1 /* $FreeBSD: src/sys/netinet6/ip6_input.c,v 1.11.2.15 2003/01/24 05:11:35 sam Exp $ */ 2 /* $KAME: ip6_input.c,v 1.259 2002/01/21 04:58:09 jinmei Exp $ */ 3 4 /* 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 /* 34 * Copyright (c) 1982, 1986, 1988, 1993 35 * The Regents of the University of California. All rights reserved. 36 * 37 * Redistribution and use in source and binary forms, with or without 38 * modification, are permitted provided that the following conditions 39 * are met: 40 * 1. Redistributions of source code must retain the above copyright 41 * notice, this list of conditions and the following disclaimer. 42 * 2. Redistributions in binary form must reproduce the above copyright 43 * notice, this list of conditions and the following disclaimer in the 44 * documentation and/or other materials provided with the distribution. 45 * 3. Neither the name of the University nor the names of its contributors 46 * may be used to endorse or promote products derived from this software 47 * without specific prior written permission. 48 * 49 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 50 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 51 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 52 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 53 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 54 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 55 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 56 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 57 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 58 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 59 * SUCH DAMAGE. 60 * 61 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94 62 */ 63 64 #include "opt_ip6fw.h" 65 #include "opt_inet.h" 66 #include "opt_inet6.h" 67 68 #include <sys/param.h> 69 #include <sys/systm.h> 70 #include <sys/malloc.h> 71 #include <sys/mbuf.h> 72 #include <sys/domain.h> 73 #include <sys/protosw.h> 74 #include <sys/socket.h> 75 #include <sys/socketvar.h> 76 #include <sys/errno.h> 77 #include <sys/time.h> 78 #include <sys/kernel.h> 79 #include <sys/syslog.h> 80 #include <sys/proc.h> 81 #include <sys/priv.h> 82 83 #include <net/if.h> 84 #include <net/if_types.h> 85 #include <net/if_dl.h> 86 #include <net/route.h> 87 #include <net/netisr.h> 88 #include <net/pfil.h> 89 90 #include <sys/thread2.h> 91 #include <sys/msgport2.h> 92 #include <net/netmsg2.h> 93 #include <net/netisr2.h> 94 95 #include <netinet/in.h> 96 #include <netinet/in_systm.h> 97 #ifdef INET 98 #include <netinet/ip.h> 99 #include <netinet/ip_icmp.h> 100 #endif /* INET */ 101 #include <netinet/ip6.h> 102 #include <netinet6/in6_var.h> 103 #include <netinet6/ip6_var.h> 104 #include <netinet/in_pcb.h> 105 #include <netinet/icmp6.h> 106 #include <netinet6/scope6_var.h> 107 #include <netinet6/in6_ifattach.h> 108 #include <netinet6/nd6.h> 109 110 #include <net/ip6fw/ip6_fw.h> 111 112 #include <netinet6/ip6protosw.h> 113 114 #include <net/net_osdep.h> 115 116 extern struct domain inet6domain; 117 extern struct protosw inet6sw[]; 118 119 u_char ip6_protox[IPPROTO_MAX]; 120 struct in6_ifaddr *in6_ifaddr; 121 122 int ip6_forward_srcrt; /* XXX */ 123 int ip6_sourcecheck; /* XXX */ 124 int ip6_sourcecheck_interval; /* XXX */ 125 126 int ip6_ours_check_algorithm; 127 128 struct pfil_head inet6_pfil_hook; 129 130 /* firewall hooks */ 131 ip6_fw_chk_t *ip6_fw_chk_ptr; 132 ip6_fw_ctl_t *ip6_fw_ctl_ptr; 133 int ip6_fw_enable = 1; 134 135 struct ip6stat ip6stat; 136 137 static void ip6_init2 (void *); 138 static struct ip6aux *ip6_setdstifaddr (struct mbuf *, struct in6_ifaddr *); 139 static int ip6_hopopts_input (u_int32_t *, u_int32_t *, struct mbuf **, int *); 140 static void ip6_input(netmsg_t msg); 141 #ifdef PULLDOWN_TEST 142 static struct mbuf *ip6_pullexthdr (struct mbuf *, size_t, int); 143 #endif 144 static void transport6_processing_handler(netmsg_t netmsg); 145 146 /* 147 * IP6 initialization: fill in IP6 protocol switch table. 148 * All protocols not implemented in kernel go to raw IP6 protocol handler. 149 */ 150 void 151 ip6_init(void) 152 { 153 struct protosw *pr; 154 int i; 155 struct timeval tv; 156 157 pr = pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW); 158 if (pr == NULL) 159 panic("ip6_init"); 160 for (i = 0; i < IPPROTO_MAX; i++) 161 ip6_protox[i] = pr - inet6sw; 162 for (pr = inet6domain.dom_protosw; 163 pr < inet6domain.dom_protoswNPROTOSW; pr++) 164 if (pr->pr_domain->dom_family == PF_INET6 && 165 pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW) 166 ip6_protox[pr->pr_protocol] = pr - inet6sw; 167 168 inet6_pfil_hook.ph_type = PFIL_TYPE_AF; 169 inet6_pfil_hook.ph_af = AF_INET6; 170 if ((i = pfil_head_register(&inet6_pfil_hook)) != 0) { 171 kprintf("%s: WARNING: unable to register pfil hook, " 172 "error %d\n", __func__, i); 173 } 174 175 netisr_register(NETISR_IPV6, ip6_input, NULL); /* XXX hashfn */ 176 scope6_init(); 177 addrsel_policy_init(); 178 nd6_init(); 179 frag6_init(); 180 /* 181 * in many cases, random() here does NOT return random number 182 * as initialization during bootstrap time occur in fixed order. 