BPF: harden libpcap on BSD
authorRoy Marples <roy@marples.name>
Tue, 19 May 2026 10:59:43 +0000 (11:59 +0100)
committerRoy Marples <roy@marples.name>
Tue, 19 May 2026 10:59:43 +0000 (11:59 +0100)
It's unlikely that pcap_setwritefilter() and pcap_lockfilter()
will make it into a release, so harden a pcap without these ourselves
for the time being.

configure
src/bpf-pcap.c

index fb5b5fff4b41360da22c458847c600e39f1bf772..7e3351a218d403db105efb6648712d7f78da4a59 100755 (executable)
--- a/configure
+++ b/configure
@@ -1544,7 +1544,6 @@ EOF
                rm -f _libpcap.c libpcap
                $abort && exit 1
        fi
-       LIBPCAP_LIBS="-L/tmp/foo/usr/local/lib -lpcap"
        echo "CFLAGS+=  $LIBPCAP_CFLAGS" >>$CONFIG_MK
        echo "LDADD+=           $LIBPCAP_LIBS" >>$CONFIG_MK
        echo "#define   USE_LIBPCAP" >>$CONFIG_H
index 7f0f08aac482e43c48fc5dd6072eef098d844a91..c77083bcbe4887a4a7b320e2a99ba8fedd38d6d2 100644 (file)
@@ -26,6 +26,8 @@
  * SUCH DAMAGE.
  */
 
+#include <sys/ioctl.h>
+
 #include <errno.h>
 #include <pcap.h>
 #include <stdlib.h>
@@ -188,9 +190,17 @@ bpf_setwfilter(const struct bpf *bpf, void *filter, unsigned int filter_len)
        struct bpf_program pf = { .bf_insns = filter, .bf_len = filter_len };
 
        return pcap_setwritefilter(bpf->bpf_handle, &pf);
-#else
-#warning A compromised libpcap socket can be used as a raw socket
+#elif defined(BIOCSETWF)
+       struct bpf_program pf = { .bf_insns = filter, .bf_len = filter_len };
+       int fd = pcap_fileno(bpf->bpf_handle);
 
+       if (fd == -1) {
+               errno = EBADF;
+               return -1;
+       }
+       return ioctl(fd, BIOCSETWF, &pf);
+#else
+#warning No BIOCSETWF support - a compromised BPF can be used as a raw socket
        UNUSED(bpf);
        UNUSED(filter);
        UNUSED(filter_len);
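Review bot: The `#elif defined(BIOCSETWF)` branch issues the ioctl on the descriptor returned by `pcap_fileno()`, bypassing libpcap, and nothing on the new lines says so or why. A short comment above `struct bpf_program pf` would help the next auditor, for example `/* libpcap lacks pcap_setwritefilter() here: set the write filter on the BPF descriptor itself so it cannot act as a raw socket. */`. The `pcap_fileno()` lookup with the `EBADF` fallback is repeated verbatim in the bpf_lockfilter hunk and could live in one static helper. bpf_setwfilter starts before and ends after this hunk, so the return path of the `#else` branch is not visible here.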
@@ -204,6 +214,14 @@ bpf_lockfilter(const struct bpf *bpf)
 {
 #ifdef HAVE_PCAP_LOCKFILTER
        return pcap_lockfilter(bpf->bpf_handle);
+#elif defined(BIOCLOCK)
+       int fd = pcap_fileno(bpf->bpf_handle);
+
+       if (fd == -1) {
+               errno = EBADF;
+               return -1;
+       }
+       return ioctl(fd, BIOCLOCK);
 #else
        UNUSED(bpf);
        errno = ENOSYS;
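Review bot: The `#else` branch of bpf_lockfilter has no build-time signal, unlike bpf_setwfilter, whose fallback carries a `#warning`; a build where `BIOCLOCK` is not visible to the preprocessor quietly compiles to the `ENOSYS` stub. Adding `#warning No BIOCLOCK support - BPF filters cannot be locked against replacement` directly under `#else` would make that visible. This matters because the only include added is `<sys/ioctl.h>`, while the `BIOC*` request macros normally come from `<net/bpf.h>`; whether that header is reached through `<pcap.h>` or a later include cannot be seen from these hunks, so it is worth confirming on each target BSD. The function ends outside the hunk.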