1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
18#include <linux/kmod.h>
19#include <linux/module.h>
20#include <linux/vmalloc.h>
21#include <linux/netfilter/x_tables.h>
22#include <linux/netfilter_bridge/ebtables.h>
23#include <linux/spinlock.h>
24#include <linux/mutex.h>
25#include <linux/slab.h>
26#include <linux/uaccess.h>
27#include <linux/smp.h>
28#include <linux/cpumask.h>
29#include <linux/audit.h>
30#include <net/sock.h>
31
32#include "../br_private.h"
33
34#define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
35 "report to author: "format, ## args)
36
37
38
39
40
41
42
43
44
45#define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
46#define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
47#define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
48 COUNTER_OFFSET(n) * cpu))
49
50
51
52static DEFINE_MUTEX(ebt_mutex);
53
54#ifdef CONFIG_COMPAT
55static void ebt_standard_compat_from_user(void *dst, const void *src)
56{
57 int v = *(compat_int_t *)src;
58
59 if (v >= 0)
60 v += xt_compat_calc_jump(NFPROTO_BRIDGE, v);
61 memcpy(dst, &v, sizeof(v));
62}
63
64static int ebt_standard_compat_to_user(void __user *dst, const void *src)
65{
66 compat_int_t cv = *(int *)src;
67
68 if (cv >= 0)
69 cv -= xt_compat_calc_jump(NFPROTO_BRIDGE, cv);
70 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
71}
72#endif
73
74
75static struct xt_target ebt_standard_target = {
76 .name = "standard",
77 .revision = 0,
78 .family = NFPROTO_BRIDGE,
79 .targetsize = sizeof(int),
80#ifdef CONFIG_COMPAT
81 .compatsize = sizeof(compat_int_t),
82 .compat_from_user = ebt_standard_compat_from_user,
83 .compat_to_user = ebt_standard_compat_to_user,
84#endif
85};
86
87static inline int
88ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
89 struct xt_action_param *par)
90{
91 par->target = w->u.watcher;
92 par->targinfo = w->data;
93 w->u.watcher->target(skb, par);
94
95 return 0;
96}
97
98static inline int
99ebt_do_match(struct ebt_entry_match *m, const struct sk_buff *skb,
100 struct xt_action_param *par)
101{
102 par->match = m->u.match;
103 par->matchinfo = m->data;
104 return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH;
105}
106
107static inline int
108ebt_dev_check(const char *entry, const struct net_device *device)
109{
110 int i = 0;
111 const char *devname;
112
113 if (*entry == '\0')
114 return 0;
115 if (!device)
116 return 1;
117 devname = device->name;
118
119 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
120 i++;
121 return devname[i] != entry[i] && entry[i] != 1;
122}
123
124
125static inline int
126ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb,
127 const struct net_device *in, const struct net_device *out)
128{
129 const struct ethhdr *h = eth_hdr(skb);
130 const struct net_bridge_port *p;
131 __be16 ethproto;
132
133 if (skb_vlan_tag_present(skb))
134 ethproto = htons(ETH_P_8021Q);
135 else
136 ethproto = h->h_proto;
137
138 if (e->bitmask & EBT_802_3) {
139 if (NF_INVF(e, EBT_IPROTO, eth_proto_is_802_3(ethproto)))
140 return 1;
141 } else if (!(e->bitmask & EBT_NOPROTO) &&
142 NF_INVF(e, EBT_IPROTO, e->ethproto != ethproto))
143 return 1;
144
145 if (NF_INVF(e, EBT_IIN, ebt_dev_check(e->in, in)))
146 return 1;
147 if (NF_INVF(e, EBT_IOUT, ebt_dev_check(e->out, out)))
148 return 1;
149
150 if (in && (p = br_port_get_rcu(in)) != NULL &&
151 NF_INVF(e, EBT_ILOGICALIN,
152 ebt_dev_check(e->logical_in, p->br->dev)))
153 return 1;
154 if (out && (p = br_port_get_rcu(out)) != NULL &&
155 NF_INVF(e, EBT_ILOGICALOUT,
156 ebt_dev_check(e->logical_out, p->br->dev)))
157 return 1;
158
159 if (e->bitmask & EBT_SOURCEMAC) {
160 if (NF_INVF(e, EBT_ISOURCE,
161 !ether_addr_equal_masked(h->h_source, e->sourcemac,
162 e->sourcemsk)))
163 return 1;
164 }
165 if (e->bitmask & EBT_DESTMAC) {
166 if (NF_INVF(e, EBT_IDEST,
167 !ether_addr_equal_masked(h->h_dest, e->destmac,
168 e->destmsk)))
169 return 1;
170 }
171 return 0;
172}
173
174static inline
175struct ebt_entry *ebt_next_entry(const struct ebt_entry *entry)
176{
177 return (void *)entry + entry->next_offset;
178}
179
180
181unsigned int ebt_do_table(struct sk_buff *skb,
182 const struct nf_hook_state *state,
183 struct ebt_table *table)
184{
185 unsigned int hook = state->hook;
186 int i, nentries;
187 struct ebt_entry *point;
188 struct ebt_counter *counter_base, *cb_base;
189 const struct ebt_entry_target *t;
190 int verdict, sp = 0;
191 struct ebt_chainstack *cs;
192 struct ebt_entries *chaininfo;
193 const char *base;
194 const struct ebt_table_info *private;
195 struct xt_action_param acpar;
196
197 acpar.state = state;
198 acpar.hotdrop = false;
199
200 read_lock_bh(&table->lock);
201 private = table->private;
202 cb_base = COUNTER_BASE(private->counters, private->nentries,
203 smp_processor_id());
204 if (private->chainstack)
205 cs = private->chainstack[smp_processor_id()];
206 else
207 cs = NULL;
208 chaininfo = private->hook_entry[hook];
209 nentries = private->hook_entry[hook]->nentries;
210 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
211 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
212
213 base = private->entries;
214 i = 0;
215 while (i < nentries) {
216 if (ebt_basic_match(point, skb, state->in, state->out))
217 goto letscontinue;
218
219 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)
220 goto letscontinue;
221 if (acpar.hotdrop) {
222 read_unlock_bh(&table->lock);
223 return NF_DROP;
224 }
225
226
227 (*(counter_base + i)).pcnt++;
228 (*(counter_base + i)).bcnt += skb->len;
229
230
231
232
233 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &acpar);
234
235 t = (struct ebt_entry_target *)
236 (((char *)point) + point->target_offset);
237
238 if (!t->u.target->target)
239 verdict = ((struct ebt_standard_target *)t)->verdict;
240 else {
241 acpar.target = t->u.target;
242 acpar.targinfo = t->data;
243 verdict = t->u.target->target(skb, &acpar);
244 }
245 if (verdict == EBT_ACCEPT) {
246 read_unlock_bh(&table->lock);
247 return NF_ACCEPT;
248 }
249 if (verdict == EBT_DROP) {
250 read_unlock_bh(&table->lock);
251 return NF_DROP;
252 }
253 if (verdict == EBT_RETURN) {
254letsreturn:
255#ifdef CONFIG_NETFILTER_DEBUG
256 if (sp == 0) {
257 BUGPRINT("RETURN on base chain");
258
259 goto letscontinue;
260 }
261#endif
262 sp--;
263
264 i = cs[sp].n;
265 chaininfo = cs[sp].chaininfo;
266 nentries = chaininfo->nentries;
267 point = cs[sp].e;
268 counter_base = cb_base +
269 chaininfo->counter_offset;
270 continue;
271 }
272 if (verdict == EBT_CONTINUE)
273 goto letscontinue;
274#ifdef CONFIG_NETFILTER_DEBUG
275 if (verdict < 0) {
276 BUGPRINT("bogus standard verdict\n");
277 read_unlock_bh(&table->lock);
278 return NF_DROP;
279 }
280#endif
281
282 cs[sp].n = i + 1;
283 cs[sp].chaininfo = chaininfo;
284 cs[sp].e = ebt_next_entry(point);
285 i = 0;
286 chaininfo = (struct ebt_entries *) (base + verdict);
287#ifdef CONFIG_NETFILTER_DEBUG
288 if (chaininfo->distinguisher) {
289 BUGPRINT("jump to non-chain\n");
290 read_unlock_bh(&table->lock);
291 return NF_DROP;
292 }
293#endif
294 nentries = chaininfo->nentries;
295 point = (struct ebt_entry *)chaininfo->data;
296 counter_base = cb_base + chaininfo->counter_offset;
297 sp++;
298 continue;
299letscontinue:
300 point = ebt_next_entry(point);
301 i++;
302 }
303
304
305 if (chaininfo->policy == EBT_RETURN)
306 goto letsreturn;
307 if (chaininfo->policy == EBT_ACCEPT) {
308 read_unlock_bh(&table->lock);
309 return NF_ACCEPT;
310 }
311 read_unlock_bh(&table->lock);
312 return NF_DROP;
313}
314
315
316static inline void *
317find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
318 struct mutex *mutex)
319{
320 struct {
321 struct list_head list;
322 char name[EBT_FUNCTION_MAXNAMELEN];
323 } *e;
324
325 mutex_lock(mutex);
326 list_for_each_entry(e, head, list) {
327 if (strcmp(e->name, name) == 0)
328 return e;
329 }
330 *error = -ENOENT;
