1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
18#include <linux/kmod.h>
19#include <linux/module.h>
20#include <linux/vmalloc.h>
21#include <linux/netfilter/x_tables.h>
22#include <linux/netfilter_bridge/ebtables.h>
23#include <linux/spinlock.h>
24#include <linux/mutex.h>
25#include <linux/slab.h>
26#include <asm/uaccess.h>
27#include <linux/smp.h>
28#include <linux/cpumask.h>
29#include <net/sock.h>
30
31#include "../br_private.h"
32
33#define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
34 "report to author: "format, ## args)
35
36
37
38
39
40
41
42
43
44
45#define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
46#define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
47#define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
48 COUNTER_OFFSET(n) * cpu))
49
50
51
52static DEFINE_MUTEX(ebt_mutex);
53
54#ifdef CONFIG_COMPAT
55static void ebt_standard_compat_from_user(void *dst, const void *src)
56{
57 int v = *(compat_int_t *)src;
58
59 if (v >= 0)
60 v += xt_compat_calc_jump(NFPROTO_BRIDGE, v);
61 memcpy(dst, &v, sizeof(v));
62}
63
64static int ebt_standard_compat_to_user(void __user *dst, const void *src)
65{
66 compat_int_t cv = *(int *)src;
67
68 if (cv >= 0)
69 cv -= xt_compat_calc_jump(NFPROTO_BRIDGE, cv);
70 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
71}
72#endif
73
74
75static struct xt_target ebt_standard_target = {
76 .name = "standard",
77 .revision = 0,
78 .family = NFPROTO_BRIDGE,
79 .targetsize = sizeof(int),
80#ifdef CONFIG_COMPAT
81 .compatsize = sizeof(compat_int_t),
82 .compat_from_user = ebt_standard_compat_from_user,
83 .compat_to_user = ebt_standard_compat_to_user,
84#endif
85};
86
87static inline int
88ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
89 struct xt_action_param *par)
90{
91 par->target = w->u.watcher;
92 par->targinfo = w->data;
93 w->u.watcher->target(skb, par);
94
95 return 0;
96}
97
98static inline int
99ebt_do_match(struct ebt_entry_match *m, const struct sk_buff *skb,
100 struct xt_action_param *par)
101{
102 par->match = m->u.match;
103 par->matchinfo = m->data;
104 return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH;
105}
106
107static inline int
108ebt_dev_check(const char *entry, const struct net_device *device)
109{
110 int i = 0;
111 const char *devname;
112
113 if (*entry == '\0')
114 return 0;
115 if (!device)
116 return 1;
117 devname = device->name;
118
119 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
120 i++;
121 return (devname[i] != entry[i] && entry[i] != 1);
122}
123
124#define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
125
126static inline int
127ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb,
128 const struct net_device *in, const struct net_device *out)
129{
130 const struct ethhdr *h = eth_hdr(skb);
131 const struct net_bridge_port *p;
132 __be16 ethproto;
133 int verdict, i;
134
135 if (vlan_tx_tag_present(skb))
136 ethproto = htons(ETH_P_8021Q);
137 else
138 ethproto = h->h_proto;
139
140 if (e->bitmask & EBT_802_3) {
141 if (FWINV2(ntohs(ethproto) >= 1536, EBT_IPROTO))
142 return 1;
143 } else if (!(e->bitmask & EBT_NOPROTO) &&
144 FWINV2(e->ethproto != ethproto, EBT_IPROTO))
145 return 1;
146
147 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
148 return 1;
149 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
150 return 1;
151
152 if (in && (p = br_port_get_rcu(in)) != NULL &&
153 FWINV2(ebt_dev_check(e->logical_in, p->br->dev), EBT_ILOGICALIN))
154 return 1;
155 if (out && (p = br_port_get_rcu(out)) != NULL &&
156 FWINV2(ebt_dev_check(e->logical_out, p->br->dev), EBT_ILOGICALOUT))
157 return 1;
158
159 if (e->bitmask & EBT_SOURCEMAC) {
160 verdict = 0;
161 for (i = 0; i < 6; i++)
162 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
163 e->sourcemsk[i];
164 if (FWINV2(verdict != 0, EBT_ISOURCE) )
165 return 1;
166 }
167 if (e->bitmask & EBT_DESTMAC) {
168 verdict = 0;
169 for (i = 0; i < 6; i++)
170 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
171 e->destmsk[i];
172 if (FWINV2(verdict != 0, EBT_IDEST) )
173 return 1;
174 }
175 return 0;
176}
177
178static inline __pure
179struct ebt_entry *ebt_next_entry(const struct ebt_entry *entry)
180{
181 return (void *)entry + entry->next_offset;
182}
183
184
185unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
186 const struct net_device *in, const struct net_device *out,
187 struct ebt_table *table)
188{
189 int i, nentries;
190 struct ebt_entry *point;
191 struct ebt_counter *counter_base, *cb_base;
192 const struct ebt_entry_target *t;
193 int verdict, sp = 0;
194 struct ebt_chainstack *cs;
195 struct ebt_entries *chaininfo;
196 const char *base;
197 const struct ebt_table_info *private;
198 struct xt_action_param acpar;
199
200 acpar.family = NFPROTO_BRIDGE;
201 acpar.in = in;
202 acpar.out = out;
203 acpar.hotdrop = false;
204 acpar.hooknum = hook;
205
206 read_lock_bh(&table->lock);
207 private = table->private;
208 cb_base = COUNTER_BASE(private->counters, private->nentries,
209 smp_processor_id());
210 if (private->chainstack)
211 cs = private->chainstack[smp_processor_id()];
212 else
213 cs = NULL;
214 chaininfo = private->hook_entry[hook];
215 nentries = private->hook_entry[hook]->nentries;
216 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
217 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
218
219 base = private->entries;
220 i = 0;
221 while (i < nentries) {
222 if (ebt_basic_match(point, skb, in, out))
223 goto letscontinue;
224
225 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)
226 goto letscontinue;
227 if (acpar.hotdrop) {
228 read_unlock_bh(&table->lock);
229 return NF_DROP;
230 }
231
232
233 (*(counter_base + i)).pcnt++;
234 (*(counter_base + i)).bcnt += skb->len;
235
236
237
238 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &acpar);
239
240 t = (struct ebt_entry_target *)
241 (((char *)point) + point->target_offset);
242
243 if (!t->u.target->target)
244 verdict = ((struct ebt_standard_target *)t)->verdict;
245 else {
246 acpar.target = t->u.target;
247 acpar.targinfo = t->data;
248 verdict = t->u.target->target(skb, &acpar);
249 }
250 if (verdict == EBT_ACCEPT) {
251 read_unlock_bh(&table->lock);
252 return NF_ACCEPT;
253 }
254 if (verdict == EBT_DROP) {
255 read_unlock_bh(&table->lock);
256 return NF_DROP;
257 }
258 if (verdict == EBT_RETURN) {
259letsreturn:
260#ifdef CONFIG_NETFILTER_DEBUG
261 if (sp == 0) {
262 BUGPRINT("RETURN on base chain");
263
264 goto letscontinue;
265 }
266#endif
267 sp--;
268
269 i = cs[sp].n;
270 chaininfo = cs[sp].chaininfo;
271 nentries = chaininfo->nentries;
272 point = cs[sp].e;
273 counter_base = cb_base +
274 chaininfo->counter_offset;
275 continue;
276 }
277 if (verdict == EBT_CONTINUE)
278 goto letscontinue;
279#ifdef CONFIG_NETFILTER_DEBUG
280 if (verdict < 0) {
281 BUGPRINT("bogus standard verdict\n");
282 read_unlock_bh(&table->lock);
283 return NF_DROP;
284 }
285#endif
286
287 cs[sp].n = i + 1;
288 cs[sp].chaininfo = chaininfo;
289 cs[sp].e = ebt_next_entry(point);
290 i = 0;
291 chaininfo = (struct ebt_entries *) (base + verdict);
292#ifdef CONFIG_NETFILTER_DEBUG
293 if (chaininfo->distinguisher) {
294 BUGPRINT("jump to non-chain\n");
295 read_unlock_bh(&table->lock);
296 return NF_DROP;
297 }
298#endif
299 nentries = chaininfo->nentries;
300 point = (struct ebt_entry *)chaininfo->data;
301 counter_base = cb_base + chaininfo->counter_offset;
302 sp++;
303 continue;
304letscontinue:
305 point = ebt_next_entry(point);
306 i++;
307 }
308
309
310 if (chaininfo->policy == EBT_RETURN)
311 goto letsreturn;
312 if (chaininfo->policy == EBT_ACCEPT) {
313 read_unlock_bh(&table->lock);
314 return NF_ACCEPT;
315 }
316 read_unlock_bh(&table->lock);
317 return NF_DROP;
318}
319
320
321static inline void *
322find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
323 struct mutex *mutex)
