diff --git a/pkg/ebpf/c/capture_filtering.h b/pkg/ebpf/c/capture_filtering.h
index 75f70eb88e08..b48c12074805 100644
--- a/pkg/ebpf/c/capture_filtering.h
+++ b/pkg/ebpf/c/capture_filtering.h
@@ -62,7 +62,7 @@ statfunc bool filter_file_path(void *ctx, void *filter_map, struct file *file)
 has_filter = true;
- if (has_prefix(filter_p->path, (char *) &path_buf->buf, MAX_PATH_PREF_SIZE)) {
+ if (has_prefix(filter_p->path, (char *) &path_buf->buf, MAX_PATH_PREF_SIZE - 1)) {
 filter_match = true;
 break;
 }
diff --git a/pkg/ebpf/c/common/common.h b/pkg/ebpf/c/common/common.h
index f35146d0e01d..2137d1ae2afd 100644
--- a/pkg/ebpf/c/common/common.h
+++ b/pkg/ebpf/c/common/common.h
@@ -34,7 +34,8 @@ statfunc const char *get_device_name(struct device *dev)
 ({ \
 int rc = 1; \
 char *pre = p, *str = s; \
- _Pragma("unroll") for (int z = 0; z < n; pre++, str++, z++) \
+ int z; \
+ _Pragma("unroll") for (z = 0; z < n; pre++, str++, z++) \
 { \
 if (!*pre) { \
 rc = 1; \
@@ -44,6 +45,23 @@ statfunc const char *get_device_name(struct device *dev)
 break; \
 } \
 } \
+ /* if prefix is longer than n, return 0 */ \
+ if (z == n && *pre) \
+ rc = 0; \
+ rc; \
+ })
+
+ #define strncmp(str1, str2, n) \
+ ({ \
+ int rc = 0; \
+ char *s1 = str1, *s2 = str2; \
+ _Pragma("unroll") for (int z = 0; z < n; s1++, s2++, z++) \
+ { \
+ if (*s1 != *s2 || *s1 == '\0' || *s2 == '\0') { \
+ rc = (unsigned char) *s1 - (unsigned char) *s2; \
+ break; \
+ } \
+ } \
 rc; \
 })
@@ -61,7 +79,22 @@ static __inline int has_prefix(char *prefix, char *str, int n)
 }
 }
- // prefix is too long
+ // if prefix is longer than n, return 0
+ if (i == n && *prefix)
+ return 0;
+
+ // prefix and string are identical
+ return 1;
+}
+
+static __inline int strncmp(char *str1, char *str2, int n)
+{
+ int i;
+ #pragma unroll
+ for (i = 0; i < n; str1++, str2++, i++) {
+ if (*str1 != *str2 || *str1 == '\0' || *str2 == '\0')
+ return (unsigned char) *str1 - (unsigned char) *str2;
+ }
 return 0;
 }
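Review bot: In filter_file_path the length `MAX_PATH_PREF_SIZE - 1` is only correct because the reworked has_prefix in common.h dereferences `prefix[n]` after its loop, and nothing at the call site records that coupling. If `filter_p->path` is MAX_PATH_PREF_SIZE bytes (its declaration is not in this hunk), a filter that fills the buffer with no terminating NUL still makes has_prefix return 0, so that filter never matches and nothing reports it. I would add a comment such as `/* has_prefix reads path[n]; path must be NUL-terminated within MAX_PATH_PREF_SIZE bytes */` and have whatever populates the filter map reject over-long prefixes. The function body continues outside the hunk.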
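Review bot: The new `strncmp` macro in common.h (second hunk) expands its arguments unparenthesised, in `char *s1 = str1, *s2 = str2;` and `z < n`, so a call like `strncmp(a, b, REQUIRED_SYSTEM_LENGTH - 1)` is correct only by operator precedence. I would write `char *s1 = (str1), *s2 = (str2);` and `z < (n)`. The locals `s1`, `s2`, `rc` and `z` can also capture a caller variable of the same name (`strncmp(s1, s2, 4)` would expand to `char *s1 = s1`), so less collision-prone names such as `_sc_s1` are safer. A one-line comment that this is a bounded, unrolled local stand-in taking `int n`, not the libc function, would help readers.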
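Review bot: The comment `// prefix and string are identical` above has_prefix's final `return 1` (third common.h hunk) is inaccurate: that line is reached when the first n bytes match and `prefix[n]` is NUL, while `str` may continue. I would reword it to `// prefix is exactly n bytes long and str starts with it`. The `i == n` test is always true at that point, because every other exit from the loop is a `return`, so `if (*prefix) return 0;` is sufficient. The check reads `prefix[n]`, one byte beyond what the loop examined, so the function's header comment should state that `prefix` needs n + 1 readable bytes; the start of the function lies outside the hunk.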
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
index 5dc6b2f0fa9e..d7022149ac96 100644
--- a/pkg/ebpf/c/tracee.bpf.c
+++ b/pkg/ebpf/c/tracee.bpf.c
@@ -1925,7 +1925,7 @@ send_bpf_perf_attach(program_data_t *p, struct file *bpf_prog_file, struct file
 bpf_probe_read_kernel_str(
 &class_system, REQUIRED_SYSTEM_LENGTH, BPF_CORE_READ(tp_class, system));
 class_system[REQUIRED_SYSTEM_LENGTH - 1] = '\0';
- if (has_prefix("syscalls", class_system, REQUIRED_SYSTEM_LENGTH)) {
+ if (strncmp("syscalls", class_system, REQUIRED_SYSTEM_LENGTH - 1) == 0) {
 is_syscall_tracepoint = true;
 }
@@ -3140,7 +3140,7 @@ statfunc int capture_file_write(struct pt_regs *ctx, u32 event_id, bool is_buf)
 // otherwise the capture will overwrite itself.
 int pid = 0;
 void *path_buf = get_path_str_cached(file);
- if (path_buf != NULL && has_prefix("/dev/null", (char *) path_buf, 10)) {
+ if (path_buf != NULL && strncmp("/dev/null", (char *) path_buf, 9) == 0) {
 pid = p.event->context.task.pid;
 }
@@ -6329,16 +6329,16 @@ statfunc int net_l7_is_http(struct __sk_buff *skb, u32 l7_off)
 }
 // check if HTTP response
- if (has_prefix("HTTP/", http_min_str, 6)) {
+ if (strncmp("HTTP/", http_min_str, 5) == 0) {
 return proto_http_resp;
 }
 // check if HTTP request
- if (has_prefix("GET ", http_min_str, 5) ||
- has_prefix("POST ", http_min_str, 6) ||
- has_prefix("PUT ", http_min_str, 5) ||
- has_prefix("DELETE ", http_min_str, 8) ||
- has_prefix("HEAD ", http_min_str, 6)) {
+ if (strncmp("GET ", http_min_str, 4) == 0 ||
+ strncmp("POST ", http_min_str, 5) == 0 ||
+ strncmp("PUT ", http_min_str, 4) == 0 ||
+ strncmp("DELETE ", http_min_str, 7) == 0 ||
+ strncmp("HEAD ", http_min_str, 5) == 0) {
 return proto_http_req;
 }
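Review bot: `strncmp("/dev/null", (char *) path_buf, 9) == 0` in capture_file_write still accepts any path that merely begins with /dev/null (a constructed example: `/dev/null.bak`), because the terminator is never compared. If only the device node is meant, include the terminator: `strncmp("/dev/null", (char *) path_buf, 10) == 0`, which with the strncmp added in common.h returns 0 only when both strings end at the same position. The same question applies to the `"/tmp/test"` comparison in tracepoint__exec_test; where prefix matching is intended, a short comment saying so would remove the doubt. The function body continues outside the hunk.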
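Review bot: The lengths in net_l7_is_http (`5`, `4`, `5`, `4`, `7`, `5`) are hand-counted beside each literal, and a miscount would not break the build; it would quietly change which packets are classified as HTTP. Deriving the length from the literal avoids that, for example `#define STR_HAS_PREFIX(lit, s) (strncmp(lit, s, sizeof(lit) - 1) == 0)` used as `STR_HAS_PREFIX("GET ", http_min_str)`. The declaration of `http_min_str` is outside this hunk, so it is worth confirming that it holds at least 7 bytes, the longest comparison (`"DELETE "`).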
@@ -6901,7 +6901,7 @@ int tracepoint__exec_test(struct bpf_raw_tracepoint_args *ctx)
 return -1;
 struct file *file = get_file_ptr_from_bprm(bprm);
 void *file_path = get_path_str(__builtin_preserve_access_index(&file->f_path));
- if (file_path == NULL || !has_prefix("/tmp/test", file_path, 9))
+ if (file_path == NULL || strncmp("/tmp/test", file_path, 9) != 0)
 return 0;
 // Submit all test events