331 mutex_unlock(mutex);
332 return NULL;
333}
334
335static void *
336find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
337 int *error, struct mutex *mutex)
338{
339 return try_then_request_module(
340 find_inlist_lock_noload(head, name, error, mutex),
341 "%s%s", prefix, name);
342}
343
344static inline struct ebt_table *
345find_table_lock(struct net *net, const char *name, int *error,
346 struct mutex *mutex)
347{
348 return find_inlist_lock(&net->xt.tables[NFPROTO_BRIDGE], name,
349 "ebtable_", error, mutex);
350}
351
352static inline int
353ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
354 unsigned int *cnt)
355{
356 const struct ebt_entry *e = par->entryinfo;
357 struct xt_match *match;
358 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
359 int ret;
360
361 if (left < sizeof(struct ebt_entry_match) ||
362 left - sizeof(struct ebt_entry_match) < m->match_size)
363 return -EINVAL;
364
365 match = xt_find_match(NFPROTO_BRIDGE, m->u.name, 0);
366 if (IS_ERR(match) || match->family != NFPROTO_BRIDGE) {
367 if (!IS_ERR(match))
368 module_put(match->me);
369 request_module("ebt_%s", m->u.name);
370 match = xt_find_match(NFPROTO_BRIDGE, m->u.name, 0);
371 }
372 if (IS_ERR(match))
373 return PTR_ERR(match);
374 m->u.match = match;
375
376 par->match = match;
377 par->matchinfo = m->data;
378 ret = xt_check_match(par, m->match_size,
379 e->ethproto, e->invflags & EBT_IPROTO);
380 if (ret < 0) {
381 module_put(match->me);
382 return ret;
383 }
384
385 (*cnt)++;
386 return 0;
387}
388
389static inline int
390ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
391 unsigned int *cnt)
392{
393 const struct ebt_entry *e = par->entryinfo;
394 struct xt_target *watcher;
395 size_t left = ((char *)e + e->target_offset) - (char *)w;
396 int ret;
397
398 if (left < sizeof(struct ebt_entry_watcher) ||
399 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
400 return -EINVAL;
401
402 watcher = xt_request_find_target(NFPROTO_BRIDGE, w->u.name, 0);
403 if (IS_ERR(watcher))
404 return PTR_ERR(watcher);
405 w->u.watcher = watcher;
406
407 par->target = watcher;
408 par->targinfo = w->data;
409 ret = xt_check_target(par, w->watcher_size,
410 e->ethproto, e->invflags & EBT_IPROTO);
411 if (ret < 0) {
412 module_put(watcher->me);
413 return ret;
414 }
415
416 (*cnt)++;
417 return 0;
418}
419
420static int ebt_verify_pointers(const struct ebt_replace *repl,
421 struct ebt_table_info *newinfo)
422{
423 unsigned int limit = repl->entries_size;
424 unsigned int valid_hooks = repl->valid_hooks;
425 unsigned int offset = 0;
426 int i;
427
428 for (i = 0; i < NF_BR_NUMHOOKS; i++)
429 newinfo->hook_entry[i] = NULL;
430
431 newinfo->entries_size = repl->entries_size;
432 newinfo->nentries = repl->nentries;
433
434 while (offset < limit) {
435 size_t left = limit - offset;
436 struct ebt_entry *e = (void *)newinfo->entries + offset;
437
438 if (left < sizeof(unsigned int))
439 break;
440
441 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
442 if ((valid_hooks & (1 << i)) == 0)
443 continue;
444 if ((char __user *)repl->hook_entry[i] ==
445 repl->entries + offset)
446 break;
447 }
448
449 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
450 if (e->bitmask != 0) {
451
452
453
454 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
455 "in distinguisher\n");
456 return -EINVAL;
457 }
458 if (i != NF_BR_NUMHOOKS)
459 newinfo->hook_entry[i] = (struct ebt_entries *)e;
460 if (left < sizeof(struct ebt_entries))
461 break;
462 offset += sizeof(struct ebt_entries);
463 } else {
464 if (left < sizeof(struct ebt_entry))
465 break;
466 if (left < e->next_offset)
467 break;
468 if (e->next_offset < sizeof(struct ebt_entry))
469 return -EINVAL;
470 offset += e->next_offset;
471 }
472 }
473 if (offset != limit) {
474 BUGPRINT("entries_size too small\n");
475 return -EINVAL;
476 }
477
478
479 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
480 if (!newinfo->hook_entry[i] &&
481 (valid_hooks & (1 << i))) {
482 BUGPRINT("Valid hook without chain\n");
483 return -EINVAL;
484 }
485 }
486 return 0;
487}
488
489
490
491
492static inline int
493ebt_check_entry_size_and_hooks(const struct ebt_entry *e,
494 const struct ebt_table_info *newinfo,
495 unsigned int *n, unsigned int *cnt,
496 unsigned int *totalcnt, unsigned int *udc_cnt)
497{
498 int i;
499
500 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
501 if ((void *)e == (void *)newinfo->hook_entry[i])
502 break;
503 }
504
505
506
507 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
508
509
510
511 if (*n != *cnt) {
512 BUGPRINT("nentries does not equal the nr of entries "
513 "in the chain\n");
514 return -EINVAL;
515 }
516 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
517 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
518
519 if (i != NF_BR_NUMHOOKS ||
520 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
521 BUGPRINT("bad policy\n");
522 return -EINVAL;
523 }
524 }
525 if (i == NF_BR_NUMHOOKS)
526 (*udc_cnt)++;
527 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
528 BUGPRINT("counter_offset != totalcnt");
529 return -EINVAL;
530 }
531 *n = ((struct ebt_entries *)e)->nentries;
532 *cnt = 0;
533 return 0;
534 }
535
536 if (sizeof(struct ebt_entry) > e->watchers_offset ||
537 e->watchers_offset > e->target_offset ||
538 e->target_offset >= e->next_offset) {
539 BUGPRINT("entry offsets not in right order\n");
540 return -EINVAL;
541 }
542
543 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
544 BUGPRINT("target size too small\n");
545 return -EINVAL;
546 }
547 (*cnt)++;
548 (*totalcnt)++;
549 return 0;
550}
551
552struct ebt_cl_stack {
553 struct ebt_chainstack cs;
554 int from;
555 unsigned int hookmask;
556};
557
558
559
560
561static inline int
562ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
563 unsigned int *n, struct ebt_cl_stack *udc)
564{
565 int i;
566
567
568 if (e->bitmask)
569 return 0;
570 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
571 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
572 break;
573 }
574
575 if (i != NF_BR_NUMHOOKS)
576 return 0;
577
578 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
579
580 udc[*n].cs.n = 0;
581 udc[*n].hookmask = 0;
582
583 (*n)++;
584 return 0;
585}
586
587static inline int
588ebt_cleanup_match(struct ebt_entry_match *m, struct net *net, unsigned int *i)
589{
590 struct xt_mtdtor_param par;
591
592 if (i && (*i)-- == 0)
593 return 1;
594
595 par.net = net;
596 par.match = m->u.match;
597 par.matchinfo = m->data;
598 par.family = NFPROTO_BRIDGE;
599 if (par.match->destroy != NULL)
600 par.match->destroy(&par);
601 module_put(par.match->me);
602 return 0;
603}
604
605static inline int
606ebt_cleanup_watcher(struct ebt_entry_watcher *w, struct net *net, unsigned int *i)
607{
608 struct xt_tgdtor_param par;
609
610 if (i && (*i)-- == 0)
611 return 1;
612
613 par.net = net;
614 par.target = w->u.watcher;
615 par.targinfo = w->data;
616 par.family = NFPROTO_BRIDGE;
617 if (par.target->destroy != NULL)
618 par.target->destroy(&par);
619 module_put(par.target->me);
620 return 0;
621}
622
623static inline int
624ebt_cleanup_entry(struct ebt_entry *e, struct net *net, unsigned int *cnt)
625{
626 struct xt_tgdtor_param par;
627 struct ebt_entry_target *t;
628
629 if (e->bitmask == 0)
630 return 0;
631
632 if (cnt && (*cnt)-- == 0)
633 return 1;
634 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, NULL);
635 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, NULL);
636 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
637
638 par.net = net;
639 par.target = t->u.target;
640 par.targinfo = t->data;
641 par.family = NFPROTO_BRIDGE;
642 if (par.target->destroy != NULL)
643 par.target->destroy(&par);
644 module_put(par.target->me);
645 return 0;
646}
647
648static inline int
649ebt_check_entry(struct ebt_entry *e, struct net *net,
650 const struct ebt_table_info *newinfo,
