+static int
+wprobe_check_filter(void *data, int datalen, int gs)
+{
+ struct wprobe_filter_item_hdr *hdr;
+ void *orig_data = data;
+ void *end = data + datalen;
+ int i, j, k, is, cur_is;
+
+ for (i = j = is = 0; i < gs; i++) {
+ hdr = data;
+ data += sizeof(*hdr);
+
+ if (data > end)
+ goto overrun;
+
+ hdr->name[31] = 0;
+ cur_is = be32_to_cpu(hdr->n_items);
+ hdr->n_items = cur_is;
+ is += cur_is;
+ for (j = 0; j < cur_is; j++) {
+ struct sock_filter *sf;
+ int n_items;
+
+ hdr = data;
+ data += sizeof(*hdr);
+ if (data > end)
+ goto overrun;
+
+ hdr->name[31] = 0;
+ n_items = be32_to_cpu(hdr->n_items);
+ hdr->n_items = n_items;
+
+ if (n_items > 1024)
+ goto overrun;
+
+ sf = data;
+ if (n_items > 0) {
+ for (k = 0; k < n_items; k++) {
+ sf->code = be16_to_cpu(sf->code);
+ sf->k = be32_to_cpu(sf->k);
+ sf++;
+ }
+ if (sk_chk_filter(data, n_items) != 0) {
+ printk("%s: filter check failed at group %d, item %d\n", __func__, i, j);
+ return 0;
+ }
+ }
+ data += n_items * sizeof(struct sock_filter);
+ }
+ }
+ return is;
+
+overrun:
+ printk(KERN_ERR "%s: overrun during filter check at group %d, item %d, offset=%d, len=%d\n", __func__, i, j, (data - orig_data), datalen);
+ return 0;
+}
+
+static void
+wprobe_free_filter(struct wprobe_filter *f)
+{
+ if (f->skb)
+ kfree_skb(f->skb);
+ if (f->data)
+ kfree(f->data);
+ if (f->items)
+ kfree(f->items);
+ if (f->counters)
+ kfree(f->counters);
+ kfree(f);
+}
+
+
+static int
+wprobe_set_filter(struct wprobe_iface *dev, void *data, int len)
+{
+ struct wprobe_filter_hdr *fhdr;
+ struct wprobe_rtap_hdr *rtap;
+ struct wprobe_filter *f;
+ int i, j, cur_is, is, gs;
+
+ if (len < sizeof(*fhdr))
+ return -EINVAL;
+
+ fhdr = data;
+ data += sizeof(*fhdr);
+ len -= sizeof(*fhdr);
+
+ if (memcmp(fhdr->magic, "WPFF", 4) != 0) {
+ printk(KERN_ERR "%s: filter rejected (invalid magic)\n", __func__);
+ return -EINVAL;
+ }
+
+ gs = be16_to_cpu(fhdr->n_groups);
+ is = wprobe_check_filter(data, len, gs);
+ if (is == 0)
+ return -EINVAL;
+
+ f = kzalloc(sizeof(struct wprobe_filter) +
+ gs * sizeof(struct wprobe_filter_group), GFP_ATOMIC);
+ if (!f)
+ return -ENOMEM;
+
+ f->skb = alloc_skb(WPROBE_MAX_FRAME_SIZE, GFP_ATOMIC);
+ if (!f->skb)
+ goto error;
+
+ f->data = kmalloc(len, GFP_ATOMIC);
+ if (!f->data)
+ goto error;
+
+ f->items = kzalloc(sizeof(struct wprobe_filter_item *) * is, GFP_ATOMIC);
+ if (!f->items)
+ goto error;
+
+ f->counters = kzalloc(sizeof(struct wprobe_filter_counter) * is, GFP_ATOMIC);
+ if (!f->counters)
+ goto error;
+
+ spin_lock_init(&f->lock);
+ memcpy(f->data, data, len);
+ f->n_groups = gs;
+
+ if (f->hdrlen < sizeof(struct wprobe_wlan_hdr))
+ f->hdrlen = sizeof(struct wprobe_wlan_hdr);
+
+ rtap = (struct wprobe_rtap_hdr *)skb_put(f->skb, sizeof(*rtap));
+ memset(rtap, 0, sizeof(*rtap));
+ rtap->len = cpu_to_le16(sizeof(struct wprobe_rtap_hdr) + f->hdrlen);
+ data = f->data;
+
+ cur_is = 0;
+ for (i = 0; i < gs; i++) {
+ struct wprobe_filter_item_hdr *hdr = data;
+ struct wprobe_filter_group *g = &f->groups[i];
+
+ data += sizeof(*hdr);
+ g->name = hdr->name;
+ g->items = &f->items[cur_is];
+ g->counters = &f->counters[cur_is];
+ g->n_items = hdr->n_items;
+
+ for (j = 0; j < g->n_items; j++) {
+ hdr = data;
+ f->items[cur_is++] = data;
+ data += sizeof(*hdr) + hdr->n_items * sizeof(struct sock_filter);
+ }
+ }
+ rcu_assign_pointer(dev->active_filter, f);
+ return 0;
+
+error:
+ wprobe_free_filter(f);
+ return -ENOMEM;
+}
+
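Review bot: In `wprobe_check_filter` the per-item count is only tested with `n_items > 1024`, so the `sf->code`/`sf->k` byte-swap loop and `sk_chk_filter()` run over the instruction array before anything confirms that `data + n_items * sizeof(struct sock_filter)` still lies within `end`. The only `data > end` tests come after the next header has been consumed, so the last item of the last group is never checked at all. `n_items` and `cur_is` are signed `int`s taken from `be32_to_cpu()`: a negative `n_items` passes the `> 1024` test and makes `data += n_items * sizeof(struct sock_filter)` step outside the buffer. A negative `cur_is` lowers the returned total `is`, which can then fall below the number of entries `wprobe_set_filter` writes through `f->items[cur_is++]` into an array sized from `is`. Where `data` originates is not visible in these lines, but the magic check and byte-order conversions suggest an externally supplied blob, so both counts should be range-checked against the remaining length before the buffer is modified, as sketched below.

```c
		cur_is = be32_to_cpu(hdr->n_items);
		/* each item needs at least a header; this also bounds the running total */
		if (cur_is < 0 || cur_is > (size_t)(end - data) / sizeof(*hdr))
			goto overrun;
		/* … unchanged: store cur_is, add to is, enter item loop, read item header … */
			n_items = be32_to_cpu(hdr->n_items);
			/* the instruction array must fit before it is byte-swapped in place */
			if (n_items < 0 || n_items > 1024 ||
			    n_items * sizeof(struct sock_filter) > (size_t)(end - data))
				goto overrun;
		/* … unchanged: byte-swap loop, sk_chk_filter call, advance data … */
```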