1 /*- 2 * Copyright (c) 1982, 1986, 1988, 1990, 1993, 1995 3 * The Regents of the University of California. 4 * Copyright (c) 2008 Robert N. M. Watson 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 4. Neither the name of the University nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 * 31 * @(#)udp_usrreq.c 8.6 (Berkeley) 5/23/95 32 */ 33 34 #include <sys/cdefs.h> 35 __FBSDID("$FreeBSD$"); 36 37 #include "opt_ipfw.h" 38 #include "opt_inet6.h" 39 #include "opt_ipsec.h" 40 #include "opt_mac.h" 41 42 #include <sys/param.h> 43 #include <sys/domain.h> 44 #include <sys/eventhandler.h> 45 #include <sys/jail.h> 46 #include <sys/kernel.h> 47 #include <sys/lock.h> 48 #include <sys/malloc.h> 49 #include <sys/mbuf.h> 50 #include <sys/priv.h> 51 #include <sys/proc.h> 52 #include <sys/protosw.h> 53 #include <sys/signalvar.h> 54 #include <sys/socket.h> 55 #include <sys/socketvar.h> 56 #include <sys/sx.h> 57 #include <sys/sysctl.h> 58 #include <sys/syslog.h> 59 #include <sys/systm.h> 60 #include <sys/vimage.h> 61 62 #include <vm/uma.h> 63 64 #include <net/if.h> 65 #include <net/route.h> 66 67 #include <netinet/in.h> 68 #include <netinet/in_pcb.h> 69 #include <netinet/in_systm.h> 70 #include <netinet/in_var.h> 71 #include <netinet/ip.h> 72 #ifdef INET6 73 #include <netinet/ip6.h> 74 #endif 75 #include <netinet/ip_icmp.h> 76 #include <netinet/icmp_var.h> 77 #include <netinet/ip_var.h> 78 #include <netinet/ip_options.h> 79 #ifdef INET6 80 #include <netinet6/ip6_var.h> 81 #endif 82 #include <netinet/udp.h> 83 #include <netinet/udp_var.h> 84 85 #ifdef IPSEC 86 #include <netipsec/ipsec.h> 87 #endif 88 89 #include <machine/in_cksum.h> 90 91 #include <security/mac/mac_framework.h> 92 93 /* 94 * UDP protocol implementation. 95 * Per RFC 768, August, 1980. 96 */ 97 98 /* 99 * BSD 4.2 defaulted the udp checksum to be off. Turning off udp checksums 100 * removes the only data integrity mechanism for packets and malformed 101 * packets that would otherwise be discarded due to bad checksums, and may 102 * cause problems (especially for NFS data blocks). 103 */ 104 static int udp_cksum = 1; 105 SYSCTL_INT(_net_inet_udp, UDPCTL_CHECKSUM, checksum, CTLFLAG_RW, &udp_cksum, 106 0, "compute udp checksum"); 107 108 int udp_log_in_vain = 0; 109 SYSCTL_INT(_net_inet_udp, OID_AUTO, log_in_vain, CTLFLAG_RW, 110 &udp_log_in_vain, 0, "Log all incoming UDP packets"); 111 112 int udp_blackhole = 0; 113 SYSCTL_INT(_net_inet_udp, OID_AUTO, blackhole, CTLFLAG_RW, &udp_blackhole, 0, 114 "Do not send port unreachables for refused connects"); 115 116 u_long udp_sendspace = 9216; /* really max datagram size */ 117 /* 40 1K datagrams */ 118 SYSCTL_ULONG(_net_inet_udp, UDPCTL_MAXDGRAM, maxdgram, CTLFLAG_RW, 119 &udp_sendspace, 0, "Maximum outgoing UDP datagram size"); 120 121 u_long udp_recvspace = 40 * (1024 + 122 #ifdef INET6 123 sizeof(struct sockaddr_in6) 124 #else 125 sizeof(struct sockaddr_in) 126 #endif 127 ); 128 129 SYSCTL_ULONG(_net_inet_udp, UDPCTL_RECVSPACE, recvspace, CTLFLAG_RW, 130 &udp_recvspace, 0, "Maximum space for incoming UDP datagrams"); 131 132 struct inpcbhead udb; /* from udp_var.h */ 133 struct inpcbinfo udbinfo; 134 135 #ifndef UDBHASHSIZE 136 #define UDBHASHSIZE 128 137 #endif 138 139 struct udpstat udpstat; /* from udp_var.h */ 140 SYSCTL_V_STRUCT(V_NET, vnet_inet, _net_inet_udp, UDPCTL_STATS, stats, 141 