651 const char *name, unsigned int *cnt,
652 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
653{
654 struct ebt_entry_target *t;
655 struct xt_target *target;
656 unsigned int i, j, hook = 0, hookmask = 0;
657 size_t gap;
658 int ret;
659 struct xt_mtchk_param mtpar;
660 struct xt_tgchk_param tgpar;
661
662
663 if (e->bitmask == 0)
664 return 0;
665
666 if (e->bitmask & ~EBT_F_MASK) {
667 BUGPRINT("Unknown flag for bitmask\n");
668 return -EINVAL;
669 }
670 if (e->invflags & ~EBT_INV_MASK) {
671 BUGPRINT("Unknown flag for inv bitmask\n");
672 return -EINVAL;
673 }
674 if ((e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3)) {
675 BUGPRINT("NOPROTO & 802_3 not allowed\n");
676 return -EINVAL;
677 }
678
679 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
680 if (!newinfo->hook_entry[i])
681 continue;
682 if ((char *)newinfo->hook_entry[i] < (char *)e)
683 hook = i;
684 else
685 break;
686 }
687
688
689
690 if (i < NF_BR_NUMHOOKS)
691 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
692 else {
693 for (i = 0; i < udc_cnt; i++)
694 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
695 break;
696 if (i == 0)
697 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
698 else
699 hookmask = cl_s[i - 1].hookmask;
700 }
701 i = 0;
702
703 mtpar.net = tgpar.net = net;
704 mtpar.table = tgpar.table = name;
705 mtpar.entryinfo = tgpar.entryinfo = e;
706 mtpar.hook_mask = tgpar.hook_mask = hookmask;
707 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
708 ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i);
709 if (ret != 0)
710 goto cleanup_matches;
711 j = 0;
712 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j);
713 if (ret != 0)
714 goto cleanup_watchers;
715 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
716 gap = e->next_offset - e->target_offset;
717
718 target = xt_request_find_target(NFPROTO_BRIDGE, t->u.name, 0);
719 if (IS_ERR(target)) {
720 ret = PTR_ERR(target);
721 goto cleanup_watchers;
722 }
723
724 t->u.target = target;
725 if (t->u.target == &ebt_standard_target) {
726 if (gap < sizeof(struct ebt_standard_target)) {
727 BUGPRINT("Standard target size too big\n");
728 ret = -EFAULT;
729 goto cleanup_watchers;
730 }
731 if (((struct ebt_standard_target *)t)->verdict <
732 -NUM_STANDARD_TARGETS) {
733 BUGPRINT("Invalid standard target\n");
734 ret = -EFAULT;
735 goto cleanup_watchers;
736 }
737 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
738 module_put(t->u.target->me);
739 ret = -EFAULT;
740 goto cleanup_watchers;
741 }
742
743 tgpar.target = target;
744 tgpar.targinfo = t->data;
745 ret = xt_check_target(&tgpar, t->target_size,
746 e->ethproto, e->invflags & EBT_IPROTO);
747 if (ret < 0) {
748 module_put(target->me);
749 goto cleanup_watchers;
750 }
751 (*cnt)++;
752 return 0;
753cleanup_watchers:
754 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, &j);
755cleanup_matches:
756 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, &i);
757 return ret;
758}
759
760
761
762
763
764static int check_chainloops(const struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
765 unsigned int udc_cnt, unsigned int hooknr, char *base)
766{
767 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
768 const struct ebt_entry *e = (struct ebt_entry *)chain->data;
769 const struct ebt_entry_target *t;
770
771 while (pos < nentries || chain_nr != -1) {
772
773 if (pos == nentries) {
774
775 e = cl_s[chain_nr].cs.e;
776 if (cl_s[chain_nr].from != -1)
777 nentries =
778 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
779 else
780 nentries = chain->nentries;
781 pos = cl_s[chain_nr].cs.n;
782
783 cl_s[chain_nr].cs.n = 0;
784 chain_nr = cl_s[chain_nr].from;
785 if (pos == nentries)
786 continue;
787 }
788 t = (struct ebt_entry_target *)
789 (((char *)e) + e->target_offset);
790 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
791 goto letscontinue;
792 if (e->target_offset + sizeof(struct ebt_standard_target) >
793 e->next_offset) {
794 BUGPRINT("Standard target size too big\n");
795 return -1;
796 }
797 verdict = ((struct ebt_standard_target *)t)->verdict;
798 if (verdict >= 0) {
799 struct ebt_entries *hlp2 =
800 (struct ebt_entries *)(base + verdict);
801 for (i = 0; i < udc_cnt; i++)
802 if (hlp2 == cl_s[i].cs.chaininfo)
803 break;
804
805 if (i == udc_cnt) {
806 BUGPRINT("bad destination\n");
807 return -1;
808 }
809 if (cl_s[i].cs.n) {
810 BUGPRINT("loop\n");
811 return -1;
812 }
813 if (cl_s[i].hookmask & (1 << hooknr))
814 goto letscontinue;
815
816 cl_s[i].cs.n = pos + 1;
817 pos = 0;
818 cl_s[i].cs.e = ebt_next_entry(e);
819 e = (struct ebt_entry *)(hlp2->data);
820 nentries = hlp2->nentries;
821 cl_s[i].from = chain_nr;
822 chain_nr = i;
823
824 cl_s[i].hookmask |= (1 << hooknr);
825 continue;
826 }
827letscontinue:
828 e = ebt_next_entry(e);
829 pos++;
830 }
831 return 0;
832}
833
834
835static int translate_table(struct net *net, const char *name,
836 struct ebt_table_info *newinfo)
837{
838 unsigned int i, j, k, udc_cnt;
839 int ret;
840 struct ebt_cl_stack *cl_s = NULL;
841
842 i = 0;
843 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
844 i++;
845 if (i == NF_BR_NUMHOOKS) {
846 BUGPRINT("No valid hooks specified\n");
847 return -EINVAL;
848 }
849 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
850 BUGPRINT("Chains don't start at beginning\n");
851 return -EINVAL;
852 }
853
854
855
856 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
857 if (!newinfo->hook_entry[j])
858 continue;
859 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
860 BUGPRINT("Hook order must be followed\n");
861 return -EINVAL;
862 }
863 i = j;
864 }
865
866
867 i = 0;
868 j = 0;
869 k = 0;
870
871
872 udc_cnt = 0;
873 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
874 ebt_check_entry_size_and_hooks, newinfo,
875 &i, &j, &k, &udc_cnt);
876
877 if (ret != 0)
878 return ret;
879
880 if (i != j) {
881 BUGPRINT("nentries does not equal the nr of entries in the "
882 "(last) chain\n");
883 return -EINVAL;
884 }
885 if (k != newinfo->nentries) {
886 BUGPRINT("Total nentries is wrong\n");
887 return -EINVAL;
888 }
889
890
891
892
893 if (udc_cnt) {
894
895
896
897 newinfo->chainstack =
898 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
899 if (!newinfo->chainstack)
900 return -ENOMEM;
901 for_each_possible_cpu(i) {
902 newinfo->chainstack[i] =
903 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
904 if (!newinfo->chainstack[i]) {
905 while (i)
906 vfree(newinfo->chainstack[--i]);
907 vfree(newinfo->chainstack);
908 newinfo->chainstack = NULL;
909 return -ENOMEM;
910 }
911 }
912
913 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
914 if (!cl_s)
915 return -ENOMEM;
916 i = 0;
917 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
918 ebt_get_udc_positions, newinfo, &i, cl_s);
919
920 if (i != udc_cnt) {
921 BUGPRINT("i != udc_cnt\n");
922 vfree(cl_s);
923 return -EFAULT;
924 }
925 }
926
927
928 for (i = 0; i < NF_BR_NUMHOOKS; i++)
929 if (newinfo->hook_entry[i])
930 if (check_chainloops(newinfo->hook_entry[i],
931 cl_s, udc_cnt, i, newinfo->entries)) {
932 vfree(cl_s);
933 return -EINVAL;
934 }
935
936
937
938
939
940
941
942
943
944
945
946
947
948 i = 0;
949 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
950 ebt_check_entry, net, newinfo, name, &i, cl_s, udc_cnt);
951 if (ret != 0) {
952 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
953 ebt_cleanup_entry, net, &i);
954 }
955 vfree(cl_s);
956 return ret;
957}
958
959
960static void get_counters(const struct ebt_counter *oldcounters,
961 struct ebt_counter *counters, unsigned int nentries)
962{
963 int i, cpu;
964 struct ebt_counter *counter_base;
965
966
967 memcpy(counters, oldcounters,
968 sizeof(struct ebt_counter) * nentries);
969
970
971 for_each_possible_cpu(cpu) {
972 if (cpu == 0)
973 continue;
974 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
