1 /* $FreeBSD: src/sys/netinet6/ip6_input.c,v 1.11.2.15 2003/01/24 05:11:35 sam Exp $ */ 2 /* $DragonFly: src/sys/netinet6/ip6_input.c,v 1.28 2006/05/20 06:32:41 dillon Exp $ */ 3 /* $KAME: ip6_input.c,v 1.259 2002/01/21 04:58:09 jinmei Exp $ */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 /* 35 * Copyright (c) 1982, 1986, 1988, 1993 36 * The Regents of the University of California. All rights reserved. 37 * 38 * Redistribution and use in source and binary forms, with or without 39 * modification, are permitted provided that the following conditions 40 * are met: 41 * 1. Redistributions of source code must retain the above copyright 42 * notice, this list of conditions and the following disclaimer. 43 * 2. Redistributions in binary form must reproduce the above copyright 44 * notice, this list of conditions and the following disclaimer in the 45 * documentation and/or other materials provided with the distribution. 46 * 3. All advertising materials mentioning features or use of this software 47 * must display the following acknowledgement: 48 * This product includes software developed by the University of 49 * California, Berkeley and its contributors. 50 * 4. Neither the name of the University nor the names of its contributors 51 * may be used to endorse or promote products derived from this software 52 * without specific prior written permission. 53 * 54 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 55 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 56 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 57 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 58 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 59 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 60 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 61 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 62 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 63 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 64 * SUCH DAMAGE. 65 * 66 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94 67 */ 68 69 #include "opt_ip6fw.h" 70 #include "opt_inet.h" 71 #include "opt_inet6.h" 72 #include "opt_ipsec.h" 73 74 #include <sys/param.h> 75 #include <sys/systm.h> 76 #include <sys/malloc.h> 77 #include <sys/mbuf.h> 78 #include <sys/domain.h> 79 #include <sys/protosw.h> 80 #include <sys/socket.h> 81 #include <sys/socketvar.h> 82 #include <sys/errno.h> 83 #include <sys/time.h> 84 #include <sys/kernel.h> 85 #include <sys/syslog.h> 86 #include <sys/proc.h> 87 88 #include <sys/thread2.h> 89 #include <sys/msgport2.h> 90 91 #include <net/if.h> 92 #include <net/if_types.h> 93 #include <net/if_dl.h> 94 #include <net/route.h> 95 #include <net/netisr.h> 96 #include <net/pfil.h> 97 98 #include <netinet/in.h> 99 #include <netinet/in_systm.h> 100 #ifdef INET 101 #include <netinet/ip.h> 102 #include <netinet/ip_icmp.h> 103 #endif /* INET */ 104 #include <netinet/ip6.h> 105 #include <netinet6/in6_var.h> 106 #include <netinet6/ip6_var.h> 107 #include <netinet/in_pcb.h> 108 #include <netinet/icmp6.h> 109 #include <netinet6/scope6_var.h> 110 #include <netinet6/in6_ifattach.h> 111 #include <netinet6/nd6.h> 112 #include <netinet6/in6_prefix.h> 113 114 #ifdef IPSEC 115 #include <netinet6/ipsec.h> 116 #ifdef INET6 117 #include <netinet6/ipsec6.h> 118 #endif 119 #endif 120 121 #ifdef FAST_IPSEC 122 #include <netproto/ipsec/ipsec.h> 123 #include <netproto/ipsec/ipsec6.h> 124 #define IPSEC 125 #endif /* FAST_IPSEC */ 126 127 #include <net/ip6fw/ip6_fw.h> 128 129 #include <netinet6/ip6protosw.h> 130 131 /* we need it for NLOOP. */ 132 #include "use_loop.h" 133 134 #include <net/net_osdep.h> 135 136 extern struct domain inet6domain; 137 extern struct ip6protosw inet6sw[]; 138 139 u_char ip6_protox[IPPROTO_MAX]; 140 struct in6_ifaddr *in6_ifaddr; 141 142 extern struct callout in6_tmpaddrtimer_ch; 143 144 int ip6_forward_srcrt; /* XXX */ 145 int ip6_sourcecheck; /* XXX */ 146 int ip6_sourcecheck_interval; /* XXX */ 147 148 int ip6_ours_check_algorithm; 149 150 struct pfil_head inet6_pfil_hook; 151 152 /* firewall hooks */ 153 ip6_fw_chk_t *ip6_fw_chk_ptr; 154 ip6_fw_ctl_t *ip6_fw_ctl_ptr; 155 int ip6_fw_enable = 1; 156 157 struct ip6stat ip6stat; 158 159 static void ip6_init2 (void *); 160 static struct ip6aux *ip6_setdstifaddr (struct mbuf *, struct in6_ifaddr *); 161 static int ip6_hopopts_input (u_int32_t *, u_int32_t *, struct mbuf **, int *); 162 static int ip6_input(struct netmsg *msg); 163 #ifdef PULLDOWN_TEST 164 static struct mbuf *ip6_pullexthdr (struct mbuf *, size_t, int); 165 #endif 166 167 /* 168 * IP6 initialization: fill in IP6 protocol switch table. 169 * All protocols not implemented in kernel go to raw IP6 protocol handler. 170 */ 171 void 172 ip6_init(void) 173 { 174 struct ip6protosw *pr; 175 int i; 176 struct timeval tv; 177 178 #ifdef DIAGNOSTIC 179 if (sizeof(struct protosw) != sizeof(struct ip6protosw)) 180 panic("sizeof(protosw) != sizeof(ip6protosw)"); 181 #endif 182 pr = (struct ip6protosw *)pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW); 183 if (pr == 0) 184 panic("ip6_init"); 185 for (i = 0; i < IPPROTO_MAX; i++) 186 ip6_protox[i] = pr - inet6sw; 187 for (pr = (struct ip6protosw *)inet6domain.dom_protosw; 188 pr < (struct ip6protosw *)inet6domain.dom_protoswNPROTOSW; pr++) 189 if (pr->pr_domain->dom_family == PF_INET6 && 190 pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW) 191 ip6_protox[pr->pr_protocol] = pr - inet6sw; 192 193 inet6_pfil_hook.ph_type = PFIL_TYPE_AF; 194 inet6_pfil_hook.ph_af = AF_INET6; 195 if ((i = pfil_head_register(&inet6_pfil_hook)) != 0) { 196 printf("%s: WARNING: unable to register pfil hook, " 197 "error %d\n", __func__, i); 198 } 199 200 netisr_register(NETISR_IPV6, cpu0_portfn, ip6_input); 201 scope6_init(); 202 nd6_init(); 203 frag6_init(); 204 /* 205 * in many cases, random() here does NOT return random number 206 * as initialization during bootstrap time occur in fixed order. 