1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
18#include <linux/kmod.h>
19#include <linux/module.h>
20#include <linux/vmalloc.h>
21#include <linux/netfilter/x_tables.h>
22#include <linux/netfilter_bridge/ebtables.h>
23#include <linux/spinlock.h>
24#include <linux/mutex.h>
25#include <linux/slab.h>
26#include <linux/uaccess.h>
27#include <linux/smp.h>
28#include <linux/cpumask.h>
29#include <linux/audit.h>
30#include <net/sock.h>
31
32#include "../br_private.h"
33
34#define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
35 "report to author: "format, ## args)
36
37
38
39
40
41
42
43
44
45#define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
46#define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
47#define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
48 COUNTER_OFFSET(n) * cpu))
49
50
51
52static DEFINE_MUTEX(ebt_mutex);
53
54#ifdef CONFIG_COMPAT
55static void ebt_standard_compat_from_user(void *dst, const void *src)
56{
57 int v = *(compat_int_t *)src;
58
59 if (v >= 0)
60 v += xt_compat_calc_jump(NFPROTO_BRIDGE, v);
61 memcpy(dst, &v, sizeof(v));
62}
63
64static int ebt_standard_compat_to_user(void __user *dst, const void *src)
65{
66 compat_int_t cv = *(int *)src;
67
68 if (cv >= 0)
69 cv -= xt_compat_calc_jump(NFPROTO_BRIDGE, cv);
70 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
71}
72#endif
73
74
75static struct xt_target ebt_standard_target = {
76 .name = "standard",
77 .revision = 0,
78 .family = NFPROTO_BRIDGE,
79 .targetsize = sizeof(int),
80#ifdef CONFIG_COMPAT
81 .compatsize = sizeof(compat_int_t),
82 .compat_from_user = ebt_standard_compat_from_user,
83 .compat_to_user = ebt_standard_compat_to_user,
84#endif
85};
86
87static inline int
88ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
89 struct xt_action_param *par)
90{
91 par->target = w->u.watcher;
92 par->targinfo = w->data;
93 w->u.watcher->target(skb, par);
94
95 return 0;
96}
97
98static inline int
99ebt_do_match(struct ebt_entry_match *m, const struct sk_buff *skb,
100 struct xt_action_param *par)
101{
102 par->match = m->u.match;
103 par->matchinfo = m->data;
104 return !m->u.match->match(skb, par);
105}
106
107static inline int
108ebt_dev_check(const char *entry, const struct net_device *device)
109{
110 int i = 0;
111 const char *devname;
112
113 if (*entry == '\0')
114 return 0;
115 if (!device)
116 return 1;
117 devname = device->name;
118
119 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
120 i++;
121 return devname[i] != entry[i] && entry[i] != 1;
122}
123
124
125static inline int
126ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb,
127 const struct net_device *in, const struct net_device *out)
128{
129 const struct ethhdr *h = eth_hdr(skb);
130 const struct net_bridge_port *p;
131 __be16 ethproto;
132
133 if (skb_vlan_tag_present(skb))
134 ethproto = htons(ETH_P_8021Q);
135 else
136 ethproto = h->h_proto;
137
138 if (e->bitmask & EBT_802_3) {
139 if (NF_INVF(e, EBT_IPROTO, eth_proto_is_802_3(ethproto)))
140 return 1;
141 } else if (!(e->bitmask & EBT_NOPROTO) &&
142 NF_INVF(e, EBT_IPROTO, e->ethproto != ethproto))
143 return 1;
144
145 if (NF_INVF(e, EBT_IIN, ebt_dev_check(e->in, in)))
146 return 1;
147 if (NF_INVF(e, EBT_IOUT, ebt_dev_check(e->out, out)))
148 return 1;
149
150 if (in && (p = br_port_get_rcu(in)) != NULL &&
151 NF_INVF(e, EBT_ILOGICALIN,
152 ebt_dev_check(e->logical_in, p->br->dev)))
153 return 1;
154 if (out && (p = br_port_get_rcu(out)) != NULL &&
155 NF_INVF(e, EBT_ILOGICALOUT,
156 ebt_dev_check(e->logical_out, p->br->dev)))
157 return 1;
158
159 if (e->bitmask & EBT_SOURCEMAC) {
160 if (NF_INVF(e, EBT_ISOURCE,
161 !ether_addr_equal_masked(h->h_source, e->sourcemac,
162 e->sourcemsk)))
163 return 1;
164 }
165 if (e->bitmask & EBT_DESTMAC) {
166 if (NF_INVF(e, EBT_IDEST,
167 !ether_addr_equal_masked(h->h_dest, e->destmac,
168 e->destmsk)))
169 return 1;
170 }
171 return 0;
172}
173
174static inline
175struct ebt_entry *ebt_next_entry(const struct ebt_entry *entry)
176{
177 return (void *)entry + entry->next_offset;
178}
179
180static inline const struct ebt_entry_target *
181ebt_get_target_c(const struct ebt_entry *e)
182{
183 return ebt_get_target((struct ebt_entry *)e);
184}
185
186
187unsigned int ebt_do_table(struct sk_buff *skb,
188 const struct nf_hook_state *state,
189 struct ebt_table *table)
190{
191 unsigned int hook = state->hook;
192 int i, nentries;
193 struct ebt_entry *point;
194 struct ebt_counter *counter_base, *cb_base;
195 const struct ebt_entry_target *t;
196 int verdict, sp = 0;
197 struct ebt_chainstack *cs;
198 struct ebt_entries *chaininfo;
199 const char *base;
200 const struct ebt_table_info *private;
201 struct xt_action_param acpar;
202
203 acpar.state = state;
204 acpar.hotdrop = false;
205
206 read_lock_bh(&table->lock);
207 private = table->private;
208 cb_base = COUNTER_BASE(private->counters, private->nentries,
209 smp_processor_id());
210 if (private->chainstack)
211 cs = private->chainstack[smp_processor_id()];
212 else
213 cs = NULL;
214 chaininfo = private->hook_entry[hook];
215 nentries = private->hook_entry[hook]->nentries;
216 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
217 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
218
219 base = private->entries;
220 i = 0;
221 while (i < nentries) {
222 if (ebt_basic_match(point, skb, state->in, state->out))
223 goto letscontinue;
224
225 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)
226 goto letscontinue;
227 if (acpar.hotdrop) {
228 read_unlock_bh(&table->lock);
229 return NF_DROP;
230 }
231
232 ADD_COUNTER(*(counter_base + i), 1, skb->len);
233
234
235
236
237 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &acpar);
238
239 t = ebt_get_target_c(point);
240
241 if (!t->u.target->target)
242 verdict = ((struct ebt_standard_target *)t)->verdict;
243 else {
244 acpar.target = t->u.target;
245 acpar.targinfo = t->data;
246 verdict = t->u.target->target(skb, &acpar);
247 }
248 if (verdict == EBT_ACCEPT) {
249 read_unlock_bh(&table->lock);
250 return NF_ACCEPT;
251 }
252 if (verdict == EBT_DROP) {
253 read_unlock_bh(&table->lock);
254 return NF_DROP;
255 }
256 if (verdict == EBT_RETURN) {
257letsreturn:
258 if (WARN(sp == 0, "RETURN on base chain")) {
259
260 goto letscontinue;
261 }
262
263 sp--;
264
265 i = cs[sp].n;
266 chaininfo = cs[sp].chaininfo;
267 nentries = chaininfo->nentries;
268 point = cs[sp].e;
269 counter_base = cb_base +
270 chaininfo->counter_offset;
271 continue;
272 }
273 if (verdict == EBT_CONTINUE)
274 goto letscontinue;
275
276 if (WARN(verdict < 0, "bogus standard verdict\n")) {
277 read_unlock_bh(&table->lock);
278 return NF_DROP;
279 }
280
281
282 cs[sp].n = i + 1;
283 cs[sp].chaininfo = chaininfo;
284 cs[sp].e = ebt_next_entry(point);
285 i = 0;
286 chaininfo = (struct ebt_entries *) (base + verdict);
287
288 if (WARN(chaininfo->distinguisher, "jump to non-chain\n")) {
289 read_unlock_bh(&table->lock);
290 return NF_DROP;
291 }
292
293 nentries = chaininfo->nentries;
294 point = (struct ebt_entry *)chaininfo->data;
295 counter_base = cb_base + chaininfo->counter_offset;
296 sp++;
297 continue;
298letscontinue:
299 point = ebt_next_entry(point);
300 i++;
301 }
302
303
304 if (chaininfo->policy == EBT_RETURN)
305 goto letsreturn;
306 if (chaininfo->policy == EBT_ACCEPT) {
307 read_unlock_bh(&table->lock);
308 return NF_ACCEPT;
309 }
310 read_unlock_bh(&table->lock);
311 return NF_DROP;
312}
313
314
315static inline void *
316find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
317 struct mutex *mutex)
318{
319 struct {
320 struct list_head list;
321 char name[EBT_FUNCTION_MAXNAMELEN];
322 } *e;
323
324 mutex_lock(mutex);
325 list_for_each_entry(e, head, list) {
326 if (strcmp(e->name, name) == 0)
327 return e;
328 }
329 *error = -ENOENT;
330 mutex_unlock(mutex);
331 return NULL;
332}
333
334static void *
335find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
336 int *error, struct mutex *mutex)
337{
338 return try_then_request_module(