183 */ 184 microtime(&tv); 185 ip6_flow_seq = krandom() ^ tv.tv_usec; 186 microtime(&tv); 187 ip6_desync_factor = (krandom() ^ tv.tv_usec) % MAX_TEMP_DESYNC_FACTOR; 188 } 189 190 static void 191 ip6_init2(void *dummy) 192 { 193 nd6_timer_init(); 194 in6_tmpaddrtimer_init(); 195 } 196 197 /* cheat */ 198 /* This must be after route_init(), which is now SI_ORDER_THIRD */ 199 SYSINIT(netinet6init2, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ip6_init2, NULL); 200 201 extern struct route_in6 ip6_forward_rt; 202 203 static void 204 ip6_input(netmsg_t msg) 205 { 206 struct mbuf *m = msg->packet.nm_packet; 207 struct ip6_hdr *ip6; 208 int off = sizeof(struct ip6_hdr), nest; 209 u_int32_t plen; 210 u_int32_t rtalert = ~0; 211 int nxt, ours = 0, rh_present = 0; 212 struct ifnet *deliverifp = NULL; 213 struct in6_addr odst; 214 int srcrt = 0; 215 216 /* 217 * make sure we don't have onion peering information into m_aux. 218 */ 219 ip6_delaux(m); 220 221 /* 222 * mbuf statistics 223 */ 224 if (m->m_flags & M_EXT) { 225 if (m->m_next) 226 ip6stat.ip6s_mext2m++; 227 else 228 ip6stat.ip6s_mext1++; 229 } else { 230 #define M2MMAX NELEM(ip6stat.ip6s_m2m) 231 if (m->m_next) { 232 if (m->m_flags & M_LOOP) { 233 ip6stat.ip6s_m2m[loif->if_index]++; /* XXX */ 234 } else if (m->m_pkthdr.rcvif->if_index < M2MMAX) 235 ip6stat.ip6s_m2m[m->m_pkthdr.rcvif->if_index]++; 236 else 237 ip6stat.ip6s_m2m[0]++; 238 } else 239 ip6stat.ip6s_m1++; 240 #undef M2MMAX 241 } 242 243 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_receive); 244 ip6stat.ip6s_total++; 245 246 #ifndef PULLDOWN_TEST 247 /* 248 * L2 bridge code and some other code can return mbuf chain 249 * that does not conform to KAME requirement. too bad. 250 * XXX: fails to join if interface MTU > MCLBYTES. jumbogram? 251 */ 252 if (m && m->m_next != NULL && m->m_pkthdr.len < MCLBYTES) { 253 struct mbuf *n; 254 255 n = m_getb(m->m_pkthdr.len, M_NOWAIT, MT_HEADER, M_PKTHDR); 256 if (n == NULL) 257 goto bad; 258 M_MOVE_PKTHDR(n, m); 259 260 m_copydata(m, 0, n->m_pkthdr.len, mtod(n, caddr_t)); 261 n->m_len = n->m_pkthdr.len; 262 m_freem(m); 263 m = n; 264 } 265 IP6_EXTHDR_CHECK_VOIDRET(m, 0, sizeof(struct ip6_hdr)); 266 #endif 267 268 if (m->m_len < sizeof(struct ip6_hdr)) { 269 struct ifnet *inifp; 270 inifp = m->m_pkthdr.rcvif; 271 if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 272 ip6stat.ip6s_toosmall++; 273 in6_ifstat_inc(inifp, ifs6_in_hdrerr); 274 goto bad2; 275 } 276 } 277 278 ip6 = mtod(m, struct ip6_hdr *); 279 280 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) { 281 ip6stat.ip6s_badvers++; 282 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); 283 goto bad; 284 } 285 286 /* 287 * Run through list of hooks for input packets. 288 * 289 * NB: Beware of the destination address changing 290 * (e.g. by NAT rewriting). When this happens, 291 * tell ip6_forward to do the right thing. 292 */ 293 if (pfil_has_hooks(&inet6_pfil_hook)) { 294 odst = ip6->ip6_dst; 295 if (pfil_run_hooks(&inet6_pfil_hook, &m, 296 m->m_pkthdr.rcvif, PFIL_IN)) { 297 goto bad2; 298 } 299 if (m == NULL) /* consumed by filter */ 300 goto bad2; 301 ip6 = mtod(m, struct ip6_hdr *); 302 srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst); 303 } 304 305 ip6stat.ip6s_nxthist[ip6->ip6_nxt]++; 306 307 #ifdef ALTQ 308 if (altq_input != NULL && (*altq_input)(m, AF_INET6) == 0) { 309 /* packet is dropped by traffic conditioner */ 310 return; 311 } 312 #endif 313 314 /* 315 * Check with the firewall... 316 */ 317 if (ip6_fw_enable && ip6_fw_chk_ptr) { 318 u_short port = 0; 319 /* If ipfw says divert, we have to just drop packet */ 320 /* use port as a dummy argument */ 321 if ((*ip6_fw_chk_ptr)(&ip6, NULL, &port, &m)) { 322 m_freem(m); 323 m = NULL; 324 } 325 if (!m) 326 goto bad2; 327 } 328 329 /* 330 * Check against address spoofing/corruption. 331 */ 332 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) || 333 IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) { 334 /* 335 * XXX: "badscope" is not very suitable for a multicast source. 336 */ 337 ip6stat.ip6s_badscope++; 338 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 339 goto bad; 340 } 341 if ((IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) || 342 IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) && 343 (m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) { 344 ip6stat.ip6s_badscope++; 345 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 346 goto bad; 347 } 348 349 /* 350 * The following check is not documented in specs. A malicious 351 * party may be able to use IPv4 mapped addr to confuse tcp/udp stack 352 * and bypass security checks (act as if it was from 127.0.0.1 by using 353 * IPv6 src ::ffff:127.0.0.1). Be cautious. 354 * 355 * This check chokes if we are in an SIIT cloud. As none of BSDs 356 * support IPv4-less kernel compilation, we cannot support SIIT 357 * environment at all. So, it makes more sense for us to reject any 358 * malicious packets for non-SIIT environment, than try to do a 359 * partial support for SIIT environment. 360 */ 361 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 362 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 363 ip6stat.ip6s_badscope++; 364 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 365 goto bad; 366 } 367 #if 0 368 /* 369 * Reject packets with IPv4 compatible addresses (auto tunnel). 