207 */ 208 microtime(&tv); 209 ip6_flow_seq = random() ^ tv.tv_usec; 210 microtime(&tv); 211 ip6_desync_factor = (random() ^ tv.tv_usec) % MAX_TEMP_DESYNC_FACTOR; 212 } 213 214 static void 215 ip6_init2(void *dummy) 216 { 217 /* nd6_timer_init */ 218 callout_init(&nd6_timer_ch); 219 callout_reset(&nd6_timer_ch, hz, nd6_timer, NULL); 220 221 /* router renumbering prefix list maintenance */ 222 callout_init(&in6_rr_timer_ch); 223 callout_reset(&in6_rr_timer_ch, hz, in6_rr_timer, NULL); 224 225 /* timer for regeneranation of temporary addresses randomize ID */ 226 callout_init(&in6_tmpaddrtimer_ch); 227 callout_reset(&in6_tmpaddrtimer_ch, 228 (ip6_temp_preferred_lifetime - ip6_desync_factor - 229 ip6_temp_regen_advance) * hz, 230 in6_tmpaddrtimer, NULL); 231 } 232 233 /* cheat */ 234 /* This must be after route_init(), which is now SI_ORDER_THIRD */ 235 SYSINIT(netinet6init2, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ip6_init2, NULL); 236 237 extern struct route_in6 ip6_forward_rt; 238 239 static 240 int 241 ip6_input(struct netmsg *msg) 242 { 243 struct mbuf *m = ((struct netmsg_packet *)msg)->nm_packet; 244 struct ip6_hdr *ip6; 245 int off = sizeof(struct ip6_hdr), nest; 246 u_int32_t plen; 247 u_int32_t rtalert = ~0; 248 int nxt, ours = 0; 249 struct ifnet *deliverifp = NULL; 250 struct in6_addr odst; 251 int srcrt = 0; 252 253 #ifdef IPSEC 254 /* 255 * should the inner packet be considered authentic? 256 * see comment in ah4_input(). 257 */ 258 if (m) { 259 m->m_flags &= ~M_AUTHIPHDR; 260 m->m_flags &= ~M_AUTHIPDGM; 261 } 262 #endif 263 264 /* 265 * make sure we don't have onion peering information into m_aux. 266 */ 267 ip6_delaux(m); 268 269 /* 270 * mbuf statistics 271 */ 272 if (m->m_flags & M_EXT) { 273 if (m->m_next) 274 ip6stat.ip6s_mext2m++; 275 else 276 ip6stat.ip6s_mext1++; 277 } else { 278 #define M2MMAX (sizeof(ip6stat.ip6s_m2m)/sizeof(ip6stat.ip6s_m2m[0])) 279 if (m->m_next) { 280 if (m->m_flags & M_LOOP) { 281 ip6stat.ip6s_m2m[loif[0].if_index]++; /* XXX */ 282 } else if (m->m_pkthdr.rcvif->if_index < M2MMAX) 283 ip6stat.ip6s_m2m[m->m_pkthdr.rcvif->if_index]++; 284 else 285 ip6stat.ip6s_m2m[0]++; 286 } else 287 ip6stat.ip6s_m1++; 288 #undef M2MMAX 289 } 290 291 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_receive); 292 ip6stat.ip6s_total++; 293 294 #ifndef PULLDOWN_TEST 295 /* 296 * L2 bridge code and some other code can return mbuf chain 297 * that does not conform to KAME requirement. too bad. 298 * XXX: fails to join if interface MTU > MCLBYTES. jumbogram? 299 */ 300 if (m && m->m_next != NULL && m->m_pkthdr.len < MCLBYTES) { 301 struct mbuf *n; 302 303 MGETHDR(n, MB_DONTWAIT, MT_HEADER); 304 if (n) 305 M_MOVE_PKTHDR(n, m); 306 if (n && n->m_pkthdr.len > MHLEN) { 307 MCLGET(n, MB_DONTWAIT); 308 if ((n->m_flags & M_EXT) == 0) { 309 m_freem(n); 310 n = NULL; 311 } 312 } 313 if (n == NULL) 314 goto bad; 315 316 m_copydata(m, 0, n->m_pkthdr.len, mtod(n, caddr_t)); 317 n->m_len = n->m_pkthdr.len; 318 m_freem(m); 319 m = n; 320 } 321 IP6_EXTHDR_CHECK(m, 0, sizeof(struct ip6_hdr), EASYNC); 322 #endif 323 324 if (m->m_len < sizeof(struct ip6_hdr)) { 325 struct ifnet *inifp; 326 inifp = m->m_pkthdr.rcvif; 327 if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == 0) { 328 ip6stat.ip6s_toosmall++; 329 in6_ifstat_inc(inifp, ifs6_in_hdrerr); 330 goto bad2; 331 } 332 } 333 334 ip6 = mtod(m, struct ip6_hdr *); 335 336 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) { 337 ip6stat.ip6s_badvers++; 338 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); 339 goto bad; 340 } 341 342 /* 343 * Run through list of hooks for input packets. 344 * 345 * NB: Beware of the destination address changing 346 * (e.g. by NAT rewriting). When this happens, 347 * tell ip6_forward to do the right thing. 348 */ 349 if (pfil_has_hooks(&inet6_pfil_hook)) { 350 odst = ip6->ip6_dst; 351 if (pfil_run_hooks(&inet6_pfil_hook, &m, 352 m->m_pkthdr.rcvif, PFIL_IN)) { 353 goto bad2; 354 } 355 if (m == NULL) /* consumed by filter */ 356 goto bad2; 357 ip6 = mtod(m, struct ip6_hdr *); 358 srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst); 359 } 360 361 ip6stat.ip6s_nxthist[ip6->ip6_nxt]++; 362 363 #ifdef ALTQ 364 if (altq_input != NULL && (*altq_input)(m, AF_INET6) == 0) { 365 /* packet is dropped by traffic conditioner */ 366 return(ENOBUFS); 367 } 368 #endif 369 370 /* 371 * Check with the firewall... 372 */ 373 if (ip6_fw_enable && ip6_fw_chk_ptr) { 374 u_short port = 0; 375 /* If ipfw says divert, we have to just drop packet */ 376 /* use port as a dummy argument */ 377 if ((*ip6_fw_chk_ptr)(&ip6, NULL, &port, &m)) { 378 m_freem(m); 379 m = NULL; 380 } 381 if (!m) 382 goto bad2; 383 } 384 385 /* 386 * Check against address spoofing/corruption. 387 */ 388 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) || 389 IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) { 390 /* 391 * XXX: "badscope" is not very suitable for a multicast source. 392 */ 393 ip6stat.ip6s_badscope++; 394 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 395 goto bad; 396 } 397 if ((IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) || 398 IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) && 399 (m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) { 400 ip6stat.ip6s_badscope++; 401 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 402 goto bad; 403 } 404 405 /* 406 * The following check is not documented in specs. A malicious 407 * party may be able to use IPv4 mapped addr to confuse tcp/udp stack 408 * and bypass security checks (act as if it was from 127.0.0.1 by using 409 * IPv6 src ::ffff:127.0.0.1). Be cautious. 