339 find_inlist_lock_noload(head, name, error, mutex),
340 "%s%s", prefix, name);
341}
342
343static inline struct ebt_table *
344find_table_lock(struct net *net, const char *name, int *error,
345 struct mutex *mutex)
346{
347 return find_inlist_lock(&net->xt.tables[NFPROTO_BRIDGE], name,
348 "ebtable_", error, mutex);
349}
350
351static inline void ebt_free_table_info(struct ebt_table_info *info)
352{
353 int i;
354
355 if (info->chainstack) {
356 for_each_possible_cpu(i)
357 vfree(info->chainstack[i]);
358 vfree(info->chainstack);
359 }
360}
361static inline int
362ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
363 unsigned int *cnt)
364{
365 const struct ebt_entry *e = par->entryinfo;
366 struct xt_match *match;
367 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
368 int ret;
369
370 if (left < sizeof(struct ebt_entry_match) ||
371 left - sizeof(struct ebt_entry_match) < m->match_size)
372 return -EINVAL;
373
374 match = xt_find_match(NFPROTO_BRIDGE, m->u.name, m->u.revision);
375 if (IS_ERR(match) || match->family != NFPROTO_BRIDGE) {
376 if (!IS_ERR(match))
377 module_put(match->me);
378 request_module("ebt_%s", m->u.name);
379 match = xt_find_match(NFPROTO_BRIDGE, m->u.name, m->u.revision);
380 }
381 if (IS_ERR(match))
382 return PTR_ERR(match);
383 m->u.match = match;
384
385 par->match = match;
386 par->matchinfo = m->data;
387 ret = xt_check_match(par, m->match_size,
388 e->ethproto, e->invflags & EBT_IPROTO);
389 if (ret < 0) {
390 module_put(match->me);
391 return ret;
392 }
393
394 (*cnt)++;
395 return 0;
396}
397
398static inline int
399ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
400 unsigned int *cnt)
401{
402 const struct ebt_entry *e = par->entryinfo;
403 struct xt_target *watcher;
404 size_t left = ((char *)e + e->target_offset) - (char *)w;
405 int ret;
406
407 if (left < sizeof(struct ebt_entry_watcher) ||
408 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
409 return -EINVAL;
410
411 watcher = xt_request_find_target(NFPROTO_BRIDGE, w->u.name, 0);
412 if (IS_ERR(watcher))
413 return PTR_ERR(watcher);
414
415 if (watcher->family != NFPROTO_BRIDGE) {
416 module_put(watcher->me);
417 return -ENOENT;
418 }
419
420 w->u.watcher = watcher;
421
422 par->target = watcher;
423 par->targinfo = w->data;
424 ret = xt_check_target(par, w->watcher_size,
425 e->ethproto, e->invflags & EBT_IPROTO);
426 if (ret < 0) {
427 module_put(watcher->me);
428 return ret;
429 }
430
431 (*cnt)++;
432 return 0;
433}
434
435static int ebt_verify_pointers(const struct ebt_replace *repl,
436 struct ebt_table_info *newinfo)
437{
438 unsigned int limit = repl->entries_size;
439 unsigned int valid_hooks = repl->valid_hooks;
440 unsigned int offset = 0;
441 int i;
442
443 for (i = 0; i < NF_BR_NUMHOOKS; i++)
444 newinfo->hook_entry[i] = NULL;
445
446 newinfo->entries_size = repl->entries_size;
447 newinfo->nentries = repl->nentries;
448
449 while (offset < limit) {
450 size_t left = limit - offset;
451 struct ebt_entry *e = (void *)newinfo->entries + offset;
452
453 if (left < sizeof(unsigned int))
454 break;
455
456 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
457 if ((valid_hooks & (1 << i)) == 0)
458 continue;
459 if ((char __user *)repl->hook_entry[i] ==
460 repl->entries + offset)
461 break;
462 }
463
464 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
465 if (e->bitmask != 0) {
466
467
468
469 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
470 "in distinguisher\n");
471 return -EINVAL;
472 }
473 if (i != NF_BR_NUMHOOKS)
474 newinfo->hook_entry[i] = (struct ebt_entries *)e;
475 if (left < sizeof(struct ebt_entries))
476 break;
477 offset += sizeof(struct ebt_entries);
478 } else {
479 if (left < sizeof(struct ebt_entry))
480 break;
481 if (left < e->next_offset)
482 break;
483 if (e->next_offset < sizeof(struct ebt_entry))
484 return -EINVAL;
485 offset += e->next_offset;
486 }
487 }
488 if (offset != limit) {
489 BUGPRINT("entries_size too small\n");
490 return -EINVAL;
491 }
492
493
494 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
495 if (!newinfo->hook_entry[i] &&
496 (valid_hooks & (1 << i))) {
497 BUGPRINT("Valid hook without chain\n");
498 return -EINVAL;
499 }
500 }
501 return 0;
502}
503
504
505
506
507static inline int
508ebt_check_entry_size_and_hooks(const struct ebt_entry *e,
509 const struct ebt_table_info *newinfo,
510 unsigned int *n, unsigned int *cnt,
511 unsigned int *totalcnt, unsigned int *udc_cnt)
512{
513 int i;
514
515 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
516 if ((void *)e == (void *)newinfo->hook_entry[i])
517 break;
518 }
519
520
521
522 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
523
524
525
526 if (*n != *cnt) {
527 BUGPRINT("nentries does not equal the nr of entries "
528 "in the chain\n");
529 return -EINVAL;
530 }
531 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
532 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
533
534 if (i != NF_BR_NUMHOOKS ||
535 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
536 BUGPRINT("bad policy\n");
537 return -EINVAL;
538 }
539 }
540 if (i == NF_BR_NUMHOOKS)
541 (*udc_cnt)++;
542 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
543 BUGPRINT("counter_offset != totalcnt");
544 return -EINVAL;
545 }
546 *n = ((struct ebt_entries *)e)->nentries;
547 *cnt = 0;
548 return 0;
549 }
550
551 if (sizeof(struct ebt_entry) > e->watchers_offset ||
552 e->watchers_offset > e->target_offset ||
553 e->target_offset >= e->next_offset) {
554 BUGPRINT("entry offsets not in right order\n");
555 return -EINVAL;
556 }
557
558 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
559 BUGPRINT("target size too small\n");
560 return -EINVAL;
561 }
562 (*cnt)++;
563 (*totalcnt)++;
564 return 0;
565}
566
567struct ebt_cl_stack {
568 struct ebt_chainstack cs;
569 int from;
570 unsigned int hookmask;
571};
572
573
574
575
576static inline int
577ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
578 unsigned int *n, struct ebt_cl_stack *udc)
579{
580 int i;
581
582
583 if (e->bitmask)
584 return 0;
585 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
586 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
587 break;
588 }
589
590 if (i != NF_BR_NUMHOOKS)
591 return 0;
592
593 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
594
595 udc[*n].cs.n = 0;
596 udc[*n].hookmask = 0;
597
598 (*n)++;
599 return 0;
600}
601
602static inline int
603ebt_cleanup_match(struct ebt_entry_match *m, struct net *net, unsigned int *i)
604{
605 struct xt_mtdtor_param par;
606
607 if (i && (*i)-- == 0)
608 return 1;
609
610 par.net = net;
611 par.match = m->u.match;
612 par.matchinfo = m->data;
613 par.family = NFPROTO_BRIDGE;
614 if (par.match->destroy != NULL)
615 par.match->destroy(&par);
616 module_put(par.match->me);
617 return 0;
618}
619
620static inline int
621ebt_cleanup_watcher(struct ebt_entry_watcher *w, struct net *net, unsigned int *i)
622{
623 struct xt_tgdtor_param par;
624
625 if (i && (*i)-- == 0)
626 return 1;
627
628 par.net = net;
629 par.target = w->u.watcher;
630 par.targinfo = w->data;
631 par.family = NFPROTO_BRIDGE;
632 if (par.target->destroy != NULL)
633 par.target->destroy(&par);
634 module_put(par.target->me);
635 return 0;
636}
637
638static inline int
639ebt_cleanup_entry(struct ebt_entry *e, struct net *net, unsigned int *cnt)
640{
641 struct xt_tgdtor_param par;
642 struct ebt_entry_target *t;
643
644 if (e->bitmask == 0)
645 return 0;
646
647 if (cnt && (*cnt)-- == 0)
648 return 1;
649 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, NULL);
650 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, NULL);
651 t = ebt_get_target(e);
652
653 par.net = net;
654 par.target = t->u.target;
655 par.targinfo = t->data;
656 par.family = NFPROTO_BRIDGE;
657 if (par.target->destroy != NULL)
658 par.target->destroy(&par);
659 module_put(par.target->me);
660 return 0;
661}
662
663static inline int
664ebt_check_entry(struct ebt_entry *e, struct net *net,
665 const struct ebt_table_info *newinfo,
