Snap for 11190379 from ac98214e4c3f3564608bcabc92cd7d699831e496 to mainline-conscrypt-releaseaml_con_341410300android14-mainline-conscrypt-release

Change-Id: I5ca1405cec142a2625c4dc4de8460cb77d9677a4

4 files changed, 132 insertions, 77 deletions

diff --git a/v5/apf.h b/v5/apf.h
index a75ab1b..b0b34af 100644
--- a/v5/apf.h
+++ b/v5/apf.h
@@ -186,6 +186,10 @@
 // Copy the data from APF data region to output buffer. The source offset is encoded as [Rx + second imm].
 // The copy length is encoded in the third imm. "e.g. EDATACOPY [R0 + 5], 5"
 #define EDATACOPY 42
+//  It is executed as a jump, it tells how many bytes of the program regions
+//  are used to store the data and followed by the actual data bytes.
+// "e.g. data 5, abcde"
+#define DATA_EXT_OPCODE 43
 
 #define EXTRACT_OPCODE(i) (((i) >> 3) & 31)
 #define EXTRACT_REGISTER(i) ((i) & 1)
diff --git a/v5/apf_interpreter.c b/v5/apf_interpreter.c
index 3cef719..9c6175d 100644
--- a/v5/apf_interpreter.c
+++ b/v5/apf_interpreter.c
@@ -17,7 +17,7 @@
 #include "apf_interpreter.h"
 
 // TODO: Remove the dependency of the standard library and make the interpreter self-contained.
-#include <string.h> // For memcmp
+#include <string.h>// For memcmp
 
 #include "apf.h"
 
@@ -43,11 +43,17 @@ extern void APF_TRACE_HOOK(uint32_t pc, const uint32_t* regs, const uint8_t* pro
 // superfluous ">= 0" with unsigned expressions generates compile warnings.
 #define ENFORCE_UNSIGNED(c) ((c)==(uint32_t)(c))
 
-int apf_run(uint8_t* program, uint32_t program_len, uint32_t ram_len,
-                  const uint8_t* packet, uint32_t packet_len,
-                  uint32_t filter_age) {
+uint32_t apf_version() {
+    return 20231122;
+}
+
+int apf_run(uint8_t* const program, const uint32_t program_len,
+            const uint32_t ram_len, const uint8_t* const packet,
+            const uint32_t packet_len, const uint32_t filter_age_16384ths) {
 // Is offset within program bounds?
 #define IN_PROGRAM_BOUNDS(p) (ENFORCE_UNSIGNED(p) && (p) < program_len)
+// Is offset within ram bounds?
+#define IN_RAM_BOUNDS(p) (ENFORCE_UNSIGNED(p) && (p) < ram_len)
 // Is offset within packet bounds?
 #define IN_PACKET_BOUNDS(p) (ENFORCE_UNSIGNED(p) && (p) < packet_len)
 // Is access to offset |p| length |size| within data bounds?
@@ -58,6 +64,8 @@ int apf_run(uint8_t* program, uint32_t program_len, uint32_t ram_len,
                                  (p) + (size) >= (p))  // catch wraparounds
 // Accept packet if not within program bounds
 #define ASSERT_IN_PROGRAM_BOUNDS(p) ASSERT_RETURN(IN_PROGRAM_BOUNDS(p))
+// Accept packet if not within ram bounds
+#define ASSERT_IN_RAM_BOUNDS(p) ASSERT_RETURN(IN_RAM_BOUNDS(p))
 // Accept packet if not within packet bounds
 #define ASSERT_IN_PACKET_BOUNDS(p) ASSERT_RETURN(IN_PACKET_BOUNDS(p))
 // Accept packet if not within data bounds
@@ -74,7 +82,7 @@ int apf_run(uint8_t* program, uint32_t program_len, uint32_t ram_len,
   memory[MEMORY_OFFSET_PROGRAM_SIZE] = program_len;
   memory[MEMORY_OFFSET_DATA_SIZE] = ram_len;
   memory[MEMORY_OFFSET_PACKET_SIZE] = packet_len;
-  memory[MEMORY_OFFSET_FILTER_AGE] = filter_age;
+  memory[MEMORY_OFFSET_FILTER_AGE] = filter_age_16384ths >> 14;
   ASSERT_IN_PACKET_BOUNDS(APF_FRAME_HEADER_SIZE);
   // Only populate if IP version is IPv4.
   if ((packet[APF_FRAME_HEADER_SIZE] & 0xf0) == 0x40) {
@@ -92,6 +100,18 @@ int apf_run(uint8_t* program, uint32_t program_len, uint32_t ram_len,
   uint8_t* allocated_buffer = NULL;
   // The length of the output buffer
   uint32_t allocate_buffer_len = 0;
+// Is access to offset |p| length |size| within output buffer bounds?
+#define IN_OUTPUT_BOUNDS(p, size) (ENFORCE_UNSIGNED(p) && \
+                                 ENFORCE_UNSIGNED(size) && \
+                                 (p) + (size) <= allocate_buffer_len && \
+                                 (p) + (size) >= (p))
+// Accept packet if not write within allocated output buffer
+#define ASSERT_IN_OUTPUT_BOUNDS(p, size) ASSERT_RETURN(IN_OUTPUT_BOUNDS(p, size))
+
+// Decode the imm length.
+#define DECODE_IMM(value, length)                                              \
+    for (uint32_t i = 0; i < (length) && pc < program_len; i++)                \
+        value = (value << 8) | program[pc++]
 