410 * 411 * This check chokes if we are in an SIIT cloud. As none of BSDs 412 * support IPv4-less kernel compilation, we cannot support SIIT 413 * environment at all. So, it makes more sense for us to reject any 414 * malicious packets for non-SIIT environment, than try to do a 415 * partical support for SIIT environment. 416 */ 417 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 418 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 419 ip6stat.ip6s_badscope++; 420 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 421 goto bad; 422 } 423 #if 0 424 /* 425 * Reject packets with IPv4 compatible addresses (auto tunnel). 426 * 427 * The code forbids auto tunnel relay case in RFC1933 (the check is 428 * stronger than RFC1933). We may want to re-enable it if mech-xx 429 * is revised to forbid relaying case. 430 */ 431 if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) || 432 IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) { 433 ip6stat.ip6s_badscope++; 434 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 435 goto bad; 436 } 437 #endif 438 439 /* drop packets if interface ID portion is already filled */ 440 if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) { 441 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src) && 442 ip6->ip6_src.s6_addr16[1]) { 443 ip6stat.ip6s_badscope++; 444 goto bad; 445 } 446 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst) && 447 ip6->ip6_dst.s6_addr16[1]) { 448 ip6stat.ip6s_badscope++; 449 goto bad; 450 } 451 } 452 453 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) 454 ip6->ip6_src.s6_addr16[1] 455 = htons(m->m_pkthdr.rcvif->if_index); 456 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) 457 ip6->ip6_dst.s6_addr16[1] 458 = htons(m->m_pkthdr.rcvif->if_index); 459 460 #if 0 /* this case seems to be unnecessary. (jinmei, 20010401) */ 461 /* 462 * We use rt->rt_ifp to determine if the address is ours or not. 463 * If rt_ifp is lo0, the address is ours. 464 * The problem here is, rt->rt_ifp for fe80::%lo0/64 is set to lo0, 465 * so any address under fe80::%lo0/64 will be mistakenly considered 466 * local. The special case is supplied to handle the case properly 467 * by actually looking at interface addresses 468 * (using in6ifa_ifpwithaddr). 469 */ 470 if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) != 0 && 471 IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_dst)) { 472 if (!in6ifa_ifpwithaddr(m->m_pkthdr.rcvif, &ip6->ip6_dst)) { 473 icmp6_error(m, ICMP6_DST_UNREACH, 474 ICMP6_DST_UNREACH_ADDR, 0); 475 /* m is already freed */ 476 goto bad2; 477 } 478 479 ours = 1; 480 deliverifp = m->m_pkthdr.rcvif; 481 goto hbhcheck; 482 } 483 #endif 484 485 /* 486 * Multicast check 487 */ 488 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 489 struct in6_multi *in6m = 0; 490 491 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_mcast); 492 /* 493 * See if we belong to the destination multicast group on the 494 * arrival interface. 495 */ 496 IN6_LOOKUP_MULTI(ip6->ip6_dst, m->m_pkthdr.rcvif, in6m); 497 if (in6m) 498 ours = 1; 499 else if (!ip6_mrouter) { 500 ip6stat.ip6s_notmember++; 501 ip6stat.ip6s_cantforward++; 502 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 503 goto bad; 504 } 505 deliverifp = m->m_pkthdr.rcvif; 506 goto hbhcheck; 507 } 508 509 /* 510 * Unicast check 511 */ 512 switch (ip6_ours_check_algorithm) { 513 default: 514 /* 515 * XXX: I intentionally broke our indentation rule here, 516 * since this switch-case is just for measurement and 517 * therefore should soon be removed. 518 */ 519 if (ip6_forward_rt.ro_rt != NULL && 520 (ip6_forward_rt.ro_rt->rt_flags & RTF_UP) != 0 && 521 IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, 522 &((struct sockaddr_in6 *)(&ip6_forward_rt.ro_dst))->sin6_addr)) 523 ip6stat.ip6s_forward_cachehit++; 524 else { 525 struct sockaddr_in6 *dst6; 526 527 if (ip6_forward_rt.ro_rt) { 528 /* route is down or destination is different */ 529 ip6stat.ip6s_forward_cachemiss++; 530 RTFREE(ip6_forward_rt.ro_rt); 531 ip6_forward_rt.ro_rt = 0; 532 } 533 534 bzero(&ip6_forward_rt.ro_dst, sizeof(struct sockaddr_in6)); 535 dst6 = &ip6_forward_rt.ro_dst; 536 dst6->sin6_len = sizeof(struct sockaddr_in6); 537 dst6->sin6_family = AF_INET6; 538 dst6->sin6_addr = ip6->ip6_dst; 539 540 rtalloc_ign((struct route *)&ip6_forward_rt, RTF_PRCLONING); 541 } 542 543 #define rt6_key(r) ((struct sockaddr_in6 *)((r)->rt_nodes->rn_key)) 544 545 /* 546 * Accept the packet if the forwarding interface to the destination 547 * according to the routing table is the loopback interface, 548 * unless the associated route has a gateway. 549 * Note that this approach causes to accept a packet if there is a 550 * route to the loopback interface for the destination of the packet. 551 * But we think it's even useful in some situations, e.g. when using 552 * a special daemon which wants to intercept the packet. 553 * 554 * XXX: some OSes automatically make a cloned route for the destination 555 * of an outgoing packet. If the outgoing interface of the packet 556 * is a loopback one, the kernel would consider the packet to be 557 * accepted, even if we have no such address assinged on the interface. 558 * We check the cloned flag of the route entry to reject such cases, 559 * assuming that route entries for our own addresses are not made by 560 * cloning (it should be true because in6_addloop explicitly installs 561 * the host route). However, we might have to do an explicit check 562 * while it would be less efficient. Or, should we rather install a 563 * reject route for such a case? 564 */ 565 if (ip6_forward_rt.ro_rt && 566 (ip6_forward_rt.ro_rt->rt_flags & 567 (RTF_HOST|RTF_GATEWAY)) == RTF_HOST && 568 #ifdef RTF_WASCLONED 569 !