666 const char *name, unsigned int *cnt,
667 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
668{
669 struct ebt_entry_target *t;
670 struct xt_target *target;
671 unsigned int i, j, hook = 0, hookmask = 0;
672 size_t gap;
673 int ret;
674 struct xt_mtchk_param mtpar;
675 struct xt_tgchk_param tgpar;
676
677
678 if (e->bitmask == 0)
679 return 0;
680
681 if (e->bitmask & ~EBT_F_MASK) {
682 BUGPRINT("Unknown flag for bitmask\n");
683 return -EINVAL;
684 }
685 if (e->invflags & ~EBT_INV_MASK) {
686 BUGPRINT("Unknown flag for inv bitmask\n");
687 return -EINVAL;
688 }
689 if ((e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3)) {
690 BUGPRINT("NOPROTO & 802_3 not allowed\n");
691 return -EINVAL;
692 }
693
694 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
695 if (!newinfo->hook_entry[i])
696 continue;
697 if ((char *)newinfo->hook_entry[i] < (char *)e)
698 hook = i;
699 else
700 break;
701 }
702
703
704
705 if (i < NF_BR_NUMHOOKS)
706 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
707 else {
708 for (i = 0; i < udc_cnt; i++)
709 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
710 break;
711 if (i == 0)
712 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
713 else
714 hookmask = cl_s[i - 1].hookmask;
715 }
716 i = 0;
717
718 memset(&mtpar, 0, sizeof(mtpar));
719 memset(&tgpar, 0, sizeof(tgpar));
720 mtpar.net = tgpar.net = net;
721 mtpar.table = tgpar.table = name;
722 mtpar.entryinfo = tgpar.entryinfo = e;
723 mtpar.hook_mask = tgpar.hook_mask = hookmask;
724 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
725 ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i);
726 if (ret != 0)
727 goto cleanup_matches;
728 j = 0;
729 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j);
730 if (ret != 0)
731 goto cleanup_watchers;
732 t = ebt_get_target(e);
733 gap = e->next_offset - e->target_offset;
734
735 target = xt_request_find_target(NFPROTO_BRIDGE, t->u.name, 0);
736 if (IS_ERR(target)) {
737 ret = PTR_ERR(target);
738 goto cleanup_watchers;
739 }
740
741
742 if (target->family != NFPROTO_BRIDGE) {
743 module_put(target->me);
744 ret = -ENOENT;
745 goto cleanup_watchers;
746 }
747
748 t->u.target = target;
749 if (t->u.target == &ebt_standard_target) {
750 if (gap < sizeof(struct ebt_standard_target)) {
751 BUGPRINT("Standard target size too big\n");
752 ret = -EFAULT;
753 goto cleanup_watchers;
754 }
755 if (((struct ebt_standard_target *)t)->verdict <
756 -NUM_STANDARD_TARGETS) {
757 BUGPRINT("Invalid standard target\n");
758 ret = -EFAULT;
759 goto cleanup_watchers;
760 }
761 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
762 module_put(t->u.target->me);
763 ret = -EFAULT;
764 goto cleanup_watchers;
765 }
766
767 tgpar.target = target;
768 tgpar.targinfo = t->data;
769 ret = xt_check_target(&tgpar, t->target_size,
770 e->ethproto, e->invflags & EBT_IPROTO);
771 if (ret < 0) {
772 module_put(target->me);
773 goto cleanup_watchers;
774 }
775 (*cnt)++;
776 return 0;
777cleanup_watchers:
778 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, &j);
779cleanup_matches:
780 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, &i);
781 return ret;
782}
783
784
785
786
787
788static int check_chainloops(const struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
789 unsigned int udc_cnt, unsigned int hooknr, char *base)
790{
791 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
792 const struct ebt_entry *e = (struct ebt_entry *)chain->data;
793 const struct ebt_entry_target *t;
794
795 while (pos < nentries || chain_nr != -1) {
796
797 if (pos == nentries) {
798
799 e = cl_s[chain_nr].cs.e;
800 if (cl_s[chain_nr].from != -1)
801 nentries =
802 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
803 else
804 nentries = chain->nentries;
805 pos = cl_s[chain_nr].cs.n;
806
807 cl_s[chain_nr].cs.n = 0;
808 chain_nr = cl_s[chain_nr].from;
809 if (pos == nentries)
810 continue;
811 }
812 t = ebt_get_target_c(e);
813 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
814 goto letscontinue;
815 if (e->target_offset + sizeof(struct ebt_standard_target) >
816 e->next_offset) {
817 BUGPRINT("Standard target size too big\n");
818 return -1;
819 }
820 verdict = ((struct ebt_standard_target *)t)->verdict;
821 if (verdict >= 0) {
822 struct ebt_entries *hlp2 =
823 (struct ebt_entries *)(base + verdict);
824 for (i = 0; i < udc_cnt; i++)
825 if (hlp2 == cl_s[i].cs.chaininfo)
826 break;
827
828 if (i == udc_cnt) {
829 BUGPRINT("bad destination\n");
830 return -1;
831 }
832 if (cl_s[i].cs.n) {
833 BUGPRINT("loop\n");
834 return -1;
835 }
836 if (cl_s[i].hookmask & (1 << hooknr))
837 goto letscontinue;
838
839 cl_s[i].cs.n = pos + 1;
840 pos = 0;
841 cl_s[i].cs.e = ebt_next_entry(e);
842 e = (struct ebt_entry *)(hlp2->data);
843 nentries = hlp2->nentries;
844 cl_s[i].from = chain_nr;
845 chain_nr = i;
846
847 cl_s[i].hookmask |= (1 << hooknr);
848 continue;
849 }
850letscontinue:
851 e = ebt_next_entry(e);
852 pos++;
853 }
854 return 0;
855}
856
857
858static int translate_table(struct net *net, const char *name,
859 struct ebt_table_info *newinfo)
860{
861 unsigned int i, j, k, udc_cnt;
862 int ret;
863 struct ebt_cl_stack *cl_s = NULL;
864
865 i = 0;
866 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
867 i++;
868 if (i == NF_BR_NUMHOOKS) {
869 BUGPRINT("No valid hooks specified\n");
870 return -EINVAL;
871 }
872 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
873 BUGPRINT("Chains don't start at beginning\n");
874 return -EINVAL;
875 }
876
877
878
879 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
880 if (!newinfo->hook_entry[j])
881 continue;
882 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
883 BUGPRINT("Hook order must be followed\n");
884 return -EINVAL;
885 }
886 i = j;
887 }
888
889
890 i = 0;
891 j = 0;
892 k = 0;
893
894
895 udc_cnt = 0;
896 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
897 ebt_check_entry_size_and_hooks, newinfo,
898 &i, &j, &k, &udc_cnt);
899
900 if (ret != 0)
901 return ret;
902
903 if (i != j) {
904 BUGPRINT("nentries does not equal the nr of entries in the "
905 "(last) chain\n");
906 return -EINVAL;
907 }
908 if (k != newinfo->nentries) {
909 BUGPRINT("Total nentries is wrong\n");
910 return -EINVAL;
911 }
912
913
914
915
916 if (udc_cnt) {
917
918
919
920 newinfo->chainstack =
921 vmalloc(array_size(nr_cpu_ids,
922 sizeof(*(newinfo->chainstack))));
923 if (!newinfo->chainstack)
924 return -ENOMEM;
925 for_each_possible_cpu(i) {
926 newinfo->chainstack[i] =
927 vmalloc(array_size(udc_cnt, sizeof(*(newinfo->chainstack[0]))));
928 if (!newinfo->chainstack[i]) {
929 while (i)
930 vfree(newinfo->chainstack[--i]);
931 vfree(newinfo->chainstack);
932 newinfo->chainstack = NULL;
933 return -ENOMEM;
934 }
935 }
936
937 cl_s = vmalloc(array_size(udc_cnt, sizeof(*cl_s)));
938 if (!cl_s)
939 return -ENOMEM;
940 i = 0;
941 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
942 ebt_get_udc_positions, newinfo, &i, cl_s);
943
944 if (i != udc_cnt) {
945 BUGPRINT("i != udc_cnt\n");
946 vfree(cl_s);
947 return -EFAULT;
948 }
949 }
950
951
952 for (i = 0; i < NF_BR_NUMHOOKS; i++)
953 if (newinfo->hook_entry[i])
954 if (check_chainloops(newinfo->hook_entry[i],
955 cl_s, udc_cnt, i, newinfo->entries)) {
956 vfree(cl_s);
957 return -EINVAL;
958 }
959
960
961
962
963
964
965
966
967
968
969
970
971
972 i = 0;
973 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
974 ebt_check_entry, net, newinfo, name, &i, cl_s, udc_cnt);
975 if (ret != 0) {
976 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
977 ebt_cleanup_entry, net, &i);
978 }
979 vfree(cl_s);
980 return ret;
981}
982
983
984static void get_counters(const struct ebt_counter *oldcounters,
985 struct ebt_counter *counters, unsigned int nentries)
986{
987 int i, cpu;
988 struct ebt_counter *counter_base;
989
990
991 memcpy(counters, oldcounters,
992 sizeof(struct ebt_counter) * nentries);
993
994
995 for_each_possible_cpu(cpu) {
996 if (cpu == 0)
997 continue;
998 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