324{
325 struct {
326 struct list_head list;
327 char name[EBT_FUNCTION_MAXNAMELEN];
328 } *e;
329
330 *error = mutex_lock_interruptible(mutex);
331 if (*error != 0)
332 return NULL;
333
334 list_for_each_entry(e, head, list) {
335 if (strcmp(e->name, name) == 0)
336 return e;
337 }
338 *error = -ENOENT;
339 mutex_unlock(mutex);
340 return NULL;
341}
342
343static void *
344find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
345 int *error, struct mutex *mutex)
346{
347 return try_then_request_module(
348 find_inlist_lock_noload(head, name, error, mutex),
349 "%s%s", prefix, name);
350}
351
352static inline struct ebt_table *
353find_table_lock(struct net *net, const char *name, int *error,
354 struct mutex *mutex)
355{
356 return find_inlist_lock(&net->xt.tables[NFPROTO_BRIDGE], name,
357 "ebtable_", error, mutex);
358}
359
360static inline int
361ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
362 unsigned int *cnt)
363{
364 const struct ebt_entry *e = par->entryinfo;
365 struct xt_match *match;
366 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
367 int ret;
368
369 if (left < sizeof(struct ebt_entry_match) ||
370 left - sizeof(struct ebt_entry_match) < m->match_size)
371 return -EINVAL;
372
373 match = xt_request_find_match(NFPROTO_BRIDGE, m->u.name, 0);
374 if (IS_ERR(match))
375 return PTR_ERR(match);
376 m->u.match = match;
377
378 par->match = match;
379 par->matchinfo = m->data;
380 ret = xt_check_match(par, m->match_size,
381 e->ethproto, e->invflags & EBT_IPROTO);
382 if (ret < 0) {
383 module_put(match->me);
384 return ret;
385 }
386
387 (*cnt)++;
388 return 0;
389}
390
391static inline int
392ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
393 unsigned int *cnt)
394{
395 const struct ebt_entry *e = par->entryinfo;
396 struct xt_target *watcher;
397 size_t left = ((char *)e + e->target_offset) - (char *)w;
398 int ret;
399
400 if (left < sizeof(struct ebt_entry_watcher) ||
401 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
402 return -EINVAL;
403
404 watcher = xt_request_find_target(NFPROTO_BRIDGE, w->u.name, 0);
405 if (IS_ERR(watcher))
406 return PTR_ERR(watcher);
407 w->u.watcher = watcher;
408
409 par->target = watcher;
410 par->targinfo = w->data;
411 ret = xt_check_target(par, w->watcher_size,
412 e->ethproto, e->invflags & EBT_IPROTO);
413 if (ret < 0) {
414 module_put(watcher->me);
415 return ret;
416 }
417
418 (*cnt)++;
419 return 0;
420}
421
422static int ebt_verify_pointers(const struct ebt_replace *repl,
423 struct ebt_table_info *newinfo)
424{
425 unsigned int limit = repl->entries_size;
426 unsigned int valid_hooks = repl->valid_hooks;
427 unsigned int offset = 0;
428 int i;
429
430 for (i = 0; i < NF_BR_NUMHOOKS; i++)
431 newinfo->hook_entry[i] = NULL;
432
433 newinfo->entries_size = repl->entries_size;
434 newinfo->nentries = repl->nentries;
435
436 while (offset < limit) {
437 size_t left = limit - offset;
438 struct ebt_entry *e = (void *)newinfo->entries + offset;
439
440 if (left < sizeof(unsigned int))
441 break;
442
443 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
444 if ((valid_hooks & (1 << i)) == 0)
445 continue;
446 if ((char __user *)repl->hook_entry[i] ==
447 repl->entries + offset)
448 break;
449 }
450
451 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
452 if (e->bitmask != 0) {
453
454
455 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
456 "in distinguisher\n");
457 return -EINVAL;
458 }
459 if (i != NF_BR_NUMHOOKS)
460 newinfo->hook_entry[i] = (struct ebt_entries *)e;
461 if (left < sizeof(struct ebt_entries))
462 break;
463 offset += sizeof(struct ebt_entries);
464 } else {
465 if (left < sizeof(struct ebt_entry))
466 break;
467 if (left < e->next_offset)
468 break;
469 if (e->next_offset < sizeof(struct ebt_entry))
470 return -EINVAL;
471 offset += e->next_offset;
472 }
473 }
474 if (offset != limit) {
475 BUGPRINT("entries_size too small\n");
476 return -EINVAL;
477 }
478
479
480 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
481 if (!newinfo->hook_entry[i] &&
482 (valid_hooks & (1 << i))) {
483 BUGPRINT("Valid hook without chain\n");
484 return -EINVAL;
485 }
486 }
487 return 0;
488}
489
490
491
492
493
494static inline int
495ebt_check_entry_size_and_hooks(const struct ebt_entry *e,
496 const struct ebt_table_info *newinfo,
497 unsigned int *n, unsigned int *cnt,
498 unsigned int *totalcnt, unsigned int *udc_cnt)
499{
500 int i;
501
502 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
503 if ((void *)e == (void *)newinfo->hook_entry[i])
504 break;
505 }
506
507
508 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
509
510
511 if (*n != *cnt) {
512 BUGPRINT("nentries does not equal the nr of entries "
513 "in the chain\n");
514 return -EINVAL;
515 }
516 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
517 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
518
519 if (i != NF_BR_NUMHOOKS ||
520 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
521 BUGPRINT("bad policy\n");
522 return -EINVAL;
523 }
524 }
525 if (i == NF_BR_NUMHOOKS)
526 (*udc_cnt)++;
527 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
528 BUGPRINT("counter_offset != totalcnt");
529 return -EINVAL;
530 }
531 *n = ((struct ebt_entries *)e)->nentries;
532 *cnt = 0;
533 return 0;
534 }
535
536 if (sizeof(struct ebt_entry) > e->watchers_offset ||
537 e->watchers_offset > e->target_offset ||
538 e->target_offset >= e->next_offset) {
539 BUGPRINT("entry offsets not in right order\n");
540 return -EINVAL;
541 }
542
543 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
544 BUGPRINT("target size too small\n");
545 return -EINVAL;
546 }
547 (*cnt)++;
548 (*totalcnt)++;
549 return 0;
550}
551
552struct ebt_cl_stack
553{
554 struct ebt_chainstack cs;
555 int from;
556 unsigned int hookmask;
557};
558
559
560
561
562
563static inline int
564ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
565 unsigned int *n, struct ebt_cl_stack *udc)
566{
567 int i;
568
569
570 if (e->bitmask)
571 return 0;
572 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
573 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
574 break;
575 }
576
577 if (i != NF_BR_NUMHOOKS)
578 return 0;
579
580 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
581
582 udc[*n].cs.n = 0;
583 udc[*n].hookmask = 0;
584
585 (*n)++;
586 return 0;
587}
588
589static inline int
590ebt_cleanup_match(struct ebt_entry_match *m, struct net *net, unsigned int *i)
591{
592 struct xt_mtdtor_param par;
593
594 if (i && (*i)-- == 0)
595 return 1;
596
597 par.net = net;
598 par.match = m->u.match;
599 par.matchinfo = m->data;
600 par.family = NFPROTO_BRIDGE;
601 if (par.match->destroy != NULL)
602 par.match->destroy(&par);
603 module_put(par.match->me);
604 return 0;
605}
606
607static inline int
608ebt_cleanup_watcher(struct ebt_entry_watcher *w, struct net *net, unsigned int *i)
609{
610 struct xt_tgdtor_param par;
611
612 if (i && (*i)-- == 0)
613 return 1;
614
615 par.net = net;
616 par.target = w->u.watcher;
617 par.targinfo = w->data;
618 par.family = NFPROTO_BRIDGE;
619 if (par.target->destroy != NULL)
620 par.target->destroy(&par);
621 module_put(par.target->me);
622 return 0;
623}
624
625static inline int
626ebt_cleanup_entry(struct ebt_entry *e, struct net *net, unsigned int *cnt)
627{
628 struct xt_tgdtor_param par;
629 struct ebt_entry_target *t;
630
631 if (e->bitmask == 0)
632 return 0;
633
634 if (cnt && (*cnt)-- == 0)
635 return 1;
636 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, NULL);
637 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, NULL);
638 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
639
640 par.net = net;
641 par.target = t->u.target;
642 par.targinfo = t->data;
643 par.family = NFPROTO_BRIDGE;
644 if (par.target->destroy != NULL)
645 par.target->destroy(&par);
646 module_put(par.target->me);