   do {
       APF_TRACE_HOOK(pc, registers, program, program_len, packet, packet_len, memory, ram_len);
@@ -113,9 +133,7 @@ int apf_run(uint8_t* program, uint32_t program_len, uint32_t ram_len,
       if (len_field != 0) {
           const uint32_t imm_len = 1 << (len_field - 1);
           ASSERT_FORWARD_IN_PROGRAM(pc + imm_len - 1);
-          uint32_t i;
-          for (i = 0; i < imm_len; i++)
-              imm = (imm << 8) | program[pc++];
+          DECODE_IMM(imm, imm_len);
           // Sign extend imm into signed_imm.
           signed_imm = imm << ((4 - imm_len) * 8);
           signed_imm >>= (4 - imm_len) * 8;
@@ -178,9 +196,7 @@ int apf_run(uint8_t* program, uint32_t program_len, uint32_t ram_len,
               } else if (len_field != 0) {
                   uint32_t cmp_imm_len = 1 << (len_field - 1);
                   ASSERT_FORWARD_IN_PROGRAM(pc + cmp_imm_len - 1);
-                  uint32_t i;
-                  for (i = 0; i < cmp_imm_len; i++)
-                      cmp_imm = (cmp_imm << 8) | program[pc++];
+                  DECODE_IMM(cmp_imm, cmp_imm_len);
               }
               switch (opcode) {
                   case JEQ_OPCODE:
@@ -307,6 +323,14 @@ int apf_run(uint8_t* program, uint32_t program_len, uint32_t ram_len,
                         0 /* dscp */);
                     allocated_buffer = NULL;
                     break;
+                  case DATA_EXT_OPCODE: {
+                    ASSERT_FORWARD_IN_PROGRAM(pc + 1);
+                    uint32_t skip_len = 0;
+                    DECODE_IMM(skip_len, 2);
+                    ASSERT_FORWARD_IN_PROGRAM(pc + skip_len - 1);
+                    pc += skip_len;
+                    break;
+                  }
                   // Unknown extended opcode
                   default:
                     // Bail out
@@ -346,6 +370,31 @@ int apf_run(uint8_t* program, uint32_t program_len, uint32_t ram_len,
               }
               break;
           }
+          case MEMCOPY_OPCODE: {
+              ASSERT_RETURN(allocated_buffer != NULL);
+              ASSERT_RETURN(len_field > 0);
+              uint32_t src_offs = imm;
+              uint32_t copy_len = 0;
+              DECODE_IMM(copy_len, 1);
+              uint32_t dst_offs = memory[MEMORY_OFFSET_OUTPUT_BUFFER_OFFSET];
+              ASSERT_IN_OUTPUT_BOUNDS(dst_offs, copy_len);
+              // reg_num == 0 copy from packet, reg_num == 1 copy from data.
+              if (reg_num == 0) {
+                  ASSERT_IN_PACKET_BOUNDS(src_offs);
+                  const uint32_t last_packet_offs = src_offs + copy_len - 1;
+                  ASSERT_RETURN(last_packet_offs >= src_offs);
+                  ASSERT_IN_PACKET_BOUNDS(last_packet_offs);
+                  memmove(allocated_buffer + dst_offs, packet + src_offs,
+                          copy_len);
+              } else {
+                  ASSERT_IN_RAM_BOUNDS(src_offs + copy_len - 1);
+                  memmove(allocated_buffer + dst_offs, program + src_offs,
+                          copy_len);
+              }
+              dst_offs += copy_len;
+              memory[MEMORY_OFFSET_OUTPUT_BUFFER_OFFSET] = dst_offs;
+              break;
+          }
           // Unknown opcode
           default:
               // Bail out
diff --git a/v5/apf_interpreter.h b/v5/apf_interpreter.h
index 461d3ee..914e356 100644
--- a/v5/apf_interpreter.h
+++ b/v5/apf_interpreter.h
@@ -24,65 +24,73 @@ extern "C" {
 #endif
 