CTLFLAG_RW, udpstat, udpstat, 142 "UDP statistics (struct udpstat, netinet/udp_var.h)"); 143 144 static void udp_detach(struct socket *so); 145 static int udp_output(struct inpcb *, struct mbuf *, struct sockaddr *, 146 struct mbuf *, struct thread *); 147 148 static void 149 udp_zone_change(void *tag) 150 { 151 152 uma_zone_set_max(V_udbinfo.ipi_zone, maxsockets); 153 } 154 155 static int 156 udp_inpcb_init(void *mem, int size, int flags) 157 { 158 struct inpcb *inp; 159 160 inp = mem; 161 INP_LOCK_INIT(inp, "inp", "udpinp"); 162 return (0); 163 } 164 165 void 166 udp_init(void) 167 { 168 INIT_VNET_INET(curvnet); 169 170 INP_INFO_LOCK_INIT(&V_udbinfo, "udp"); 171 LIST_INIT(&V_udb); 172 V_udbinfo.ipi_listhead = &V_udb; 173 V_udbinfo.ipi_hashbase = hashinit(UDBHASHSIZE, M_PCB, 174 &V_udbinfo.ipi_hashmask); 175 V_udbinfo.ipi_porthashbase = hashinit(UDBHASHSIZE, M_PCB, 176 &V_udbinfo.ipi_porthashmask); 177 V_udbinfo.ipi_zone = uma_zcreate("udpcb", sizeof(struct inpcb), NULL, 178 NULL, udp_inpcb_init, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE); 179 uma_zone_set_max(V_udbinfo.ipi_zone, maxsockets); 180 EVENTHANDLER_REGISTER(maxsockets_change, udp_zone_change, NULL, 181 EVENTHANDLER_PRI_ANY); 182 } 183 184 /* 185 * Subroutine of udp_input(), which appends the provided mbuf chain to the 186 * passed pcb/socket. The caller must provide a sockaddr_in via udp_in that 187 * contains the source address. If the socket ends up being an IPv6 socket, 188 * udp_append() will convert to a sockaddr_in6 before passing the address 189 * into the socket code. 190 */ 191 static void 192 udp_append(struct inpcb *inp, struct ip *ip, struct mbuf *n, int off, 193 struct sockaddr_in *udp_in) 194 { 195 struct sockaddr *append_sa; 196 struct socket *so; 197 struct mbuf *opts = 0; 198 #ifdef INET6 199 struct sockaddr_in6 udp_in6; 200 #endif 201 202 INP_RLOCK_ASSERT(inp); 203 204 #ifdef IPSEC 205 /* Check AH/ESP integrity. */ 206 if (ipsec4_in_reject(n, inp)) { 207 INIT_VNET_IPSEC(curvnet); 208 m_freem(n); 209 V_ipsec4stat.in_polvio++; 210 return; 211 } 212 #endif /* IPSEC */ 213 #ifdef MAC 214 if (mac_inpcb_check_deliver(inp, n) != 0) { 215 m_freem(n); 216 return; 217 } 218 #endif 219 if (inp->inp_flags & INP_CONTROLOPTS || 220 inp->inp_socket->so_options & (SO_TIMESTAMP | SO_BINTIME)) { 221 #ifdef INET6 222 if (inp->inp_vflag & INP_IPV6) 223 (void)ip6_savecontrol_v4(inp, n, &opts, NULL); 224 else 225 #endif 226 ip_savecontrol(inp, &opts, ip, n); 227 } 228 #ifdef INET6 229 if (inp->inp_vflag & INP_IPV6) { 230 bzero(&udp_in6, sizeof(udp_in6)); 231 udp_in6.sin6_len = sizeof(udp_in6); 232 udp_in6.sin6_family = AF_INET6; 233 in6_sin_2_v4mapsin6(udp_in, &udp_in6); 234 append_sa = (struct sockaddr *)&udp_in6; 235 } else 236 #endif 237 append_sa = (struct sockaddr *)udp_in; 238 m_adj(n, off); 239 240 so = inp->inp_socket; 241 SOCKBUF_LOCK(&so->so_rcv); 242 if (sbappendaddr_locked(&so->so_rcv, append_sa, n, opts) == 0) { 243 INIT_VNET_INET(so->so_vnet); 244 SOCKBUF_UNLOCK(&so->so_rcv); 245 m_freem(n); 246 if (opts) 247 m_freem(opts); 248 V_udpstat.udps_fullsock++; 249 } else 250 sorwakeup_locked(so); 251 } 252 253 void 254 udp_input(struct mbuf *m, int off) 255 { 256 INIT_VNET_INET(curvnet); 257 int iphlen = off; 258 struct ip *ip; 259 struct udphdr *uh; 260 struct ifnet *ifp; 261 struct inpcb *inp; 262 int len; 263 struct ip save_ip; 264 struct sockaddr_in udp_in; 265 #ifdef IPFIREWALL_FORWARD 266 struct m_tag *fwd_tag; 267 #endif 268 269 ifp = m->m_pkthdr.rcvif; 270 V_udpstat.udps_ipackets++; 271 272 /* 273 * Strip IP options, if any; should skip this, make available to 274 * user, and use on returned packets, but we don't yet have a way to 275 * check the checksum with options still present. 