647 return 0;
648}
649
650static inline int
651ebt_check_entry(struct ebt_entry *e, struct net *net,
652 const struct ebt_table_info *newinfo,
653 const char *name, unsigned int *cnt,
654 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
655{
656 struct ebt_entry_target *t;
657 struct xt_target *target;
658 unsigned int i, j, hook = 0, hookmask = 0;
659 size_t gap;
660 int ret;
661 struct xt_mtchk_param mtpar;
662 struct xt_tgchk_param tgpar;
663
664
665 if (e->bitmask == 0)
666 return 0;
667
668 if (e->bitmask & ~EBT_F_MASK) {
669 BUGPRINT("Unknown flag for bitmask\n");
670 return -EINVAL;
671 }
672 if (e->invflags & ~EBT_INV_MASK) {
673 BUGPRINT("Unknown flag for inv bitmask\n");
674 return -EINVAL;
675 }
676 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
677 BUGPRINT("NOPROTO & 802_3 not allowed\n");
678 return -EINVAL;
679 }
680
681 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
682 if (!newinfo->hook_entry[i])
683 continue;
684 if ((char *)newinfo->hook_entry[i] < (char *)e)
685 hook = i;
686 else
687 break;
688 }
689
690
691 if (i < NF_BR_NUMHOOKS)
692 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
693 else {
694 for (i = 0; i < udc_cnt; i++)
695 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
696 break;
697 if (i == 0)
698 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
699 else
700 hookmask = cl_s[i - 1].hookmask;
701 }
702 i = 0;
703
704 mtpar.net = tgpar.net = net;
705 mtpar.table = tgpar.table = name;
706 mtpar.entryinfo = tgpar.entryinfo = e;
707 mtpar.hook_mask = tgpar.hook_mask = hookmask;
708 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
709 ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i);
710 if (ret != 0)
711 goto cleanup_matches;
712 j = 0;
713 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j);
714 if (ret != 0)
715 goto cleanup_watchers;
716 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
717 gap = e->next_offset - e->target_offset;
718
719 target = xt_request_find_target(NFPROTO_BRIDGE, t->u.name, 0);
720 if (IS_ERR(target)) {
721 ret = PTR_ERR(target);
722 goto cleanup_watchers;
723 }
724
725 t->u.target = target;
726 if (t->u.target == &ebt_standard_target) {
727 if (gap < sizeof(struct ebt_standard_target)) {
728 BUGPRINT("Standard target size too big\n");
729 ret = -EFAULT;
730 goto cleanup_watchers;
731 }
732 if (((struct ebt_standard_target *)t)->verdict <
733 -NUM_STANDARD_TARGETS) {
734 BUGPRINT("Invalid standard target\n");
735 ret = -EFAULT;
736 goto cleanup_watchers;
737 }
738 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
739 module_put(t->u.target->me);
740 ret = -EFAULT;
741 goto cleanup_watchers;
742 }
743
744 tgpar.target = target;
745 tgpar.targinfo = t->data;
746 ret = xt_check_target(&tgpar, t->target_size,
747 e->ethproto, e->invflags & EBT_IPROTO);
748 if (ret < 0) {
749 module_put(target->me);
750 goto cleanup_watchers;
751 }
752 (*cnt)++;
753 return 0;
754cleanup_watchers:
755 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, &j);
756cleanup_matches:
757 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, &i);
758 return ret;
759}
760
761
762
763
764
765
766static int check_chainloops(const struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
767 unsigned int udc_cnt, unsigned int hooknr, char *base)
768{
769 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
770 const struct ebt_entry *e = (struct ebt_entry *)chain->data;
771 const struct ebt_entry_target *t;
772
773 while (pos < nentries || chain_nr != -1) {
774
775 if (pos == nentries) {
776
777 e = cl_s[chain_nr].cs.e;
778 if (cl_s[chain_nr].from != -1)
779 nentries =
780 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
781 else
782 nentries = chain->nentries;
783 pos = cl_s[chain_nr].cs.n;
784
785 cl_s[chain_nr].cs.n = 0;
786 chain_nr = cl_s[chain_nr].from;
787 if (pos == nentries)
788 continue;
789 }
790 t = (struct ebt_entry_target *)
791 (((char *)e) + e->target_offset);
792 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
793 goto letscontinue;
794 if (e->target_offset + sizeof(struct ebt_standard_target) >
795 e->next_offset) {
796 BUGPRINT("Standard target size too big\n");
797 return -1;
798 }
799 verdict = ((struct ebt_standard_target *)t)->verdict;
800 if (verdict >= 0) {
801 struct ebt_entries *hlp2 =
802 (struct ebt_entries *)(base + verdict);
803 for (i = 0; i < udc_cnt; i++)
804 if (hlp2 == cl_s[i].cs.chaininfo)
805 break;
806
807 if (i == udc_cnt) {
808 BUGPRINT("bad destination\n");
809 return -1;
810 }
811 if (cl_s[i].cs.n) {
812 BUGPRINT("loop\n");
813 return -1;
814 }
815 if (cl_s[i].hookmask & (1 << hooknr))
816 goto letscontinue;
817
818 cl_s[i].cs.n = pos + 1;
819 pos = 0;
820 cl_s[i].cs.e = ebt_next_entry(e);
821 e = (struct ebt_entry *)(hlp2->data);
822 nentries = hlp2->nentries;
823 cl_s[i].from = chain_nr;
824 chain_nr = i;
825
826 cl_s[i].hookmask |= (1 << hooknr);
827 continue;
828 }
829letscontinue:
830 e = ebt_next_entry(e);
831 pos++;
832 }
833 return 0;
834}
835
836
837static int translate_table(struct net *net, const char *name,
838 struct ebt_table_info *newinfo)
839{
840 unsigned int i, j, k, udc_cnt;
841 int ret;
842 struct ebt_cl_stack *cl_s = NULL;
843
844 i = 0;
845 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
846 i++;
847 if (i == NF_BR_NUMHOOKS) {
848 BUGPRINT("No valid hooks specified\n");
849 return -EINVAL;
850 }
851 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
852 BUGPRINT("Chains don't start at beginning\n");
853 return -EINVAL;
854 }
855
856
857 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
858 if (!newinfo->hook_entry[j])
859 continue;
860 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
861 BUGPRINT("Hook order must be followed\n");
862 return -EINVAL;
863 }
864 i = j;
865 }
866
867
868 i = 0;
869 j = 0;
870 k = 0;
871
872 udc_cnt = 0;
873 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
874 ebt_check_entry_size_and_hooks, newinfo,
875 &i, &j, &k, &udc_cnt);
876
877 if (ret != 0)
878 return ret;
879
880 if (i != j) {
881 BUGPRINT("nentries does not equal the nr of entries in the "
882 "(last) chain\n");
883 return -EINVAL;
884 }
885 if (k != newinfo->nentries) {
886 BUGPRINT("Total nentries is wrong\n");
887 return -EINVAL;
888 }
889
890
891
892 if (udc_cnt) {
893
894
895 newinfo->chainstack =
896 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
897 if (!newinfo->chainstack)
898 return -ENOMEM;
899 for_each_possible_cpu(i) {
900 newinfo->chainstack[i] =
901 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
902 if (!newinfo->chainstack[i]) {
903 while (i)
904 vfree(newinfo->chainstack[--i]);
905 vfree(newinfo->chainstack);
906 newinfo->chainstack = NULL;
907 return -ENOMEM;
908 }
909 }
910
911 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
912 if (!cl_s)
913 return -ENOMEM;
914 i = 0;
915 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
916 ebt_get_udc_positions, newinfo, &i, cl_s);
917
918 if (i != udc_cnt) {
919 BUGPRINT("i != udc_cnt\n");
920 vfree(cl_s);
921 return -EFAULT;
922 }
923 }
924
925
926 for (i = 0; i < NF_BR_NUMHOOKS; i++)
927 if (newinfo->hook_entry[i])
928 if (check_chainloops(newinfo->hook_entry[i],
929 cl_s, udc_cnt, i, newinfo->entries)) {
930 vfree(cl_s);
931 return -EINVAL;
932 }
933
934
935
936
937
938
939
940
941
942
943
944
945 i = 0;
946 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
947 ebt_check_entry, net, newinfo, name, &i, cl_s, udc_cnt);
948 if (ret != 0) {
949 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
950 ebt_cleanup_entry, net, &i);
951 }
952 vfree(cl_s);
953 return ret;
954}
955
956
957static void get_counters(const struct ebt_counter *oldcounters,
958 struct ebt_counter *counters, unsigned int nentries)
959{
960 int i, cpu;
961 struct ebt_counter *counter_base;
962
963
964 memcpy(counters, oldcounters,
965 sizeof(struct ebt_counter) * nentries);