999 for (i = 0; i < nentries; i++)
1000 ADD_COUNTER(counters[i], counter_base[i].pcnt,
1001 counter_base[i].bcnt);
1002 }
1003}
1004
1005static int do_replace_finish(struct net *net, struct ebt_replace *repl,
1006 struct ebt_table_info *newinfo)
1007{
1008 int ret;
1009 struct ebt_counter *counterstmp = NULL;
1010
1011 struct ebt_table_info *table;
1012 struct ebt_table *t;
1013
1014
1015
1016
1017 if (repl->num_counters) {
1018 unsigned long size = repl->num_counters * sizeof(*counterstmp);
1019 counterstmp = vmalloc(size);
1020 if (!counterstmp)
1021 return -ENOMEM;
1022 }
1023
1024 newinfo->chainstack = NULL;
1025 ret = ebt_verify_pointers(repl, newinfo);
1026 if (ret != 0)
1027 goto free_counterstmp;
1028
1029 ret = translate_table(net, repl->name, newinfo);
1030
1031 if (ret != 0)
1032 goto free_counterstmp;
1033
1034 t = find_table_lock(net, repl->name, &ret, &ebt_mutex);
1035 if (!t) {
1036 ret = -ENOENT;
1037 goto free_iterate;
1038 }
1039
1040
1041 if (t->check && (ret = t->check(newinfo, repl->valid_hooks)))
1042 goto free_unlock;
1043
1044 if (repl->num_counters && repl->num_counters != t->private->nentries) {
1045 BUGPRINT("Wrong nr. of counters requested\n");
1046 ret = -EINVAL;
1047 goto free_unlock;
1048 }
1049
1050
1051 table = t->private;
1052
1053 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1054 ret = -ENOENT;
1055 goto free_unlock;
1056 } else if (table->nentries && !newinfo->nentries)
1057 module_put(t->me);
1058
1059 write_lock_bh(&t->lock);
1060 if (repl->num_counters)
1061 get_counters(t->private->counters, counterstmp,
1062 t->private->nentries);
1063
1064 t->private = newinfo;
1065 write_unlock_bh(&t->lock);
1066 mutex_unlock(&ebt_mutex);
1067
1068
1069
1070
1071
1072 if (repl->num_counters &&
1073 copy_to_user(repl->counters, counterstmp,
1074 repl->num_counters * sizeof(struct ebt_counter))) {
1075
1076 net_warn_ratelimited("ebtables: counters copy to user failed while replacing table\n");
1077 }
1078
1079
1080 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
1081 ebt_cleanup_entry, net, NULL);
1082
1083 vfree(table->entries);
1084 ebt_free_table_info(table);
1085 vfree(table);
1086 vfree(counterstmp);
1087
1088#ifdef CONFIG_AUDIT
1089 if (audit_enabled) {
1090 audit_log(audit_context(), GFP_KERNEL,
1091 AUDIT_NETFILTER_CFG,
1092 "table=%s family=%u entries=%u",
1093 repl->name, AF_BRIDGE, repl->nentries);
1094 }
1095#endif
1096 return ret;
1097
1098free_unlock:
1099 mutex_unlock(&ebt_mutex);
1100free_iterate:
1101 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
1102 ebt_cleanup_entry, net, NULL);
1103free_counterstmp:
1104 vfree(counterstmp);
1105
1106 ebt_free_table_info(newinfo);
1107 return ret;
1108}
1109
1110
1111static int do_replace(struct net *net, const void __user *user,
1112 unsigned int len)
1113{
1114 int ret, countersize;
1115 struct ebt_table_info *newinfo;
1116 struct ebt_replace tmp;
1117
1118 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1119 return -EFAULT;
1120
1121 if (len != sizeof(tmp) + tmp.entries_size) {
1122 BUGPRINT("Wrong len argument\n");
1123 return -EINVAL;
1124 }
1125
1126 if (tmp.entries_size == 0) {
1127 BUGPRINT("Entries_size never zero\n");
1128 return -EINVAL;
1129 }
1130
1131 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) /
1132 NR_CPUS - SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
1133 return -ENOMEM;
1134 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
1135 return -ENOMEM;
1136
1137 tmp.name[sizeof(tmp.name) - 1] = 0;
1138
1139 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
1140 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1141 if (!newinfo)
1142 return -ENOMEM;
1143
1144 if (countersize)
1145 memset(newinfo->counters, 0, countersize);
1146
1147 newinfo->entries = vmalloc(tmp.entries_size);
1148 if (!newinfo->entries) {
1149 ret = -ENOMEM;
1150 goto free_newinfo;
1151 }
1152 if (copy_from_user(
1153 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
1154 BUGPRINT("Couldn't copy entries from userspace\n");
1155 ret = -EFAULT;
1156 goto free_entries;
1157 }
1158
1159 ret = do_replace_finish(net, &tmp, newinfo);
1160 if (ret == 0)
1161 return ret;
1162free_entries:
1163 vfree(newinfo->entries);
1164free_newinfo:
1165 vfree(newinfo);
1166 return ret;
1167}
1168
1169static void __ebt_unregister_table(struct net *net, struct ebt_table *table)
1170{
1171 mutex_lock(&ebt_mutex);
1172 list_del(&table->list);
1173 mutex_unlock(&ebt_mutex);
1174 EBT_ENTRY_ITERATE(table->private->entries, table->private->entries_size,
1175 ebt_cleanup_entry, net, NULL);
1176 if (table->private->nentries)
1177 module_put(table->me);
1178 vfree(table->private->entries);
1179 ebt_free_table_info(table->private);
1180 vfree(table->private);
1181 kfree(table);
1182}
1183
1184int ebt_register_table(struct net *net, const struct ebt_table *input_table,
1185 const struct nf_hook_ops *ops, struct ebt_table **res)
1186{
1187 struct ebt_table_info *newinfo;
1188 struct ebt_table *t, *table;
1189 struct ebt_replace_kernel *repl;
1190 int ret, i, countersize;
1191 void *p;
1192
1193 if (input_table == NULL || (repl = input_table->table) == NULL ||
1194 repl->entries == NULL || repl->entries_size == 0 ||
1195 repl->counters != NULL || input_table->private != NULL) {
1196 BUGPRINT("Bad table data for ebt_register_table!!!\n");
1197 return -EINVAL;
1198 }
1199
1200
1201 table = kmemdup(input_table, sizeof(struct ebt_table), GFP_KERNEL);
1202 if (!table) {
1203 ret = -ENOMEM;
1204 goto out;
1205 }
1206
1207 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
1208 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1209 ret = -ENOMEM;
1210 if (!newinfo)
1211 goto free_table;
1212
1213 p = vmalloc(repl->entries_size);
1214 if (!p)
1215 goto free_newinfo;
1216
1217 memcpy(p, repl->entries, repl->entries_size);
1218 newinfo->entries = p;
1219
1220 newinfo->entries_size = repl->entries_size;
1221 newinfo->nentries = repl->nentries;
1222
1223 if (countersize)
1224 memset(newinfo->counters, 0, countersize);
1225
1226
1227 newinfo->chainstack = NULL;
1228 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1229 if ((repl->valid_hooks & (1 << i)) == 0)
1230 newinfo->hook_entry[i] = NULL;
1231 else
1232 newinfo->hook_entry[i] = p +
1233 ((char *)repl->hook_entry[i] - repl->entries);
1234 }
1235 ret = translate_table(net, repl->name, newinfo);
1236 if (ret != 0) {
1237 BUGPRINT("Translate_table failed\n");
1238 goto free_chainstack;
1239 }
1240
1241 if (table->check && table->check(newinfo, table->valid_hooks)) {
1242 BUGPRINT("The table doesn't like its own initial data, lol\n");
1243 ret = -EINVAL;
1244 goto free_chainstack;
1245 }
1246
1247 table->private = newinfo;
1248 rwlock_init(&table->lock);
1249 mutex_lock(&ebt_mutex);
1250 list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) {
1251 if (strcmp(t->name, table->name) == 0) {
1252 ret = -EEXIST;
1253 BUGPRINT("Table name already exists\n");
1254 goto free_unlock;
1255 }
1256 }
1257
1258
1259 if (newinfo->nentries && !try_module_get(table->me)) {
1260 ret = -ENOENT;
1261 goto free_unlock;
1262 }
1263 list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]);
1264 mutex_unlock(&ebt_mutex);
1265
1266 WRITE_ONCE(*res, table);
1267
1268 if (!ops)
1269 return 0;
1270
1271 ret = nf_register_net_hooks(net, ops, hweight32(table->valid_hooks));
1272 if (ret) {
1273 __ebt_unregister_table(net, table);
1274 *res = NULL;
1275 }
1276
1277 return ret;
1278free_unlock:
1279 mutex_unlock(&ebt_mutex);
1280free_chainstack:
1281 ebt_free_table_info(newinfo);
1282 vfree(newinfo->entries);
1283free_newinfo:
1284 vfree(newinfo);
1285free_table:
1286 kfree(table);
1287out:
1288 return ret;
1289}
1290
1291void ebt_unregister_table(struct net *net, struct ebt_table *table,
1292 const struct nf_hook_ops *ops)
1293{
1294 if (ops)
1295 nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
1296 __ebt_unregister_table(net, table);
1297}
1298
1299
1300static int do_update_counters(struct net *net, const char *name,