276 */ 277 if (iphlen > sizeof (struct ip)) { 278 ip_stripoptions(m, (struct mbuf *)0); 279 iphlen = sizeof(struct ip); 280 } 281 282 /* 283 * Get IP and UDP header together in first mbuf. 284 */ 285 ip = mtod(m, struct ip *); 286 if (m->m_len < iphlen + sizeof(struct udphdr)) { 287 if ((m = m_pullup(m, iphlen + sizeof(struct udphdr))) == 0) { 288 V_udpstat.udps_hdrops++; 289 return; 290 } 291 ip = mtod(m, struct ip *); 292 } 293 uh = (struct udphdr *)((caddr_t)ip + iphlen); 294 295 /* 296 * Destination port of 0 is illegal, based on RFC768. 297 */ 298 if (uh->uh_dport == 0) 299 goto badunlocked; 300 301 /* 302 * Construct sockaddr format source address. Stuff source address 303 * and datagram in user buffer. 304 */ 305 bzero(&udp_in, sizeof(udp_in)); 306 udp_in.sin_len = sizeof(udp_in); 307 udp_in.sin_family = AF_INET; 308 udp_in.sin_port = uh->uh_sport; 309 udp_in.sin_addr = ip->ip_src; 310 311 /* 312 * Make mbuf data length reflect UDP length. If not enough data to 313 * reflect UDP length, drop. 314 */ 315 len = ntohs((u_short)uh->uh_ulen); 316 if (ip->ip_len != len) { 317 if (len > ip->ip_len || len < sizeof(struct udphdr)) { 318 V_udpstat.udps_badlen++; 319 goto badunlocked; 320 } 321 m_adj(m, len - ip->ip_len); 322 /* ip->ip_len = len; */ 323 } 324 325 /* 326 * Save a copy of the IP header in case we want restore it for 327 * sending an ICMP error message in response. 328 */ 329 if (!V_udp_blackhole) 330 save_ip = *ip; 331 else 332 memset(&save_ip, 0, sizeof(save_ip)); 333 334 /* 335 * Checksum extended UDP header and data. 336 */ 337 if (uh->uh_sum) { 338 u_short uh_sum; 339 340 if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) { 341 if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR) 342 uh_sum = m->m_pkthdr.csum_data; 343 else 344 uh_sum = in_pseudo(ip->ip_src.s_addr, 345 ip->ip_dst.s_addr, htonl((u_short)len + 346 m->m_pkthdr.csum_data + IPPROTO_UDP)); 347 uh_sum ^= 0xffff; 348 } else { 349 char b[9]; 350 351 bcopy(((struct ipovly *)ip)->ih_x1, b, 9); 352 bzero(((struct ipovly *)ip)->ih_x1, 9); 353 ((struct ipovly *)ip)->ih_len = uh->uh_ulen; 354 uh_sum = in_cksum(m, len + sizeof (struct ip)); 355 bcopy(b, ((struct ipovly *)ip)->ih_x1, 9); 356 } 357 if (uh_sum) { 358 V_udpstat.udps_badsum++; 359 m_freem(m); 360 return; 361 } 362 } else 363 V_udpstat.udps_nosum++; 364 365 #ifdef IPFIREWALL_FORWARD 366 /* 367 * Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain. 368 */ 369 fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); 370 if (fwd_tag != NULL) { 371 struct sockaddr_in *next_hop; 372 373 /* 374 * Do the hack. 375 */ 376 next_hop = (struct sockaddr_in *)(fwd_tag + 1); 377 ip->ip_dst = next_hop->sin_addr; 378 uh->uh_dport = ntohs(next_hop->sin_port); 379 380 /* 381 * Remove the tag from the packet. We don't need it anymore. 