966
967
968 for_each_possible_cpu(cpu) {
969 if (cpu == 0)
970 continue;
971 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
972 for (i = 0; i < nentries; i++) {
973 counters[i].pcnt += counter_base[i].pcnt;
974 counters[i].bcnt += counter_base[i].bcnt;
975 }
976 }
977}
978
979static int do_replace_finish(struct net *net, struct ebt_replace *repl,
980 struct ebt_table_info *newinfo)
981{
982 int ret, i;
983 struct ebt_counter *counterstmp = NULL;
984
985 struct ebt_table_info *table;
986 struct ebt_table *t;
987
988
989
990 if (repl->num_counters) {
991 unsigned long size = repl->num_counters * sizeof(*counterstmp);
992 counterstmp = vmalloc(size);
993 if (!counterstmp)
994 return -ENOMEM;
995 }
996
997 newinfo->chainstack = NULL;
998 ret = ebt_verify_pointers(repl, newinfo);
999 if (ret != 0)
1000 goto free_counterstmp;
1001
1002 ret = translate_table(net, repl->name, newinfo);
1003
1004 if (ret != 0)
1005 goto free_counterstmp;
1006
1007 t = find_table_lock(net, repl->name, &ret, &ebt_mutex);
1008 if (!t) {
1009 ret = -ENOENT;
1010 goto free_iterate;
1011 }
1012
1013
1014 if (t->check && (ret = t->check(newinfo, repl->valid_hooks)))
1015 goto free_unlock;
1016
1017 if (repl->num_counters && repl->num_counters != t->private->nentries) {
1018 BUGPRINT("Wrong nr. of counters requested\n");
1019 ret = -EINVAL;
1020 goto free_unlock;
1021 }
1022
1023
1024 table = t->private;
1025
1026 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1027 ret = -ENOENT;
1028 goto free_unlock;
1029 } else if (table->nentries && !newinfo->nentries)
1030 module_put(t->me);
1031
1032 write_lock_bh(&t->lock);
1033 if (repl->num_counters)
1034 get_counters(t->private->counters, counterstmp,
1035 t->private->nentries);
1036
1037 t->private = newinfo;
1038 write_unlock_bh(&t->lock);
1039 mutex_unlock(&ebt_mutex);
1040
1041
1042
1043
1044 if (repl->num_counters &&
1045 copy_to_user(repl->counters, counterstmp,
1046 repl->num_counters * sizeof(struct ebt_counter))) {
1047 ret = -EFAULT;
1048 }
1049 else
1050 ret = 0;
1051
1052
1053 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1054 ebt_cleanup_entry, net, NULL);
1055
1056 vfree(table->entries);
1057 if (table->chainstack) {
1058 for_each_possible_cpu(i)
1059 vfree(table->chainstack[i]);
1060 vfree(table->chainstack);
1061 }
1062 vfree(table);
1063
1064 vfree(counterstmp);
1065 return ret;
1066
1067free_unlock:
1068 mutex_unlock(&ebt_mutex);
1069free_iterate:
1070 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1071 ebt_cleanup_entry, net, NULL);
1072free_counterstmp:
1073 vfree(counterstmp);
1074
1075 if (newinfo->chainstack) {
1076 for_each_possible_cpu(i)
1077 vfree(newinfo->chainstack[i]);
1078 vfree(newinfo->chainstack);
1079 }
1080 return ret;
1081}
1082
1083
1084static int do_replace(struct net *net, const void __user *user,
1085 unsigned int len)
1086{
1087 int ret, countersize;
1088 struct ebt_table_info *newinfo;
1089 struct ebt_replace tmp;
1090
1091 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1092 return -EFAULT;
1093
1094 if (len != sizeof(tmp) + tmp.entries_size) {
1095 BUGPRINT("Wrong len argument\n");
1096 return -EINVAL;
1097 }
1098
1099 if (tmp.entries_size == 0) {
1100 BUGPRINT("Entries_size never zero\n");
1101 return -EINVAL;
1102 }
1103
1104 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) /
1105 NR_CPUS - SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
1106 return -ENOMEM;
1107 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
1108 return -ENOMEM;
1109
1110 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
1111 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1112 if (!newinfo)
1113 return -ENOMEM;
1114
1115 if (countersize)
1116 memset(newinfo->counters, 0, countersize);
1117
1118 newinfo->entries = vmalloc(tmp.entries_size);
1119 if (!newinfo->entries) {
1120 ret = -ENOMEM;
1121 goto free_newinfo;
1122 }
1123 if (copy_from_user(
1124 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
1125 BUGPRINT("Couldn't copy entries from userspace\n");
1126 ret = -EFAULT;
1127 goto free_entries;
1128 }
1129
1130 ret = do_replace_finish(net, &tmp, newinfo);
1131 if (ret == 0)
1132 return ret;
1133free_entries:
1134 vfree(newinfo->entries);
1135free_newinfo:
1136 vfree(newinfo);
1137 return ret;
1138}
1139
1140struct ebt_table *
1141ebt_register_table(struct net *net, const struct ebt_table *input_table)
1142{
1143 struct ebt_table_info *newinfo;
1144 struct ebt_table *t, *table;
1145 struct ebt_replace_kernel *repl;
1146 int ret, i, countersize;
1147 void *p;
1148
1149 if (input_table == NULL || (repl = input_table->table) == NULL ||
1150 repl->entries == NULL || repl->entries_size == 0 ||
1151 repl->counters != NULL || input_table->private != NULL) {
1152 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1153 return ERR_PTR(-EINVAL);
1154 }
1155
1156
1157 table = kmemdup(input_table, sizeof(struct ebt_table), GFP_KERNEL);
1158 if (!table) {
1159 ret = -ENOMEM;
1160 goto out;
1161 }
1162
1163 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1164 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1165 ret = -ENOMEM;
1166 if (!newinfo)
1167 goto free_table;
1168
1169 p = vmalloc(repl->entries_size);
1170 if (!p)
1171 goto free_newinfo;
1172
1173 memcpy(p, repl->entries, repl->entries_size);
1174 newinfo->entries = p;
1175
1176 newinfo->entries_size = repl->entries_size;
1177 newinfo->nentries = repl->nentries;
1178
1179 if (countersize)
1180 memset(newinfo->counters, 0, countersize);
1181
1182
1183 newinfo->chainstack = NULL;
1184 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1185 if ((repl->valid_hooks & (1 << i)) == 0)
1186 newinfo->hook_entry[i] = NULL;
1187 else
1188 newinfo->hook_entry[i] = p +
1189 ((char *)repl->hook_entry[i] - repl->entries);
1190 }
1191 ret = translate_table(net, repl->name, newinfo);
1192 if (ret != 0) {
1193 BUGPRINT("Translate_table failed\n");
1194 goto free_chainstack;
1195 }
1196
1197 if (table->check && table->check(newinfo, table->valid_hooks)) {
1198 BUGPRINT("The table doesn't like its own initial data, lol\n");
1199 return ERR_PTR(-EINVAL);
1200 }
1201
1202 table->private = newinfo;
1203 rwlock_init(&table->lock);
1204 ret = mutex_lock_interruptible(&ebt_mutex);
1205 if (ret != 0)
1206 goto free_chainstack;
1207
1208 list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) {
1209 if (strcmp(t->name, table->name) == 0) {
1210 ret = -EEXIST;
1211 BUGPRINT("Table name already exists\n");
1212 goto free_unlock;
1213 }
1214 }
1215
1216
1217 if (newinfo->nentries && !try_module_get(table->me)) {
1218 ret = -ENOENT;
1219 goto free_unlock;
1220 }
1221 list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]);
1222 mutex_unlock(&ebt_mutex);
1223 return table;
1224free_unlock:
1225 mutex_unlock(&ebt_mutex);
1226free_chainstack:
1227 if (newinfo->chainstack) {
1228 for_each_possible_cpu(i)
1229 vfree(newinfo->chainstack[i]);
1230 vfree(newinfo->chainstack);
1231 }
1232 vfree(newinfo->entries);
1233free_newinfo:
1234 vfree(newinfo);
1235free_table:
1236 kfree(table);
1237out:
1238 return ERR_PTR(ret);
1239}
1240
1241void ebt_unregister_table(struct net *net, struct ebt_table *table)
1242{
1243 int i;
1244
1245 if (!table) {
1246 BUGPRINT("Request to unregister NULL table!!!\n");
1247 return;
1248 }
1249 mutex_lock(&ebt_mutex);
1250 list_del(&table->list);
1251 mutex_unlock(&ebt_mutex);
1252 EBT_ENTRY_ITERATE(table->private->entries, table->private->entries_size,
1253 ebt_cleanup_entry, net, NULL);
1254 if (table->private->nentries)
1255 module_put(table->me);
1256 vfree(table->private->entries);
1257 if (table->private->chainstack) {
1258 for_each_possible_cpu(i)
1259 vfree(table->private->chainstack[i]);
1260 vfree(table->private->chainstack);
1261 }
1262 vfree(table->private);
1263 kfree(table);
1264}
1265
1266