1301 struct ebt_counter __user *counters,
1302 unsigned int num_counters,
1303 const void __user *user, unsigned int len)
1304{
1305 int i, ret;
1306 struct ebt_counter *tmp;
1307 struct ebt_table *t;
1308
1309 if (num_counters == 0)
1310 return -EINVAL;
1311
1312 tmp = vmalloc(array_size(num_counters, sizeof(*tmp)));
1313 if (!tmp)
1314 return -ENOMEM;
1315
1316 t = find_table_lock(net, name, &ret, &ebt_mutex);
1317 if (!t)
1318 goto free_tmp;
1319
1320 if (num_counters != t->private->nentries) {
1321 BUGPRINT("Wrong nr of counters\n");
1322 ret = -EINVAL;
1323 goto unlock_mutex;
1324 }
1325
1326 if (copy_from_user(tmp, counters, num_counters * sizeof(*counters))) {
1327 ret = -EFAULT;
1328 goto unlock_mutex;
1329 }
1330
1331
1332 write_lock_bh(&t->lock);
1333
1334
1335 for (i = 0; i < num_counters; i++)
1336 ADD_COUNTER(t->private->counters[i], tmp[i].pcnt, tmp[i].bcnt);
1337
1338 write_unlock_bh(&t->lock);
1339 ret = 0;
1340unlock_mutex:
1341 mutex_unlock(&ebt_mutex);
1342free_tmp:
1343 vfree(tmp);
1344 return ret;
1345}
1346
1347static int update_counters(struct net *net, const void __user *user,
1348 unsigned int len)
1349{
1350 struct ebt_replace hlp;
1351
1352 if (copy_from_user(&hlp, user, sizeof(hlp)))
1353 return -EFAULT;
1354
1355 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1356 return -EINVAL;
1357
1358 return do_update_counters(net, hlp.name, hlp.counters,
1359 hlp.num_counters, user, len);
1360}
1361
1362static inline int ebt_obj_to_user(char __user *um, const char *_name,
1363 const char *data, int entrysize,
1364 int usersize, int datasize, u8 revision)
1365{
1366 char name[EBT_EXTENSION_MAXNAMELEN] = {0};
1367
1368
1369
1370
1371 strlcpy(name, _name, sizeof(name));
1372 if (copy_to_user(um, name, EBT_EXTENSION_MAXNAMELEN) ||
1373 put_user(revision, (u8 __user *)(um + EBT_EXTENSION_MAXNAMELEN)) ||
1374 put_user(datasize, (int __user *)(um + EBT_EXTENSION_MAXNAMELEN + 1)) ||
1375 xt_data_to_user(um + entrysize, data, usersize, datasize,
1376 XT_ALIGN(datasize)))
1377 return -EFAULT;
1378
1379 return 0;
1380}
1381
1382static inline int ebt_match_to_user(const struct ebt_entry_match *m,
1383 const char *base, char __user *ubase)
1384{
1385 return ebt_obj_to_user(ubase + ((char *)m - base),
1386 m->u.match->name, m->data, sizeof(*m),
1387 m->u.match->usersize, m->match_size,
1388 m->u.match->revision);
1389}
1390
1391static inline int ebt_watcher_to_user(const struct ebt_entry_watcher *w,
1392 const char *base, char __user *ubase)
1393{
1394 return ebt_obj_to_user(ubase + ((char *)w - base),
1395 w->u.watcher->name, w->data, sizeof(*w),
1396 w->u.watcher->usersize, w->watcher_size,
1397 w->u.watcher->revision);
1398}
1399
1400static inline int ebt_entry_to_user(struct ebt_entry *e, const char *base,
1401 char __user *ubase)
1402{
1403 int ret;
1404 char __user *hlp;
1405 const struct ebt_entry_target *t;
1406
1407 if (e->bitmask == 0) {
1408
1409 if (copy_to_user(ubase + ((char *)e - base), e,
1410 sizeof(struct ebt_entries)))
1411 return -EFAULT;
1412 return 0;
1413 }
1414
1415 if (copy_to_user(ubase + ((char *)e - base), e, sizeof(*e)))
1416 return -EFAULT;
1417
1418 hlp = ubase + (((char *)e + e->target_offset) - base);
1419 t = ebt_get_target_c(e);
1420
1421 ret = EBT_MATCH_ITERATE(e, ebt_match_to_user, base, ubase);
1422 if (ret != 0)
1423 return ret;
1424 ret = EBT_WATCHER_ITERATE(e, ebt_watcher_to_user, base, ubase);
1425 if (ret != 0)
1426 return ret;
1427 ret = ebt_obj_to_user(hlp, t->u.target->name, t->data, sizeof(*t),
1428 t->u.target->usersize, t->target_size,
1429 t->u.target->revision);
1430 if (ret != 0)
1431 return ret;
1432
1433 return 0;
1434}
1435
1436static int copy_counters_to_user(struct ebt_table *t,
1437 const struct ebt_counter *oldcounters,
1438 void __user *user, unsigned int num_counters,
1439 unsigned int nentries)
1440{
1441 struct ebt_counter *counterstmp;
1442 int ret = 0;
1443
1444
1445 if (num_counters == 0)
1446 return 0;
1447
1448 if (num_counters != nentries) {
1449 BUGPRINT("Num_counters wrong\n");
1450 return -EINVAL;
1451 }
1452
1453 counterstmp = vmalloc(array_size(nentries, sizeof(*counterstmp)));
1454 if (!counterstmp)
1455 return -ENOMEM;
1456
1457 write_lock_bh(&t->lock);
1458 get_counters(oldcounters, counterstmp, nentries);
1459 write_unlock_bh(&t->lock);
1460
1461 if (copy_to_user(user, counterstmp,
1462 nentries * sizeof(struct ebt_counter)))
1463 ret = -EFAULT;
1464 vfree(counterstmp);
1465 return ret;
1466}
1467
1468
1469static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1470 const int *len, int cmd)
1471{
1472 struct ebt_replace tmp;
1473 const struct ebt_counter *oldcounters;
1474 unsigned int entries_size, nentries;
1475 int ret;
1476 char *entries;
1477
1478 if (cmd == EBT_SO_GET_ENTRIES) {
1479 entries_size = t->private->entries_size;
1480 nentries = t->private->nentries;
1481 entries = t->private->entries;
1482 oldcounters = t->private->counters;
1483 } else {
1484 entries_size = t->table->entries_size;
1485 nentries = t->table->nentries;
1486 entries = t->table->entries;
1487 oldcounters = t->table->counters;
1488 }
1489
1490 if (copy_from_user(&tmp, user, sizeof(tmp)))
1491 return -EFAULT;
1492
1493 if (*len != sizeof(struct ebt_replace) + entries_size +
1494 (tmp.num_counters ? nentries * sizeof(struct ebt_counter) : 0))
1495 return -EINVAL;
1496
1497 if (tmp.nentries != nentries) {
1498 BUGPRINT("Nentries wrong\n");
1499 return -EINVAL;
1500 }
1501
1502 if (tmp.entries_size != entries_size) {
1503 BUGPRINT("Wrong size\n");
1504 return -EINVAL;
1505 }
1506
1507 ret = copy_counters_to_user(t, oldcounters, tmp.counters,
1508 tmp.num_counters, nentries);
1509 if (ret)
1510 return ret;
1511
1512
1513 return EBT_ENTRY_ITERATE(entries, entries_size,
1514 ebt_entry_to_user, entries, tmp.entries);
1515}
1516
1517static int do_ebt_set_ctl(struct sock *sk,
1518 int cmd, void __user *user, unsigned int len)
1519{
1520 int ret;
1521 struct net *net = sock_net(sk);
1522
1523 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
1524 return -EPERM;
1525
1526 switch (cmd) {
1527 case EBT_SO_SET_ENTRIES:
1528 ret = do_replace(net, user, len);
1529 break;
1530 case EBT_SO_SET_COUNTERS:
1531 ret = update_counters(net, user, len);
1532 break;
1533 default:
1534 ret = -EINVAL;
1535 }
1536 return ret;
1537}
1538
1539static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1540{
1541 int ret;
1542 struct ebt_replace tmp;
1543 struct ebt_table *t;
1544 struct net *net = sock_net(sk);
1545
1546 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
1547 return -EPERM;
1548
1549 if (copy_from_user(&tmp, user, sizeof(tmp)))
1550 return -EFAULT;
1551
1552 tmp.name[sizeof(tmp.name) - 1] = '\0';
1553
1554 t = find_table_lock(net, tmp.name, &ret, &ebt_mutex);
1555 if (!t)
1556 return ret;
1557
1558 switch (cmd) {
1559 case EBT_SO_GET_INFO:
1560 case EBT_SO_GET_INIT_INFO:
1561 if (*len != sizeof(struct ebt_replace)) {
1562 ret = -EINVAL;
1563 mutex_unlock(&ebt_mutex);
1564 break;
1565 }
1566 if (cmd == EBT_SO_GET_INFO) {
1567 tmp.nentries = t->private->nentries;
1568 tmp.entries_size = t->private->entries_size;
1569 tmp.valid_hooks = t->valid_hooks;
1570 } else {
1571 tmp.nentries = t->table->nentries;
1572 tmp.entries_size = t->table->entries_size;
1573 tmp.valid_hooks = t->table->valid_hooks;
1574 }
1575 mutex_unlock(&ebt_mutex);
1576 if (copy_to_user(user, &tmp, *len) != 0) {
1577 BUGPRINT("c2u Didn't work\n");
1578 ret = -EFAULT;
1579 break;
1580 }
1581 ret = 0;
1582 break;
1583
1584 case EBT_SO_GET_ENTRIES:
1585 case EBT_SO_GET_INIT_ENTRIES:
1586 ret = copy_everything_to_user(t, user, len, cmd);
1587 mutex_unlock(&ebt_mutex);
1588 break;
1589
1590 default:
1591 mutex_unlock(&ebt_mutex);
1592 ret = -EINVAL;
1593 }
1594
1595 return ret;
1596}
1597
1598#ifdef CONFIG_COMPAT
1599
1600struct compat_ebt_replace {
1601 char name[EBT_TABLE_MAXNAMELEN];
1602 compat_uint_t valid_hooks;
1603 compat_uint_t nentries;
1604 compat_uint_t entries_size;
1605
1606 compat_uptr_t hook_entry[NF_BR_NUMHOOKS];