370 * 371 * The code forbids auto tunnel relay case in RFC1933 (the check is 372 * stronger than RFC1933). We may want to re-enable it if mech-xx 373 * is revised to forbid relaying case. 374 */ 375 if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) || 376 IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) { 377 ip6stat.ip6s_badscope++; 378 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 379 goto bad; 380 } 381 #endif 382 383 /* drop packets if interface ID portion is already filled */ 384 if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) { 385 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src) && 386 ip6->ip6_src.s6_addr16[1]) { 387 ip6stat.ip6s_badscope++; 388 goto bad; 389 } 390 if ((IN6_IS_ADDR_MC_INTFACELOCAL(&ip6->ip6_dst) || 391 IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) && 392 ip6->ip6_dst.s6_addr16[1]) { 393 ip6stat.ip6s_badscope++; 394 goto bad; 395 } 396 } 397 398 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) 399 ip6->ip6_src.s6_addr16[1] 400 = htons(m->m_pkthdr.rcvif->if_index); 401 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) 402 ip6->ip6_dst.s6_addr16[1] 403 = htons(m->m_pkthdr.rcvif->if_index); 404 405 /* 406 * Multicast check 407 * 408 * WARNING! For general subnet proxying the interface hw will 409 * likely filter out the multicast solicitations, so 410 * the interface must be in promiscuous mode. 411 */ 412 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 413 ours = 1; 414 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_mcast); 415 deliverifp = m->m_pkthdr.rcvif; 416 goto hbhcheck; 417 } 418 419 /* 420 * Unicast check 421 */ 422 if (ip6_forward_rt.ro_rt != NULL && 423 (ip6_forward_rt.ro_rt->rt_flags & RTF_UP) && 424 IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, 425 &((struct sockaddr_in6 *)(&ip6_forward_rt.ro_dst))->sin6_addr)) { 426 ip6stat.ip6s_forward_cachehit++; 427 } else { 428 struct sockaddr_in6 *dst6; 429 430 if (ip6_forward_rt.ro_rt) { 431 /* route is down or destination is different */ 432 ip6stat.ip6s_forward_cachemiss++; 433 RTFREE(ip6_forward_rt.ro_rt); 434 ip6_forward_rt.ro_rt = 0; 435 } 436 437 bzero(&ip6_forward_rt.ro_dst, sizeof(struct sockaddr_in6)); 438 dst6 = &ip6_forward_rt.ro_dst; 439 dst6->sin6_len = sizeof(struct sockaddr_in6); 440 dst6->sin6_family = AF_INET6; 441 dst6->sin6_addr = ip6->ip6_dst; 442 443 rtalloc_ign((struct route *)&ip6_forward_rt, RTF_PRCLONING); 444 } 445 446 #define rt6_key(r) ((struct sockaddr_in6 *)((r)->rt_nodes->rn_key)) 447 448 /* 449 * Accept the packet if the forwarding interface to the destination 450 * according to the routing table is the loopback interface, 451 * unless the associated route has a gateway. 452 * Note that this approach causes to accept a packet if there is a 453 * route to the loopback interface for the destination of the packet. 454 * But we think it's even useful in some situations, e.g. when using 455 * a special daemon which wants to intercept the packet. 456 * 457 * XXX: some OSes automatically make a cloned route for the destination 458 * of an outgoing packet. If the outgoing interface of the packet 459 * is a loopback one, the kernel would consider the packet to be 460 * accepted, even if we have no such address assinged on the interface. 461 * We check the cloned flag of the route entry to reject such cases, 462 * assuming that route entries for our own addresses are not made by 463 * cloning (it should be true because in6_addloop explicitly installs 464 * the host route). However, we might have to do an explicit check 465 * while it would be less efficient. Or, should we rather install a 466 * reject route for such a case? 467 */ 468 if (ip6_forward_rt.ro_rt && 469 (ip6_forward_rt.ro_rt->rt_flags & 470 (RTF_HOST|RTF_GATEWAY)) == RTF_HOST && 471 #ifdef RTF_WASCLONED 472 !(ip6_forward_rt.ro_rt->rt_flags & RTF_WASCLONED) && 473 #endif 474 #ifdef RTF_CLONED 475 !(ip6_forward_rt.ro_rt->rt_flags & RTF_CLONED) && 476 #endif 477 #if 0 478 /* 479 * The check below is redundant since the comparison of 480 * the destination and the key of the rtentry has 481 * already done through looking up the routing table. 482 */ 483 IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, 484 &rt6_key(ip6_forward_rt.ro_rt)->sin6_addr) 485 #endif 486 ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_LOOP) { 487 struct in6_ifaddr *ia6 = 488 (struct in6_ifaddr *)ip6_forward_rt.ro_rt->rt_ifa; 489 490 /* 491 * record address information into m_aux. 492 */ 493 ip6_setdstifaddr(m, ia6); 494 495 /* 496 * packets to a tentative, duplicated, or somehow invalid 497 * address must not be accepted. 498 */ 499 if (!(ia6->ia6_flags & IN6_IFF_NOTREADY)) { 500 /* this address is ready */ 501 ours = 1; 502 deliverifp = ia6->ia_ifp; /* correct? */ 503 /* Count the packet in the ip address stats */ 504 IFA_STAT_INC(&ia6->ia_ifa, ipackets, 1); 505 IFA_STAT_INC(&ia6->ia_ifa, ibytes, m->m_pkthdr.len); 506 goto hbhcheck; 507 } else { 508 /* address is not ready, so discard the packet. */ 509 nd6log((LOG_INFO, 510 "ip6_input: packet to an unready address %s->%s\n", 511 ip6_sprintf(&ip6->ip6_src), 512 ip6_sprintf(&ip6->ip6_dst))); 513 514 goto bad; 515 } 516 } 517 518 /* 519 * Now there is no reason to process the packet if it's not our own 520 * and we're not a router. 521 */ 522 if (!ip6_forwarding) { 523 ip6stat.ip6s_cantforward++; 524 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 525 goto bad; 526 } 527 528 hbhcheck: 529 /* 530 * record address information into m_aux, if we don't have one yet. 531 * note that we are unable to record it, if the address is not listed 532 * as our interface address (e.g. multicast addresses and such). 533 */ 534 if (deliverifp && !ip6_getdstifaddr(m)) { 535 struct in6_ifaddr *ia6; 536 537 ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst); 538 if (ia6) { 539 if (!ip6_setdstifaddr(m, ia6)) { 540 /* 541 * XXX maybe we should drop the packet here, 542 * as we could not provide enough information 543 * to the upper layers. 544 */ 545 } 546 } 547 } 548 549 /* 550 * Process Hop-by-Hop options header if it's contained. 551 * m may be modified in ip6_hopopts_input(). 552 * If a JumboPayload option is included, plen will also be modified. 