1267static int do_update_counters(struct net *net, const char *name,
1268 struct ebt_counter __user *counters,
1269 unsigned int num_counters,
1270 const void __user *user, unsigned int len)
1271{
1272 int i, ret;
1273 struct ebt_counter *tmp;
1274 struct ebt_table *t;
1275
1276 if (num_counters == 0)
1277 return -EINVAL;
1278
1279 tmp = vmalloc(num_counters * sizeof(*tmp));
1280 if (!tmp)
1281 return -ENOMEM;
1282
1283 t = find_table_lock(net, name, &ret, &ebt_mutex);
1284 if (!t)
1285 goto free_tmp;
1286
1287 if (num_counters != t->private->nentries) {
1288 BUGPRINT("Wrong nr of counters\n");
1289 ret = -EINVAL;
1290 goto unlock_mutex;
1291 }
1292
1293 if (copy_from_user(tmp, counters, num_counters * sizeof(*counters))) {
1294 ret = -EFAULT;
1295 goto unlock_mutex;
1296 }
1297
1298
1299 write_lock_bh(&t->lock);
1300
1301
1302 for (i = 0; i < num_counters; i++) {
1303 t->private->counters[i].pcnt += tmp[i].pcnt;
1304 t->private->counters[i].bcnt += tmp[i].bcnt;
1305 }
1306
1307 write_unlock_bh(&t->lock);
1308 ret = 0;
1309unlock_mutex:
1310 mutex_unlock(&ebt_mutex);
1311free_tmp:
1312 vfree(tmp);
1313 return ret;
1314}
1315
1316static int update_counters(struct net *net, const void __user *user,
1317 unsigned int len)
1318{
1319 struct ebt_replace hlp;
1320
1321 if (copy_from_user(&hlp, user, sizeof(hlp)))
1322 return -EFAULT;
1323
1324 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1325 return -EINVAL;
1326
1327 return do_update_counters(net, hlp.name, hlp.counters,
1328 hlp.num_counters, user, len);
1329}
1330
1331static inline int ebt_make_matchname(const struct ebt_entry_match *m,
1332 const char *base, char __user *ubase)
1333{
1334 char __user *hlp = ubase + ((char *)m - base);
1335 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1336 return -EFAULT;
1337 return 0;
1338}
1339
1340static inline int ebt_make_watchername(const struct ebt_entry_watcher *w,
1341 const char *base, char __user *ubase)
1342{
1343 char __user *hlp = ubase + ((char *)w - base);
1344 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1345 return -EFAULT;
1346 return 0;
1347}
1348
1349static inline int
1350ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase)
1351{
1352 int ret;
1353 char __user *hlp;
1354 const struct ebt_entry_target *t;
1355
1356 if (e->bitmask == 0)
1357 return 0;
1358
1359 hlp = ubase + (((char *)e + e->target_offset) - base);
1360 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1361
1362 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1363 if (ret != 0)
1364 return ret;
1365 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1366 if (ret != 0)
1367 return ret;
1368 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1369 return -EFAULT;
1370 return 0;
1371}
1372
1373static int copy_counters_to_user(struct ebt_table *t,
1374 const struct ebt_counter *oldcounters,
1375 void __user *user, unsigned int num_counters,
1376 unsigned int nentries)
1377{
1378 struct ebt_counter *counterstmp;
1379 int ret = 0;
1380
1381
1382 if (num_counters == 0)
1383 return 0;
1384
1385 if (num_counters != nentries) {
1386 BUGPRINT("Num_counters wrong\n");
1387 return -EINVAL;
1388 }
1389
1390 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1391 if (!counterstmp)
1392 return -ENOMEM;
1393
1394 write_lock_bh(&t->lock);
1395 get_counters(oldcounters, counterstmp, nentries);
1396 write_unlock_bh(&t->lock);
1397
1398 if (copy_to_user(user, counterstmp,
1399 nentries * sizeof(struct ebt_counter)))
1400 ret = -EFAULT;
1401 vfree(counterstmp);
1402 return ret;
1403}
1404
1405
1406static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1407 const int *len, int cmd)
1408{
1409 struct ebt_replace tmp;
1410 const struct ebt_counter *oldcounters;
1411 unsigned int entries_size, nentries;
1412 int ret;
1413 char *entries;
1414
1415 if (cmd == EBT_SO_GET_ENTRIES) {
1416 entries_size = t->private->entries_size;
1417 nentries = t->private->nentries;
1418 entries = t->private->entries;
1419 oldcounters = t->private->counters;
1420 } else {
1421 entries_size = t->table->entries_size;
1422 nentries = t->table->nentries;
1423 entries = t->table->entries;
1424 oldcounters = t->table->counters;
1425 }
1426
1427 if (copy_from_user(&tmp, user, sizeof(tmp)))
1428 return -EFAULT;
1429
1430 if (*len != sizeof(struct ebt_replace) + entries_size +
1431 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0))
1432 return -EINVAL;
1433
1434 if (tmp.nentries != nentries) {
1435 BUGPRINT("Nentries wrong\n");
1436 return -EINVAL;
1437 }
1438
1439 if (tmp.entries_size != entries_size) {
1440 BUGPRINT("Wrong size\n");
1441 return -EINVAL;
1442 }
1443
1444 ret = copy_counters_to_user(t, oldcounters, tmp.counters,
1445 tmp.num_counters, nentries);
1446 if (ret)
1447 return ret;
1448
1449 if (copy_to_user(tmp.entries, entries, entries_size)) {
1450 BUGPRINT("Couldn't copy entries to userspace\n");
1451 return -EFAULT;
1452 }
1453
1454 return EBT_ENTRY_ITERATE(entries, entries_size,
1455 ebt_make_names, entries, tmp.entries);
1456}
1457
1458static int do_ebt_set_ctl(struct sock *sk,
1459 int cmd, void __user *user, unsigned int len)
1460{
1461 int ret;
1462
1463 if (!capable(CAP_NET_ADMIN))
1464 return -EPERM;
1465
1466 switch(cmd) {
1467 case EBT_SO_SET_ENTRIES:
1468 ret = do_replace(sock_net(sk), user, len);
1469 break;
1470 case EBT_SO_SET_COUNTERS:
1471 ret = update_counters(sock_net(sk), user, len);
1472 break;
1473 default:
1474 ret = -EINVAL;
1475 }
1476 return ret;
1477}
1478
1479static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1480{
1481 int ret;
1482 struct ebt_replace tmp;
1483 struct ebt_table *t;
1484
1485 if (!capable(CAP_NET_ADMIN))
1486 return -EPERM;
1487
1488 if (copy_from_user(&tmp, user, sizeof(tmp)))
1489 return -EFAULT;
1490
1491 t = find_table_lock(sock_net(sk), tmp.name, &ret, &ebt_mutex);
1492 if (!t)
1493 return ret;
1494
1495 switch(cmd) {
1496 case EBT_SO_GET_INFO:
1497 case EBT_SO_GET_INIT_INFO:
1498 if (*len != sizeof(struct ebt_replace)){
1499 ret = -EINVAL;
1500 mutex_unlock(&ebt_mutex);
1501 break;
1502 }
1503 if (cmd == EBT_SO_GET_INFO) {
1504 tmp.nentries = t->private->nentries;
1505 tmp.entries_size = t->private->entries_size;
1506 tmp.valid_hooks = t->valid_hooks;
1507 } else {
1508 tmp.nentries = t->table->nentries;
1509 tmp.entries_size = t->table->entries_size;
1510 tmp.valid_hooks = t->table->valid_hooks;
1511 }
1512 mutex_unlock(&ebt_mutex);
1513 if (copy_to_user(user, &tmp, *len) != 0){
1514 BUGPRINT("c2u Didn't work\n");
1515 ret = -EFAULT;
1516 break;
1517 }
1518 ret = 0;
1519 break;
1520
1521 case EBT_SO_GET_ENTRIES:
1522 case EBT_SO_GET_INIT_ENTRIES:
1523 ret = copy_everything_to_user(t, user, len, cmd);
1524 mutex_unlock(&ebt_mutex);
1525 break;
1526
1527 default:
1528 mutex_unlock(&ebt_mutex);
1529 ret = -EINVAL;
1530 }
1531
1532 return ret;
1533}
1534
1535#ifdef CONFIG_COMPAT
1536
1537struct compat_ebt_replace {
1538 char name[EBT_TABLE_MAXNAMELEN];
1539 compat_uint_t valid_hooks;
1540 compat_uint_t nentries;
1541 compat_uint_t entries_size;
1542
1543 compat_uptr_t hook_entry[NF_BR_NUMHOOKS];
1544
1545 compat_uint_t num_counters;
1546
1547 compat_uptr_t counters;
1548 compat_uptr_t entries;
1549};
1550
1551
1552struct compat_ebt_entry_mwt {
1553 union {
1554 char name[EBT_FUNCTION_MAXNAMELEN];
1555 compat_uptr_t ptr;
1556 } u;
1557 compat_uint_t match_size;
1558 compat_uint_t data[0];
1559};
1560
1561
1562static int ebt_compat_entry_padsize(void)
1563{
1564 BUILD_BUG_ON(XT_ALIGN(sizeof(struct ebt_entry_match)) <
1565 COMPAT_XT_ALIGN(sizeof(struct compat_ebt_entry_mwt)));
1566 return (int) XT_ALIGN(sizeof(struct ebt_entry_match)) -
1567 COMPAT_XT_ALIGN(sizeof(struct compat_ebt_entry_mwt));
1568}
1569
1570static int ebt_compat_match_offset(const struct xt_match *match,
1571 unsigned int userlen)
1572{
1573
1574
1575
1576
1577
1578
1579 if (unlikely(match->matchsize == -1))