(ip6_forward_rt.ro_rt->rt_flags & RTF_WASCLONED) && 570 #endif 571 #ifdef RTF_CLONED 572 !(ip6_forward_rt.ro_rt->rt_flags & RTF_CLONED) && 573 #endif 574 #if 0 575 /* 576 * The check below is redundant since the comparison of 577 * the destination and the key of the rtentry has 578 * already done through looking up the routing table. 579 */ 580 IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, 581 &rt6_key(ip6_forward_rt.ro_rt)->sin6_addr) 582 #endif 583 ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_LOOP) { 584 struct in6_ifaddr *ia6 = 585 (struct in6_ifaddr *)ip6_forward_rt.ro_rt->rt_ifa; 586 587 /* 588 * record address information into m_aux. 589 */ 590 ip6_setdstifaddr(m, ia6); 591 592 /* 593 * packets to a tentative, duplicated, or somehow invalid 594 * address must not be accepted. 595 */ 596 if (!(ia6->ia6_flags & IN6_IFF_NOTREADY)) { 597 /* this address is ready */ 598 ours = 1; 599 deliverifp = ia6->ia_ifp; /* correct? */ 600 /* Count the packet in the ip address stats */ 601 ia6->ia_ifa.if_ipackets++; 602 ia6->ia_ifa.if_ibytes += m->m_pkthdr.len; 603 goto hbhcheck; 604 } else { 605 /* address is not ready, so discard the packet. */ 606 nd6log((LOG_INFO, 607 "ip6_input: packet to an unready address %s->%s\n", 608 ip6_sprintf(&ip6->ip6_src), 609 ip6_sprintf(&ip6->ip6_dst))); 610 611 goto bad; 612 } 613 } 614 } /* XXX indentation (see above) */ 615 616 /* 617 * FAITH(Firewall Aided Internet Translator) 618 */ 619 if (ip6_keepfaith) { 620 if (ip6_forward_rt.ro_rt && ip6_forward_rt.ro_rt->rt_ifp 621 && ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_FAITH) { 622 /* XXX do we need more sanity checks? */ 623 ours = 1; 624 deliverifp = ip6_forward_rt.ro_rt->rt_ifp; /* faith */ 625 goto hbhcheck; 626 } 627 } 628 629 /* 630 * Now there is no reason to process the packet if it's not our own 631 * and we're not a router. 632 */ 633 if (!ip6_forwarding) { 634 ip6stat.ip6s_cantforward++; 635 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 636 goto bad; 637 } 638 639 hbhcheck: 640 /* 641 * record address information into m_aux, if we don't have one yet. 642 * note that we are unable to record it, if the address is not listed 643 * as our interface address (e.g. multicast addresses, addresses 644 * within FAITH prefixes and such). 645 */ 646 if (deliverifp && !ip6_getdstifaddr(m)) { 647 struct in6_ifaddr *ia6; 648 649 ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst); 650 if (ia6) { 651 if (!ip6_setdstifaddr(m, ia6)) { 652 /* 653 * XXX maybe we should drop the packet here, 654 * as we could not provide enough information 655 * to the upper layers. 656 */ 657 } 658 } 659 } 660 661 /* 662 * Process Hop-by-Hop options header if it's contained. 663 * m may be modified in ip6_hopopts_input(). 664 * If a JumboPayload option is included, plen will also be modified. 665 */ 666 plen = (u_int32_t)ntohs(ip6->ip6_plen); 667 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 668 struct ip6_hbh *hbh; 669 670 if (ip6_hopopts_input(&plen, &rtalert, &m, &off)) { 671 #if 0 /*touches NULL pointer*/ 672 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 673 #endif 674 goto bad2; /* m have already been freed */ 675 } 676 677 /* adjust pointer */ 678 ip6 = mtod(m, struct ip6_hdr *); 679 680 /* 681 * if the payload length field is 0 and the next header field 682 * indicates Hop-by-Hop Options header, then a Jumbo Payload 683 * option MUST be included. 684 */ 685 if (ip6->ip6_plen == 0 && plen == 0) { 686 /* 687 * Note that if a valid jumbo payload option is 688 * contained, ip6_hoptops_input() must set a valid 689 * (non-zero) payload length to the variable plen. 690 */ 691 ip6stat.ip6s_badoptions++; 692 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 693 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); 694 icmp6_error(m, ICMP6_PARAM_PROB, 695 ICMP6_PARAMPROB_HEADER, 696 (caddr_t)&ip6->ip6_plen - (caddr_t)ip6); 697 goto bad2; 698 } 699 #ifndef PULLDOWN_TEST 700 /* ip6_hopopts_input() ensures that mbuf is contiguous */ 701 hbh = (struct ip6_hbh *)(ip6 + 1); 702 #else 703 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 704 sizeof(struct ip6_hbh)); 705 if (hbh == NULL) { 706 ip6stat.ip6s_tooshort++; 707 goto bad2; 708 } 709 #endif 710 nxt = hbh->ip6h_nxt; 711 712 /* 713 * accept the packet if a router alert option is included 714 * and we act as an IPv6 router. 715 */ 716 if (rtalert != ~0 && ip6_forwarding) 717 ours = 1; 718 } else 719 nxt = ip6->ip6_nxt; 720 721 /* 722 * Check that the amount of data in the buffers 723 * is as at least much as the IPv6 header would have us expect. 724 * Trim mbufs if longer than we expect. 725 * Drop packet if shorter than we expect. 726 */ 727 if (m->m_pkthdr.len - sizeof(struct ip6_hdr) < plen) { 728 ip6stat.ip6s_tooshort++; 729 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 730 goto bad; 731 } 732 if (m->m_pkthdr.len > sizeof(struct ip6_hdr) + plen) { 733 if (m->m_len == m->m_pkthdr.len) { 734 m->m_len = sizeof(struct ip6_hdr) + plen; 735 m->m_pkthdr.len = sizeof(struct ip6_hdr) + plen; 736 } else 737 m_adj(m, sizeof(struct ip6_hdr) + plen - m->m_pkthdr.len); 738 } 739 740 /* 741 * Forward if desirable. 742 */ 743 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 744 /* 745 * If we are acting as a multicast router, all 746 * incoming multicast packets are passed to the 747 * kernel-level multicast forwarding function. 