553 */ 554 plen = (u_int32_t)ntohs(ip6->ip6_plen); 555 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 556 struct ip6_hbh *hbh; 557 558 if (ip6_hopopts_input(&plen, &rtalert, &m, &off)) { 559 #if 0 /*touches NULL pointer*/ 560 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 561 #endif 562 goto bad2; /* m have already been freed */ 563 } 564 565 /* adjust pointer */ 566 ip6 = mtod(m, struct ip6_hdr *); 567 568 /* 569 * if the payload length field is 0 and the next header field 570 * indicates Hop-by-Hop Options header, then a Jumbo Payload 571 * option MUST be included. 572 */ 573 if (ip6->ip6_plen == 0 && plen == 0) { 574 /* 575 * Note that if a valid jumbo payload option is 576 * contained, ip6_hoptops_input() must set a valid 577 * (non-zero) payload length to the variable plen. 578 */ 579 ip6stat.ip6s_badoptions++; 580 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 581 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); 582 icmp6_error(m, ICMP6_PARAM_PROB, 583 ICMP6_PARAMPROB_HEADER, 584 (caddr_t)&ip6->ip6_plen - (caddr_t)ip6); 585 goto bad2; 586 } 587 #ifndef PULLDOWN_TEST 588 /* ip6_hopopts_input() ensures that mbuf is contiguous */ 589 hbh = (struct ip6_hbh *)(ip6 + 1); 590 #else 591 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 592 sizeof(struct ip6_hbh)); 593 if (hbh == NULL) { 594 ip6stat.ip6s_tooshort++; 595 goto bad2; 596 } 597 #endif 598 nxt = hbh->ip6h_nxt; 599 600 /* 601 * If we are acting as a router and the packet contains a 602 * router alert option, see if we know the option value. 603 * Currently, we only support the option value for MLD, in which 604 * case we should pass the packet to the multicast routing 605 * daemon. 606 */ 607 if (rtalert != ~0 && ip6_forwarding) { 608 switch (rtalert) { 609 case IP6OPT_RTALERT_MLD: 610 ours = 1; 611 break; 612 default: 613 /* 614 * RFC2711 requires unrecognized values must be 615 * silently ignored. 616 */ 617 break; 618 } 619 } 620 } else 621 nxt = ip6->ip6_nxt; 622 623 /* 624 * Check that the amount of data in the buffers 625 * is as at least much as the IPv6 header would have us expect. 626 * Trim mbufs if longer than we expect. 627 * Drop packet if shorter than we expect. 628 */ 629 if (m->m_pkthdr.len - sizeof(struct ip6_hdr) < plen) { 630 ip6stat.ip6s_tooshort++; 631 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 632 goto bad; 633 } 634 if (m->m_pkthdr.len > sizeof(struct ip6_hdr) + plen) { 635 if (m->m_len == m->m_pkthdr.len) { 636 m->m_len = sizeof(struct ip6_hdr) + plen; 637 m->m_pkthdr.len = sizeof(struct ip6_hdr) + plen; 638 } else 639 m_adj(m, sizeof(struct ip6_hdr) + plen - m->m_pkthdr.len); 640 } 641 642 /* 643 * Forward if desirable. 644 */ 645 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 646 /* 647 * If we are acting as a multicast router, all 648 * incoming multicast packets are passed to the 649 * kernel-level multicast forwarding function. 650 * The packet is returned (relatively) intact; if 651 * ip6_mforward() returns a non-zero value, the packet 652 * must be discarded, else it may be accepted below. 653 */ 654 if (ip6_mrouter && ip6_mforward(ip6, m->m_pkthdr.rcvif, m)) { 655 ip6stat.ip6s_cantforward++; 656 goto bad; 657 } 658 if (!ours) 659 goto bad; 660 } else if (!ours) { 661 ip6_forward(m, srcrt); 662 goto bad2; 663 } 664 665 ip6 = mtod(m, struct ip6_hdr *); 666 667 /* 668 * Malicious party may be able to use IPv4 mapped addr to confuse 669 * tcp/udp stack and bypass security checks (act as if it was from 670 * 127.0.0.1 by using IPv6 src ::ffff:127.0.0.1). Be cautious. 671 * 672 * For SIIT end node behavior, you may want to disable the check. 673 * However, you will become vulnerable to attacks using IPv4 mapped 674 * source. 675 */ 676 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 677 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 678 ip6stat.ip6s_badscope++; 679 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 680 goto bad; 681 } 682 683 /* 684 * Tell launch routine the next header 685 */ 686 ip6stat.ip6s_delivered++; 687 in6_ifstat_inc(deliverifp, ifs6_in_deliver); 688 nest = 0; 689 690 rh_present = 0; 691 while (nxt != IPPROTO_DONE) { 692 struct protosw *sw6; 693 694 if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) { 695 ip6stat.ip6s_toomanyhdr++; 696 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); 697 goto bad; 698 } 699 700 /* 701 * protection against faulty packet - there should be 702 * more sanity checks in header chain processing. 703 */ 704 if (m->m_pkthdr.len < off) { 705 ip6stat.ip6s_tooshort++; 706 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 707 goto bad; 708 } 709 710 #if 0 711 /* 712 * do we need to do it for every header? yeah, other 713 * functions can play with it (like re-allocate and copy). 714 */ 715 mhist = ip6_addaux(m); 716 if (mhist && M_TRAILINGSPACE(mhist) >= sizeof(nxt)) { 717 hist = mtod(mhist, caddr_t) + mhist->m_len; 718 bcopy(&nxt, hist, sizeof(nxt)); 719 mhist->m_len += sizeof(nxt); 720 } else { 721 ip6stat.ip6s_toomanyhdr++; 722 goto bad; 723 } 724 #endif 725 726 if (nxt == IPPROTO_ROUTING) { 727 if (rh_present++) { 728 in6_ifstat_inc(m->m_pkthdr.rcvif, 729 ifs6_in_hdrerr); 730 ip6stat.ip6s_badoptions++; 731 goto bad; 732 } 733 } 734 735 sw6 = &inet6sw[ip6_protox[nxt]]; 736 /* 737 * If this is a terminal header forward to the port, otherwise 738 * process synchronously for more headers. 