975 for (i = 0; i < nentries; i++) {
976 counters[i].pcnt += counter_base[i].pcnt;
977 counters[i].bcnt += counter_base[i].bcnt;
978 }
979 }
980}
981
982static int do_replace_finish(struct net *net, struct ebt_replace *repl,
983 struct ebt_table_info *newinfo)
984{
985 int ret, i;
986 struct ebt_counter *counterstmp = NULL;
987
988 struct ebt_table_info *table;
989 struct ebt_table *t;
990
991
992
993
994 if (repl->num_counters) {
995 unsigned long size = repl->num_counters * sizeof(*counterstmp);
996 counterstmp = vmalloc(size);
997 if (!counterstmp)
998 return -ENOMEM;
999 }
1000
1001 newinfo->chainstack = NULL;
1002 ret = ebt_verify_pointers(repl, newinfo);
1003 if (ret != 0)
1004 goto free_counterstmp;
1005
1006 ret = translate_table(net, repl->name, newinfo);
1007
1008 if (ret != 0)
1009 goto free_counterstmp;
1010
1011 t = find_table_lock(net, repl->name, &ret, &ebt_mutex);
1012 if (!t) {
1013 ret = -ENOENT;
1014 goto free_iterate;
1015 }
1016
1017
1018 if (t->check && (ret = t->check(newinfo, repl->valid_hooks)))
1019 goto free_unlock;
1020
1021 if (repl->num_counters && repl->num_counters != t->private->nentries) {
1022 BUGPRINT("Wrong nr. of counters requested\n");
1023 ret = -EINVAL;
1024 goto free_unlock;
1025 }
1026
1027
1028 table = t->private;
1029
1030 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1031 ret = -ENOENT;
1032 goto free_unlock;
1033 } else if (table->nentries && !newinfo->nentries)
1034 module_put(t->me);
1035
1036 write_lock_bh(&t->lock);
1037 if (repl->num_counters)
1038 get_counters(t->private->counters, counterstmp,
1039 t->private->nentries);
1040
1041 t->private = newinfo;
1042 write_unlock_bh(&t->lock);
1043 mutex_unlock(&ebt_mutex);
1044
1045
1046
1047
1048
1049 if (repl->num_counters &&
1050 copy_to_user(repl->counters, counterstmp,
1051 repl->num_counters * sizeof(struct ebt_counter))) {
1052
1053 net_warn_ratelimited("ebtables: counters copy to user failed while replacing table\n");
1054 }
1055
1056
1057 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1058 ebt_cleanup_entry, net, NULL);
1059
1060 vfree(table->entries);
1061 if (table->chainstack) {
1062 for_each_possible_cpu(i)
1063 vfree(table->chainstack[i]);
1064 vfree(table->chainstack);
1065 }
1066 vfree(table);
1067
1068 vfree(counterstmp);
1069
1070#ifdef CONFIG_AUDIT
1071 if (audit_enabled) {
1072 struct audit_buffer *ab;
1073
1074 ab = audit_log_start(current->audit_context, GFP_KERNEL,
1075 AUDIT_NETFILTER_CFG);
1076 if (ab) {
1077 audit_log_format(ab, "table=%s family=%u entries=%u",
1078 repl->name, AF_BRIDGE, repl->nentries);
1079 audit_log_end(ab);
1080 }
1081 }
1082#endif
1083 return ret;
1084
1085free_unlock:
1086 mutex_unlock(&ebt_mutex);
1087free_iterate:
1088 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1089 ebt_cleanup_entry, net, NULL);
1090free_counterstmp:
1091 vfree(counterstmp);
1092
1093 if (newinfo->chainstack) {
1094 for_each_possible_cpu(i)
1095 vfree(newinfo->chainstack[i]);
1096 vfree(newinfo->chainstack);
1097 }
1098 return ret;
1099}
1100
1101
1102static int do_replace(struct net *net, const void __user *user,
1103 unsigned int len)
1104{
1105 int ret, countersize;
1106 struct ebt_table_info *newinfo;
1107 struct ebt_replace tmp;
1108
1109 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1110 return -EFAULT;
1111
1112 if (len != sizeof(tmp) + tmp.entries_size) {
1113 BUGPRINT("Wrong len argument\n");
1114 return -EINVAL;
1115 }
1116
1117 if (tmp.entries_size == 0) {
1118 BUGPRINT("Entries_size never zero\n");
1119 return -EINVAL;
1120 }
1121
1122 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) /
1123 NR_CPUS - SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
1124 return -ENOMEM;
1125 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
1126 return -ENOMEM;
1127
1128 tmp.name[sizeof(tmp.name) - 1] = 0;
1129
1130 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
1131 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1132 if (!newinfo)
1133 return -ENOMEM;
1134
1135 if (countersize)
1136 memset(newinfo->counters, 0, countersize);
1137
1138 newinfo->entries = vmalloc(tmp.entries_size);
1139 if (!newinfo->entries) {
1140 ret = -ENOMEM;
1141 goto free_newinfo;
1142 }
1143 if (copy_from_user(
1144 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
1145 BUGPRINT("Couldn't copy entries from userspace\n");
1146 ret = -EFAULT;
1147 goto free_entries;
1148 }
1149
1150 ret = do_replace_finish(net, &tmp, newinfo);
1151 if (ret == 0)
1152 return ret;
1153free_entries:
1154 vfree(newinfo->entries);
1155free_newinfo:
1156 vfree(newinfo);
1157 return ret;
1158}
1159
1160struct ebt_table *
1161ebt_register_table(struct net *net, const struct ebt_table *input_table)
1162{
1163 struct ebt_table_info *newinfo;
1164 struct ebt_table *t, *table;
1165 struct ebt_replace_kernel *repl;
1166 int ret, i, countersize;
1167 void *p;
1168
1169 if (input_table == NULL || (repl = input_table->table) == NULL ||
1170 repl->entries == NULL || repl->entries_size == 0 ||
1171 repl->counters != NULL || input_table->private != NULL) {
1172 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1173 return ERR_PTR(-EINVAL);
1174 }
1175
1176
1177 table = kmemdup(input_table, sizeof(struct ebt_table), GFP_KERNEL);
1178 if (!table) {
1179 ret = -ENOMEM;
1180 goto out;
1181 }
1182
1183 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1184 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1185 ret = -ENOMEM;
1186 if (!newinfo)
1187 goto free_table;
1188
1189 p = vmalloc(repl->entries_size);
1190 if (!p)
1191 goto free_newinfo;
1192
1193 memcpy(p, repl->entries, repl->entries_size);
1194 newinfo->entries = p;
1195
1196 newinfo->entries_size = repl->entries_size;
1197 newinfo->nentries = repl->nentries;
1198
1199 if (countersize)
1200 memset(newinfo->counters, 0, countersize);
1201
1202
1203 newinfo->chainstack = NULL;
1204 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1205 if ((repl->valid_hooks & (1 << i)) == 0)
1206 newinfo->hook_entry[i] = NULL;
1207 else
1208 newinfo->hook_entry[i] = p +
1209 ((char *)repl->hook_entry[i] - repl->entries);
1210 }
1211 ret = translate_table(net, repl->name, newinfo);
1212 if (ret != 0) {
1213 BUGPRINT("Translate_table failed\n");
1214 goto free_chainstack;
1215 }
1216
1217 if (table->check && table->check(newinfo, table->valid_hooks)) {
1218 BUGPRINT("The table doesn't like its own initial data, lol\n");
1219 ret = -EINVAL;
1220 goto free_chainstack;
1221 }
1222
1223 table->private = newinfo;
1224 rwlock_init(&table->lock);
1225 mutex_lock(&ebt_mutex);
1226 list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) {
1227 if (strcmp(t->name, table->name) == 0) {
1228 ret = -EEXIST;
1229 BUGPRINT("Table name already exists\n");
1230 goto free_unlock;
1231 }
1232 }
1233
1234
1235 if (newinfo->nentries && !try_module_get(table->me)) {
1236 ret = -ENOENT;
1237 goto free_unlock;
1238 }
1239 list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]);
1240 mutex_unlock(&ebt_mutex);
1241 return table;
1242free_unlock:
1243 mutex_unlock(&ebt_mutex);
1244free_chainstack:
1245 if (newinfo->chainstack) {
1246 for_each_possible_cpu(i)
1247 vfree(newinfo->chainstack[i]);
1248 vfree(newinfo->chainstack);
1249 }
1250 vfree(newinfo->entries);
1251free_newinfo:
1252 vfree(newinfo);
1253free_table:
1254 kfree(table);
1255out:
1256 return ERR_PTR(ret);
1257}
1258
1259void ebt_unregister_table(struct net *net, struct ebt_table *table)
1260{
1261 int i;
1262
1263 if (!table) {
1264 BUGPRINT("Request to unregister NULL table!!!\n");
1265 return;
1266 }
1267 mutex_lock(&ebt_mutex);
1268 list_del(&table->list);
1269 mutex_unlock(&ebt_mutex);
1270 EBT_ENTRY_ITERATE(table->private->entries, table->private->entries_size,
1271 ebt_cleanup_entry, net, NULL);
1272 if (table->private->nentries)
1273 module_put(table->me);
1274 vfree(table->private->entries);