748 * The packet is returned (relatively) intact; if 749 * ip6_mforward() returns a non-zero value, the packet 750 * must be discarded, else it may be accepted below. 751 */ 752 if (ip6_mrouter && ip6_mforward(ip6, m->m_pkthdr.rcvif, m)) { 753 ip6stat.ip6s_cantforward++; 754 goto bad; 755 } 756 if (!ours) 757 goto bad; 758 } else if (!ours) { 759 ip6_forward(m, srcrt); 760 goto bad2; 761 } 762 763 ip6 = mtod(m, struct ip6_hdr *); 764 765 /* 766 * Malicious party may be able to use IPv4 mapped addr to confuse 767 * tcp/udp stack and bypass security checks (act as if it was from 768 * 127.0.0.1 by using IPv6 src ::ffff:127.0.0.1). Be cautious. 769 * 770 * For SIIT end node behavior, you may want to disable the check. 771 * However, you will become vulnerable to attacks using IPv4 mapped 772 * source. 773 */ 774 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 775 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 776 ip6stat.ip6s_badscope++; 777 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 778 goto bad; 779 } 780 781 /* 782 * Tell launch routine the next header 783 */ 784 ip6stat.ip6s_delivered++; 785 in6_ifstat_inc(deliverifp, ifs6_in_deliver); 786 nest = 0; 787 788 while (nxt != IPPROTO_DONE) { 789 if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) { 790 ip6stat.ip6s_toomanyhdr++; 791 goto bad; 792 } 793 794 /* 795 * protection against faulty packet - there should be 796 * more sanity checks in header chain processing. 797 */ 798 if (m->m_pkthdr.len < off) { 799 ip6stat.ip6s_tooshort++; 800 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 801 goto bad; 802 } 803 804 #if 0 805 /* 806 * do we need to do it for every header? yeah, other 807 * functions can play with it (like re-allocate and copy). 808 */ 809 mhist = ip6_addaux(m); 810 if (mhist && M_TRAILINGSPACE(mhist) >= sizeof(nxt)) { 811 hist = mtod(mhist, caddr_t) + mhist->m_len; 812 bcopy(&nxt, hist, sizeof(nxt)); 813 mhist->m_len += sizeof(nxt); 814 } else { 815 ip6stat.ip6s_toomanyhdr++; 816 goto bad; 817 } 818 #endif 819 820 #ifdef IPSEC 821 /* 822 * enforce IPsec policy checking if we are seeing last header. 823 * note that we do not visit this with protocols with pcb layer 824 * code - like udp/tcp/raw ip. 825 */ 826 if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 && 827 ipsec6_in_reject(m, NULL)) { 828 ipsec6stat.in_polvio++; 829 goto bad; 830 } 831 #endif 832 833 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt); 834 } 835 goto bad2; 836 bad: 837 m_freem(m); 838 bad2: 839 /* msg was embedded in the mbuf, do not reply! */ 840 return(EASYNC); 841 } 842 843 /* 844 * set/grab in6_ifaddr correspond to IPv6 destination address. 845 * XXX backward compatibility wrapper 846 */ 847 static struct ip6aux * 848 ip6_setdstifaddr(struct mbuf *m, struct in6_ifaddr *ia6) 849 { 850 struct ip6aux *n; 851 852 n = ip6_addaux(m); 853 if (n) 854 n->ip6a_dstia6 = ia6; 855 return n; /* NULL if failed to set */ 856 } 857 858 struct in6_ifaddr * 859 ip6_getdstifaddr(struct mbuf *m) 860 { 861 struct ip6aux *n; 862 863 n = ip6_findaux(m); 864 if (n) 865 return n->ip6a_dstia6; 866 else 867 return NULL; 868 } 869 870 /* 871 * Hop-by-Hop options header processing. If a valid jumbo payload option is 872 * included, the real payload length will be stored in plenp. 873 */ 874 static int 875 ip6_hopopts_input(u_int32_t *plenp, 876 u_int32_t *rtalertp,/* XXX: should be stored more smart way */ 877 struct mbuf **mp, 878 int *offp) 879 { 880 struct mbuf *m = *mp; 881 int off = *offp, hbhlen; 882 struct ip6_hbh *hbh; 883 u_int8_t *opt; 884 885 /* validation of the length of the header */ 886 #ifndef PULLDOWN_TEST 887 IP6_EXTHDR_CHECK(m, off, sizeof(*hbh), -1); 888 hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off); 889 hbhlen = (hbh->ip6h_len + 1) << 3; 890 891 IP6_EXTHDR_CHECK(m, off, hbhlen, -1); 892 hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off); 893 #else 894 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, 895 sizeof(struct ip6_hdr), sizeof(struct ip6_hbh)); 896 if (hbh == NULL) { 897 ip6stat.ip6s_tooshort++; 898 return -1; 899 } 900 hbhlen = (hbh->ip6h_len + 1) << 3; 901 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 902 hbhlen); 903 if (hbh == NULL) { 904 ip6stat.ip6s_tooshort++; 905 return -1; 906 } 907 #endif 908 off += hbhlen; 909 hbhlen -= sizeof(struct ip6_hbh); 910 opt = (u_int8_t *)hbh + sizeof(struct ip6_hbh); 911 912 if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh), 913 hbhlen, rtalertp, plenp) < 0) 914 return(-1); 915 916 *offp = off; 917 *mp = m; 918 return(0); 919 } 920 921 /* 922 * Search header for all Hop-by-hop options and process each option. 923 * This function is separate from ip6_hopopts_input() in order to 924 * handle a case where the sending node itself process its hop-by-hop 925 * options header. In such a case, the function is called from ip6_output(). 926 * 927 * The function assumes that hbh header is located right after the IPv6 header 928 * (RFC2460 p7), opthead is pointer into data content in m, and opthead to 929 * opthead + hbhlen is located in continuous memory region. 