1607
1608 compat_uint_t num_counters;
1609
1610 compat_uptr_t counters;
1611 compat_uptr_t entries;
1612};
1613
1614
1615struct compat_ebt_entry_mwt {
1616 union {
1617 struct {
1618 char name[EBT_EXTENSION_MAXNAMELEN];
1619 u8 revision;
1620 };
1621 compat_uptr_t ptr;
1622 } u;
1623 compat_uint_t match_size;
1624 compat_uint_t data[0] __attribute__ ((aligned (__alignof__(struct compat_ebt_replace))));
1625};
1626
1627
1628static int ebt_compat_entry_padsize(void)
1629{
1630 BUILD_BUG_ON(sizeof(struct ebt_entry_match) <
1631 sizeof(struct compat_ebt_entry_mwt));
1632 return (int) sizeof(struct ebt_entry_match) -
1633 sizeof(struct compat_ebt_entry_mwt);
1634}
1635
1636static int ebt_compat_match_offset(const struct xt_match *match,
1637 unsigned int userlen)
1638{
1639
1640
1641
1642
1643
1644 if (unlikely(match->matchsize == -1))
1645 return XT_ALIGN(userlen) - COMPAT_XT_ALIGN(userlen);
1646 return xt_compat_match_offset(match);
1647}
1648
1649static int compat_match_to_user(struct ebt_entry_match *m, void __user **dstptr,
1650 unsigned int *size)
1651{
1652 const struct xt_match *match = m->u.match;
1653 struct compat_ebt_entry_mwt __user *cm = *dstptr;
1654 int off = ebt_compat_match_offset(match, m->match_size);
1655 compat_uint_t msize = m->match_size - off;
1656
1657 if (WARN_ON(off >= m->match_size))
1658 return -EINVAL;
1659
1660 if (copy_to_user(cm->u.name, match->name, strlen(match->name) + 1) ||
1661 put_user(match->revision, &cm->u.revision) ||
1662 put_user(msize, &cm->match_size))
1663 return -EFAULT;
1664
1665 if (match->compat_to_user) {
1666 if (match->compat_to_user(cm->data, m->data))
1667 return -EFAULT;
1668 } else {
1669 if (xt_data_to_user(cm->data, m->data, match->usersize, msize,
1670 COMPAT_XT_ALIGN(msize)))
1671 return -EFAULT;
1672 }
1673
1674 *size -= ebt_compat_entry_padsize() + off;
1675 *dstptr = cm->data;
1676 *dstptr += msize;
1677 return 0;
1678}
1679
1680static int compat_target_to_user(struct ebt_entry_target *t,
1681 void __user **dstptr,
1682 unsigned int *size)
1683{
1684 const struct xt_target *target = t->u.target;
1685 struct compat_ebt_entry_mwt __user *cm = *dstptr;
1686 int off = xt_compat_target_offset(target);
1687 compat_uint_t tsize = t->target_size - off;
1688
1689 if (WARN_ON(off >= t->target_size))
1690 return -EINVAL;
1691
1692 if (copy_to_user(cm->u.name, target->name, strlen(target->name) + 1) ||
1693 put_user(target->revision, &cm->u.revision) ||
1694 put_user(tsize, &cm->match_size))
1695 return -EFAULT;
1696
1697 if (target->compat_to_user) {
1698 if (target->compat_to_user(cm->data, t->data))
1699 return -EFAULT;
1700 } else {
1701 if (xt_data_to_user(cm->data, t->data, target->usersize, tsize,
1702 COMPAT_XT_ALIGN(tsize)))
1703 return -EFAULT;
1704 }
1705
1706 *size -= ebt_compat_entry_padsize() + off;
1707 *dstptr = cm->data;
1708 *dstptr += tsize;
1709 return 0;
1710}
1711
1712static int compat_watcher_to_user(struct ebt_entry_watcher *w,
1713 void __user **dstptr,
1714 unsigned int *size)
1715{
1716 return compat_target_to_user((struct ebt_entry_target *)w,
1717 dstptr, size);
1718}
1719
1720static int compat_copy_entry_to_user(struct ebt_entry *e, void __user **dstptr,
1721 unsigned int *size)
1722{
1723 struct ebt_entry_target *t;
1724 struct ebt_entry __user *ce;
1725 u32 watchers_offset, target_offset, next_offset;
1726 compat_uint_t origsize;
1727 int ret;
1728
1729 if (e->bitmask == 0) {
1730 if (*size < sizeof(struct ebt_entries))
1731 return -EINVAL;
1732 if (copy_to_user(*dstptr, e, sizeof(struct ebt_entries)))
1733 return -EFAULT;
1734
1735 *dstptr += sizeof(struct ebt_entries);
1736 *size -= sizeof(struct ebt_entries);
1737 return 0;
1738 }
1739
1740 if (*size < sizeof(*ce))
1741 return -EINVAL;
1742
1743 ce = *dstptr;
1744 if (copy_to_user(ce, e, sizeof(*ce)))
1745 return -EFAULT;
1746
1747 origsize = *size;
1748 *dstptr += sizeof(*ce);
1749
1750 ret = EBT_MATCH_ITERATE(e, compat_match_to_user, dstptr, size);
1751 if (ret)
1752 return ret;
1753 watchers_offset = e->watchers_offset - (origsize - *size);
1754
1755 ret = EBT_WATCHER_ITERATE(e, compat_watcher_to_user, dstptr, size);
1756 if (ret)
1757 return ret;
1758 target_offset = e->target_offset - (origsize - *size);
1759
1760 t = ebt_get_target(e);
1761
1762 ret = compat_target_to_user(t, dstptr, size);
1763 if (ret)
1764 return ret;
1765 next_offset = e->next_offset - (origsize - *size);
1766
1767 if (put_user(watchers_offset, &ce->watchers_offset) ||
1768 put_user(target_offset, &ce->target_offset) ||
1769 put_user(next_offset, &ce->next_offset))
1770 return -EFAULT;
1771
1772 *size -= sizeof(*ce);
1773 return 0;
1774}
1775
1776static int compat_calc_match(struct ebt_entry_match *m, int *off)
1777{
1778 *off += ebt_compat_match_offset(m->u.match, m->match_size);
1779 *off += ebt_compat_entry_padsize();
1780 return 0;
1781}
1782
1783static int compat_calc_watcher(struct ebt_entry_watcher *w, int *off)
1784{
1785 *off += xt_compat_target_offset(w->u.watcher);
1786 *off += ebt_compat_entry_padsize();
1787 return 0;
1788}
1789
1790static int compat_calc_entry(const struct ebt_entry *e,
1791 const struct ebt_table_info *info,
1792 const void *base,
1793 struct compat_ebt_replace *newinfo)
1794{
1795 const struct ebt_entry_target *t;
1796 unsigned int entry_offset;
1797 int off, ret, i;
1798
1799 if (e->bitmask == 0)
1800 return 0;
1801
1802 off = 0;
1803 entry_offset = (void *)e - base;
1804
1805 EBT_MATCH_ITERATE(e, compat_calc_match, &off);
1806 EBT_WATCHER_ITERATE(e, compat_calc_watcher, &off);
1807
1808 t = ebt_get_target_c(e);
1809
1810 off += xt_compat_target_offset(t->u.target);
1811 off += ebt_compat_entry_padsize();
1812
1813 newinfo->entries_size -= off;
1814
1815 ret = xt_compat_add_offset(NFPROTO_BRIDGE, entry_offset, off);
1816 if (ret)
1817 return ret;
1818
1819 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1820 const void *hookptr = info->hook_entry[i];
1821 if (info->hook_entry[i] &&
1822 (e < (struct ebt_entry *)(base - hookptr))) {
1823 newinfo->hook_entry[i] -= off;
1824 pr_debug("0x%08X -> 0x%08X\n",
1825 newinfo->hook_entry[i] + off,
1826 newinfo->hook_entry[i]);
1827 }
1828 }
1829
1830 return 0;
1831}
1832
1833
1834static int compat_table_info(const struct ebt_table_info *info,
1835 struct compat_ebt_replace *newinfo)
1836{
1837 unsigned int size = info->entries_size;
1838 const void *entries = info->entries;
1839
1840 newinfo->entries_size = size;
1841 if (info->nentries) {
1842 int ret = xt_compat_init_offsets(NFPROTO_BRIDGE,
1843 info->nentries);
1844 if (ret)
1845 return ret;
1846 }
1847
1848 return EBT_ENTRY_ITERATE(entries, size, compat_calc_entry, info,
1849 entries, newinfo);
1850}
1851
1852static int compat_copy_everything_to_user(struct ebt_table *t,
1853 void __user *user, int *len, int cmd)
1854{
1855 struct compat_ebt_replace repl, tmp;
1856 struct ebt_counter *oldcounters;
1857 struct ebt_table_info tinfo;
1858 int ret;
1859 void __user *pos;
1860
1861 memset(&tinfo, 0, sizeof(tinfo));
1862
1863 if (cmd == EBT_SO_GET_ENTRIES) {
1864 tinfo.entries_size = t->private->entries_size;
1865 tinfo.nentries = t->private->nentries;
1866 tinfo.entries = t->private->entries;
1867 oldcounters = t->private->counters;
1868 } else {
1869 tinfo.entries_size = t->table->entries_size;
1870 tinfo.nentries = t->table->nentries;
1871 tinfo.entries = t->table->entries;
1872 oldcounters = t->table->counters;
1873 }
1874
1875 if (copy_from_user(&tmp, user, sizeof(tmp)))
1876 return -EFAULT;
1877
1878 if (tmp.nentries != tinfo.nentries ||
1879 (tmp.num_counters && tmp.num_counters != tinfo.nentries))
1880 return -EINVAL;
1881
1882 memcpy(&repl, &tmp, sizeof(repl));
1883 if (cmd == EBT_SO_GET_ENTRIES)
1884 ret = compat_table_info(t->private, &repl);
1885 else
1886 ret = compat_table_info(&tinfo, &repl);
1887 if (ret)
1888 return ret;
1889
1890 if (*len != sizeof(tmp) + repl.entries_size +
1891 (tmp.num_counters? tinfo.nentries * sizeof(struct ebt_counter): 0)) {
1892 pr_err("wrong size: *len %d, entries_size %u, replsz %d\n",
