[BRIDGE]: prevent bad forwarding table updates
[linux-2.6] / net / bridge / br_stp_bpdu.c
1 /*
2  *      Spanning tree protocol; BPDU handling
3  *      Linux ethernet bridge
4  *
5  *      Authors:
6  *      Lennert Buytenhek               <buytenh@gnu.org>
7  *
8  *      $Id: br_stp_bpdu.c,v 1.3 2001/11/10 02:35:25 davem Exp $
9  *
10  *      This program is free software; you can redistribute it and/or
11  *      modify it under the terms of the GNU General Public License
12  *      as published by the Free Software Foundation; either version
13  *      2 of the License, or (at your option) any later version.
14  */
15
16 #include <linux/kernel.h>
17 #include <linux/netfilter_bridge.h>
18
19 #include "br_private.h"
20 #include "br_private_stp.h"
21
22 #define JIFFIES_TO_TICKS(j) (((j) << 8) / HZ)
23 #define TICKS_TO_JIFFIES(j) (((j) * HZ) >> 8)
24
25 static void br_send_bpdu(struct net_bridge_port *p, unsigned char *data, int length)
26 {
27         struct net_device *dev;
28         struct sk_buff *skb;
29         int size;
30
31         if (!p->br->stp_enabled)
32                 return;
33
34         size = length + 2*ETH_ALEN + 2;
35         if (size < 60)
36                 size = 60;
37
38         dev = p->dev;
39
40         if ((skb = dev_alloc_skb(size)) == NULL) {
41                 printk(KERN_INFO "br: memory squeeze!\n");
42                 return;
43         }
44
45         skb->dev = dev;
46         skb->protocol = htons(ETH_P_802_2);
47         skb->mac.raw = skb_put(skb, size);
48         memcpy(skb->mac.raw, bridge_ula, ETH_ALEN);
49         memcpy(skb->mac.raw+ETH_ALEN, dev->dev_addr, ETH_ALEN);
50         skb->mac.raw[2*ETH_ALEN] = 0;
51         skb->mac.raw[2*ETH_ALEN+1] = length;
52         skb->nh.raw = skb->mac.raw + 2*ETH_ALEN + 2;
53         memcpy(skb->nh.raw, data, length);
54         memset(skb->nh.raw + length, 0xa5, size - length - 2*ETH_ALEN - 2);
55
56         NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
57                 dev_queue_xmit);
58 }
59
60 static __inline__ void br_set_ticks(unsigned char *dest, int jiff)
61 {
62         __u16 ticks;
63
64         ticks = JIFFIES_TO_TICKS(jiff);
65         dest[0] = (ticks >> 8) & 0xFF;
66         dest[1] = ticks & 0xFF;
67 }
68
69 static __inline__ int br_get_ticks(unsigned char *dest)
70 {
71         return TICKS_TO_JIFFIES((dest[0] << 8) | dest[1]);
72 }
73
74 /* called under bridge lock */
75 void br_send_config_bpdu(struct net_bridge_port *p, struct br_config_bpdu *bpdu)
76 {
77         unsigned char buf[38];
78
79         buf[0] = 0x42;
80         buf[1] = 0x42;
81         buf[2] = 0x03;
82         buf[3] = 0;
83         buf[4] = 0;
84         buf[5] = 0;
85         buf[6] = BPDU_TYPE_CONFIG;
86         buf[7] = (bpdu->topology_change ? 0x01 : 0) |
87                 (bpdu->topology_change_ack ? 0x80 : 0);
88         buf[8] = bpdu->root.prio[0];
89         buf[9] = bpdu->root.prio[1];
90         buf[10] = bpdu->root.addr[0];
91         buf[11] = bpdu->root.addr[1];
92         buf[12] = bpdu->root.addr[2];
93         buf[13] = bpdu->root.addr[3];
94         buf[14] = bpdu->root.addr[4];
95         buf[15] = bpdu->root.addr[5];
96         buf[16] = (bpdu->root_path_cost >> 24) & 0xFF;
97         buf[17] = (bpdu->root_path_cost >> 16) & 0xFF;
98         buf[18] = (bpdu->root_path_cost >> 8) & 0xFF;
99         buf[19] = bpdu->root_path_cost & 0xFF;
100         buf[20] = bpdu->bridge_id.prio[0];
101         buf[21] = bpdu->bridge_id.prio[1];
102         buf[22] = bpdu->bridge_id.addr[0];
103         buf[23] = bpdu->bridge_id.addr[1];
104         buf[24] = bpdu->bridge_id.addr[2];
105         buf[25] = bpdu->bridge_id.addr[3];