930 */ 931 int 932 ip6_process_hopopts(struct mbuf *m, u_int8_t *opthead, int hbhlen, 933 u_int32_t *rtalertp, u_int32_t *plenp) 934 { 935 struct ip6_hdr *ip6; 936 int optlen = 0; 937 u_int8_t *opt = opthead; 938 u_int16_t rtalert_val; 939 u_int32_t jumboplen; 940 const int erroff = sizeof(struct ip6_hdr) + sizeof(struct ip6_hbh); 941 942 for (; hbhlen > 0; hbhlen -= optlen, opt += optlen) { 943 switch (*opt) { 944 case IP6OPT_PAD1: 945 optlen = 1; 946 break; 947 case IP6OPT_PADN: 948 if (hbhlen < IP6OPT_MINLEN) { 949 ip6stat.ip6s_toosmall++; 950 goto bad; 951 } 952 optlen = *(opt + 1) + 2; 953 break; 954 case IP6OPT_RTALERT: 955 /* XXX may need check for alignment */ 956 if (hbhlen < IP6OPT_RTALERT_LEN) { 957 ip6stat.ip6s_toosmall++; 958 goto bad; 959 } 960 if (*(opt + 1) != IP6OPT_RTALERT_LEN - 2) { 961 /* XXX stat */ 962 icmp6_error(m, ICMP6_PARAM_PROB, 963 ICMP6_PARAMPROB_HEADER, 964 erroff + opt + 1 - opthead); 965 return(-1); 966 } 967 optlen = IP6OPT_RTALERT_LEN; 968 bcopy((caddr_t)(opt + 2), (caddr_t)&rtalert_val, 2); 969 *rtalertp = ntohs(rtalert_val); 970 break; 971 case IP6OPT_JUMBO: 972 /* XXX may need check for alignment */ 973 if (hbhlen < IP6OPT_JUMBO_LEN) { 974 ip6stat.ip6s_toosmall++; 975 goto bad; 976 } 977 if (*(opt + 1) != IP6OPT_JUMBO_LEN - 2) { 978 /* XXX stat */ 979 icmp6_error(m, ICMP6_PARAM_PROB, 980 ICMP6_PARAMPROB_HEADER, 981 erroff + opt + 1 - opthead); 982 return(-1); 983 } 984 optlen = IP6OPT_JUMBO_LEN; 985 986 /* 987 * IPv6 packets that have non 0 payload length 988 * must not contain a jumbo payload option. 989 */ 990 ip6 = mtod(m, struct ip6_hdr *); 991 if (ip6->ip6_plen) { 992 ip6stat.ip6s_badoptions++; 993 icmp6_error(m, ICMP6_PARAM_PROB, 994 ICMP6_PARAMPROB_HEADER, 995 erroff + opt - opthead); 996 return(-1); 997 } 998 999 /* 1000 * We may see jumbolen in unaligned location, so 1001 * we'd need to perform bcopy(). 1002 */ 1003 bcopy(opt + 2, &jumboplen, sizeof(jumboplen)); 1004 jumboplen = (u_int32_t)htonl(jumboplen); 1005 1006 #if 1 1007 /* 1008 * if there are multiple jumbo payload options, 1009 * *plenp will be non-zero and the packet will be 1010 * rejected. 1011 * the behavior may need some debate in ipngwg - 1012 * multiple options does not make sense, however, 1013 * there's no explicit mention in specification. 1014 */ 1015 if (*plenp != 0) { 1016 ip6stat.ip6s_badoptions++; 1017 icmp6_error(m, ICMP6_PARAM_PROB, 1018 ICMP6_PARAMPROB_HEADER, 1019 erroff + opt + 2 - opthead); 1020 return(-1); 1021 } 1022 #endif 1023 1024 /* 1025 * jumbo payload length must be larger than 65535. 1026 */ 1027 if (jumboplen <= IPV6_MAXPACKET) { 1028 ip6stat.ip6s_badoptions++; 1029 icmp6_error(m, ICMP6_PARAM_PROB, 1030 ICMP6_PARAMPROB_HEADER, 1031 erroff + opt + 2 - opthead); 1032 return(-1); 1033 } 1034 *plenp = jumboplen; 1035 1036 break; 1037 default: /* unknown option */ 1038 if (hbhlen < IP6OPT_MINLEN) { 1039 ip6stat.ip6s_toosmall++; 1040 goto bad; 1041 } 1042 optlen = ip6_unknown_opt(opt, m, 1043 erroff + opt - opthead); 1044 if (optlen == -1) 1045 return(-1); 1046 optlen += 2; 1047 break; 1048 } 1049 } 1050 1051 return(0); 1052 1053 bad: 1054 m_freem(m); 1055 return(-1); 1056 } 1057 1058 /* 1059 * Unknown option processing. 1060 * The third argument `off' is the offset from the IPv6 header to the option, 1061 * which is necessary if the IPv6 header the and option header and IPv6 header 1062 * is not continuous in order to return an ICMPv6 error. 1063 */ 1064 int 1065 ip6_unknown_opt(u_int8_t *optp, struct mbuf *m, int off) 1066 { 1067 struct ip6_hdr *ip6; 1068 1069 switch (IP6OPT_TYPE(*optp)) { 1070 case IP6OPT_TYPE_SKIP: /* ignore the option */ 1071 return((int)*(optp + 1)); 1072 case IP6OPT_TYPE_DISCARD: /* silently discard */ 1073 m_freem(m); 1074 return(-1); 1075 case IP6OPT_TYPE_FORCEICMP: /* send ICMP even if multicasted */ 1076 ip6stat.ip6s_badoptions++; 1077 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_OPTION, off); 1078 return(-1); 1079 case IP6OPT_TYPE_ICMP: /* send ICMP if not multicasted */ 1080 ip6stat.ip6s_badoptions++; 1081 ip6 = mtod(m, struct ip6_hdr *); 1082 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) || 1083 (m->m_flags & (M_BCAST|M_MCAST))) 1084 m_freem(m); 1085 else 1086 icmp6_error(m, ICMP6_PARAM_PROB, 1087 ICMP6_PARAMPROB_OPTION, off); 1088 return(-1); 1089 } 1090 1091 m_freem(m); /* XXX: NOTREACHED */ 1092 return(-1); 1093 } 1094 1095 /* 1096 * Create the "control" list for this pcb. 1097 * The function will not modify mbuf chain at all. 1098 * 1099 * with KAME mbuf chain restriction: 1100 * The routine will be called from upper layer handlers like tcp6_input(). 1101 * Thus the routine assumes that the caller (tcp6_input) have already 1102 * called IP6_EXTHDR_CHECK() and all the extension headers are located in the 1103 * very first mbuf on the mbuf chain. 1104 */ 1105 void 1106 ip6_savecontrol(struct inpcb *in6p, struct mbuf **mp, struct ip6_hdr *ip6, 1107 struct mbuf *m) 1108 { 1109 struct thread *td = curthread; /* XXX */ 1110 int privileged = 0; 1111 int rthdr_exist = 0; 1112 1113 1114 if (suser(td) == 0) 1115 privileged++; 1116 1117 #ifdef SO_TIMESTAMP 1118 if ((in6p->in6p_socket->so_options & SO_TIMESTAMP) != 0) { 1119 struct timeval tv; 1120 1121 microtime(&tv); 1122 *mp = sbcreatecontrol((caddr_t) &tv, sizeof(tv), 1123 SCM_TIMESTAMP, SOL_SOCKET); 1124 if (*mp) { 1125 mp = &(*mp)->m_next; 1126 } 1127 } 1128 #endif 1129 1130 /* RFC 2292 sec. 5 */ 1131 if ((in6p->in6p_flags & IN6P_PKTINFO) != 0) { 1132 struct in6_pktinfo pi6; 1133 bcopy(&ip6->ip6_dst, &pi6.ipi6_addr, sizeof(struct in6_addr)); 1134 if (IN6_IS_SCOPE_LINKLOCAL(&pi6.ipi6_addr)) 1135 pi6.ipi6_addr.s6_addr16[1] = 0; 1136 pi6.ipi6_ifindex = (m && m->m_pkthdr.rcvif) 1137 ? m->m_pkthdr.rcvif->if_index 1138 : 0; 1139 *mp = sbcreatecontrol((caddr_t) &pi6, 1140 sizeof(struct in6_pktinfo), IPV6_PKTINFO, 1141 IPPROTO_IPV6); 1142 if (*mp) 1143 mp = &(*mp)->m_next; 1144 } 1145 1146 if ((in6p->in6p_flags & IN6P_HOPLIMIT) != 0) { 1147 int hlim = ip6->ip6_hlim & 0xff; 1148 *mp = sbcreatecontrol((caddr_t) &hlim, 1149 sizeof(int), IPV6_HOPLIMIT, IPPROTO_IPV6); 1150 if (*mp) 1151 mp = &(*mp)->m_next; 1152 } 1153 1154 /* 1155 * IPV6_HOPOPTS socket option. We require super-user privilege 1156 * for the option, but it might be too strict, since there might 1157 * be some hop-by-hop options which can be returned to normal user. 1158 * See RFC 2292 section 6. 