1893 *len, tinfo.entries_size, repl.entries_size);
1894 return -EINVAL;
1895 }
1896
1897
1898 ret = copy_counters_to_user(t, oldcounters, compat_ptr(tmp.counters),
1899 tmp.num_counters, tinfo.nentries);
1900 if (ret)
1901 return ret;
1902
1903 pos = compat_ptr(tmp.entries);
1904 return EBT_ENTRY_ITERATE(tinfo.entries, tinfo.entries_size,
1905 compat_copy_entry_to_user, &pos, &tmp.entries_size);
1906}
1907
1908struct ebt_entries_buf_state {
1909 char *buf_kern_start;
1910 u32 buf_kern_len;
1911 u32 buf_kern_offset;
1912 u32 buf_user_offset;
1913};
1914
1915static int ebt_buf_count(struct ebt_entries_buf_state *state, unsigned int sz)
1916{
1917 state->buf_kern_offset += sz;
1918 return state->buf_kern_offset >= sz ? 0 : -EINVAL;
1919}
1920
1921static int ebt_buf_add(struct ebt_entries_buf_state *state,
1922 void *data, unsigned int sz)
1923{
1924 if (state->buf_kern_start == NULL)
1925 goto count_only;
1926
1927 if (WARN_ON(state->buf_kern_offset + sz > state->buf_kern_len))
1928 return -EINVAL;
1929
1930 memcpy(state->buf_kern_start + state->buf_kern_offset, data, sz);
1931
1932 count_only:
1933 state->buf_user_offset += sz;
1934 return ebt_buf_count(state, sz);
1935}
1936
1937static int ebt_buf_add_pad(struct ebt_entries_buf_state *state, unsigned int sz)
1938{
1939 char *b = state->buf_kern_start;
1940
1941 if (WARN_ON(b && state->buf_kern_offset > state->buf_kern_len))
1942 return -EINVAL;
1943
1944 if (b != NULL && sz > 0)
1945 memset(b + state->buf_kern_offset, 0, sz);
1946
1947 return ebt_buf_count(state, sz);
1948}
1949
1950enum compat_mwt {
1951 EBT_COMPAT_MATCH,
1952 EBT_COMPAT_WATCHER,
1953 EBT_COMPAT_TARGET,
1954};
1955
1956static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
1957 enum compat_mwt compat_mwt,
1958 struct ebt_entries_buf_state *state,
1959 const unsigned char *base)
1960{
1961 char name[EBT_EXTENSION_MAXNAMELEN];
1962 struct xt_match *match;
1963 struct xt_target *wt;
1964 void *dst = NULL;
1965 int off, pad = 0;
1966 unsigned int size_kern, match_size = mwt->match_size;
1967
1968 if (strscpy(name, mwt->u.name, sizeof(name)) < 0)
1969 return -EINVAL;
1970
1971 if (state->buf_kern_start)
1972 dst = state->buf_kern_start + state->buf_kern_offset;
1973
1974 switch (compat_mwt) {
1975 case EBT_COMPAT_MATCH:
1976 match = xt_request_find_match(NFPROTO_BRIDGE, name,
1977 mwt->u.revision);
1978 if (IS_ERR(match))
1979 return PTR_ERR(match);
1980
1981 off = ebt_compat_match_offset(match, match_size);
1982 if (dst) {
1983 if (match->compat_from_user)
1984 match->compat_from_user(dst, mwt->data);
1985 else
1986 memcpy(dst, mwt->data, match_size);
1987 }
1988
1989 size_kern = match->matchsize;
1990 if (unlikely(size_kern == -1))
1991 size_kern = match_size;
1992 module_put(match->me);
1993 break;
1994 case EBT_COMPAT_WATCHER:
1995 case EBT_COMPAT_TARGET:
1996 wt = xt_request_find_target(NFPROTO_BRIDGE, name,
1997 mwt->u.revision);
1998 if (IS_ERR(wt))
1999 return PTR_ERR(wt);
2000 off = xt_compat_target_offset(wt);
2001
2002 if (dst) {
2003 if (wt->compat_from_user)
2004 wt->compat_from_user(dst, mwt->data);
2005 else
2006 memcpy(dst, mwt->data, match_size);
2007 }
2008
2009 size_kern = wt->targetsize;
2010 module_put(wt->me);
2011 break;
2012
2013 default:
2014 return -EINVAL;
2015 }
2016
2017 state->buf_kern_offset += match_size + off;
2018 state->buf_user_offset += match_size;
2019 pad = XT_ALIGN(size_kern) - size_kern;
2020
2021 if (pad > 0 && dst) {
2022 if (WARN_ON(state->buf_kern_len <= pad))
2023 return -EINVAL;
2024 if (WARN_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad))
2025 return -EINVAL;
2026 memset(dst + size_kern, 0, pad);
2027 }
2028 return off + match_size;
2029}
2030
2031
2032
2033
2034static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
2035 unsigned int size_left, enum compat_mwt type,
2036 struct ebt_entries_buf_state *state, const void *base)
2037{
2038 int growth = 0;
2039 char *buf;
2040
2041 if (size_left == 0)
2042 return 0;
2043
2044 buf = (char *) match32;
2045
2046 while (size_left >= sizeof(*match32)) {
2047 struct ebt_entry_match *match_kern;
2048 int ret;
2049
2050 match_kern = (struct ebt_entry_match *) state->buf_kern_start;
2051 if (match_kern) {
2052 char *tmp;
2053 tmp = state->buf_kern_start + state->buf_kern_offset;
2054 match_kern = (struct ebt_entry_match *) tmp;
2055 }
2056 ret = ebt_buf_add(state, buf, sizeof(*match32));
2057 if (ret < 0)
2058 return ret;
2059 size_left -= sizeof(*match32);
2060
2061
2062 ret = ebt_buf_add_pad(state, ebt_compat_entry_padsize());
2063 if (ret < 0)
2064 return ret;
2065
2066 if (match32->match_size > size_left)
2067 return -EINVAL;
2068
2069 size_left -= match32->match_size;
2070
2071 ret = compat_mtw_from_user(match32, type, state, base);
2072 if (ret < 0)
2073 return ret;
2074
2075 if (WARN_ON(ret < match32->match_size))
2076 return -EINVAL;
2077 growth += ret - match32->match_size;
2078 growth += ebt_compat_entry_padsize();
2079
2080 buf += sizeof(*match32);
2081 buf += match32->match_size;
2082
2083 if (match_kern)
2084 match_kern->match_size = ret;
2085
2086 if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
2087 return -EINVAL;
2088
2089 match32 = (struct compat_ebt_entry_mwt *) buf;
2090 }
2091
2092 return growth;
2093}
2094
2095
2096static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
2097 unsigned int *total,
2098 struct ebt_entries_buf_state *state)
2099{
2100 unsigned int i, j, startoff, new_offset = 0;
2101
2102 unsigned int offsets[4];
2103 unsigned int *offsets_update = NULL;
2104 int ret;
2105 char *buf_start;
2106
2107 if (*total < sizeof(struct ebt_entries))
2108 return -EINVAL;
2109
2110 if (!entry->bitmask) {
2111 *total -= sizeof(struct ebt_entries);
2112 return ebt_buf_add(state, entry, sizeof(struct ebt_entries));
2113 }
2114 if (*total < sizeof(*entry) || entry->next_offset < sizeof(*entry))
2115 return -EINVAL;
2116
2117 startoff = state->buf_user_offset;
2118
2119 ret = ebt_buf_add(state, entry,
2120 offsetof(struct ebt_entry, watchers_offset));
2121 if (ret < 0)
2122 return ret;
2123
2124 offsets[0] = sizeof(struct ebt_entry);
2125 memcpy(&offsets[1], &entry->watchers_offset,
2126 sizeof(offsets) - sizeof(offsets[0]));
2127
2128 if (state->buf_kern_start) {
2129 buf_start = state->buf_kern_start + state->buf_kern_offset;
2130 offsets_update = (unsigned int *) buf_start;
2131 }
2132 ret = ebt_buf_add(state, &offsets[1],
2133 sizeof(offsets) - sizeof(offsets[0]));
2134 if (ret < 0)
2135 return ret;
2136 buf_start = (char *) entry;
2137
2138
2139
2140
2141
2142
2143
2144 for (i = 0; i < 4 ; ++i) {
2145 if (offsets[i] > *total)
2146 return -EINVAL;
2147
2148 if (i < 3 && offsets[i] == *total)
2149 return -EINVAL;
2150
2151 if (i == 0)
2152 continue;
2153 if (offsets[i-1] > offsets[i])
2154 return -EINVAL;
2155 }
2156
2157 for (i = 0, j = 1 ; j < 4 ; j++, i++) {
2158 struct compat_ebt_entry_mwt *match32;
2159 unsigned int size;
2160 char *buf = buf_start + offsets[i];
2161
2162 if (offsets[i] > offsets[j])
2163 return -EINVAL;
2164
2165 match32 = (struct compat_ebt_entry_mwt *) buf;
2166 size = offsets[j] - offsets[i];
2167 ret = ebt_size_mwt(match32, size, i, state, base);
2168 if (ret < 0)
2169 return ret;
2170 new_offset += ret;
2171 if (offsets_update && new_offset) {
2172 pr_debug("change offset %d to %d\n",
2173 offsets_update[i], offsets[j] + new_offset);
2174 offsets_update[i] = offsets[j] + new_offset;
2175 }
2176 }
2177
2178 if (state->buf_kern_start == NULL) {
2179 unsigned int offset = buf_start - (char *) base;
2180
2181 ret = xt_compat_add_offset(NFPROTO_BRIDGE, offset, new_offset);
2182 if (ret < 0)
2183 return ret;
2184 }
2185
2186 startoff = state->buf_user_offset - startoff;
2187
2188 if (WARN_ON(*total < startoff))
2189 return -EINVAL;
2190 *total -= startoff;
2191 return 0;
2192}
2193
2194
2195
2196
2197
2198
2199
2200static int compat_copy_entries(unsigned char *data, unsigned int size_user,
2201 struct ebt_entries_buf_state *state)
2202{