739 */ 740 if (sw6->pr_flags & PR_LASTHDR) { 741 struct netmsg_packet *pmsg; 742 lwkt_port_t port; 743 744 port = netisr_cpuport(0); /* XXX */ 745 if ((m->m_flags & M_HASH) == 0) 746 m_sethash(m, 0); /* XXX */ 747 748 KKASSERT(port != NULL); 749 pmsg = &m->m_hdr.mh_netmsg; 750 netmsg_init(&pmsg->base, NULL, 751 &netisr_apanic_rport, 752 0, transport6_processing_handler); 753 pmsg->nm_packet = m; 754 pmsg->nm_nxt = nxt; 755 pmsg->base.lmsg.u.ms_result = off; 756 lwkt_sendmsg(port, &pmsg->base.lmsg); 757 /* done with m */ 758 nxt = IPPROTO_DONE; 759 } else { 760 nxt = sw6->pr_input(&m, &off, nxt); 761 } 762 } 763 goto bad2; 764 bad: 765 m_freem(m); 766 bad2: 767 ; 768 /* msg was embedded in the mbuf, do not reply! */ 769 } 770 771 /* 772 * We have to call the pr_input() function from the correct protocol 773 * thread. The sw6->pr_soport() request at the end of ip6_input() 774 * returns the port and we forward a netmsg to the port to execute 775 * this function. 776 */ 777 static void 778 transport6_processing_handler(netmsg_t netmsg) 779 { 780 struct netmsg_packet *pmsg = (struct netmsg_packet *)netmsg; 781 struct protosw *sw6; 782 int hlen; 783 int nxt; 784 785 sw6 = &inet6sw[ip6_protox[pmsg->nm_nxt]]; 786 hlen = pmsg->base.lmsg.u.ms_result; 787 788 nxt = sw6->pr_input(&pmsg->nm_packet, &hlen, pmsg->nm_nxt); 789 KKASSERT(nxt == IPPROTO_DONE); 790 /* netmsg was embedded in the mbuf, do not reply! */ 791 } 792 793 /* 794 * set/grab in6_ifaddr correspond to IPv6 destination address. 795 * XXX backward compatibility wrapper 796 */ 797 static struct ip6aux * 798 ip6_setdstifaddr(struct mbuf *m, struct in6_ifaddr *ia6) 799 { 800 struct ip6aux *n; 801 802 n = ip6_addaux(m); 803 if (n) 804 n->ip6a_dstia6 = ia6; 805 return n; /* NULL if failed to set */ 806 } 807 808 struct in6_ifaddr * 809 ip6_getdstifaddr(struct mbuf *m) 810 { 811 struct ip6aux *n; 812 813 n = ip6_findaux(m); 814 if (n) 815 return n->ip6a_dstia6; 816 else 817 return NULL; 818 } 819 820 /* 821 * Hop-by-Hop options header processing. If a valid jumbo payload option is 822 * included, the real payload length will be stored in plenp. 823 */ 824 static int 825 ip6_hopopts_input(u_int32_t *plenp, 826 u_int32_t *rtalertp,/* XXX: should be stored more smart way */ 827 struct mbuf **mp, 828 int *offp) 829 { 830 struct mbuf *m = *mp; 831 int off = *offp, hbhlen; 832 struct ip6_hbh *hbh; 833 834 /* validation of the length of the header */ 835 #ifndef PULLDOWN_TEST 836 IP6_EXTHDR_CHECK(m, off, sizeof(*hbh), -1); 837 hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off); 838 hbhlen = (hbh->ip6h_len + 1) << 3; 839 840 IP6_EXTHDR_CHECK(m, off, hbhlen, -1); 841 hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off); 842 #else 843 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, 844 sizeof(struct ip6_hdr), sizeof(struct ip6_hbh)); 845 if (hbh == NULL) { 846 ip6stat.ip6s_tooshort++; 847 return -1; 848 } 849 hbhlen = (hbh->ip6h_len + 1) << 3; 850 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 851 hbhlen); 852 if (hbh == NULL) { 853 ip6stat.ip6s_tooshort++; 854 return -1; 855 } 856 #endif 857 off += hbhlen; 858 hbhlen -= sizeof(struct ip6_hbh); 859 860 if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh), 861 hbhlen, rtalertp, plenp) < 0) 862 return (-1); 863 864 *offp = off; 865 *mp = m; 866 return (0); 867 } 868 869 /* 870 * Search header for all Hop-by-hop options and process each option. 871 * This function is separate from ip6_hopopts_input() in order to 872 * handle a case where the sending node itself process its hop-by-hop 873 * options header. In such a case, the function is called from ip6_output(). 874 * 875 * The function assumes that hbh header is located right after the IPv6 header 876 * (RFC2460 p7), opthead is pointer into data content in m, and opthead to 877 * opthead + hbhlen is located in continuous memory region. 878 */ 879 int 880 ip6_process_hopopts(struct mbuf *m, u_int8_t *opthead, int hbhlen, 881 u_int32_t *rtalertp, u_int32_t *plenp) 882 { 883 struct ip6_hdr *ip6; 884 int optlen = 0; 885 u_int8_t *opt = opthead; 886 u_int16_t rtalert_val; 887 u_int32_t jumboplen; 888 const int erroff = sizeof(struct ip6_hdr) + sizeof(struct ip6_hbh); 889 890 for (; hbhlen > 0; hbhlen -= optlen, opt += optlen) { 891 switch (*opt) { 892 case IP6OPT_PAD1: 893 optlen = 1; 894 break; 895 case IP6OPT_PADN: 896 if (hbhlen < IP6OPT_MINLEN) { 897 ip6stat.ip6s_toosmall++; 898 goto bad; 899 } 900 optlen = *(opt + 1) + 2; 901 break; 902 case IP6OPT_RTALERT: 903 /* XXX may need check for alignment */ 904 if (hbhlen < IP6OPT_RTALERT_LEN) { 905 ip6stat.ip6s_toosmall++; 906 goto bad; 907 } 908 if (*(opt + 1) != IP6OPT_RTALERT_LEN - 2) { 909 /* XXX stat */ 910 icmp6_error(m, ICMP6_PARAM_PROB, 911 ICMP6_PARAMPROB_HEADER, 912 erroff + opt + 1 - opthead); 913 return (-1); 914 } 915 optlen = IP6OPT_RTALERT_LEN; 916 bcopy((caddr_t)(opt + 2), (caddr_t)&rtalert_val, 2); 917 *rtalertp = ntohs(rtalert_val); 918 break; 919 case IP6OPT_JUMBO: 920 /* XXX may need check for alignment */ 921 if (hbhlen < IP6OPT_JUMBO_LEN) { 922 ip6stat.ip6s_toosmall++; 923 goto bad; 924 } 925 if (*(opt + 1) != IP6OPT_JUMBO_LEN - 2) { 926 /* XXX stat */ 927 icmp6_error(m, ICMP6_PARAM_PROB, 928 ICMP6_PARAMPROB_HEADER, 929 erroff + opt + 1 - opthead); 930 return (-1); 931 } 932 optlen = IP6OPT_JUMBO_LEN; 933 934 /* 935 * IPv6 packets that have non 0 payload length 936 * must not contain a jumbo payload option. 937 */ 938 ip6 = mtod(m, struct ip6_hdr *); 939 if (ip6->ip6_plen) { 940 ip6stat.ip6s_badoptions++; 941 icmp6_error(m, ICMP6_PARAM_PROB, 942 ICMP6_PARAMPROB_HEADER, 943 erroff + opt - opthead); 944 return (-1); 945 } 946 947 /* 948 * We may see jumbolen in unaligned location, so 949 * we'd need to perform bcopy(). 950 */ 951 bcopy(opt + 2, &jumboplen, sizeof(jumboplen)); 952 jumboplen = (u_int32_t)htonl(jumboplen); 953 954 #if 1 955 /* 956 * if there are multiple jumbo payload options, 957 * *plenp will be non-zero and the packet will be 958 * rejected. 