1275 if (table->private->chainstack) {
1276 for_each_possible_cpu(i)
1277 vfree(table->private->chainstack[i]);
1278 vfree(table->private->chainstack);
1279 }
1280 vfree(table->private);
1281 kfree(table);
1282}
1283
1284
1285static int do_update_counters(struct net *net, const char *name,
1286 struct ebt_counter __user *counters,
1287 unsigned int num_counters,
1288 const void __user *user, unsigned int len)
1289{
1290 int i, ret;
1291 struct ebt_counter *tmp;
1292 struct ebt_table *t;
1293
1294 if (num_counters == 0)
1295 return -EINVAL;
1296
1297 tmp = vmalloc(num_counters * sizeof(*tmp));
1298 if (!tmp)
1299 return -ENOMEM;
1300
1301 t = find_table_lock(net, name, &ret, &ebt_mutex);
1302 if (!t)
1303 goto free_tmp;
1304
1305 if (num_counters != t->private->nentries) {
1306 BUGPRINT("Wrong nr of counters\n");
1307 ret = -EINVAL;
1308 goto unlock_mutex;
1309 }
1310
1311 if (copy_from_user(tmp, counters, num_counters * sizeof(*counters))) {
1312 ret = -EFAULT;
1313 goto unlock_mutex;
1314 }
1315
1316
1317 write_lock_bh(&t->lock);
1318
1319
1320 for (i = 0; i < num_counters; i++) {
1321 t->private->counters[i].pcnt += tmp[i].pcnt;
1322 t->private->counters[i].bcnt += tmp[i].bcnt;
1323 }
1324
1325 write_unlock_bh(&t->lock);
1326 ret = 0;
1327unlock_mutex:
1328 mutex_unlock(&ebt_mutex);
1329free_tmp:
1330 vfree(tmp);
1331 return ret;
1332}
1333
1334static int update_counters(struct net *net, const void __user *user,
1335 unsigned int len)
1336{
1337 struct ebt_replace hlp;
1338
1339 if (copy_from_user(&hlp, user, sizeof(hlp)))
1340 return -EFAULT;
1341
1342 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1343 return -EINVAL;
1344
1345 return do_update_counters(net, hlp.name, hlp.counters,
1346 hlp.num_counters, user, len);
1347}
1348
1349static inline int ebt_obj_to_user(char __user *um, const char *_name,
1350 const char *data, int entrysize,
1351 int usersize, int datasize)
1352{
1353 char name[EBT_FUNCTION_MAXNAMELEN] = {0};
1354
1355
1356
1357
1358 strlcpy(name, _name, sizeof(name));
1359 if (copy_to_user(um, name, EBT_FUNCTION_MAXNAMELEN) ||
1360 put_user(datasize, (int __user *)(um + EBT_FUNCTION_MAXNAMELEN)) ||
1361 xt_data_to_user(um + entrysize, data, usersize, datasize))
1362 return -EFAULT;
1363
1364 return 0;
1365}
1366
1367static inline int ebt_match_to_user(const struct ebt_entry_match *m,
1368 const char *base, char __user *ubase)
1369{
1370 return ebt_obj_to_user(ubase + ((char *)m - base),
1371 m->u.match->name, m->data, sizeof(*m),
1372 m->u.match->usersize, m->match_size);
1373}
1374
1375static inline int ebt_watcher_to_user(const struct ebt_entry_watcher *w,
1376 const char *base, char __user *ubase)
1377{
1378 return ebt_obj_to_user(ubase + ((char *)w - base),
1379 w->u.watcher->name, w->data, sizeof(*w),
1380 w->u.watcher->usersize, w->watcher_size);
1381}
1382
1383static inline int ebt_entry_to_user(struct ebt_entry *e, const char *base,
1384 char __user *ubase)
1385{
1386 int ret;
1387 char __user *hlp;
1388 const struct ebt_entry_target *t;
1389
1390 if (e->bitmask == 0) {
1391
1392 if (copy_to_user(ubase + ((char *)e - base), e,
1393 sizeof(struct ebt_entries)))
1394 return -EFAULT;
1395 return 0;
1396 }
1397
1398 if (copy_to_user(ubase + ((char *)e - base), e, sizeof(*e)))
1399 return -EFAULT;
1400
1401 hlp = ubase + (((char *)e + e->target_offset) - base);
1402 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1403
1404 ret = EBT_MATCH_ITERATE(e, ebt_match_to_user, base, ubase);
1405 if (ret != 0)
1406 return ret;
1407 ret = EBT_WATCHER_ITERATE(e, ebt_watcher_to_user, base, ubase);
1408 if (ret != 0)
1409 return ret;
1410 ret = ebt_obj_to_user(hlp, t->u.target->name, t->data, sizeof(*t),
1411 t->u.target->usersize, t->target_size);
1412 if (ret != 0)
1413 return ret;
1414
1415 return 0;
1416}
1417
1418static int copy_counters_to_user(struct ebt_table *t,
1419 const struct ebt_counter *oldcounters,
1420 void __user *user, unsigned int num_counters,
1421 unsigned int nentries)
1422{
1423 struct ebt_counter *counterstmp;
1424 int ret = 0;
1425
1426
1427 if (num_counters == 0)
1428 return 0;
1429
1430 if (num_counters != nentries) {
1431 BUGPRINT("Num_counters wrong\n");
1432 return -EINVAL;
1433 }
1434
1435 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1436 if (!counterstmp)
1437 return -ENOMEM;
1438
1439 write_lock_bh(&t->lock);
1440 get_counters(oldcounters, counterstmp, nentries);
1441 write_unlock_bh(&t->lock);
1442
1443 if (copy_to_user(user, counterstmp,
1444 nentries * sizeof(struct ebt_counter)))
1445 ret = -EFAULT;
1446 vfree(counterstmp);
1447 return ret;
1448}
1449
1450
1451static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1452 const int *len, int cmd)
1453{
1454 struct ebt_replace tmp;
1455 const struct ebt_counter *oldcounters;
1456 unsigned int entries_size, nentries;
1457 int ret;
1458 char *entries;
1459
1460 if (cmd == EBT_SO_GET_ENTRIES) {
1461 entries_size = t->private->entries_size;
1462 nentries = t->private->nentries;
1463 entries = t->private->entries;
1464 oldcounters = t->private->counters;
1465 } else {
1466 entries_size = t->table->entries_size;
1467 nentries = t->table->nentries;
1468 entries = t->table->entries;
1469 oldcounters = t->table->counters;
1470 }
1471
1472 if (copy_from_user(&tmp, user, sizeof(tmp)))
1473 return -EFAULT;
1474
1475 if (*len != sizeof(struct ebt_replace) + entries_size +
1476 (tmp.num_counters ? nentries * sizeof(struct ebt_counter) : 0))
1477 return -EINVAL;
1478
1479 if (tmp.nentries != nentries) {
1480 BUGPRINT("Nentries wrong\n");
1481 return -EINVAL;
1482 }
1483
1484 if (tmp.entries_size != entries_size) {
1485 BUGPRINT("Wrong size\n");
1486 return -EINVAL;
1487 }
1488
1489 ret = copy_counters_to_user(t, oldcounters, tmp.counters,
1490 tmp.num_counters, nentries);
1491 if (ret)
1492 return ret;
1493
1494
1495 return EBT_ENTRY_ITERATE(entries, entries_size,
1496 ebt_entry_to_user, entries, tmp.entries);
1497}
1498
1499static int do_ebt_set_ctl(struct sock *sk,
1500 int cmd, void __user *user, unsigned int len)
1501{
1502 int ret;
1503 struct net *net = sock_net(sk);
1504
1505 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
1506 return -EPERM;
1507
1508 switch (cmd) {
1509 case EBT_SO_SET_ENTRIES:
1510 ret = do_replace(net, user, len);
1511 break;
1512 case EBT_SO_SET_COUNTERS:
1513 ret = update_counters(net, user, len);
1514 break;
1515 default:
1516 ret = -EINVAL;
1517 }
1518 return ret;
1519}
1520
1521static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1522{
1523 int ret;
1524 struct ebt_replace tmp;
1525 struct ebt_table *t;
1526 struct net *net = sock_net(sk);
1527
1528 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
1529 return -EPERM;
1530
1531 if (copy_from_user(&tmp, user, sizeof(tmp)))
1532 return -EFAULT;
1533
1534 tmp.name[sizeof(tmp.name) - 1] = '\0';
1535
1536 t = find_table_lock(net, tmp.name, &ret, &ebt_mutex);
1537 if (!t)
1538 return ret;
1539
1540 switch (cmd) {
1541 case EBT_SO_GET_INFO:
1542 case EBT_SO_GET_INIT_INFO:
1543 if (*len != sizeof(struct ebt_replace)) {
1544 ret = -EINVAL;
1545 mutex_unlock(&ebt_mutex);
1546 break;
1547 }
1548 if (cmd == EBT_SO_GET_INFO) {
1549 tmp.nentries = t->private->nentries;
1550 tmp.entries_size = t->private->entries_size;
1551 tmp.valid_hooks = t->valid_hooks;
1552 } else {
1553 tmp.nentries = t->table->nentries;
1554 tmp.entries_size = t->table->entries_size;
1555 tmp.valid_hooks = t->table->valid_hooks;
1556 }
1557 mutex_unlock(&ebt_mutex);
1558 if (copy_to_user(user, &tmp, *len) != 0) {
1559 BUGPRINT("c2u Didn't work\n");
1560 ret = -EFAULT;
1561 break;
1562 }
1563 ret = 0;
1564 break;
1565
1566 case EBT_SO_GET_ENTRIES:
1567 case EBT_SO_GET_INIT_ENTRIES:
1568 ret = copy_everything_to_user(t, user, len, cmd);
1569 mutex_unlock(&ebt_mutex);
1570 break;
1571
1572 default:
1573 mutex_unlock(&ebt_mutex);
1574 ret = -EINVAL;
1575 }
1576
