Filter SocketCAN frames in userland if necessary.

infrastation · infrastation · commit 2afd5f27b440 · 2025-03-10T12:26:15.000Z
On Linux little-endian hosts the first four bytes of a SocketCAN frame are the opposite byte order at the kernel side of the socket, so a filter program that accesses any of these bytes needs either to account for the byte order difference (if possible) or to run in userland. Implement this logic in fix_dlt_can_socketcan() and call it from fix_program() if necessary. See also GitHub bug report #1247.
diff --git a/CHANGES b/CHANGES
@@ -50,6 +50,7 @@ DayOfTheWeek, Month DD, YYYY / The Tcpdump Group
       Deprecate bpf_filter().
       Require a live capture for all Linux BPF extensions.
       Have "outbound" mean Tx only for DLT_SLIP.
+      Filter Linux SocketCAN frames in userland if necessary.
     rpcap:
       Support user names and passwords in rpcap:// and rpcaps:// URLs.
       Add a -t flag to rpcapd to specify the data channel port; from
diff --git a/pcap-linux.c b/pcap-linux.c
@@ -5821,6 +5821,62 @@ iface_get_arptype(int fd, const char *device, char *ebuf)
 	return ifr.ifr_hwaddr.sa_family;
 }
 
+/*
+ * In a DLT_CAN_SOCKETCAN frame the first four bytes are a 32-bit integer
+ * value in host byte order if the filter program is running in the kernel and
+ * in network byte order if in userland.  This applies to both CC, FD and XL
+ * frames, see pcap_handle_packet_mmap() for the rationale.  Return 1 iff the
+ * [possibly modified] filter program can work correctly in the kernel.
+ */
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+static int
+fix_dlt_can_socketcan(const u_int len, struct bpf_insn insn[])
+{
+	for (u_int i = 0; i < len; ++i) {
+		switch (insn[i].code) {
+		case BPF_LD|BPF_B|BPF_ABS: // ldb [k]
+		case BPF_LDX|BPF_MSH|BPF_B: // ldxb 4*([k]&0xf)
+			if (insn[i].k < 4)
+				insn[i].k = 3 - insn[i].k; // Fixed now.
+			break;
+		case BPF_LD|BPF_H|BPF_ABS: // ldh [k]
+		case BPF_LD|BPF_W|BPF_ABS: // ld [k]
+			/*
+			 * A halfword or a word load cannot be fixed by just
+			 * changing k, even if every required byte is within
+			 * the byte-swapped part of the frame, even if the
+			 * load is aligned.  The fix would require either
+			 * rewriting the filter program extensively or
+			 * generating it differently in the first place.
+			 */
+		case BPF_LD|BPF_B|BPF_IND: // ldb [x + k]
+		case BPF_LD|BPF_H|BPF_IND: // ldh [x + k]
+		case BPF_LD|BPF_W|BPF_IND: // ld [x + k]
+			/*
+			 * In addition to the above, a variable offset load
+			 * cannot be fixed because x can have any value, thus
+			 * x + k can have any value, but only the first four
+			 * bytes are swapped.  An easy way to demonstrate it
+			 * is to compile "link[link[4]] == 0", which will use
+			 * "ldb [x + 0]" to access one of the first four bytes
+			 * of the frame iff CAN CC/FD payload length is less
+			 * than 4.
+			 */
+			if (insn[i].k < 4)
+				return 0; // Userland filtering only.
+			break;
+		}
+	}
+	return 1;
+}
+#else
+static int
+fix_dlt_can_socketcan(const u_int len _U_, struct bpf_insn insn[] _U_)
+{
+	return 1;
+}
+#endif // __BYTE_ORDER == __LITTLE_ENDIAN
+
 static int
 fix_program(pcap_t *handle, struct sock_fprog *fcode)
 {
@@ -5847,6 +5903,17 @@ fix_program(pcap_t *handle, struct sock_fprog *fcode)
 	fcode->len = len;
 	fcode->filter = (struct sock_filter *) f;
 
+	switch (handle->linktype) {
+	case DLT_CAN_SOCKETCAN:
+		/*
+		 * If a similar fix needs to be done for CAN frames that
+		 * appear on the "any" pseudo-interface, it needs to be done
+		 * differently because that would be within DLT_LINUX_SLL or
+		 * DLT_LINUX_SLL2.
+		 */
+		return fix_dlt_can_socketcan(len, f);
+	}
+
 	for (i = 0; i < len; ++i) {
 		p = &f[i];
 		/*
