);
2243
2244 ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
2245 if (ret < 0)
2246 goto out_unlock;
2247
2248 pr_debug("tmp.entries_size %d, kern off %d, user off %d delta %d\n",
2249 tmp.entries_size, state.buf_kern_offset, state.buf_user_offset,
2250 xt_compat_calc_jump(NFPROTO_BRIDGE, tmp.entries_size));
2251
2252 size64 = ret;
2253 newinfo->entries = vmalloc(size64);
2254 if (!newinfo->entries) {
2255 vfree(entries_tmp);
2256 ret = -ENOMEM;
2257 goto out_unlock;
2258 }
2259
2260 memset(&state, 0, sizeof(state));
2261 state.buf_kern_start = newinfo->entries;
2262 state.buf_kern_len = size64;
2263
2264 ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
2265 BUG_ON(ret < 0); /* parses same data again */
2266
2267 vfree(entries_tmp);
2268 tmp.entries_size = size64;
2269
2270 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
2271 char __user *usrptr;
2272 if (tmp.hook_entry[i]) {
2273 unsigned int delta;
2274 usrptr = (char __user *) tmp.hook_entry[i];
2275 delta = usrptr - tmp.entries;
2276 usrptr += xt_compat_calc_jump(NFPROTO_BRIDGE, delta);
2277 tmp.hook_entry[i] = (struct ebt_entries __user *)usrptr;
2278 }
2279 }
2280
2281 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2282 xt_compat_unlock(NFPROTO_BRIDGE);
2283
2284 ret = do_replace_finish(net, &tmp, newinfo);
2285 if (ret == 0)
2286 return ret;
2287 free_entries:
2288 vfree(newinfo->entries);
2289 free_newinfo:
2290 vfree(newinfo);
2291 return ret;
2292 out_unlock:
2293 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2294 xt_compat_unlock(NFPROTO_BRIDGE);
2295 goto free_entries;
2296 }
2297
2298 static int compat_update_counters(struct net *net, void __user *user,
2299 unsigned int len)
2300 {
2301 struct compat_ebt_replace hlp;
2302
2303 if (copy_from_user(&hlp, user, sizeof(hlp)))
2304 return -EFAULT;
2305
2306 /* try real handler in case userland supplied needed padding */
2307 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
2308 return update_counters(net, user, len);
2309
2310 return do_update_counters(net, hlp.name, compat_ptr(hlp.counters),
2311 hlp.num_counters, user, len);
2312 }
2313
2314 static int compat_do_ebt_set_ctl(struct sock *sk,
2315 int cmd, void __user *user, unsigned int len)
2316 {
2317 int ret;
2318
2319 if (!capable(CAP_NET_ADMIN))
2320 return -EPERM;
2321
2322 switch (cmd) {
2323 case EBT_SO_SET_ENTRIES:
2324 ret = compat_do_replace(sock_net(sk), user, len);
2325 break;
2326 case EBT_SO_SET_COUNTERS:
2327 ret = compat_update_counters(sock_net(sk), user, len);
2328 break;
2329 default:
2330 ret = -EINVAL;
2331 }
2332 return ret;
2333 }
2334
2335 static int compat_do_ebt_get_ctl(struct sock *sk, int cmd,
2336 void __user *user, int *len)
2337 {
2338 int ret;
2339 struct compat_ebt_replace tmp;
2340 struct ebt_table *t;
2341
2342 if (!capable(CAP_NET_ADMIN))
2343 return -EPERM;
2344
2345 /* try real handler in case userland supplied needed padding */
2346 if ((cmd == EBT_SO_GET_INFO ||
2347 cmd == EBT_SO_GET_INIT_INFO) && *len != sizeof(tmp))