959 * the behavior may need some debate in ipngwg - 960 * multiple options does not make sense, however, 961 * there's no explicit mention in specification. 962 */ 963 if (*plenp != 0) { 964 ip6stat.ip6s_badoptions++; 965 icmp6_error(m, ICMP6_PARAM_PROB, 966 ICMP6_PARAMPROB_HEADER, 967 erroff + opt + 2 - opthead); 968 return (-1); 969 } 970 #endif 971 972 /* 973 * jumbo payload length must be larger than 65535. 974 */ 975 if (jumboplen <= IPV6_MAXPACKET) { 976 ip6stat.ip6s_badoptions++; 977 icmp6_error(m, ICMP6_PARAM_PROB, 978 ICMP6_PARAMPROB_HEADER, 979 erroff + opt + 2 - opthead); 980 return (-1); 981 } 982 *plenp = jumboplen; 983 984 break; 985 default: /* unknown option */ 986 if (hbhlen < IP6OPT_MINLEN) { 987 ip6stat.ip6s_toosmall++; 988 goto bad; 989 } 990 optlen = ip6_unknown_opt(opt, m, 991 erroff + opt - opthead); 992 if (optlen == -1) 993 return (-1); 994 optlen += 2; 995 break; 996 } 997 } 998 999 return (0); 1000 1001 bad: 1002 m_freem(m); 1003 return (-1); 1004 } 1005 1006 /* 1007 * Unknown option processing. 1008 * The third argument `off' is the offset from the IPv6 header to the option, 1009 * which is necessary if the IPv6 header the and option header and IPv6 header 1010 * is not continuous in order to return an ICMPv6 error. 1011 */ 1012 int 1013 ip6_unknown_opt(u_int8_t *optp, struct mbuf *m, int off) 1014 { 1015 struct ip6_hdr *ip6; 1016 1017 switch (IP6OPT_TYPE(*optp)) { 1018 case IP6OPT_TYPE_SKIP: /* ignore the option */ 1019 return ((int)*(optp + 1)); 1020 case IP6OPT_TYPE_DISCARD: /* silently discard */ 1021 m_freem(m); 1022 return (-1); 1023 case IP6OPT_TYPE_FORCEICMP: /* send ICMP even if multicasted */ 1024 ip6stat.ip6s_badoptions++; 1025 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_OPTION, off); 1026 return (-1); 1027 case IP6OPT_TYPE_ICMP: /* send ICMP if not multicasted */ 1028 ip6stat.ip6s_badoptions++; 1029 ip6 = mtod(m, struct ip6_hdr *); 1030 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) || 1031 (m->m_flags & (M_BCAST|M_MCAST))) 1032 m_freem(m); 1033 else 1034 icmp6_error(m, ICMP6_PARAM_PROB, 1035 ICMP6_PARAMPROB_OPTION, off); 1036 return (-1); 1037 } 1038 1039 m_freem(m); /* XXX: NOTREACHED */ 1040 return (-1); 1041 } 1042 1043 /* 1044 * Create the "control" list for this pcb. 1045 * The function will not modify mbuf chain at all. 1046 * 1047 * with KAME mbuf chain restriction: 1048 * The routine will be called from upper layer handlers like tcp6_input(). 1049 * Thus the routine assumes that the caller (tcp6_input) have already 1050 * called IP6_EXTHDR_CHECK() and all the extension headers are located in the 1051 * very first mbuf on the mbuf chain. 1052 */ 1053 void 1054 ip6_savecontrol(struct inpcb *in6p, struct mbuf **mp, struct ip6_hdr *ip6, 1055 struct mbuf *m) 1056 { 1057 #define IS2292(x, y) ((in6p->in6p_flags & IN6P_RFC2292) ? (x) : (y)) 1058 struct thread *td = curthread; /* XXX */ 1059 int privileged = 0; 1060 1061 1062 if (priv_check(td, PRIV_ROOT) == 0) 1063 privileged++; 1064 1065 #ifdef SO_TIMESTAMP 1066 if (in6p->in6p_socket->so_options & SO_TIMESTAMP) { 1067 struct timeval tv; 1068 1069 microtime(&tv); 1070 *mp = sbcreatecontrol((caddr_t)&tv, sizeof(tv), 1071 SCM_TIMESTAMP, SOL_SOCKET); 1072 if (*mp) { 1073 mp = &(*mp)->m_next; 1074 } 1075 } 1076 #endif 1077 1078 /* RFC 2292 sec. 5 */ 1079 if (in6p->in6p_flags & IN6P_PKTINFO) { 1080 struct in6_pktinfo pi6; 1081 1082 bcopy(&ip6->ip6_dst, &pi6.ipi6_addr, sizeof(struct in6_addr)); 1083 in6_clearscope(&pi6.ipi6_addr); /* XXX */ 1084 pi6.ipi6_ifindex = (m && m->m_pkthdr.rcvif) ? 1085 m->m_pkthdr.rcvif->if_index : 0; 1086 *mp = sbcreatecontrol((caddr_t)&pi6, sizeof(struct in6_pktinfo), 1087 IS2292(IPV6_2292PKTINFO, IPV6_PKTINFO), IPPROTO_IPV6); 1088 if (*mp) 1089 mp = &(*mp)->m_next; 1090 } 1091 1092 if (in6p->in6p_flags & IN6P_HOPLIMIT) { 1093 int hlim = ip6->ip6_hlim & 0xff; 1094 1095 *mp = sbcreatecontrol((caddr_t)&hlim, sizeof(int), 1096 IS2292(IPV6_2292HOPLIMIT, IPV6_HOPLIMIT), IPPROTO_IPV6); 1097 if (*mp) 1098 mp = &(*mp)->m_next; 1099 } 1100 1101 if ((in6p->in6p_flags & IN6P_TCLASS) != 0) { 1102 u_int32_t flowinfo; 1103 int tclass; 1104 1105 flowinfo = (u_int32_t)ntohl(ip6->ip6_flow & IPV6_FLOWINFO_MASK); 1106 flowinfo >>= 20; 1107 1108 tclass = flowinfo & 0xff; 1109 *mp = sbcreatecontrol((caddr_t) &tclass, sizeof(tclass), 1110 IPV6_TCLASS, IPPROTO_IPV6); 1111 if (*mp) 1112 mp = &(*mp)->m_next; 1113 } 1114 1115 /* 1116 * IPV6_HOPOPTS socket option. We require super-user privilege 1117 * for the option, but it might be too strict, since there might 1118 * be some hop-by-hop options which can be returned to normal user. 1119 * See RFC 2292 section 6. 1120 */ 1121 if ((in6p->in6p_flags & IN6P_HOPOPTS) && privileged) { 1122 /* 1123 * Check if a hop-by-hop options header is contatined in the 1124 * received packet, and if so, store the options as ancillary 1125 * data. Note that a hop-by-hop options header must be 1126 * just after the IPv6 header, which is assured through the 1127 * IPv6 input processing. 1128 */ 1129 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1130 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 1131 struct ip6_hbh *hbh; 1132 int hbhlen = 0; 1133 #ifdef PULLDOWN_TEST 1134 struct mbuf *ext; 1135 #endif 1136 1137 #ifndef PULLDOWN_TEST 1138 hbh = (struct ip6_hbh *)(ip6 + 1); 1139 hbhlen = (hbh->ip6h_len + 1) << 3; 1140 #else 1141 ext = ip6_pullexthdr(m, sizeof(struct ip6_hdr), 1142 ip6->ip6_nxt); 1143 if (ext == NULL) { 1144 ip6stat.ip6s_tooshort++; 1145 return; 1146 } 1147 hbh = mtod(ext, struct ip6_hbh *); 1148 hbhlen = (hbh->ip6h_len + 1) << 3; 1149 if (hbhlen != ext->m_len) { 1150 m_freem(ext); 1151 ip6stat.ip6s_tooshort++; 1152 return; 1153 } 1154 #endif 1155 1156 /* 1157 * XXX: We copy the whole header even if a 1158 * jumbo payload option is included, the option which 1159 * is to be removed before returning according to 1160 * RFC 2292. 