106         buf[26] = bpdu->bridge_id.addr[4];
107         buf[27] = bpdu->bridge_id.addr[5];
108         buf[28] = (bpdu->port_id >> 8) & 0xFF;
109         buf[29] = bpdu->port_id & 0xFF;
110
111         br_set_ticks(buf+30, bpdu->message_age);
112         br_set_ticks(buf+32, bpdu->max_age);
113         br_set_ticks(buf+34, bpdu->hello_time);
114         br_set_ticks(buf+36, bpdu->forward_delay);
115
116         br_send_bpdu(p, buf, 38);
117 }
118
119 /* called under bridge lock */
120 void br_send_tcn_bpdu(struct net_bridge_port *p)
121 {
122         unsigned char buf[7];
123
124         buf[0] = 0x42;
125         buf[1] = 0x42;
126         buf[2] = 0x03;
127         buf[3] = 0;
128         buf[4] = 0;
129         buf[5] = 0;
130         buf[6] = BPDU_TYPE_TCN;
131         br_send_bpdu(p, buf, 7);
132 }
133
134 static const unsigned char header[6] = {0x42, 0x42, 0x03, 0x00, 0x00, 0x00};
135
136 /* NO locks */
137 int br_stp_handle_bpdu(struct sk_buff *skb)
138 {
139         struct net_bridge_port *p = skb->dev->br_port;
140         struct net_bridge *br = p->br;
141         unsigned char *buf;
142
143         /* insert into forwarding database after filtering to avoid spoofing */
144         br_fdb_update(p->br, p, eth_hdr(skb)->h_source);
145
146         /* need at least the 802 and STP headers */
147         if (!pskb_may_pull(skb, sizeof(header)+1) ||
148             memcmp(skb->data, header, sizeof(header)))
149                 goto err;
150
151         buf = skb_pull(skb, sizeof(header));
152
153         spin_lock_bh(&br->lock);
154         if (p->state == BR_STATE_DISABLED 
155             || !(br->dev->flags & IFF_UP)
156             || !br->stp_enabled)
157                 goto out;
158
159         if (buf[0] == BPDU_TYPE_CONFIG) {
160                 struct br_config_bpdu bpdu;
161
162                 if (!pskb_may_pull(skb, 32))
163                     goto out;
164
165                 buf = skb->data;
166                 bpdu.topology_change = (buf[1] & 0x01) ? 1 : 0;
167                 bpdu.topology_change_ack = (buf[1] & 0x80) ? 1 : 0;
168
169                 bpdu.root.prio[0] = buf[2];
170                 bpdu.root.prio[1] = buf[3];
171                 bpdu.root.addr[0] = buf[4];
172                 bpdu.root.addr[1] = buf[5];
173                 bpdu.root.addr[2] = buf[6];
174                 bpdu.root.addr[3] = buf[7];
175                 bpdu.root.addr[4] = buf[8];
176                 bpdu.root.addr[5] = buf[9];
177                 bpdu.root_path_cost =
178                         (buf[10] << 24) |
179                         (buf[11] << 16) |
180                         (buf[12] << 8) |
181                         buf[13];
182                 bpdu.bridge_id.prio[0] = buf[14];
183                 bpdu.bridge_id.prio[1] = buf[15];
184                 bpdu.bridge_id.addr[0] = buf[16];
185                 bpdu.bridge_id.addr[1] = buf[17];
186                 bpdu.bridge_id.addr[2] = buf[18];
187                 bpdu.bridge_id.addr[3] = buf[19];
188                 bpdu.bridge_id.addr[4] = buf[20];
189                 bpdu.bridge_id.addr[5] = buf[21];
190                 bpdu.port_id = (buf[22] << 8) | buf[23];
191
192                 bpdu.message_age = br_get_ticks(buf+24);
193                 bpdu.max_age = br_get_ticks(buf+26);
194                 bpdu.hello_time = br_get_ticks(buf+28);
195                 bpdu.forward_delay = br_get_ticks(buf+30);
196
197                 br_received_config_bpdu(p, &bpdu);
198         }
199
200         else if (buf[0] == BPDU_TYPE_TCN) {
201                 br_received_tcn_bpdu(p);
202         }
203  out:
204         spin_unlock_bh(&br->lock);
205  err:
206         kfree_skb(skb);
207         return 0;
208 }