 /**
- * Version of APF instruction set processed by apf_run().
- * Should be returned by wifi_get_packet_filter_info.
+ * Returns the max version of the APF instruction set supported by apf_run().
+ * APFv6 is a superset of APFv4. APFv6 interpreters are able to run APFv4 code.
  */
 uint32_t apf_version();
 
 /**
- * Allocates a buffer for APF program to write the transmit packet.
- *
- * The implementations must always support allocating at least one 1500 bytes
- * buffer until it is effectively transmitted. Before passing a memory region
- * back to the caller, the implementations must zero it out.
- *
- * The firmware is responsible for freeing everything that was allocated by APF.
- * It is OK if the firmware decides only to limit allocations to at most one
- * response packet for every packet received by APF. In other words, while
- * processing a single received packet, it is OK for apf_allocate_buffer() to
- * succeed only once and return NULL after that.
- *
- * @param size the size of buffer to allocate, it should be the size of the
- *             packet to be transmitted.
- * @return the pointer to the allocated region. The function can return null to
- *         indicate the allocation failure due to not enough memory. This may
- *         happened if there are too many buffers allocated that have not been
- *         transmitted and deallocated yet.
+ * Allocates a buffer for the APF program to build a reply packet.
+ *
+ * Unless in a critical low memory state, the firmware must allow allocating at
+ * least one 1500 byte buffer for every call to apf_run(). The interpreter will
+ * have at most one active allocation at any given time, and will always either
+ * transmit or deallocate the buffer before apf_run() returns.
+ *
+ * It is OK if the firmware decides to limit allocations to at most one per
+ * apf_run() invocation.
+ *
+ * The firmware MAY choose to allocate a larger buffer than requested, and
+ * give the apf_interpreter a pointer to the middle of the buffer. This will
+ * allow firmware to later (during or after apf_transmit_buffer call) populate
+ * any required headers, trailers, etc.
+ *
+ * @param size - the minimum size of buffer to allocate
+ * @return the pointer to the allocated region. The function can return NULL to
+ *         indicate allocation failure, for example if too many buffers are
+ *         pending transmit. Returning NULL will most likely result in the
+ *         apf_run() returning PASS.
  */
-uint8_t* apf_allocate_buffer(uint32_t size);
+uint8_t* apf_allocate_buffer(int size);
 
 /**
- * Transmits the allocated buffer and deallocates the memory region.
+ * Transmits the allocated buffer and deallocates it.
  *
- * The function is responsible to verify if the range [ptr, ptr + len) is within
- * the buffer it allocated for the program when apf_transmit_buffer() is called.
+ * The apf_interpreter will not read/write from/to the buffer once it calls
+ * this function.
  *
- * The content of the buffer between [ptr, ptr + len) is the transmit packet
- * bytes, starting from the 802.3 header and not including any CRC bytes at the
- * end.
- *
- * The firmware must guarantee the transmit packet is not modified after the APF
- * calls the apf_transmit_buffer().
+ * The content of the buffer between [ptr, ptr + len) are the bytes to be
+ * transmitted, starting from the ethernet header and not including any
+ * CRC bytes at the end.
  *
  * The firmware is expected to make its best effort to transmit. If it
  * exhausts retries, or if there is no channel for too long and the transmit
- * queue is full, then it is OK for the packet to be dropped.
- *
- * @param ptr pointer to the transmit buffer
- * @param len the length of buffer to be transmitted, 0 means don't transmit the
- *            buffer but only deallocate it
- * @param dscp the first 6 bits of the TOS field in the IPv4 header or traffic
+ * queue is full, then it is OK for the packet to be dropped. The firmware should
+ * prefer to fail allocation if transmit is likely to fail.
+ *
+ * apf_transmit_buffer() should be asynchronous, which means the actual packet
+ * transmission can happen sometime after the function returns.
+ *
+ * @param ptr - pointer to the transmit buffer, must have been previously
+ *             returned by apf_allocate_buffer and not deallocated.
+ * @param len - the number of bytes to be transmitted (possibly less than
+ *              the allocated buffer), 0 means don't transmit the buffer
+ *              but only deallocate it
+ * @param dscp - the upper 6 bits of the TOS field in the IPv4 header or traffic
  *             class field in the IPv6 header.
+ * @return non-zero if the firmware *knows* the transmit will fail, zero if
+ *         the firmware thinks the transmit will succeed. Returning an error
+ *         will likely result in apf_run() returning PASS.
  */
-void apf_transmit_buffer(uint8_t *ptr, uint32_t len, uint8_t dscp);
+int apf_transmit_buffer(uint8_t* ptr, int len, uint8_t dscp);
 