1577 return ret;
1578}
1579
1580#ifdef CONFIG_COMPAT
1581
1582struct compat_ebt_replace {
1583 char name[EBT_TABLE_MAXNAMELEN];
1584 compat_uint_t valid_hooks;
1585 compat_uint_t nentries;
1586 compat_uint_t entries_size;
1587
1588 compat_uptr_t hook_entry[NF_BR_NUMHOOKS];
1589
1590 compat_uint_t num_counters;
1591
1592 compat_uptr_t counters;
1593 compat_uptr_t entries;
1594};
1595
1596
1597struct compat_ebt_entry_mwt {
1598 union {
1599 char name[EBT_FUNCTION_MAXNAMELEN];
1600 compat_uptr_t ptr;
1601 } u;
1602 compat_uint_t match_size;
1603 compat_uint_t data[0];
1604};
1605
1606
1607static int ebt_compat_entry_padsize(void)
1608{
1609 BUILD_BUG_ON(XT_ALIGN(sizeof(struct ebt_entry_match)) <
1610 COMPAT_XT_ALIGN(sizeof(struct compat_ebt_entry_mwt)));
1611 return (int) XT_ALIGN(sizeof(struct ebt_entry_match)) -
1612 COMPAT_XT_ALIGN(sizeof(struct compat_ebt_entry_mwt));
1613}
1614
1615static int ebt_compat_match_offset(const struct xt_match *match,
1616 unsigned int userlen)
1617{
1618
1619
1620
1621
1622
1623 if (unlikely(match->matchsize == -1))
1624 return XT_ALIGN(userlen) - COMPAT_XT_ALIGN(userlen);
1625 return xt_compat_match_offset(match);
1626}
1627
1628static int compat_match_to_user(struct ebt_entry_match *m, void __user **dstptr,
1629 unsigned int *size)
1630{
1631 const struct xt_match *match = m->u.match;
1632 struct compat_ebt_entry_mwt __user *cm = *dstptr;
1633 int off = ebt_compat_match_offset(match, m->match_size);
1634 compat_uint_t msize = m->match_size - off;
1635
1636 BUG_ON(off >= m->match_size);
1637
1638 if (copy_to_user(cm->u.name, match->name,
1639 strlen(match->name) + 1) || put_user(msize, &cm->match_size))
1640 return -EFAULT;
1641
1642 if (match->compat_to_user) {
1643 if (match->compat_to_user(cm->data, m->data))
1644 return -EFAULT;
1645 } else {
1646 if (xt_data_to_user(cm->data, m->data, match->usersize, msize))
1647 return -EFAULT;
1648 }
1649
1650 *size -= ebt_compat_entry_padsize() + off;
1651 *dstptr = cm->data;
1652 *dstptr += msize;
1653 return 0;
1654}
1655
1656static int compat_target_to_user(struct ebt_entry_target *t,
1657 void __user **dstptr,
1658 unsigned int *size)
1659{
1660 const struct xt_target *target = t->u.target;
1661 struct compat_ebt_entry_mwt __user *cm = *dstptr;
1662 int off = xt_compat_target_offset(target);
1663 compat_uint_t tsize = t->target_size - off;
1664
1665 BUG_ON(off >= t->target_size);
1666
1667 if (copy_to_user(cm->u.name, target->name,
1668 strlen(target->name) + 1) || put_user(tsize, &cm->match_size))
1669 return -EFAULT;
1670
1671 if (target->compat_to_user) {
1672 if (target->compat_to_user(cm->data, t->data))
1673 return -EFAULT;
1674 } else {
1675 if (xt_data_to_user(cm->data, t->data, target->usersize, tsize))
1676 return -EFAULT;
1677 }
1678
1679 *size -= ebt_compat_entry_padsize() + off;
1680 *dstptr = cm->data;
1681 *dstptr += tsize;
1682 return 0;
1683}
1684
1685static int compat_watcher_to_user(struct ebt_entry_watcher *w,
1686 void __user **dstptr,
1687 unsigned int *size)
1688{
1689 return compat_target_to_user((struct ebt_entry_target *)w,
1690 dstptr, size);
1691}
1692
1693static int compat_copy_entry_to_user(struct ebt_entry *e, void __user **dstptr,
1694 unsigned int *size)
1695{
1696 struct ebt_entry_target *t;
1697 struct ebt_entry __user *ce;
1698 u32 watchers_offset, target_offset, next_offset;
1699 compat_uint_t origsize;
1700 int ret;
1701
1702 if (e->bitmask == 0) {
1703 if (*size < sizeof(struct ebt_entries))
1704 return -EINVAL;
1705 if (copy_to_user(*dstptr, e, sizeof(struct ebt_entries)))
1706 return -EFAULT;
1707
1708 *dstptr += sizeof(struct ebt_entries);
1709 *size -= sizeof(struct ebt_entries);
1710 return 0;
1711 }
1712
1713 if (*size < sizeof(*ce))
1714 return -EINVAL;
1715
1716 ce = (struct ebt_entry __user *)*dstptr;
1717 if (copy_to_user(ce, e, sizeof(*ce)))
1718 return -EFAULT;
1719
1720 origsize = *size;
1721 *dstptr += sizeof(*ce);
1722
1723 ret = EBT_MATCH_ITERATE(e, compat_match_to_user, dstptr, size);
1724 if (ret)
1725 return ret;
1726 watchers_offset = e->watchers_offset - (origsize - *size);
1727
1728 ret = EBT_WATCHER_ITERATE(e, compat_watcher_to_user, dstptr, size);
1729 if (ret)
1730 return ret;
1731 target_offset = e->target_offset - (origsize - *size);
1732
1733 t = (struct ebt_entry_target *) ((char *) e + e->target_offset);
1734
1735 ret = compat_target_to_user(t, dstptr, size);
1736 if (ret)
1737 return ret;
1738 next_offset = e->next_offset - (origsize - *size);
1739
1740 if (put_user(watchers_offset, &ce->watchers_offset) ||
1741 put_user(target_offset, &ce->target_offset) ||
1742 put_user(next_offset, &ce->next_offset))
1743 return -EFAULT;
1744
1745 *size -= sizeof(*ce);
1746 return 0;
1747}
1748
1749static int compat_calc_match(struct ebt_entry_match *m, int *off)
1750{
1751 *off += ebt_compat_match_offset(m->u.match, m->match_size);
1752 *off += ebt_compat_entry_padsize();
1753 return 0;
1754}
1755
1756static int compat_calc_watcher(struct ebt_entry_watcher *w, int *off)
1757{
1758 *off += xt_compat_target_offset(w->u.watcher);
1759 *off += ebt_compat_entry_padsize();
1760 return 0;
1761}
1762
1763static int compat_calc_entry(const struct ebt_entry *e,
1764 const struct ebt_table_info *info,
1765 const void *base,
1766 struct compat_ebt_replace *newinfo)
1767{
1768 const struct ebt_entry_target *t;
1769 unsigned int entry_offset;
1770 int off, ret, i;
1771
1772 if (e->bitmask == 0)
1773 return 0;
1774
1775 off = 0;
1776 entry_offset = (void *)e - base;
1777
1778 EBT_MATCH_ITERATE(e, compat_calc_match, &off);
1779 EBT_WATCHER_ITERATE(e, compat_calc_watcher, &off);
1780
1781 t = (const struct ebt_entry_target *) ((char *) e + e->target_offset);
1782
1783 off += xt_compat_target_offset(t->u.target);
1784 off += ebt_compat_entry_padsize();
1785
1786 newinfo->entries_size -= off;
1787
1788 ret = xt_compat_add_offset(NFPROTO_BRIDGE, entry_offset, off);
1789 if (ret)
1790 return ret;
1791
1792 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1793 const void *hookptr = info->hook_entry[i];
1794 if (info->hook_entry[i] &&
1795 (e < (struct ebt_entry *)(base - hookptr))) {
1796 newinfo->hook_entry[i] -= off;
1797 pr_debug("0x%08X -> 0x%08X\n",
1798 newinfo->hook_entry[i] + off,
1799 newinfo->hook_entry[i]);
1800 }
1801 }
1802
1803 return 0;
1804}
1805
1806
1807static int compat_table_info(const struct ebt_table_info *info,
1808 struct compat_ebt_replace *newinfo)
1809{
1810 unsigned int size = info->entries_size;
1811 const void *entries = info->entries;
1812
1813 newinfo->entries_size = size;
1814
1815 xt_compat_init_offsets(NFPROTO_BRIDGE, info->nentries);
1816 return EBT_ENTRY_ITERATE(entries, size, compat_calc_entry, info,
1817 entries, newinfo);
1818}
1819
1820static int compat_copy_everything_to_user(struct ebt_table *t,
1821 void __user *user, int *len, int cmd)
1822{
1823 struct compat_ebt_replace repl, tmp;
1824 struct ebt_counter *oldcounters;
1825 struct ebt_table_info tinfo;
1826 int ret;
1827 void __user *pos;
1828
1829 memset(&tinfo, 0, sizeof(tinfo));
1830
1831 if (cmd == EBT_SO_GET_ENTRIES) {
1832 tinfo.entries_size = t->private->entries_size;
1833 tinfo.nentries = t->private->nentries;
1834 tinfo.entries = t->private->entries;
1835 oldcounters = t->private->counters;
1836 } else {
1837 tinfo.entries_size = t->table->entries_size;
1838 tinfo.nentries = t->table->nentries;
1839 tinfo.entries = t->table->entries;
1840 oldcounters = t->table->counters;
1841 }
1842
1843 if (copy_from_user(&tmp, user, sizeof(tmp)))
1844 return -EFAULT;
1845
1846 if (tmp.nentries != tinfo.nentries ||
1847 (tmp.num_counters && tmp.num_counters != tinfo.nentries))
1848 return -EINVAL;
1849
1850 memcpy(&repl, &tmp, sizeof(repl));
1851 if (cmd == EBT_SO_GET_ENTRIES)
1852 ret = compat_table_info(t->private, &repl);
1853 else
1854 ret = compat_table_info(&tinfo, &repl);
1855 if (ret)
1856 return ret;