1159 */ 1160 if ((in6p->in6p_flags & IN6P_HOPOPTS) != 0 && privileged) { 1161 /* 1162 * Check if a hop-by-hop options header is contatined in the 1163 * received packet, and if so, store the options as ancillary 1164 * data. Note that a hop-by-hop options header must be 1165 * just after the IPv6 header, which fact is assured through 1166 * the IPv6 input processing. 1167 */ 1168 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1169 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 1170 struct ip6_hbh *hbh; 1171 int hbhlen = 0; 1172 #ifdef PULLDOWN_TEST 1173 struct mbuf *ext; 1174 #endif 1175 1176 #ifndef PULLDOWN_TEST 1177 hbh = (struct ip6_hbh *)(ip6 + 1); 1178 hbhlen = (hbh->ip6h_len + 1) << 3; 1179 #else 1180 ext = ip6_pullexthdr(m, sizeof(struct ip6_hdr), 1181 ip6->ip6_nxt); 1182 if (ext == NULL) { 1183 ip6stat.ip6s_tooshort++; 1184 return; 1185 } 1186 hbh = mtod(ext, struct ip6_hbh *); 1187 hbhlen = (hbh->ip6h_len + 1) << 3; 1188 if (hbhlen != ext->m_len) { 1189 m_freem(ext); 1190 ip6stat.ip6s_tooshort++; 1191 return; 1192 } 1193 #endif 1194 1195 /* 1196 * XXX: We copy whole the header even if a jumbo 1197 * payload option is included, which option is to 1198 * be removed before returning in the RFC 2292. 1199 * Note: this constraint is removed in 2292bis. 1200 */ 1201 *mp = sbcreatecontrol((caddr_t)hbh, hbhlen, 1202 IPV6_HOPOPTS, IPPROTO_IPV6); 1203 if (*mp) 1204 mp = &(*mp)->m_next; 1205 #ifdef PULLDOWN_TEST 1206 m_freem(ext); 1207 #endif 1208 } 1209 } 1210 1211 /* IPV6_DSTOPTS and IPV6_RTHDR socket options */ 1212 if ((in6p->in6p_flags & (IN6P_DSTOPTS | IN6P_RTHDRDSTOPTS)) != 0) { 1213 int proto, off, nxt; 1214 1215 /* 1216 * go through the header chain to see if a routing header is 1217 * contained in the packet. We need this information to store 1218 * destination options headers (if any) properly. 1219 * XXX: performance issue. We should record this info when 1220 * processing extension headers in incoming routine. 1221 * (todo) use m_aux? 1222 */ 1223 proto = IPPROTO_IPV6; 1224 off = 0; 1225 nxt = -1; 1226 while (1) { 1227 int newoff; 1228 1229 newoff = ip6_nexthdr(m, off, proto, &nxt); 1230 if (newoff < 0) 1231 break; 1232 if (newoff < off) /* invalid, check for safety */ 1233 break; 1234 if ((proto = nxt) == IPPROTO_ROUTING) { 1235 rthdr_exist = 1; 1236 break; 1237 } 1238 off = newoff; 1239 } 1240 } 1241 1242 if ((in6p->in6p_flags & 1243 (IN6P_RTHDR | IN6P_DSTOPTS | IN6P_RTHDRDSTOPTS)) != 0) { 1244 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1245 int nxt = ip6->ip6_nxt, off = sizeof(struct ip6_hdr); 1246 1247 /* 1248 * Search for destination options headers or routing 1249 * header(s) through the header chain, and stores each 1250 * header as ancillary data. 1251 * Note that the order of the headers remains in 1252 * the chain of ancillary data. 1253 */ 1254 while (1) { /* is explicit loop prevention necessary? */ 1255 struct ip6_ext *ip6e = NULL; 1256 int elen; 1257 #ifdef PULLDOWN_TEST 1258 struct mbuf *ext = NULL; 1259 #endif 1260 1261 /* 1262 * if it is not an extension header, don't try to 1263 * pull it from the chain. 1264 */ 1265 switch (nxt) { 1266 case IPPROTO_DSTOPTS: 1267 case IPPROTO_ROUTING: 1268 case IPPROTO_HOPOPTS: 1269 case IPPROTO_AH: /* is it possible? */ 1270 break; 1271 default: 1272 goto loopend; 1273 } 1274 1275 #ifndef PULLDOWN_TEST 1276 if (off + sizeof(*ip6e) > m->m_len) 1277 goto loopend; 1278 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + off); 1279 if (nxt == IPPROTO_AH) 1280 elen = (ip6e->ip6e_len + 2) << 2; 1281 else 1282 elen = (ip6e->ip6e_len + 1) << 3; 1283 if (off + elen > m->m_len) 1284 goto loopend; 1285 #else 1286 ext = ip6_pullexthdr(m, off, nxt); 1287 if (ext == NULL) { 1288 ip6stat.ip6s_tooshort++; 1289 return; 1290 } 1291 ip6e = mtod(ext, struct ip6_ext *); 1292 if (nxt == IPPROTO_AH) 1293 elen = (ip6e->ip6e_len + 2) << 2; 1294 else 1295 elen = (ip6e->ip6e_len + 1) << 3; 1296 if (elen != ext->m_len) { 1297 m_freem(ext); 1298 ip6stat.ip6s_tooshort++; 1299 return; 1300 } 1301 #endif 1302 1303 switch (nxt) { 1304 case IPPROTO_DSTOPTS: 1305 if ((in6p->in6p_flags & IN6P_DSTOPTS) == 0) 1306 break; 1307 1308 /* 1309 * We also require super-user privilege for 1310 * the option. 1311 * See the comments on IN6_HOPOPTS. 1312 */ 1313 if (!privileged) 1314 break; 1315 1316 *mp = sbcreatecontrol((caddr_t)ip6e, elen, 1317 IPV6_DSTOPTS, 1318 IPPROTO_IPV6); 1319 if (*mp) 1320 mp = &(*mp)->m_next; 1321 break; 1322 case IPPROTO_ROUTING: 1323 if (!in6p->in6p_flags & IN6P_RTHDR) 1324 break; 1325 1326 *mp = sbcreatecontrol((caddr_t)ip6e, elen, 1327 IPV6_RTHDR, 1328 IPPROTO_IPV6); 1329 if (*mp) 1330 mp = &(*mp)->m_next; 1331 break; 1332 case IPPROTO_HOPOPTS: 1333 case IPPROTO_AH: /* is it possible? */ 1334 break; 1335 1336 default: 1337 /* 1338 * other cases have been filtered in the above. 1339 * none will visit this case. here we supply 1340 * the code just in case (nxt overwritten or 1341 * other cases). 1342 */ 1343 #ifdef PULLDOWN_TEST 1344 m_freem(ext); 1345 #endif 1346 goto loopend; 1347 1348 } 1349 1350 /* proceed with the next header. */ 1351 off += elen; 1352 nxt = ip6e->ip6e_nxt; 1353 ip6e = NULL; 1354 #ifdef PULLDOWN_TEST 1355 m_freem(ext); 1356 ext = NULL; 1357 #endif 1358 } 1359 loopend: 1360 ; 1361 } 1362 1363 } 1364 1365 #ifdef PULLDOWN_TEST 1366 /* 1367 * pull single extension header from mbuf chain. returns single mbuf that 1368 * contains the result, or NULL on error. 