1580 return XT_ALIGN(userlen) - COMPAT_XT_ALIGN(userlen);
1581 return xt_compat_match_offset(match);
1582}
1583
1584static int compat_match_to_user(struct ebt_entry_match *m, void __user **dstptr,
1585 unsigned int *size)
1586{
1587 const struct xt_match *match = m->u.match;
1588 struct compat_ebt_entry_mwt __user *cm = *dstptr;
1589 int off = ebt_compat_match_offset(match, m->match_size);
1590 compat_uint_t msize = m->match_size - off;
1591
1592 BUG_ON(off >= m->match_size);
1593
1594 if (copy_to_user(cm->u.name, match->name,
1595 strlen(match->name) + 1) || put_user(msize, &cm->match_size))
1596 return -EFAULT;
1597
1598 if (match->compat_to_user) {
1599 if (match->compat_to_user(cm->data, m->data))
1600 return -EFAULT;
1601 } else if (copy_to_user(cm->data, m->data, msize))
1602 return -EFAULT;
1603
1604 *size -= ebt_compat_entry_padsize() + off;
1605 *dstptr = cm->data;
1606 *dstptr += msize;
1607 return 0;
1608}
1609
1610static int compat_target_to_user(struct ebt_entry_target *t,
1611 void __user **dstptr,
1612 unsigned int *size)
1613{
1614 const struct xt_target *target = t->u.target;
1615 struct compat_ebt_entry_mwt __user *cm = *dstptr;
1616 int off = xt_compat_target_offset(target);
1617 compat_uint_t tsize = t->target_size - off;
1618
1619 BUG_ON(off >= t->target_size);
1620
1621 if (copy_to_user(cm->u.name, target->name,
1622 strlen(target->name) + 1) || put_user(tsize, &cm->match_size))
1623 return -EFAULT;
1624
1625 if (target->compat_to_user) {
1626 if (target->compat_to_user(cm->data, t->data))
1627 return -EFAULT;
1628 } else if (copy_to_user(cm->data, t->data, tsize))
1629 return -EFAULT;
1630
1631 *size -= ebt_compat_entry_padsize() + off;
1632 *dstptr = cm->data;
1633 *dstptr += tsize;
1634 return 0;
1635}
1636
1637static int compat_watcher_to_user(struct ebt_entry_watcher *w,
1638 void __user **dstptr,
1639 unsigned int *size)
1640{
1641 return compat_target_to_user((struct ebt_entry_target *)w,
1642 dstptr, size);
1643}
1644
1645static int compat_copy_entry_to_user(struct ebt_entry *e, void __user **dstptr,
1646 unsigned int *size)
1647{
1648 struct ebt_entry_target *t;
1649 struct ebt_entry __user *ce;
1650 u32 watchers_offset, target_offset, next_offset;
1651 compat_uint_t origsize;
1652 int ret;
1653
1654 if (e->bitmask == 0) {
1655 if (*size < sizeof(struct ebt_entries))
1656 return -EINVAL;
1657 if (copy_to_user(*dstptr, e, sizeof(struct ebt_entries)))
1658 return -EFAULT;
1659
1660 *dstptr += sizeof(struct ebt_entries);
1661 *size -= sizeof(struct ebt_entries);
1662 return 0;
1663 }
1664
1665 if (*size < sizeof(*ce))
1666 return -EINVAL;
1667
1668 ce = (struct ebt_entry __user *)*dstptr;
1669 if (copy_to_user(ce, e, sizeof(*ce)))
1670 return -EFAULT;
1671
1672 origsize = *size;
1673 *dstptr += sizeof(*ce);
1674
1675 ret = EBT_MATCH_ITERATE(e, compat_match_to_user, dstptr, size);
1676 if (ret)
1677 return ret;
1678 watchers_offset = e->watchers_offset - (origsize - *size);
1679
1680 ret = EBT_WATCHER_ITERATE(e, compat_watcher_to_user, dstptr, size);
1681 if (ret)
1682 return ret;
1683 target_offset = e->target_offset - (origsize - *size);
1684
1685 t = (struct ebt_entry_target *) ((char *) e + e->target_offset);
1686
1687 ret = compat_target_to_user(t, dstptr, size);
1688 if (ret)
1689 return ret;
1690 next_offset = e->next_offset - (origsize - *size);
1691
1692 if (put_user(watchers_offset, &ce->watchers_offset) ||
1693 put_user(target_offset, &ce->target_offset) ||
1694 put_user(next_offset, &ce->next_offset))
1695 return -EFAULT;
1696
1697 *size -= sizeof(*ce);
1698 return 0;
1699}
1700
1701static int compat_calc_match(struct ebt_entry_match *m, int *off)
1702{
1703 *off += ebt_compat_match_offset(m->u.match, m->match_size);
1704 *off += ebt_compat_entry_padsize();
1705 return 0;
1706}
1707
1708static int compat_calc_watcher(struct ebt_entry_watcher *w, int *off)
1709{
1710 *off += xt_compat_target_offset(w->u.watcher);
1711 *off += ebt_compat_entry_padsize();
1712 return 0;
1713}
1714
1715static int compat_calc_entry(const struct ebt_entry *e,
1716 const struct ebt_table_info *info,
1717 const void *base,
1718 struct compat_ebt_replace *newinfo)
1719{
1720 const struct ebt_entry_target *t;
1721 unsigned int entry_offset;
1722 int off, ret, i;
1723
1724 if (e->bitmask == 0)
1725 return 0;
1726
1727 off = 0;
1728 entry_offset = (void *)e - base;
1729
1730 EBT_MATCH_ITERATE(e, compat_calc_match, &off);
1731 EBT_WATCHER_ITERATE(e, compat_calc_watcher, &off);
1732
1733 t = (const struct ebt_entry_target *) ((char *) e + e->target_offset);
1734
1735 off += xt_compat_target_offset(t->u.target);
1736 off += ebt_compat_entry_padsize();
1737
1738 newinfo->entries_size -= off;
1739
1740 ret = xt_compat_add_offset(NFPROTO_BRIDGE, entry_offset, off);
1741 if (ret)
1742 return ret;
1743
1744 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1745 const void *hookptr = info->hook_entry[i];
1746 if (info->hook_entry[i] &&
1747 (e < (struct ebt_entry *)(base - hookptr))) {
1748 newinfo->hook_entry[i] -= off;
1749 pr_debug("0x%08X -> 0x%08X\n",
1750 newinfo->hook_entry[i] + off,
1751 newinfo->hook_entry[i]);
1752 }
1753 }
1754
1755 return 0;
1756}
1757
1758
1759static int compat_table_info(const struct ebt_table_info *info,
1760 struct compat_ebt_replace *newinfo)
1761{
1762 unsigned int size = info->entries_size;
1763 const void *entries = info->entries;
1764
1765 newinfo->entries_size = size;
1766
1767 return EBT_ENTRY_ITERATE(entries, size, compat_calc_entry, info,
1768 entries, newinfo);
1769}
1770
1771static int compat_copy_everything_to_user(struct ebt_table *t,
1772 void __user *user, int *len, int cmd)
1773{
1774 struct compat_ebt_replace repl, tmp;
1775 struct ebt_counter *oldcounters;
1776 struct ebt_table_info tinfo;
1777 int ret;
1778 void __user *pos;
1779
1780 memset(&tinfo, 0, sizeof(tinfo));
1781
1782 if (cmd == EBT_SO_GET_ENTRIES) {
1783 tinfo.entries_size = t->private->entries_size;
1784 tinfo.nentries = t->private->nentries;
1785 tinfo.entries = t->private->entries;
1786 oldcounters = t->private->counters;
1787 } else {
1788 tinfo.entries_size = t->table->entries_size;
1789 tinfo.nentries = t->table->nentries;
1790 tinfo.entries = t->table->entries;
1791 oldcounters = t->table->counters;
1792 }
1793
1794 if (copy_from_user(&tmp, user, sizeof(tmp)))
1795 return -EFAULT;
1796
1797 if (tmp.nentries != tinfo.nentries ||
1798 (tmp.num_counters && tmp.num_counters != tinfo.nentries))
1799 return -EINVAL;
1800
1801 memcpy(&repl, &tmp, sizeof(repl));
1802 if (cmd == EBT_SO_GET_ENTRIES)
1803 ret = compat_table_info(t->private, &repl);
1804 else
1805 ret = compat_table_info(&tinfo, &repl);
1806 if (ret)
1807 return ret;
1808
1809 if (*len != sizeof(tmp) + repl.entries_size +
1810 (tmp.num_counters? tinfo.nentries * sizeof(struct ebt_counter): 0)) {
1811 pr_err("wrong size: *len %d, entries_size %u, replsz %d\n",
1812 *len, tinfo.entries_size, repl.entries_size);
1813 return -EINVAL;
1814 }
1815
1816
1817 ret = copy_counters_to_user(t, oldcounters, compat_ptr(tmp.counters),
1818 tmp.num_counters, tinfo.nentries);
1819 if (ret)
1820 return ret;
1821
1822 pos = compat_ptr(tmp.entries);
1823 return EBT_ENTRY_ITERATE(tinfo.entries, tinfo.entries_size,
1824 compat_copy_entry_to_user, &pos, &tmp.entries_size);
1825}
1826
1827struct ebt_entries_buf_state {
1828 char *buf_kern_start;
1829 u32 buf_kern_len;
1830 u32 buf_kern_offset;
1831 u32 buf_user_offset;
1832};
1833
1834static int ebt_buf_count(struct ebt_entries_buf_state *state, unsigned int sz)
1835{
1836 state->buf_kern_offset += sz;
1837 return state->buf_kern_offset >= sz ? 0 : -EINVAL;
1838}
1839
1840static int ebt_buf_add(struct ebt_entries_buf_state *state,
1841 void *data, unsigned int sz)
1842{
1843 if (state->buf_kern_start == NULL)
1844 goto count_only;
1845
1846 BUG_ON(state->buf_kern_offset + sz > state->buf_kern_len);