1857
1858 if (*len != sizeof(tmp) + repl.entries_size +
1859 (tmp.num_counters? tinfo.nentries * sizeof(struct ebt_counter): 0)) {
1860 pr_err("wrong size: *len %d, entries_size %u, replsz %d\n",
1861 *len, tinfo.entries_size, repl.entries_size);
1862 return -EINVAL;
1863 }
1864
1865
1866 ret = copy_counters_to_user(t, oldcounters, compat_ptr(tmp.counters),
1867 tmp.num_counters, tinfo.nentries);
1868 if (ret)
1869 return ret;
1870
1871 pos = compat_ptr(tmp.entries);
1872 return EBT_ENTRY_ITERATE(tinfo.entries, tinfo.entries_size,
1873 compat_copy_entry_to_user, &pos, &tmp.entries_size);
1874}
1875
1876struct ebt_entries_buf_state {
1877 char *buf_kern_start;
1878 u32 buf_kern_len;
1879 u32 buf_kern_offset;
1880 u32 buf_user_offset;
1881};
1882
1883static int ebt_buf_count(struct ebt_entries_buf_state *state, unsigned int sz)
1884{
1885 state->buf_kern_offset += sz;
1886 return state->buf_kern_offset >= sz ? 0 : -EINVAL;
1887}
1888
1889static int ebt_buf_add(struct ebt_entries_buf_state *state,
1890 void *data, unsigned int sz)
1891{
1892 if (state->buf_kern_start == NULL)
1893 goto count_only;
1894
1895 BUG_ON(state->buf_kern_offset + sz > state->buf_kern_len);
1896
1897 memcpy(state->buf_kern_start + state->buf_kern_offset, data, sz);
1898
1899 count_only:
1900 state->buf_user_offset += sz;
1901 return ebt_buf_count(state, sz);
1902}
1903
1904static int ebt_buf_add_pad(struct ebt_entries_buf_state *state, unsigned int sz)
1905{
1906 char *b = state->buf_kern_start;
1907
1908 BUG_ON(b && state->buf_kern_offset > state->buf_kern_len);
1909
1910 if (b != NULL && sz > 0)
1911 memset(b + state->buf_kern_offset, 0, sz);
1912
1913 return ebt_buf_count(state, sz);
1914}
1915
1916enum compat_mwt {
1917 EBT_COMPAT_MATCH,
1918 EBT_COMPAT_WATCHER,
1919 EBT_COMPAT_TARGET,
1920};
1921
1922static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
1923 enum compat_mwt compat_mwt,
1924 struct ebt_entries_buf_state *state,
1925 const unsigned char *base)
1926{
1927 char name[EBT_FUNCTION_MAXNAMELEN];
1928 struct xt_match *match;
1929 struct xt_target *wt;
1930 void *dst = NULL;
1931 int off, pad = 0;
1932 unsigned int size_kern, match_size = mwt->match_size;
1933
1934 strlcpy(name, mwt->u.name, sizeof(name));
1935
1936 if (state->buf_kern_start)
1937 dst = state->buf_kern_start + state->buf_kern_offset;
1938
1939 switch (compat_mwt) {
1940 case EBT_COMPAT_MATCH:
1941 match = xt_request_find_match(NFPROTO_BRIDGE, name, 0);
1942 if (IS_ERR(match))
1943 return PTR_ERR(match);
1944
1945 off = ebt_compat_match_offset(match, match_size);
1946 if (dst) {
1947 if (match->compat_from_user)
1948 match->compat_from_user(dst, mwt->data);
1949 else
1950 memcpy(dst, mwt->data, match_size);
1951 }
1952
1953 size_kern = match->matchsize;
1954 if (unlikely(size_kern == -1))
1955 size_kern = match_size;
1956 module_put(match->me);
1957 break;
1958 case EBT_COMPAT_WATCHER:
1959 case EBT_COMPAT_TARGET:
1960 wt = xt_request_find_target(NFPROTO_BRIDGE, name, 0);
1961 if (IS_ERR(wt))
1962 return PTR_ERR(wt);
1963 off = xt_compat_target_offset(wt);
1964
1965 if (dst) {
1966 if (wt->compat_from_user)
1967 wt->compat_from_user(dst, mwt->data);
1968 else
1969 memcpy(dst, mwt->data, match_size);
1970 }
1971
1972 size_kern = wt->targetsize;
1973 module_put(wt->me);
1974 break;
1975
1976 default:
1977 return -EINVAL;
1978 }
1979
1980 state->buf_kern_offset += match_size + off;
1981 state->buf_user_offset += match_size;
1982 pad = XT_ALIGN(size_kern) - size_kern;
1983
1984 if (pad > 0 && dst) {
1985 BUG_ON(state->buf_kern_len <= pad);
1986 BUG_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad);
1987 memset(dst + size_kern, 0, pad);
1988 }
1989 return off + match_size;
1990}
1991
1992
1993
1994
1995static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
1996 unsigned int size_left, enum compat_mwt type,
1997 struct ebt_entries_buf_state *state, const void *base)
1998{
1999 int growth = 0;
2000 char *buf;
2001
2002 if (size_left == 0)
2003 return 0;
2004
2005 buf = (char *) match32;
2006
2007 while (size_left >= sizeof(*match32)) {
2008 struct ebt_entry_match *match_kern;
2009 int ret;
2010
2011 match_kern = (struct ebt_entry_match *) state->buf_kern_start;
2012 if (match_kern) {
2013 char *tmp;
2014 tmp = state->buf_kern_start + state->buf_kern_offset;
2015 match_kern = (struct ebt_entry_match *) tmp;
2016 }
2017 ret = ebt_buf_add(state, buf, sizeof(*match32));
2018 if (ret < 0)
2019 return ret;
2020 size_left -= sizeof(*match32);
2021
2022
2023 ret = ebt_buf_add_pad(state, ebt_compat_entry_padsize());
2024 if (ret < 0)
2025 return ret;
2026
2027 if (match32->match_size > size_left)
2028 return -EINVAL;
2029
2030 size_left -= match32->match_size;
2031
2032 ret = compat_mtw_from_user(match32, type, state, base);
2033 if (ret < 0)
2034 return ret;
2035
2036 BUG_ON(ret < match32->match_size);
2037 growth += ret - match32->match_size;
2038 growth += ebt_compat_entry_padsize();
2039
2040 buf += sizeof(*match32);
2041 buf += match32->match_size;
2042
2043 if (match_kern)
2044 match_kern->match_size = ret;
2045
2046 WARN_ON(type == EBT_COMPAT_TARGET && size_left);
2047 match32 = (struct compat_ebt_entry_mwt *) buf;
2048 }
2049
2050 return growth;
2051}
2052
2053
2054static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
2055 unsigned int *total,
2056 struct ebt_entries_buf_state *state)
2057{
2058 unsigned int i, j, startoff, new_offset = 0;
2059
2060 unsigned int offsets[4];
2061 unsigned int *offsets_update = NULL;
2062 int ret;
2063 char *buf_start;
2064
2065 if (*total < sizeof(struct ebt_entries))
2066 return -EINVAL;
2067
2068 if (!entry->bitmask) {
2069 *total -= sizeof(struct ebt_entries);
2070 return ebt_buf_add(state, entry, sizeof(struct ebt_entries));
2071 }
2072 if (*total < sizeof(*entry) || entry->next_offset < sizeof(*entry))
2073 return -EINVAL;
2074
2075 startoff = state->buf_user_offset;
2076
2077 ret = ebt_buf_add(state, entry,
2078 offsetof(struct ebt_entry, watchers_offset));
2079 if (ret < 0)
2080 return ret;
2081
2082 offsets[0] = sizeof(struct ebt_entry);
2083 memcpy(&offsets[1], &entry->watchers_offset,
2084 sizeof(offsets) - sizeof(offsets[0]));
2085
2086 if (state->buf_kern_start) {
2087 buf_start = state->buf_kern_start + state->buf_kern_offset;
2088 offsets_update = (unsigned int *) buf_start;
2089 }
2090 ret = ebt_buf_add(state, &offsets[1],
2091 sizeof(offsets) - sizeof(offsets[0]));
2092 if (ret < 0)
2093 return ret;
2094 buf_start = (char *) entry;
2095
2096
2097
2098
2099
2100
2101
2102 for (i = 0, j = 1 ; j < 4 ; j++, i++) {
2103 struct compat_ebt_entry_mwt *match32;
2104 unsigned int size;
2105 char *buf = buf_start;
2106
2107 buf = buf_start + offsets[i];
2108 if (offsets[i] > offsets[j])
2109 return -EINVAL;
2110
2111 match32 = (struct compat_ebt_entry_mwt *) buf;
2112 size = offsets[j] - offsets[i];
2113 ret = ebt_size_mwt(match32, size, i, state, base);
2114 if (ret < 0)
2115 return ret;
2116 new_offset += ret;
2117 if (offsets_update && new_offset) {
2118 pr_debug("change offset %d to %d\n",
2119 offsets_update[i], offsets[j] + new_offset);
2120 offsets_update[i] = offsets[j] + new_offset;
2121 }
2122 }
2123
2124 if (state->buf_kern_start == NULL) {
2125 unsigned int offset = buf_start - (char *) base;
2126
2127 ret = xt_compat_add_offset(NFPROTO_BRIDGE, offset, new_offset);
2128 if (ret < 0)
2129 return ret;
2130 }
2131
2132 startoff = state->buf_user_offset - startoff;
2133
2134 BUG_ON(*total < startoff);
2135 *total -= startoff;
2136 return 0;
2137}
2138
2139
2140
2141
2142
2143
2144
2145static int compat_copy_entries(unsigned char *data, unsigned int size_user,
2146 struct ebt_entries_buf_state *state)
2147{
2148 unsigned int size_remaining = size_user;
2149 int ret;
2150
2151 ret = EBT_ENTRY_ITERATE(data, size_user, size_entry_mwt, data,
2152 &size_remaining, state);
2153 if (ret < 0)
2154 return ret;