1161 * Note: this constraint is removed in 2292bis. 1162 */ 1163 *mp = sbcreatecontrol((caddr_t)hbh, hbhlen, 1164 IS2292(IPV6_2292HOPOPTS, IPV6_HOPOPTS), 1165 IPPROTO_IPV6); 1166 if (*mp) 1167 mp = &(*mp)->m_next; 1168 #ifdef PULLDOWN_TEST 1169 m_freem(ext); 1170 #endif 1171 } 1172 } 1173 1174 /* IPV6_DSTOPTS and IPV6_RTHDR socket options */ 1175 if ((in6p->in6p_flags & (IN6P_DSTOPTS | IN6P_RTHDRDSTOPTS)) != 0) { 1176 int proto, off, nxt; 1177 1178 /* 1179 * go through the header chain to see if a routing header is 1180 * contained in the packet. We need this information to store 1181 * destination options headers (if any) properly. 1182 * XXX: performance issue. We should record this info when 1183 * processing extension headers in incoming routine. 1184 * (todo) use m_aux? 1185 */ 1186 proto = IPPROTO_IPV6; 1187 off = 0; 1188 nxt = -1; 1189 while (1) { 1190 int newoff; 1191 1192 newoff = ip6_nexthdr(m, off, proto, &nxt); 1193 if (newoff < 0) 1194 break; 1195 if (newoff < off) /* invalid, check for safety */ 1196 break; 1197 if ((proto = nxt) == IPPROTO_ROUTING) 1198 break; 1199 off = newoff; 1200 } 1201 } 1202 1203 if ((in6p->in6p_flags & 1204 (IN6P_RTHDR | IN6P_DSTOPTS | IN6P_RTHDRDSTOPTS)) != 0) { 1205 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1206 int nxt = ip6->ip6_nxt, off = sizeof(struct ip6_hdr); 1207 1208 /* 1209 * Search for destination options headers or routing 1210 * header(s) through the header chain, and stores each 1211 * header as ancillary data. 1212 * Note that the order of the headers remains in 1213 * the chain of ancillary data. 1214 */ 1215 while (1) { /* is explicit loop prevention necessary? */ 1216 struct ip6_ext *ip6e = NULL; 1217 int elen; 1218 #ifdef PULLDOWN_TEST 1219 struct mbuf *ext = NULL; 1220 #endif 1221 1222 /* 1223 * if it is not an extension header, don't try to 1224 * pull it from the chain. 1225 */ 1226 switch (nxt) { 1227 case IPPROTO_DSTOPTS: 1228 case IPPROTO_ROUTING: 1229 case IPPROTO_HOPOPTS: 1230 case IPPROTO_AH: /* is it possible? */ 1231 break; 1232 default: 1233 goto loopend; 1234 } 1235 1236 #ifndef PULLDOWN_TEST 1237 if (off + sizeof(*ip6e) > m->m_len) 1238 goto loopend; 1239 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + off); 1240 if (nxt == IPPROTO_AH) 1241 elen = (ip6e->ip6e_len + 2) << 2; 1242 else 1243 elen = (ip6e->ip6e_len + 1) << 3; 1244 if (off + elen > m->m_len) 1245 goto loopend; 1246 #else 1247 ext = ip6_pullexthdr(m, off, nxt); 1248 if (ext == NULL) { 1249 ip6stat.ip6s_tooshort++; 1250 return; 1251 } 1252 ip6e = mtod(ext, struct ip6_ext *); 1253 if (nxt == IPPROTO_AH) 1254 elen = (ip6e->ip6e_len + 2) << 2; 1255 else 1256 elen = (ip6e->ip6e_len + 1) << 3; 1257 if (elen != ext->m_len) { 1258 m_freem(ext); 1259 ip6stat.ip6s_tooshort++; 1260 return; 1261 } 1262 #endif 1263 1264 switch (nxt) { 1265 case IPPROTO_DSTOPTS: 1266 if ((in6p->in6p_flags & IN6P_DSTOPTS) == 0) 1267 break; 1268 1269 /* 1270 * We also require super-user privilege for 1271 * the option. See comments on IN6_HOPOPTS. 1272 */ 1273 if (!privileged) 1274 break; 1275 1276 *mp = sbcreatecontrol((caddr_t)ip6e, elen, 1277 IS2292(IPV6_2292DSTOPTS, IPV6_DSTOPTS), 1278 IPPROTO_IPV6); 1279 if (*mp) 1280 mp = &(*mp)->m_next; 1281 break; 1282 case IPPROTO_ROUTING: 1283 if (!(in6p->in6p_flags & IN6P_RTHDR)) 1284 break; 1285 1286 *mp = sbcreatecontrol((caddr_t)ip6e, elen, 1287 IS2292(IPV6_2292RTHDR, IPV6_RTHDR), 1288 IPPROTO_IPV6); 1289 if (*mp) 1290 mp = &(*mp)->m_next; 1291 break; 1292 case IPPROTO_HOPOPTS: 1293 case IPPROTO_AH: /* is it possible? */ 1294 break; 1295 1296 default: 1297 /* 1298 * other cases have been filtered in the above. 1299 * none will visit this case. here we supply 1300 * the code just in case (nxt overwritten or 1301 * other cases). 1302 */ 1303 #ifdef PULLDOWN_TEST 1304 m_freem(ext); 1305 #endif 1306 goto loopend; 1307 1308 } 1309 1310 /* proceed with the next header. */ 1311 off += elen; 1312 nxt = ip6e->ip6e_nxt; 1313 ip6e = NULL; 1314 #ifdef PULLDOWN_TEST 1315 m_freem(ext); 1316 ext = NULL; 1317 #endif 1318 } 1319 loopend: 1320 ; 1321 } 1322 #undef IS2292 1323 } 1324 1325 void 1326 ip6_notify_pmtu(struct inpcb *in6p, struct sockaddr_in6 *dst, u_int32_t *mtu) 1327 { 1328 struct socket *so; 1329 struct mbuf *m_mtu; 1330 struct ip6_mtuinfo mtuctl; 1331 1332 so = in6p->inp_socket; 1333 1334 if (mtu == NULL) 1335 return; 1336 1337 #ifdef DIAGNOSTIC 1338 if (so == NULL) /* I believe this is impossible */ 1339 panic("ip6_notify_pmtu: socket is NULL"); 1340 #endif 1341 1342 bzero(&mtuctl, sizeof(mtuctl)); /* zero-clear for safety */ 1343 mtuctl.ip6m_mtu = *mtu; 1344 mtuctl.ip6m_addr = *dst; 1345 1346 if ((m_mtu = sbcreatecontrol((caddr_t)&mtuctl, sizeof(mtuctl), 1347 IPV6_PATHMTU, IPPROTO_IPV6)) == NULL) 1348 return; 1349 1350 lwkt_gettoken(&so->so_rcv.ssb_token); 1351 if (sbappendaddr(&so->so_rcv.sb, (struct sockaddr *)dst, NULL, m_mtu) 1352 == 0) { 1353 m_freem(m_mtu); 1354 /* XXX: should count statistics */ 1355 } else { 1356 sorwakeup(so); 1357 } 1358 lwkt_reltoken(&so->so_rcv.ssb_token); 1359 } 1360 1361 #ifdef PULLDOWN_TEST 1362 /* 1363 * pull single extension header from mbuf chain. returns single mbuf that 1364 * contains the result, or NULL on error. 