2348 return do_ebt_get_ctl(sk, cmd, user, len);
2349
2350 if (copy_from_user(&tmp, user, sizeof(tmp)))
2351 return -EFAULT;
2352
2353 t = find_table_lock(sock_net(sk), tmp.name, &ret, &ebt_mutex);
2354 if (!t)
2355 return ret;
2356
2357 xt_compat_lock(NFPROTO_BRIDGE);
2358 switch (cmd) {
2359 case EBT_SO_GET_INFO:
2360 tmp.nentries = t->private->nentries;
2361 ret = compat_table_info(t->private, &tmp);
2362 if (ret)
2363 goto out;
2364 tmp.valid_hooks = t->valid_hooks;
2365
2366 if (copy_to_user(user, &tmp, *len) != 0) {
2367 ret = -EFAULT;
2368 break;
2369 }
2370 ret = 0;
2371 break;
2372 case EBT_SO_GET_INIT_INFO:
2373 tmp.nentries = t->table->nentries;
2374 tmp.entries_size = t->table->entries_size;
2375 tmp.valid_hooks = t->table->valid_hooks;
2376
2377 if (copy_to_user(user, &tmp, *len) != 0) {
2378 ret = -EFAULT;
2379 break;
2380 }
2381 ret = 0;
2382 break;
2383 case EBT_SO_GET_ENTRIES:
2384 case EBT_SO_GET_INIT_ENTRIES:
2385 /*
2386 * try real handler first in case of userland-side padding.
2387 * in case we are dealing with an 'ordinary' 32 bit binary
2388 * without 64bit compatibility padding, this will fail right
2389 * after copy_from_user when the *len argument is validated.
2390 *
2391 * the compat_ variant needs to do one pass over the kernel
2392 * data set to adjust for size differences before it the check.
2393 */
2394 if (copy_everything_to_user(t, user, len, cmd) == 0)
2395 ret = 0;
2396 else
2397 ret = compat_copy_everything_to_user(t, user, len, cmd);
2398 break;
2399 default:
2400 ret = -EINVAL;
2401 }
2402 out:
2403 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2404 xt_compat_unlock(NFPROTO_BRIDGE);
2405 mutex_unlock(&ebt_mutex);
2406 return ret;
2407 }
2408 #endif
2409
2410 static struct nf_sockopt_ops ebt_sockopts =
2411 {
2412 .pf = PF_INET,
2413 .set_optmin = EBT_BASE_CTL,
2414 .set_optmax = EBT_SO_SET_MAX + 1,
2415 .set = do_ebt_set_ctl,
2416 #ifdef CONFIG_COMPAT
2417 .compat_set = compat_do_ebt_set_ctl,
2418 #endif
2419 .get_optmin = EBT_BASE_CTL,
2420 .get_optmax = EBT_SO_GET_MAX + 1,
2421 .get = do_ebt_get_ctl,
2422 #ifdef CONFIG_COMPAT
2423 .compat_get = compat_do_ebt_get_ctl,
2424 #endif
2425 .owner = THIS_MODULE,
2426 };
2427
2428 static int __init ebtables_init(void)
2429 {
2430 int ret;
2431
2432 ret = xt_register_target(&ebt_standard_target);
2433 if (ret < 0)
2434 return ret;
2435 ret = nf_register_sockopt(&ebt_sockopts);
2436 if (ret < 0) {
2437 xt_unregister_target(&ebt_standard_target);
2438 return ret;
2439 }
2440
2441 printk(KERN_INFO "Ebtables v2.0 registered\n");
2442 return 0;
2443 }
2444
2445 static void __exit ebtables_fini(void)
2446 {
2447 nf_unregister_sockopt(&ebt_sockopts);
2448 xt_unregister_target(&ebt_standard_target);
2449 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
2450 }
2451
2452 EXPORT_SYMBOL(ebt_register_table);
2453 EXPORT_SYMBOL(ebt_unregister_table);
2454 EXPORT_SYMBOL(ebt_do_table);
2455 module_init(ebtables_init);
2456 module_exit(ebtables_fini);
2457 MODULE_LICENSE("GPL");
ubuntu-zesty-kernel mirror