2203 unsigned int size_remaining = size_user;
2204 int ret;
2205
2206 ret = EBT_ENTRY_ITERATE(data, size_user, size_entry_mwt, data,
2207 &size_remaining, state);
2208 if (ret < 0)
2209 return ret;
2210
2211 WARN_ON(size_remaining);
2212 return state->buf_kern_offset;
2213}
2214
2215
2216static int compat_copy_ebt_replace_from_user(struct ebt_replace *repl,
2217 void __user *user, unsigned int len)
2218{
2219 struct compat_ebt_replace tmp;
2220 int i;
2221
2222 if (len < sizeof(tmp))
2223 return -EINVAL;
2224
2225 if (copy_from_user(&tmp, user, sizeof(tmp)))
2226 return -EFAULT;
2227
2228 if (len != sizeof(tmp) + tmp.entries_size)
2229 return -EINVAL;
2230
2231 if (tmp.entries_size == 0)
2232 return -EINVAL;
2233
2234 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) /
2235 NR_CPUS - SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
2236 return -ENOMEM;
2237 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
2238 return -ENOMEM;
2239
2240 memcpy(repl, &tmp, offsetof(struct ebt_replace, hook_entry));
2241
2242
2243 for (i = 0; i < NF_BR_NUMHOOKS; i++)
2244 repl->hook_entry[i] = compat_ptr(tmp.hook_entry[i]);
2245
2246 repl->num_counters = tmp.num_counters;
2247 repl->counters = compat_ptr(tmp.counters);
2248 repl->entries = compat_ptr(tmp.entries);
2249 return 0;
2250}
2251
2252static int compat_do_replace(struct net *net, void __user *user,
2253 unsigned int len)
2254{
2255 int ret, i, countersize, size64;
2256 struct ebt_table_info *newinfo;
2257 struct ebt_replace tmp;
2258 struct ebt_entries_buf_state state;
2259 void *entries_tmp;
2260
2261 ret = compat_copy_ebt_replace_from_user(&tmp, user, len);
2262 if (ret) {
2263
2264 if (ret == -EINVAL && do_replace(net, user, len) == 0)
2265 ret = 0;
2266 return ret;
2267 }
2268
2269 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
2270 newinfo = vmalloc(sizeof(*newinfo) + countersize);
2271 if (!newinfo)
2272 return -ENOMEM;
2273
2274 if (countersize)
2275 memset(newinfo->counters, 0, countersize);
2276
2277 memset(&state, 0, sizeof(state));
2278
2279 newinfo->entries = vmalloc(tmp.entries_size);
2280 if (!newinfo->entries) {
2281 ret = -ENOMEM;
2282 goto free_newinfo;
2283 }
2284 if (copy_from_user(
2285 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
2286 ret = -EFAULT;
2287 goto free_entries;
2288 }
2289
2290 entries_tmp = newinfo->entries;
2291
2292 xt_compat_lock(NFPROTO_BRIDGE);
2293
2294 ret = xt_compat_init_offsets(NFPROTO_BRIDGE, tmp.nentries);
2295 if (ret < 0)
2296 goto out_unlock;
2297 ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
2298 if (ret < 0)
2299 goto out_unlock;
2300
2301 pr_debug("tmp.entries_size %d, kern off %d, user off %d delta %d\n",
2302 tmp.entries_size, state.buf_kern_offset, state.buf_user_offset,
2303 xt_compat_calc_jump(NFPROTO_BRIDGE, tmp.entries_size));
2304
2305 size64 = ret;
2306 newinfo->entries = vmalloc(size64);
2307 if (!newinfo->entries) {
2308 vfree(entries_tmp);
2309 ret = -ENOMEM;
2310 goto out_unlock;
2311 }
2312
2313 memset(&state, 0, sizeof(state));
2314 state.buf_kern_start = newinfo->entries;
2315 state.buf_kern_len = size64;
2316
2317 ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
2318 if (WARN_ON(ret < 0))
2319 goto out_unlock;
2320
2321 vfree(entries_tmp);
2322 tmp.entries_size = size64;
2323
2324 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
2325 char __user *usrptr;
2326 if (tmp.hook_entry[i]) {
2327 unsigned int delta;
2328 usrptr = (char __user *) tmp.hook_entry[i];
2329 delta = usrptr - tmp.entries;
2330 usrptr += xt_compat_calc_jump(NFPROTO_BRIDGE, delta);
2331 tmp.hook_entry[i] = (struct ebt_entries __user *)usrptr;
2332 }
2333 }
2334
2335 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2336 xt_compat_unlock(NFPROTO_BRIDGE);
2337
2338 ret = do_replace_finish(net, &tmp, newinfo);
2339 if (ret == 0)
2340 return ret;
2341free_entries:
2342 vfree(newinfo->entries);
2343free_newinfo:
2344 vfree(newinfo);
2345 return ret;
2346out_unlock:
2347 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2348 xt_compat_unlock(NFPROTO_BRIDGE);
2349 goto free_entries;
2350}
2351
2352static int compat_update_counters(struct net *net, void __user *user,
2353 unsigned int len)
2354{
2355 struct compat_ebt_replace hlp;
2356
2357 if (copy_from_user(&hlp, user, sizeof(hlp)))
2358 return -EFAULT;
2359
2360
2361 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
2362 return update_counters(net, user, len);
2363
2364 return do_update_counters(net, hlp.name, compat_ptr(hlp.counters),
2365 hlp.num_counters, user, len);
2366}
2367
2368static int compat_do_ebt_set_ctl(struct sock *sk,
2369 int cmd, void __user *user, unsigned int len)
2370{
2371 int ret;
2372 struct net *net = sock_net(sk);
2373
2374 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
2375 return -EPERM;
2376
2377 switch (cmd) {
2378 case EBT_SO_SET_ENTRIES:
2379 ret = compat_do_replace(net, user, len);
2380 break;
2381 case EBT_SO_SET_COUNTERS:
2382 ret = compat_update_counters(net, user, len);
2383 break;
2384 default:
2385 ret = -EINVAL;
2386 }
2387 return ret;
2388}
2389
2390static int compat_do_ebt_get_ctl(struct sock *sk, int cmd,
2391 void __user *user, int *len)
2392{
2393 int ret;
2394 struct compat_ebt_replace tmp;
2395 struct ebt_table *t;
2396 struct net *net = sock_net(sk);
2397
2398 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
2399 return -EPERM;
2400
2401
2402 if ((cmd == EBT_SO_GET_INFO ||
2403 cmd == EBT_SO_GET_INIT_INFO) && *len != sizeof(tmp))
2404 return do_ebt_get_ctl(sk, cmd, user, len);
2405
2406 if (copy_from_user(&tmp, user, sizeof(tmp)))
2407 return -EFAULT;
2408
2409 tmp.name[sizeof(tmp.name) - 1] = '\0';
2410
2411 t = find_table_lock(net, tmp.name, &ret, &ebt_mutex);
2412 if (!t)
2413 return ret;
2414
2415 xt_compat_lock(NFPROTO_BRIDGE);
2416 switch (cmd) {
2417 case EBT_SO_GET_INFO:
2418 tmp.nentries = t->private->nentries;
2419 ret = compat_table_info(t->private, &tmp);
2420 if (ret)
2421 goto out;
2422 tmp.valid_hooks = t->valid_hooks;
2423
2424 if (copy_to_user(user, &tmp, *len) != 0) {
2425 ret = -EFAULT;
2426 break;
2427 }
2428 ret = 0;
2429 break;
2430 case EBT_SO_GET_INIT_INFO:
2431 tmp.nentries = t->table->nentries;
2432 tmp.entries_size = t->table->entries_size;
2433 tmp.valid_hooks = t->table->valid_hooks;
2434
2435 if (copy_to_user(user, &tmp, *len) != 0) {
2436 ret = -EFAULT;
2437 break;
2438 }
2439 ret = 0;
2440 break;
2441 case EBT_SO_GET_ENTRIES:
2442 case EBT_SO_GET_INIT_ENTRIES:
2443
2444
2445
2446
2447
2448
2449
2450
2451 if (copy_everything_to_user(t, user, len, cmd) == 0)
2452 ret = 0;
2453 else
2454 ret = compat_copy_everything_to_user(t, user, len, cmd);
2455 break;
2456 default:
2457 ret = -EINVAL;
2458 }
2459 out:
2460 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2461 xt_compat_unlock(NFPROTO_BRIDGE);
2462 mutex_unlock(&ebt_mutex);
2463 return ret;
2464}
2465#endif
2466
2467static struct nf_sockopt_ops ebt_sockopts = {
2468 .pf = PF_INET,
2469 .set_optmin = EBT_BASE_CTL,
2470 .set_optmax = EBT_SO_SET_MAX + 1,
2471 .set = do_ebt_set_ctl,
2472#ifdef CONFIG_COMPAT
2473 .compat_set = compat_do_ebt_set_ctl,
2474#endif
2475 .get_optmin = EBT_BASE_CTL,
2476 .get_optmax = EBT_SO_GET_MAX + 1,
2477 .get = do_ebt_get_ctl,
2478#ifdef CONFIG_COMPAT
2479 .compat_get = compat_do_ebt_get_ctl,
2480#endif
2481 .owner = THIS_MODULE,
2482};
2483
2484static int __init ebtables_init(void)
2485{
2486 int ret;
2487
2488 ret = xt_register_target(&ebt_standard_target);
2489 if (ret < 0)
2490 return ret;
2491 ret = nf_register_sockopt(&ebt_sockopts);
2492 if (ret < 0) {
2493 xt_unregister_target(&ebt_standard_target);
2494 return ret;
2495 }
2496
2497 return 0;
2498}
2499
2500static void __exit ebtables_fini(void)
2501{
2502 nf_unregister_sockopt(&ebt_sockopts);
2503 xt_unregister_target(&ebt_standard_target);
2504}
2505
2506EXPORT_SYMBOL(ebt_register_table);
2507EXPORT_SYMBOL(ebt_unregister_table);
2508EXPORT_SYMBOL(ebt_do_table);
2509module_init(ebtables_init);
2510module_exit(ebtables_fini);
2511MODULE_LICENSE("GPL");
2512