1369 */ 1370 static struct mbuf * 1371 ip6_pullexthdr(struct mbuf *m, size_t off, int nxt) 1372 { 1373 struct ip6_ext ip6e; 1374 size_t elen; 1375 struct mbuf *n; 1376 1377 #ifdef DIAGNOSTIC 1378 switch (nxt) { 1379 case IPPROTO_DSTOPTS: 1380 case IPPROTO_ROUTING: 1381 case IPPROTO_HOPOPTS: 1382 case IPPROTO_AH: /* is it possible? */ 1383 break; 1384 default: 1385 printf("ip6_pullexthdr: invalid nxt=%d\n", nxt); 1386 } 1387 #endif 1388 1389 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1390 if (nxt == IPPROTO_AH) 1391 elen = (ip6e.ip6e_len + 2) << 2; 1392 else 1393 elen = (ip6e.ip6e_len + 1) << 3; 1394 1395 MGET(n, MB_DONTWAIT, MT_DATA); 1396 if (n && elen >= MLEN) { 1397 MCLGET(n, MB_DONTWAIT); 1398 if ((n->m_flags & M_EXT) == 0) { 1399 m_free(n); 1400 n = NULL; 1401 } 1402 } 1403 if (!n) 1404 return NULL; 1405 1406 n->m_len = 0; 1407 if (elen >= M_TRAILINGSPACE(n)) { 1408 m_free(n); 1409 return NULL; 1410 } 1411 1412 m_copydata(m, off, elen, mtod(n, caddr_t)); 1413 n->m_len = elen; 1414 return n; 1415 } 1416 #endif 1417 1418 /* 1419 * Get pointer to the previous header followed by the header 1420 * currently processed. 1421 * XXX: This function supposes that 1422 * M includes all headers, 1423 * the next header field and the header length field of each header 1424 * are valid, and 1425 * the sum of each header length equals to OFF. 1426 * Because of these assumptions, this function must be called very 1427 * carefully. Moreover, it will not be used in the near future when 1428 * we develop `neater' mechanism to process extension headers. 1429 */ 1430 char * 1431 ip6_get_prevhdr(struct mbuf *m, int off) 1432 { 1433 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1434 1435 if (off == sizeof(struct ip6_hdr)) 1436 return(&ip6->ip6_nxt); 1437 else { 1438 int len, nxt; 1439 struct ip6_ext *ip6e = NULL; 1440 1441 nxt = ip6->ip6_nxt; 1442 len = sizeof(struct ip6_hdr); 1443 while (len < off) { 1444 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + len); 1445 1446 switch (nxt) { 1447 case IPPROTO_FRAGMENT: 1448 len += sizeof(struct ip6_frag); 1449 break; 1450 case IPPROTO_AH: 1451 len += (ip6e->ip6e_len + 2) << 2; 1452 break; 1453 default: 1454 len += (ip6e->ip6e_len + 1) << 3; 1455 break; 1456 } 1457 nxt = ip6e->ip6e_nxt; 1458 } 1459 if (ip6e) 1460 return(&ip6e->ip6e_nxt); 1461 else 1462 return NULL; 1463 } 1464 } 1465 1466 /* 1467 * get next header offset. m will be retained. 1468 */ 1469 int 1470 ip6_nexthdr(struct mbuf *m, int off, int proto, int *nxtp) 1471 { 1472 struct ip6_hdr ip6; 1473 struct ip6_ext ip6e; 1474 struct ip6_frag fh; 1475 1476 /* just in case */ 1477 if (m == NULL) 1478 panic("ip6_nexthdr: m == NULL"); 1479 if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off) 1480 return -1; 1481 1482 switch (proto) { 1483 case IPPROTO_IPV6: 1484 if (m->m_pkthdr.len < off + sizeof(ip6)) 1485 return -1; 1486 m_copydata(m, off, sizeof(ip6), (caddr_t)&ip6); 1487 if (nxtp) 1488 *nxtp = ip6.ip6_nxt; 1489 off += sizeof(ip6); 1490 return off; 1491 1492 case IPPROTO_FRAGMENT: 1493 /* 1494 * terminate parsing if it is not the first fragment, 1495 * it does not make sense to parse through it. 1496 */ 1497 if (m->m_pkthdr.len < off + sizeof(fh)) 1498 return -1; 1499 m_copydata(m, off, sizeof(fh), (caddr_t)&fh); 1500 /* IP6F_OFF_MASK = 0xfff8(BigEndian), 0xf8ff(LittleEndian) */ 1501 if (fh.ip6f_offlg & IP6F_OFF_MASK) 1502 return -1; 1503 if (nxtp) 1504 *nxtp = fh.ip6f_nxt; 1505 off += sizeof(struct ip6_frag); 1506 return off; 1507 1508 case IPPROTO_AH: 1509 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1510 return -1; 1511 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1512 if (nxtp) 1513 *nxtp = ip6e.ip6e_nxt; 1514 off += (ip6e.ip6e_len + 2) << 2; 1515 return off; 1516 1517 case IPPROTO_HOPOPTS: 1518 case IPPROTO_ROUTING: 1519 case IPPROTO_DSTOPTS: 1520 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1521 return -1; 1522 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1523 if (nxtp) 1524 *nxtp = ip6e.ip6e_nxt; 1525 off += (ip6e.ip6e_len + 1) << 3; 1526 return off; 1527 1528 case IPPROTO_NONE: 1529 case IPPROTO_ESP: 1530 case IPPROTO_IPCOMP: 1531 /* give up */ 1532 return -1; 1533 1534 default: 1535 return -1; 1536 } 1537 1538 return -1; 1539 } 1540 1541 /* 1542 * get offset for the last header in the chain. m will be kept untainted. 1543 */ 1544 int 1545 ip6_lasthdr(struct mbuf *m, int off, int proto, int *nxtp) 1546 { 1547 int newoff; 1548 int nxt; 1549 1550 if (!nxtp) { 1551 nxt = -1; 1552 nxtp = &nxt; 1553 } 1554 while (1) { 1555 newoff = ip6_nexthdr(m, off, proto, nxtp); 1556 if (newoff < 0) 1557 return off; 1558 else if (newoff < off) 1559 return -1; /* invalid */ 1560 else if (newoff == off) 1561 return newoff; 1562 1563 off = newoff; 1564 proto = *nxtp; 1565 } 1566 } 1567 1568 struct ip6aux * 1569 ip6_addaux(struct mbuf *m) 1570 { 1571 struct m_tag *tag = m_tag_find(m, PACKET_TAG_IPV6_INPUT, NULL); 1572 if (!tag) { 1573 tag = m_tag_get(PACKET_TAG_IPV6_INPUT, 1574 sizeof (struct ip6aux), 1575 MB_DONTWAIT); 1576 if (tag) 1577 m_tag_prepend(m, tag); 1578 } 1579 if (tag) 1580 bzero(m_tag_data(tag), sizeof (struct ip6aux)); 1581 return tag ? (struct ip6aux *)m_tag_data(tag) : NULL; 1582 } 1583 1584 struct ip6aux * 1585 ip6_findaux(struct mbuf *m) 1586 { 1587 struct m_tag *tag = m_tag_find(m, PACKET_TAG_IPV6_INPUT, NULL); 1588 return tag ? (struct ip6aux*)(tag+1) : NULL; 1589 } 1590 1591 void 1592 ip6_delaux(struct mbuf *m) 1593 { 1594 struct m_tag *tag = m_tag_find(m, PACKET_TAG_IPV6_INPUT, NULL); 1595 if (tag) 1596 m_tag_delete(m, tag); 1597 } 1598 1599 /* 1600 * System control for IP6 1601 */ 1602 1603 u_char inet6ctlerrmap[PRC_NCMDS] = { 1604 0, 0, 0, 0, 1605 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH, 1606 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, 1607 EMSGSIZE, EHOSTUNREACH, 0, 0, 1608 0, 0, 0, 0, 1609 ENOPROTOOPT 1610 }; 1611