2155
2156 WARN_ON(size_remaining);
2157 return state->buf_kern_offset;
2158}
2159
2160
2161static int compat_copy_ebt_replace_from_user(struct ebt_replace *repl,
2162 void __user *user, unsigned int len)
2163{
2164 struct compat_ebt_replace tmp;
2165 int i;
2166
2167 if (len < sizeof(tmp))
2168 return -EINVAL;
2169
2170 if (copy_from_user(&tmp, user, sizeof(tmp)))
2171 return -EFAULT;
2172
2173 if (len != sizeof(tmp) + tmp.entries_size)
2174 return -EINVAL;
2175
2176 if (tmp.entries_size == 0)
2177 return -EINVAL;
2178
2179 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) /
2180 NR_CPUS - SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
2181 return -ENOMEM;
2182 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
2183 return -ENOMEM;
2184
2185 memcpy(repl, &tmp, offsetof(struct ebt_replace, hook_entry));
2186
2187
2188 for (i = 0; i < NF_BR_NUMHOOKS; i++)
2189 repl->hook_entry[i] = compat_ptr(tmp.hook_entry[i]);
2190
2191 repl->num_counters = tmp.num_counters;
2192 repl->counters = compat_ptr(tmp.counters);
2193 repl->entries = compat_ptr(tmp.entries);
2194 return 0;
2195}
2196
2197static int compat_do_replace(struct net *net, void __user *user,
2198 unsigned int len)
2199{
2200 int ret, i, countersize, size64;
2201 struct ebt_table_info *newinfo;
2202 struct ebt_replace tmp;
2203 struct ebt_entries_buf_state state;
2204 void *entries_tmp;
2205
2206 ret = compat_copy_ebt_replace_from_user(&tmp, user, len);
2207 if (ret) {
2208
2209 if (ret == -EINVAL && do_replace(net, user, len) == 0)
2210 ret = 0;
2211 return ret;
2212 }
2213
2214 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
2215 newinfo = vmalloc(sizeof(*newinfo) + countersize);
2216 if (!newinfo)
2217 return -ENOMEM;
2218
2219 if (countersize)
2220 memset(newinfo->counters, 0, countersize);
2221
2222 memset(&state, 0, sizeof(state));
2223
2224 newinfo->entries = vmalloc(tmp.entries_size);
2225 if (!newinfo->entries) {
2226 ret = -ENOMEM;
2227 goto free_newinfo;
2228 }
2229 if (copy_from_user(
2230 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
2231 ret = -EFAULT;
2232 goto free_entries;
2233 }
2234
2235 entries_tmp = newinfo->entries;
2236
2237 xt_compat_lock(NFPROTO_BRIDGE);
2238
2239 xt_compat_init_offsets(NFPROTO_BRIDGE, tmp.nentries);
2240 ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
2241 if (ret < 0)
2242 goto out_unlock;
2243
2244 pr_debug("tmp.entries_size %d, kern off %d, user off %d delta %d\n",
2245 tmp.entries_size, state.buf_kern_offset, state.buf_user_offset,
2246 xt_compat_calc_jump(NFPROTO_BRIDGE, tmp.entries_size));
2247
2248 size64 = ret;
2249 newinfo->entries = vmalloc(size64);
2250 if (!newinfo->entries) {
2251 vfree(entries_tmp);
2252 ret = -ENOMEM;
2253 goto out_unlock;
2254 }
2255
2256 memset(&state, 0, sizeof(state));
2257 state.buf_kern_start = newinfo->entries;
2258 state.buf_kern_len = size64;
2259
2260 ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
2261 BUG_ON(ret < 0);
2262
2263 vfree(entries_tmp);
2264 tmp.entries_size = size64;
2265
2266 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
2267 char __user *usrptr;
2268 if (tmp.hook_entry[i]) {
2269 unsigned int delta;
2270 usrptr = (char __user *) tmp.hook_entry[i];
2271 delta = usrptr - tmp.entries;
2272 usrptr += xt_compat_calc_jump(NFPROTO_BRIDGE, delta);
2273 tmp.hook_entry[i] = (struct ebt_entries __user *)usrptr;
2274 }
2275 }
2276
2277 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2278 xt_compat_unlock(NFPROTO_BRIDGE);
2279
2280 ret = do_replace_finish(net, &tmp, newinfo);
2281 if (ret == 0)
2282 return ret;
2283free_entries:
2284 vfree(newinfo->entries);
2285free_newinfo:
2286 vfree(newinfo);
2287 return ret;
2288out_unlock:
2289 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2290 xt_compat_unlock(NFPROTO_BRIDGE);
2291 goto free_entries;
2292}
2293
2294static int compat_update_counters(struct net *net, void __user *user,
2295 unsigned int len)
2296{
2297 struct compat_ebt_replace hlp;
2298
2299 if (copy_from_user(&hlp, user, sizeof(hlp)))
2300 return -EFAULT;
2301
2302
2303 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
2304 return update_counters(net, user, len);
2305
2306 return do_update_counters(net, hlp.name, compat_ptr(hlp.counters),
2307 hlp.num_counters, user, len);
2308}
2309
2310static int compat_do_ebt_set_ctl(struct sock *sk,
2311 int cmd, void __user *user, unsigned int len)
2312{
2313 int ret;
2314 struct net *net = sock_net(sk);
2315
2316 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
2317 return -EPERM;
2318
2319 switch (cmd) {
2320 case EBT_SO_SET_ENTRIES:
2321 ret = compat_do_replace(net, user, len);
2322 break;
2323 case EBT_SO_SET_COUNTERS:
2324 ret = compat_update_counters(net, user, len);
2325 break;
2326 default:
2327 ret = -EINVAL;
2328 }
2329 return ret;
2330}
2331
2332static int compat_do_ebt_get_ctl(struct sock *sk, int cmd,
2333 void __user *user, int *len)
2334{
2335 int ret;
2336 struct compat_ebt_replace tmp;
2337 struct ebt_table *t;
2338 struct net *net = sock_net(sk);
2339
2340 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
2341 return -EPERM;
2342
2343
2344 if ((cmd == EBT_SO_GET_INFO ||
2345 cmd == EBT_SO_GET_INIT_INFO) && *len != sizeof(tmp))
2346 return do_ebt_get_ctl(sk, cmd, user, len);
2347
2348 if (copy_from_user(&tmp, user, sizeof(tmp)))
2349 return -EFAULT;
2350
2351 tmp.name[sizeof(tmp.name) - 1] = '\0';
2352
2353 t = find_table_lock(net, tmp.name, &ret, &ebt_mutex);
2354 if (!t)
2355 return ret;
2356
2357 xt_compat_lock(NFPROTO_BRIDGE);
2358 switch (cmd) {
2359 case EBT_SO_GET_INFO:
2360 tmp.nentries = t->private->nentries;
2361 ret = compat_table_info(t->private, &tmp);
2362 if (ret)
2363 goto out;
2364 tmp.valid_hooks = t->valid_hooks;
2365
2366 if (copy_to_user(user, &tmp, *len) != 0) {
2367 ret = -EFAULT;
2368 break;
2369 }
2370 ret = 0;
2371 break;
2372 case EBT_SO_GET_INIT_INFO:
2373 tmp.nentries = t->table->nentries;
2374 tmp.entries_size = t->table->entries_size;
2375 tmp.valid_hooks = t->table->valid_hooks;
2376
2377 if (copy_to_user(user, &tmp, *len) != 0) {
2378 ret = -EFAULT;
2379 break;
2380 }
2381 ret = 0;
2382 break;
2383 case EBT_SO_GET_ENTRIES:
2384 case EBT_SO_GET_INIT_ENTRIES:
2385
2386
2387
2388
2389
2390
2391
2392
2393 if (copy_everything_to_user(t, user, len, cmd) == 0)
2394 ret = 0;
2395 else
2396 ret = compat_copy_everything_to_user(t, user, len, cmd);
2397 break;
2398 default:
2399 ret = -EINVAL;
2400 }
2401 out:
2402 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2403 xt_compat_unlock(NFPROTO_BRIDGE);
2404 mutex_unlock(&ebt_mutex);
2405 return ret;
2406}
2407#endif
2408
2409static struct nf_sockopt_ops ebt_sockopts = {
2410 .pf = PF_INET,
2411 .set_optmin = EBT_BASE_CTL,
2412 .set_optmax = EBT_SO_SET_MAX + 1,
2413 .set = do_ebt_set_ctl,
2414#ifdef CONFIG_COMPAT
2415 .compat_set = compat_do_ebt_set_ctl,
2416#endif
2417 .get_optmin = EBT_BASE_CTL,
2418 .get_optmax = EBT_SO_GET_MAX + 1,
2419 .get = do_ebt_get_ctl,
2420#ifdef CONFIG_COMPAT
2421 .compat_get = compat_do_ebt_get_ctl,
2422#endif
2423 .owner = THIS_MODULE,
2424};
2425
2426static int __init ebtables_init(void)
2427{
2428 int ret;
2429
2430 ret = xt_register_target(&ebt_standard_target);
2431 if (ret < 0)
2432 return ret;
2433 ret = nf_register_sockopt(&ebt_sockopts);
2434 if (ret < 0) {
2435 xt_unregister_target(&ebt_standard_target);
2436 return ret;
2437 }
2438
2439 printk(KERN_INFO "Ebtables v2.0 registered\n");
2440 return 0;
2441}
2442
2443static void __exit ebtables_fini(void)
2444{
2445 nf_unregister_sockopt(&ebt_sockopts);
2446 xt_unregister_target(&ebt_standard_target);
2447 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
2448}
2449
2450EXPORT_SYMBOL(ebt_register_table);
2451EXPORT_SYMBOL(ebt_unregister_table);
2452EXPORT_SYMBOL(ebt_do_table);
2453module_init(ebtables_init);
2454module_exit(ebtables_fini);
2455MODULE_LICENSE("GPL");
2456
