[NETFILTER]: bridge-netfilter: fix net_device refcnt leaks
1 /*
2  *      Spanning tree protocol; BPDU handling
3  *      Linux ethernet bridge
4  *
5  *      Authors:
6  *      Lennert Buytenhek               <buytenh@gnu.org>
7  *
8  *      $Id: br_stp_bpdu.c,v 1.3 2001/11/10 02:35:25 davem Exp $
9  *
10  *      This program is free software; you can redistribute it and/or
11  *      modify it under the terms of the GNU General Public License
12  *      as published by the Free Software Foundation; either version
13  *      2 of the License, or (at your option) any later version.
14  */
15
16 #include <linux/kernel.h>
17 #include <linux/netfilter_bridge.h>
18 #include <linux/etherdevice.h>
19 #include <linux/llc.h>
20 #include <net/net_namespace.h>
21 #include <net/llc.h>
22 #include <net/llc_pdu.h>
23 #include <asm/unaligned.h>
24
25 #include "br_private.h"
26 #include "br_private_stp.h"
27
28 #define STP_HZ          256
29
30 #define LLC_RESERVE sizeof(struct llc_pdu_un)
31
/*
 * Wrap an already-serialised BPDU in an LLC UI frame and hand it to the
 * bridge LOCAL_OUT netfilter hook for transmission on port p.
 *
 * data/length describe the BPDU payload. Both callers in this file pass a
 * fixed-size stack buffer and a constant length; no range check is done
 * here, and __skb_put() is the unchecked variant, so the write is only
 * bounded by the length + LLC_RESERVE allocation made just above it.
 *
 * If the skb cannot be allocated the BPDU is dropped without any report
 * to the caller.
 */
static void br_send_bpdu(struct net_bridge_port *p,
                         const unsigned char *data, int length)
{
        struct sk_buff *skb = dev_alloc_skb(length + LLC_RESERVE);
        unsigned char *payload;

        if (skb == NULL)
                return;

        skb->dev = p->dev;
        skb->protocol = htons(ETH_P_802_2);

        /* leave headroom for the LLC header that is pushed below */
        skb_reserve(skb, LLC_RESERVE);
        payload = __skb_put(skb, length);
        memcpy(payload, data, length);

        /* both SAPs are the spanning-tree SAP; sent as an unnumbered command */
        llc_pdu_header_init(skb, LLC_PDU_TYPE_U, LLC_SAP_BSPAN,
                            LLC_SAP_BSPAN, LLC_PDU_CMD);
        llc_pdu_init_as_ui_cmd(skb);

        /* source is the port device address, destination the bridge group address */
        llc_mac_hdr_init(skb, p->dev->dev_addr, p->br->group_addr);

        NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
                dev_queue_xmit);
}
56
/*
 * Store the timer value j (in units of 1/HZ) at dest as a big-endian
 * 16-bit count of 1/STP_HZ units. dest need not be aligned. The scaled
 * value is truncated to 16 bits by htons().
 */
static inline void br_set_ticks(unsigned char *dest, int j)
{
        __be16 *wire = (__be16 *)dest;
        unsigned long stp_ticks = (STP_HZ * j) / HZ;

        put_unaligned(htons(stp_ticks), wire);
}
63
/*
 * Read a big-endian 16-bit count of 1/STP_HZ units from src (which need
 * not be aligned) and return it scaled to units of 1/HZ, rounded up.
 */
static inline int br_get_ticks(const unsigned char *src)
{
        __be16 wire = get_unaligned((__be16 *)src);
        unsigned long stp_ticks = ntohs(wire);

        return DIV_ROUND_UP(stp_ticks * HZ, STP_HZ);
}
70
/*
 * Serialise a configuration BPDU into its 35-byte wire layout and send it
 * on port p. Does nothing unless the bridge runs the in-kernel STP.
 *
 * called under bridge lock
 */
void br_send_config_bpdu(struct net_bridge_port *p, struct br_config_bpdu *bpdu)
{
        unsigned char buf[35];
        unsigned char flags = 0;

        if (p->br->stp_enabled != BR_KERNEL_STP)
                return;

        /* bytes 0-2: protocol id and version, all zero */
        memset(buf, 0, 3);
        buf[3] = BPDU_TYPE_CONFIG;

        /* byte 4: flags, bit 0 = topology change, bit 7 = its acknowledgement */
        if (bpdu->topology_change)
                flags |= 0x01;
        if (bpdu->topology_change_ack)
                flags |= 0x80;
        buf[4] = flags;

        /* bytes 5-12: root id, two priority bytes then six address bytes */
        memcpy(buf + 5, bpdu->root.prio, 2);
        memcpy(buf + 7, bpdu->root.addr, 6);

        /* bytes 13-16: root path cost, most significant byte first */
        buf[13] = (bpdu->root_path_cost >> 24) & 0xFF;
        buf[14] = (bpdu->root_path_cost >> 16) & 0xFF;
        buf[15] = (bpdu->root_path_cost >> 8) & 0xFF;
        buf[16] = bpdu->root_path_cost & 0xFF;

        /* bytes 17-24: sending bridge id, same layout as the root id */
        memcpy(buf + 17, bpdu->bridge_id.prio, 2);
        memcpy(buf + 19, bpdu->bridge_id.addr, 6);

        /* bytes 25-26: port id, most significant byte first */
        buf[25] = (bpdu->port_id >> 8) & 0xFF;
        buf[26] = bpdu->port_id & 0xFF;

        /* bytes 27-34: four 16-bit timer values in 1/STP_HZ units */
        br_set_ticks(buf + 27, bpdu->message_age);
        br_set_ticks(buf + 29, bpdu->max_age);
        br_set_ticks(buf + 31, bpdu->hello_time);
        br_set_ticks(buf + 33, bpdu->forward_delay);

        br_send_bpdu(p, buf, sizeof(buf));
}
115
/*
 * Send a topology change notification BPDU on port p: three zero bytes
 * (protocol id and version) followed by the TCN type byte. Does nothing
 * unless the bridge runs the in-kernel STP.
 *
 * called under bridge lock
 */
void br_send_tcn_bpdu(struct net_bridge_port *p)
{
        unsigned char buf[4] = { 0, 0, 0, BPDU_TYPE_TCN };

        if (p->br->stp_enabled == BR_KERNEL_STP)
                br_send_bpdu(p, buf, sizeof(buf));
}
130
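/*
 * Receive handler for spanning tree BPDUs. Called from llc.
 *
 * NO locks, but rcu_read_lock (preempt_disabled)
 *
 * The frame comes straight off the wire, so every byte read from it is
 * untrusted: each access below is preceded by a pskb_may_pull() that
 * guarantees the bytes are present in the linear area.
 *
 * The skb is always consumed and the return value is always 0; frames
 * that fail any check are dropped silently.
 */
int br_stp_rcv(struct sk_buff *skb, struct net_device *dev,
               struct packet_type *pt, struct net_device *orig_dev)
{
        /* NOTE(review): presumably the LLC layer has already validated that
         * this header is present; only read before any pskb_may_pull(). */
        const struct llc_pdu_un *pdu = llc_pdu_un_hdr(skb);
        struct net_bridge_port *p = rcu_dereference(dev->br_port);
        struct net_bridge *br;
        const unsigned char *buf;

        if (dev->nd_net != &init_net)
                goto err;

        /* device is not a bridge port */
        if (!p)
                goto err;

        if (pdu->ssap != LLC_SAP_BSPAN
            || pdu->dsap != LLC_SAP_BSPAN
            || pdu->ctrl_1 != LLC_PDU_TYPE_U)
                goto err;

        /* protocol id (2), version (1) and BPDU type (1) */
        if (!pskb_may_pull(skb, 4))
                goto err;

        /* compare of protocol id and version */
        buf = skb->data;
        if (buf[0] != 0 || buf[1] != 0 || buf[2] != 0)
                goto err;

        br = p->br;
        spin_lock(&br->lock);

        if (br->stp_enabled != BR_KERNEL_STP)
                goto out;

        if (!(br->dev->flags & IFF_UP))
                goto out;

        if (p->state == BR_STATE_DISABLED)
                goto out;

        /*
         * Fetch the destination address here rather than caching a pointer
         * at function entry: pskb_may_pull() above may have reallocated the
         * skb head, which would leave an earlier pointer into the ethernet
         * header dangling.
         */
        if (compare_ether_addr(eth_hdr(skb)->h_dest, br->group_addr) != 0)
                goto out;

        /* skip protocol id and version; buf[0] is now the BPDU type */
        buf = skb_pull(skb, 3);

        if (buf[0] == BPDU_TYPE_CONFIG) {
                struct br_config_bpdu bpdu;

                /* type byte plus 31 bytes of config BPDU body */
                if (!pskb_may_pull(skb, 32))
                        goto out;

                /* reload: the pull may have moved the data */
                buf = skb->data;
                bpdu.topology_change = (buf[1] & 0x01) ? 1 : 0;
                bpdu.topology_change_ack = (buf[1] & 0x80) ? 1 : 0;

                bpdu.root.prio[0] = buf[2];
                bpdu.root.prio[1] = buf[3];
                bpdu.root.addr[0] = buf[4];
                bpdu.root.addr[1] = buf[5];
                bpdu.root.addr[2] = buf[6];
                bpdu.root.addr[3] = buf[7];
                bpdu.root.addr[4] = buf[8];
                bpdu.root.addr[5] = buf[9];
                /*
                 * Widen to u32 before shifting: an unsigned char promotes to
                 * int, and shifting a byte >= 0x80 left by 24 would overflow
                 * a signed int.
                 */
                bpdu.root_path_cost =
                        ((u32)buf[10] << 24) |
                        ((u32)buf[11] << 16) |
                        ((u32)buf[12] << 8) |
                        (u32)buf[13];
                bpdu.bridge_id.prio[0] = buf[14];
                bpdu.bridge_id.prio[1] = buf[15];
                bpdu.bridge_id.addr[0] = buf[16];
                bpdu.bridge_id.addr[1] = buf[17];
                bpdu.bridge_id.addr[2] = buf[18];
                bpdu.bridge_id.addr[3] = buf[19];
                bpdu.bridge_id.addr[4] = buf[20];
                bpdu.bridge_id.addr[5] = buf[21];
                bpdu.port_id = (buf[22] << 8) | buf[23];

                /*
                 * NOTE(review): the four timer values are taken from the
                 * wire without any range or consistency check (for example
                 * message_age against max_age) before being handed to the
                 * STP state machine - confirm the callee tolerates that.
                 */
                bpdu.message_age = br_get_ticks(buf+24);
                bpdu.max_age = br_get_ticks(buf+26);
                bpdu.hello_time = br_get_ticks(buf+28);
                bpdu.forward_delay = br_get_ticks(buf+30);

                br_received_config_bpdu(p, &bpdu);
        }

        else if (buf[0] == BPDU_TYPE_TCN) {
                br_received_tcn_bpdu(p);
        }
 out:
        spin_unlock(&br->lock);
 err:
        kfree_skb(skb);
        return 0;
}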