1847
1848 memcpy(state->buf_kern_start + state->buf_kern_offset, data, sz);
1849
1850 count_only:
1851 state->buf_user_offset += sz;
1852 return ebt_buf_count(state, sz);
1853}
1854
1855static int ebt_buf_add_pad(struct ebt_entries_buf_state *state, unsigned int sz)
1856{
1857 char *b = state->buf_kern_start;
1858
1859 BUG_ON(b && state->buf_kern_offset > state->buf_kern_len);
1860
1861 if (b != NULL && sz > 0)
1862 memset(b + state->buf_kern_offset, 0, sz);
1863
1864 return ebt_buf_count(state, sz);
1865}
1866
1867enum compat_mwt {
1868 EBT_COMPAT_MATCH,
1869 EBT_COMPAT_WATCHER,
1870 EBT_COMPAT_TARGET,
1871};
1872
1873static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
1874 enum compat_mwt compat_mwt,
1875 struct ebt_entries_buf_state *state,
1876 const unsigned char *base)
1877{
1878 char name[EBT_FUNCTION_MAXNAMELEN];
1879 struct xt_match *match;
1880 struct xt_target *wt;
1881 void *dst = NULL;
1882 int off, pad = 0, ret = 0;
1883 unsigned int size_kern, entry_offset, match_size = mwt->match_size;
1884
1885 strlcpy(name, mwt->u.name, sizeof(name));
1886
1887 if (state->buf_kern_start)
1888 dst = state->buf_kern_start + state->buf_kern_offset;
1889
1890 entry_offset = (unsigned char *) mwt - base;
1891 switch (compat_mwt) {
1892 case EBT_COMPAT_MATCH:
1893 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
1894 name, 0), "ebt_%s", name);
1895 if (match == NULL)
1896 return -ENOENT;
1897 if (IS_ERR(match))
1898 return PTR_ERR(match);
1899
1900 off = ebt_compat_match_offset(match, match_size);
1901 if (dst) {
1902 if (match->compat_from_user)
1903 match->compat_from_user(dst, mwt->data);
1904 else
1905 memcpy(dst, mwt->data, match_size);
1906 }
1907
1908 size_kern = match->matchsize;
1909 if (unlikely(size_kern == -1))
1910 size_kern = match_size;
1911 module_put(match->me);
1912 break;
1913 case EBT_COMPAT_WATCHER:
1914 case EBT_COMPAT_TARGET:
1915 wt = try_then_request_module(xt_find_target(NFPROTO_BRIDGE,
1916 name, 0), "ebt_%s", name);
1917 if (wt == NULL)
1918 return -ENOENT;
1919 if (IS_ERR(wt))
1920 return PTR_ERR(wt);
1921 off = xt_compat_target_offset(wt);
1922
1923 if (dst) {
1924 if (wt->compat_from_user)
1925 wt->compat_from_user(dst, mwt->data);
1926 else
1927 memcpy(dst, mwt->data, match_size);
1928 }
1929
1930 size_kern = wt->targetsize;
1931 module_put(wt->me);
1932 break;
1933 }
1934
1935 if (!dst) {
1936 ret = xt_compat_add_offset(NFPROTO_BRIDGE, entry_offset,
1937 off + ebt_compat_entry_padsize());
1938 if (ret < 0)
1939 return ret;
1940 }
1941
1942 state->buf_kern_offset += match_size + off;
1943 state->buf_user_offset += match_size;
1944 pad = XT_ALIGN(size_kern) - size_kern;
1945
1946 if (pad > 0 && dst) {
1947 BUG_ON(state->buf_kern_len <= pad);
1948 BUG_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad);
1949 memset(dst + size_kern, 0, pad);
1950 }
1951 return off + match_size;
1952}
1953
1954
1955
1956
1957
1958static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
1959 unsigned int size_left, enum compat_mwt type,
1960 struct ebt_entries_buf_state *state, const void *base)
1961{
1962 int growth = 0;
1963 char *buf;
1964
1965 if (size_left == 0)
1966 return 0;
1967
1968 buf = (char *) match32;
1969
1970 while (size_left >= sizeof(*match32)) {
1971 struct ebt_entry_match *match_kern;
1972 int ret;
1973
1974 match_kern = (struct ebt_entry_match *) state->buf_kern_start;
1975 if (match_kern) {
1976 char *tmp;
1977 tmp = state->buf_kern_start + state->buf_kern_offset;
1978 match_kern = (struct ebt_entry_match *) tmp;
1979 }
1980 ret = ebt_buf_add(state, buf, sizeof(*match32));
1981 if (ret < 0)
1982 return ret;
1983 size_left -= sizeof(*match32);
1984
1985
1986 ret = ebt_buf_add_pad(state, ebt_compat_entry_padsize());
1987 if (ret < 0)
1988 return ret;
1989
1990 if (match32->match_size > size_left)
1991 return -EINVAL;
1992
1993 size_left -= match32->match_size;
1994
1995 ret = compat_mtw_from_user(match32, type, state, base);
1996 if (ret < 0)
1997 return ret;
1998
1999 BUG_ON(ret < match32->match_size);
2000 growth += ret - match32->match_size;
2001 growth += ebt_compat_entry_padsize();
2002
2003 buf += sizeof(*match32);
2004 buf += match32->match_size;
2005
2006 if (match_kern)
2007 match_kern->match_size = ret;
2008
2009 WARN_ON(type == EBT_COMPAT_TARGET && size_left);
2010 match32 = (struct compat_ebt_entry_mwt *) buf;
2011 }
2012
2013 return growth;
2014}
2015
2016#define EBT_COMPAT_WATCHER_ITERATE(e, fn, args...) \
2017({ \
2018 unsigned int __i; \
2019 int __ret = 0; \
2020 struct compat_ebt_entry_mwt *__watcher; \
2021 \
2022 for (__i = e->watchers_offset; \
2023 __i < (e)->target_offset; \
2024 __i += __watcher->watcher_size + \
2025 sizeof(struct compat_ebt_entry_mwt)) { \
2026 __watcher = (void *)(e) + __i; \
2027 __ret = fn(__watcher , ## args); \
2028 if (__ret != 0) \
2029 break; \
2030 } \
2031 if (__ret == 0) { \
2032 if (__i != (e)->target_offset) \
2033 __ret = -EINVAL; \
2034 } \
2035 __ret; \
2036})
2037
2038#define EBT_COMPAT_MATCH_ITERATE(e, fn, args...) \
2039({ \
2040 unsigned int __i; \
2041 int __ret = 0; \
2042 struct compat_ebt_entry_mwt *__match; \
2043 \
2044 for (__i = sizeof(struct ebt_entry); \
2045 __i < (e)->watchers_offset; \
2046 __i += __match->match_size + \
2047 sizeof(struct compat_ebt_entry_mwt)) { \
2048 __match = (void *)(e) + __i; \
2049 __ret = fn(__match , ## args); \
2050 if (__ret != 0) \
2051 break; \
2052 } \
2053 if (__ret == 0) { \
2054 if (__i != (e)->watchers_offset) \
2055 __ret = -EINVAL; \
2056 } \
2057 __ret; \
2058})
2059
2060
2061static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
2062 unsigned int *total,
2063 struct ebt_entries_buf_state *state)
2064{
2065 unsigned int i, j, startoff, new_offset = 0;
2066
2067 unsigned int offsets[4];
2068 unsigned int *offsets_update = NULL;
2069 int ret;
2070 char *buf_start;
2071
2072 if (*total < sizeof(struct ebt_entries))
2073 return -EINVAL;
2074
2075 if (!entry->bitmask) {
2076 *total -= sizeof(struct ebt_entries);
2077 return ebt_buf_add(state, entry, sizeof(struct ebt_entries));
2078 }
2079 if (*total < sizeof(*entry) || entry->next_offset < sizeof(*entry))
2080 return -EINVAL;
2081
2082 startoff = state->buf_user_offset;
2083
2084 ret = ebt_buf_add(state, entry,
2085 offsetof(struct ebt_entry, watchers_offset));
2086 if (ret < 0)
2087 return ret;
2088
2089 offsets[0] = sizeof(struct ebt_entry);
2090 memcpy(&offsets[1], &entry->watchers_offset,
2091 sizeof(offsets) - sizeof(offsets[0]));
2092
2093 if (state->buf_kern_start) {
2094 buf_start = state->buf_kern_start + state->buf_kern_offset;
2095 offsets_update = (unsigned int *) buf_start;
2096 }
2097 ret = ebt_buf_add(state, &offsets[1],
2098 sizeof(offsets) - sizeof(offsets[0]));
2099 if (ret < 0)
2100 return ret;
2101 buf_start = (char *) entry;
2102
2103
2104
2105
2106
2107
2108
2109
2110 for (i = 0, j = 1 ; j < 4 ; j++, i++) {
2111 struct compat_ebt_entry_mwt *match32;
2112 unsigned int size;
2113 char *buf = buf_start;
2114
2115 buf = buf_start + offsets[i];
2116 if (offsets[i] > offsets[j])
2117 return -EINVAL;
2118
2119 match32 = (struct compat_ebt_entry_mwt *) buf;
2120 size = offsets[j] - offsets[i];
2121 ret = ebt_size_mwt(match32, size, i, state, base);
2122 if (ret < 0)
2123 return ret;
2124 new_offset += ret;
2125 if (offsets_update && new_offset) {
2126 pr_debug("change offset %d to %d\n",
2127 offsets_update[i], offsets[j] + new_offset);
2128 offsets_update[i] = offsets[j] + new_offset;
2129 }
2130 }
2131
2132 startoff = state->buf_user_offset - startoff;
2133
2134 BUG_ON(*total < startoff);
2135 *total -= startoff;
2136 return 0;
2137}
2138
2139
2140
2141
2142
2143
2144
2145
2146static int compat_copy_entries(unsigned char *data, unsigned int size_user,
2147 struct ebt_entries_buf_state *state)
2148{
2149 unsigned int size_remaining = size_user;