1365 */ 1366 static struct mbuf * 1367 ip6_pullexthdr(struct mbuf *m, size_t off, int nxt) 1368 { 1369 struct ip6_ext ip6e; 1370 size_t elen; 1371 struct mbuf *n; 1372 1373 #ifdef DIAGNOSTIC 1374 switch (nxt) { 1375 case IPPROTO_DSTOPTS: 1376 case IPPROTO_ROUTING: 1377 case IPPROTO_HOPOPTS: 1378 case IPPROTO_AH: /* is it possible? */ 1379 break; 1380 default: 1381 kprintf("ip6_pullexthdr: invalid nxt=%d\n", nxt); 1382 } 1383 #endif 1384 1385 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1386 if (nxt == IPPROTO_AH) 1387 elen = (ip6e.ip6e_len + 2) << 2; 1388 else 1389 elen = (ip6e.ip6e_len + 1) << 3; 1390 1391 n = m_getb(elen, M_NOWAIT, MT_DATA, 0); 1392 if (n == NULL) 1393 return NULL; 1394 n->m_len = 0; 1395 1396 if (elen >= M_TRAILINGSPACE(n)) { 1397 m_free(n); 1398 return NULL; 1399 } 1400 1401 m_copydata(m, off, elen, mtod(n, caddr_t)); 1402 n->m_len = elen; 1403 return n; 1404 } 1405 #endif 1406 1407 /* 1408 * Get pointer to the previous header followed by the header 1409 * currently processed. 1410 * XXX: This function supposes that 1411 * M includes all headers, 1412 * the next header field and the header length field of each header 1413 * are valid, and 1414 * the sum of each header length equals to OFF. 1415 * Because of these assumptions, this function must be called very 1416 * carefully. Moreover, it will not be used in the near future when 1417 * we develop `neater' mechanism to process extension headers. 1418 */ 1419 char * 1420 ip6_get_prevhdr(struct mbuf *m, int off) 1421 { 1422 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1423 1424 if (off == sizeof(struct ip6_hdr)) 1425 return (&ip6->ip6_nxt); 1426 else { 1427 int len, nxt; 1428 struct ip6_ext *ip6e = NULL; 1429 1430 nxt = ip6->ip6_nxt; 1431 len = sizeof(struct ip6_hdr); 1432 while (len < off) { 1433 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + len); 1434 1435 switch (nxt) { 1436 case IPPROTO_FRAGMENT: 1437 len += sizeof(struct ip6_frag); 1438 break; 1439 case IPPROTO_AH: 1440 len += (ip6e->ip6e_len + 2) << 2; 1441 break; 1442 default: 1443 len += (ip6e->ip6e_len + 1) << 3; 1444 break; 1445 } 1446 nxt = ip6e->ip6e_nxt; 1447 } 1448 if (ip6e) 1449 return (&ip6e->ip6e_nxt); 1450 else 1451 return NULL; 1452 } 1453 } 1454 1455 /* 1456 * get next header offset. m will be retained. 1457 */ 1458 int 1459 ip6_nexthdr(struct mbuf *m, int off, int proto, int *nxtp) 1460 { 1461 struct ip6_hdr ip6; 1462 struct ip6_ext ip6e; 1463 struct ip6_frag fh; 1464 1465 /* just in case */ 1466 if (m == NULL) 1467 panic("ip6_nexthdr: m == NULL"); 1468 if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off) 1469 return -1; 1470 1471 switch (proto) { 1472 case IPPROTO_IPV6: 1473 if (m->m_pkthdr.len < off + sizeof(ip6)) 1474 return -1; 1475 m_copydata(m, off, sizeof(ip6), (caddr_t)&ip6); 1476 if (nxtp) 1477 *nxtp = ip6.ip6_nxt; 1478 off += sizeof(ip6); 1479 return off; 1480 1481 case IPPROTO_FRAGMENT: 1482 /* 1483 * terminate parsing if it is not the first fragment, 1484 * it does not make sense to parse through it. 1485 */ 1486 if (m->m_pkthdr.len < off + sizeof(fh)) 1487 return -1; 1488 m_copydata(m, off, sizeof(fh), (caddr_t)&fh); 1489 /* IP6F_OFF_MASK = 0xfff8(BigEndian), 0xf8ff(LittleEndian) */ 1490 if (fh.ip6f_offlg & IP6F_OFF_MASK) 1491 return -1; 1492 if (nxtp) 1493 *nxtp = fh.ip6f_nxt; 1494 off += sizeof(struct ip6_frag); 1495 return off; 1496 1497 case IPPROTO_AH: 1498 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1499 return -1; 1500 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1501 if (nxtp) 1502 *nxtp = ip6e.ip6e_nxt; 1503 off += (ip6e.ip6e_len + 2) << 2; 1504 return off; 1505 1506 case IPPROTO_HOPOPTS: 1507 case IPPROTO_ROUTING: 1508 case IPPROTO_DSTOPTS: 1509 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1510 return -1; 1511 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1512 if (nxtp) 1513 *nxtp = ip6e.ip6e_nxt; 1514 off += (ip6e.ip6e_len + 1) << 3; 1515 return off; 1516 1517 case IPPROTO_NONE: 1518 case IPPROTO_ESP: 1519 case IPPROTO_IPCOMP: 1520 /* give up */ 1521 return -1; 1522 1523 default: 1524 return -1; 1525 } 1526 1527 return -1; 1528 } 1529 1530 /* 1531 * get offset for the last header in the chain. m will be kept untainted. 1532 */ 1533 int 1534 ip6_lasthdr(struct mbuf *m, int off, int proto, int *nxtp) 1535 { 1536 int newoff; 1537 int nxt; 1538 1539 if (!nxtp) { 1540 nxt = -1; 1541 nxtp = &nxt; 1542 } 1543 while (1) { 1544 newoff = ip6_nexthdr(m, off, proto, nxtp); 1545 if (newoff < 0) 1546 return off; 1547 else if (newoff < off) 1548 return -1; /* invalid */ 1549 else if (newoff == off) 1550 return newoff; 1551 1552 off = newoff; 1553 proto = *nxtp; 1554 } 1555 } 1556 1557 struct ip6aux * 1558 ip6_addaux(struct mbuf *m) 1559 { 1560 struct m_tag *mtag; 1561 1562 mtag = m_tag_find(m, PACKET_TAG_IPV6_INPUT, NULL); 1563 if (!mtag) { 1564 mtag = m_tag_get(PACKET_TAG_IPV6_INPUT, sizeof(struct ip6aux), 1565 M_NOWAIT); 1566 if (mtag) 1567 m_tag_prepend(m, mtag); 1568 } 1569 if (mtag) 1570 bzero(m_tag_data(mtag), sizeof(struct ip6aux)); 1571 return mtag ? (struct ip6aux *)m_tag_data(mtag) : NULL; 1572 } 1573 1574 struct ip6aux * 1575 ip6_findaux(struct mbuf *m) 1576 { 1577 struct m_tag *mtag; 1578 1579 mtag = m_tag_find(m, PACKET_TAG_IPV6_INPUT, NULL); 1580 return mtag ? (struct ip6aux *)m_tag_data(mtag) : NULL; 1581 } 1582 1583 void 1584 ip6_delaux(struct mbuf *m) 1585 { 1586 struct m_tag *mtag; 1587 1588 mtag = m_tag_find(m, PACKET_TAG_IPV6_INPUT, NULL); 1589 if (mtag) 1590 m_tag_delete(m, mtag); 1591 } 1592 1593 /* 1594 * System control for IP6 1595 */ 1596 1597 u_char inet6ctlerrmap[PRC_NCMDS] = { 1598 0, 0, 0, 0, 1599 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH, 1600 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, 1601 EMSGSIZE, EHOSTUNREACH, 0, 0, 1602 0, 0, 0, 0, 1603 ENOPROTOOPT 1604 }; 1605