 /**
- * Runs a packet filtering program over a packet.
+ * Runs an APF program over a packet.
  *
- * The return value of the apf_run indicates whether the packet should be
- * passed to AP or not. As a part of apf_run execution, the packet filtering
+ * The return value of apf_run indicates whether the packet should
+ * be passed or dropped. As a part of apf_run execution, the APF
  * program can call apf_allocate_buffer()/apf_transmit_buffer() to construct
- * an egress packet to transmit it.
+ * a reply packet and transmit it.
  *
  * The text section containing the program instructions starts at address
  * program and stops at + program_len - 1, and the writable data section
@@ -93,24 +101,24 @@ void apf_transmit_buffer(uint8_t *ptr, uint32_t len, uint8_t dscp);
  *        |    text section    |      data section      |
  *        +--------------------+------------------------+
  *
- * @param program the program bytecode, followed by the writable data region.
- * @param program_len the length in bytes of the read-only portion of the APF
+ * @param program - the program bytecode, followed by the writable data region.
+ * @param program_len - the length in bytes of the read-only portion of the APF
  *                    buffer pointed to by {@code program}.
- * @param ram_len total length of the APF buffer pointed to by {@code program},
- *                including the read-only bytecode portion and the read-write
- *                data portion.
- * @param packet the packet bytes, starting from the 802.3 header and not
- *               including any CRC bytes at the end.
- * @param packet_len the length of {@code packet} in bytes.
- * @param filter_age the number of seconds since the filter was programmed.
- *
- * @return non-zero if packet should be passed to AP, zero if
- *         packet should be dropped. Return 1 indicating the packet is accepted
- *         without error. Negative return values are reserved for error code.
+ * @param ram_len - total length of the APF buffer pointed to by
+ *                  {@code program}, including the read-only bytecode
+ *                  portion and the read-write data portion.
+ * @param packet - the packet bytes, starting from the ethernet header.
+ * @param packet_len - the length of {@code packet} in bytes, not
+ *                     including trailers/CRC.
+ * @param filter_age_16384ths - the number of 1/16384 seconds since the filter
+ *                     was programmed.
+ *
+ * @return non-zero if packet should be passed, zero if packet should
+ *                  be dropped.
  */
-int apf_run(uint8_t* program, uint32_t program_len, uint32_t ram_len,
-                  const uint8_t* packet, uint32_t packet_len,
-                  uint32_t filter_age);
+int apf_run(uint8_t* const program, const uint32_t program_len,
+            const uint32_t ram_len, const uint8_t* const packet,
+            const uint32_t packet_len, const uint32_t filter_age_16384ths);
 
 #ifdef __cplusplus
 }
diff --git a/v5/test_buf_allocator.c b/v5/test_buf_allocator.c
index 1358063..867dba1 100644
--- a/v5/test_buf_allocator.c
+++ b/v5/test_buf_allocator.c
@@ -25,18 +25,11 @@ uint32_t apf_test_tx_packet_len;
 uint8_t apf_test_tx_dscp;
 
 /**
- * Test implementation of apf_version()
- */
-uint32_t apf_version() {
-  return 5;
-}
-
-/**
  * Test implementation of apf_allocate_buffer()
  *
  * Clean up the apf_test_buffer and return the pointer to beginning of the buffer region.
  */
-uint8_t* apf_allocate_buffer(uint32_t size) {
+uint8_t* apf_allocate_buffer(int size) {
   if (size > APF_TX_BUFFER_SIZE) {
     return NULL;
   }
@@ -49,8 +42,9 @@ uint8_t* apf_allocate_buffer(uint32_t size) {
  *
  * Copy the content of allocated buffer to the apf_test_tx_packet region.
  */
-void apf_transmit_buffer(uint8_t* ptr, uint32_t len, uint8_t dscp) {
+int apf_transmit_buffer(uint8_t* ptr, int len, uint8_t dscp) {
   apf_test_tx_packet_len = len;
   apf_test_tx_dscp = dscp;
   memcpy(apf_test_tx_packet, ptr, len);
+  return 0;
 }