2150 int ret;
2151
2152 ret = EBT_ENTRY_ITERATE(data, size_user, size_entry_mwt, data,
2153 &size_remaining, state);
2154 if (ret < 0)
2155 return ret;
2156
2157 WARN_ON(size_remaining);
2158 return state->buf_kern_offset;
2159}
2160
2161
2162static int compat_copy_ebt_replace_from_user(struct ebt_replace *repl,
2163 void __user *user, unsigned int len)
2164{
2165 struct compat_ebt_replace tmp;
2166 int i;
2167
2168 if (len < sizeof(tmp))
2169 return -EINVAL;
2170
2171 if (copy_from_user(&tmp, user, sizeof(tmp)))
2172 return -EFAULT;
2173
2174 if (len != sizeof(tmp) + tmp.entries_size)
2175 return -EINVAL;
2176
2177 if (tmp.entries_size == 0)
2178 return -EINVAL;
2179
2180 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) /
2181 NR_CPUS - SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
2182 return -ENOMEM;
2183 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
2184 return -ENOMEM;
2185
2186 memcpy(repl, &tmp, offsetof(struct ebt_replace, hook_entry));
2187
2188
2189 for (i = 0; i < NF_BR_NUMHOOKS; i++)
2190 repl->hook_entry[i] = compat_ptr(tmp.hook_entry[i]);
2191
2192 repl->num_counters = tmp.num_counters;
2193 repl->counters = compat_ptr(tmp.counters);
2194 repl->entries = compat_ptr(tmp.entries);
2195 return 0;
2196}
2197
2198static int compat_do_replace(struct net *net, void __user *user,
2199 unsigned int len)
2200{
2201 int ret, i, countersize, size64;
2202 struct ebt_table_info *newinfo;
2203 struct ebt_replace tmp;
2204 struct ebt_entries_buf_state state;
2205 void *entries_tmp;
2206
2207 ret = compat_copy_ebt_replace_from_user(&tmp, user, len);
2208 if (ret) {
2209
2210 if (ret == -EINVAL && do_replace(net, user, len) == 0)
2211 ret = 0;
2212 return ret;
2213 }
2214
2215 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
2216 newinfo = vmalloc(sizeof(*newinfo) + countersize);
2217 if (!newinfo)
2218 return -ENOMEM;
2219
2220 if (countersize)
2221 memset(newinfo->counters, 0, countersize);
2222
2223 memset(&state, 0, sizeof(state));
2224
2225 newinfo->entries = vmalloc(tmp.entries_size);
2226 if (!newinfo->entries) {
2227 ret = -ENOMEM;
2228 goto free_newinfo;
2229 }
2230 if (copy_from_user(
2231 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
2232 ret = -EFAULT;
2233 goto free_entries;
2234 }
2235
2236 entries_tmp = newinfo->entries;
2237
2238 xt_compat_lock(NFPROTO_BRIDGE);
2239
2240 ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
2241 if (ret < 0)
2242 goto out_unlock;
2243
2244 pr_debug("tmp.entries_size %d, kern off %d, user off %d delta %d\n",
2245 tmp.entries_size, state.buf_kern_offset, state.buf_user_offset,
2246 xt_compat_calc_jump(NFPROTO_BRIDGE, tmp.entries_size));
2247
2248 size64 = ret;
2249 newinfo->entries = vmalloc(size64);
2250 if (!newinfo->entries) {
2251 vfree(entries_tmp);
2252 ret = -ENOMEM;
2253 goto out_unlock;
2254 }
2255
2256 memset(&state, 0, sizeof(state));
2257 state.buf_kern_start = newinfo->entries;
2258 state.buf_kern_len = size64;
2259
2260 ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
2261 BUG_ON(ret < 0);
2262
2263 vfree(entries_tmp);
2264 tmp.entries_size = size64;
2265
2266 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
2267 char __user *usrptr;
2268 if (tmp.hook_entry[i]) {
2269 unsigned int delta;
2270 usrptr = (char __user *) tmp.hook_entry[i];
2271 delta = usrptr - tmp.entries;
2272 usrptr += xt_compat_calc_jump(NFPROTO_BRIDGE, delta);
2273 tmp.hook_entry[i] = (struct ebt_entries __user *)usrptr;
2274 }
2275 }
2276
2277 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2278 xt_compat_unlock(NFPROTO_BRIDGE);
2279
2280 ret = do_replace_finish(net, &tmp, newinfo);
2281 if (ret == 0)
2282 return ret;
2283free_entries:
2284 vfree(newinfo->entries);
2285free_newinfo:
2286 vfree(newinfo);
2287 return ret;
2288out_unlock:
2289 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2290 xt_compat_unlock(NFPROTO_BRIDGE);
2291 goto free_entries;
2292}
2293
2294static int compat_update_counters(struct net *net, void __user *user,
2295 unsigned int len)
2296{
2297 struct compat_ebt_replace hlp;
2298
2299 if (copy_from_user(&hlp, user, sizeof(hlp)))
2300 return -EFAULT;
2301
2302
2303 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
2304 return update_counters(net, user, len);
2305
2306 return do_update_counters(net, hlp.name, compat_ptr(hlp.counters),
2307 hlp.num_counters, user, len);
2308}
2309
2310static int compat_do_ebt_set_ctl(struct sock *sk,
2311 int cmd, void __user *user, unsigned int len)
2312{
2313 int ret;
2314
2315 if (!capable(CAP_NET_ADMIN))
2316 return -EPERM;
2317
2318 switch (cmd) {
2319 case EBT_SO_SET_ENTRIES:
2320 ret = compat_do_replace(sock_net(sk), user, len);
2321 break;
2322 case EBT_SO_SET_COUNTERS:
2323 ret = compat_update_counters(sock_net(sk), user, len);
2324 break;
2325 default:
2326 ret = -EINVAL;
2327 }
2328 return ret;
2329}
2330
2331static int compat_do_ebt_get_ctl(struct sock *sk, int cmd,
2332 void __user *user, int *len)
2333{
2334 int ret;
2335 struct compat_ebt_replace tmp;
2336 struct ebt_table *t;
2337
2338 if (!capable(CAP_NET_ADMIN))
2339 return -EPERM;
2340
2341
2342 if ((cmd == EBT_SO_GET_INFO ||
2343 cmd == EBT_SO_GET_INIT_INFO) && *len != sizeof(tmp))
2344 return do_ebt_get_ctl(sk, cmd, user, len);
2345
2346 if (copy_from_user(&tmp, user, sizeof(tmp)))
2347 return -EFAULT;
2348
2349 t = find_table_lock(sock_net(sk), tmp.name, &ret, &ebt_mutex);
2350 if (!t)
2351 return ret;
2352
2353 xt_compat_lock(NFPROTO_BRIDGE);
2354 switch (cmd) {
2355 case EBT_SO_GET_INFO:
2356 tmp.nentries = t->private->nentries;
2357 ret = compat_table_info(t->private, &tmp);
2358 if (ret)
2359 goto out;
2360 tmp.valid_hooks = t->valid_hooks;
2361
2362 if (copy_to_user(user, &tmp, *len) != 0) {
2363 ret = -EFAULT;
2364 break;
2365 }
2366 ret = 0;
2367 break;
2368 case EBT_SO_GET_INIT_INFO:
2369 tmp.nentries = t->table->nentries;
2370 tmp.entries_size = t->table->entries_size;
2371 tmp.valid_hooks = t->table->valid_hooks;
2372
2373 if (copy_to_user(user, &tmp, *len) != 0) {
2374 ret = -EFAULT;
2375 break;
2376 }
2377 ret = 0;
2378 break;
2379 case EBT_SO_GET_ENTRIES:
2380 case EBT_SO_GET_INIT_ENTRIES:
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390 if (copy_everything_to_user(t, user, len, cmd) == 0)
2391 ret = 0;
2392 else
2393 ret = compat_copy_everything_to_user(t, user, len, cmd);
2394 break;
2395 default:
2396 ret = -EINVAL;
2397 }
2398 out:
2399 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2400 xt_compat_unlock(NFPROTO_BRIDGE);
2401 mutex_unlock(&ebt_mutex);
2402 return ret;
2403}
2404#endif
2405
2406static struct nf_sockopt_ops ebt_sockopts =
2407{
2408 .pf = PF_INET,
2409 .set_optmin = EBT_BASE_CTL,
2410 .set_optmax = EBT_SO_SET_MAX + 1,
2411 .set = do_ebt_set_ctl,
2412#ifdef CONFIG_COMPAT
2413 .compat_set = compat_do_ebt_set_ctl,
2414#endif
2415 .get_optmin = EBT_BASE_CTL,
2416 .get_optmax = EBT_SO_GET_MAX + 1,
2417 .get = do_ebt_get_ctl,
2418#ifdef CONFIG_COMPAT
2419 .compat_get = compat_do_ebt_get_ctl,
2420#endif
2421 .owner = THIS_MODULE,
2422};
2423
2424static int __init ebtables_init(void)
2425{
2426 int ret;
2427
2428 ret = xt_register_target(&ebt_standard_target);
2429 if (ret < 0)
2430 return ret;
2431 ret = nf_register_sockopt(&ebt_sockopts);
2432 if (ret < 0) {
2433 xt_unregister_target(&ebt_standard_target);
2434 return ret;
2435 }
2436
2437 printk(KERN_INFO "Ebtables v2.0 registered\n");
2438 return 0;
2439}
2440
2441static void __exit ebtables_fini(void)
2442{
2443 nf_unregister_sockopt(&ebt_sockopts);
2444 xt_unregister_target(&ebt_standard_target);
2445 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
2446}
2447
2448EXPORT_SYMBOL(ebt_register_table);
2449EXPORT_SYMBOL(ebt_unregister_table);
2450EXPORT_SYMBOL(ebt_do_table);
2451module_init(ebtables_init);
2452module_exit(ebtables_fini);
2453MODULE_LICENSE("GPL");
2454