382 */ 383 m_tag_delete(m, fwd_tag); 384 } 385 #endif 386 387 INP_INFO_RLOCK(&V_udbinfo); 388 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) || 389 in_broadcast(ip->ip_dst, ifp)) { 390 struct inpcb *last; 391 struct ip_moptions *imo; 392 393 last = NULL; 394 LIST_FOREACH(inp, &V_udb, inp_list) { 395 if (inp->inp_lport != uh->uh_dport) 396 continue; 397 #ifdef INET6 398 if ((inp->inp_vflag & INP_IPV4) == 0) 399 continue; 400 #endif 401 if (inp->inp_laddr.s_addr != INADDR_ANY && 402 inp->inp_laddr.s_addr != ip->ip_dst.s_addr) 403 continue; 404 if (inp->inp_faddr.s_addr != INADDR_ANY && 405 inp->inp_faddr.s_addr != ip->ip_src.s_addr) 406 continue; 407 /* 408 * XXX: Do not check source port of incoming datagram 409 * unless inp_connect() has been called to bind the 410 * fport part of the 4-tuple; the source could be 411 * trying to talk to us with an ephemeral port. 412 */ 413 if (inp->inp_fport != 0 && 414 inp->inp_fport != uh->uh_sport) 415 continue; 416 417 INP_RLOCK(inp); 418 419 /* 420 * Handle socket delivery policy for any-source 421 * and source-specific multicast. [RFC3678] 422 */ 423 imo = inp->inp_moptions; 424 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) && 425 imo != NULL) { 426 struct sockaddr_in sin; 427 struct in_msource *ims; 428 int blocked, mode; 429 size_t idx; 430 431 bzero(&sin, sizeof(struct sockaddr_in)); 432 sin.sin_len = sizeof(struct sockaddr_in); 433 sin.sin_family = AF_INET; 434 sin.sin_addr = ip->ip_dst; 435 436 blocked = 0; 437 idx = imo_match_group(imo, ifp, 438 (struct sockaddr *)&sin); 439 if (idx == -1) { 440 /* 441 * No group membership for this socket. 442 * Do not bump udps_noportbcast, as 443 * this will happen further down. 444 */ 445 blocked++; 446 } else { 447 /* 448 * Check for a multicast source filter 449 * entry on this socket for this group. 450 * MCAST_EXCLUDE is the default 451 * behaviour. It means default accept; 452 * entries, if present, denote sources 453 * to be excluded from delivery. 454 */ 455 ims = imo_match_source(imo, idx, 456 (struct sockaddr *)&udp_in); 457 mode = imo->imo_mfilters[idx].imf_fmode; 458 if ((ims != NULL && 459 mode == MCAST_EXCLUDE) || 460 (ims == NULL && 461 mode == MCAST_INCLUDE)) { 462 #ifdef DIAGNOSTIC 463 if (bootverbose) { 464 printf("%s: blocked by" 465 " source filter\n", 466 __func__); 467 } 468 #endif 469 V_udpstat.udps_filtermcast++; 470 blocked++; 471 } 472 } 473 if (blocked != 0) { 474 INP_RUNLOCK(inp); 475 continue; 476 } 477 } 478 if (last != NULL) { 479 struct mbuf *n; 480 481 n = m_copy(m, 0, M_COPYALL); 482 if (n != NULL) 483 udp_append(last, ip, n, iphlen + 484 sizeof(struct udphdr), &udp_in); 485 INP_RUNLOCK(last); 486 } 487 last = inp; 488 /* 489 * Don't look for additional matches if this one does 490 * not have either the SO_REUSEPORT or SO_REUSEADDR 491 * socket options set. This heuristic avoids 492 * searching through all pcbs in the common case of a 493 * non-shared port. It assumes that an application 494 * will never clear these options after setting them. 495 */ 496 if ((last->inp_socket->so_options & 497 (SO_REUSEPORT|SO_REUSEADDR)) == 0) 498 break; 499 } 500 501 if (last == NULL) { 502 /* 503 * No matching pcb found; discard datagram. (No need 504 * to send an ICMP Port Unreachable for a broadcast 505 * or multicast datgram.) 506 */ 507 V_udpstat.udps_noportbcast++; 508 goto badheadlocked; 509 } 510 udp_append(last, ip, m, iphlen + sizeof(struct udphdr), 511 &udp_in); 512 INP_RUNLOCK(last); 513 INP_INFO_RUNLOCK(&V_udbinfo); 514 return; 515 } 516 517 /* 518 * Locate pcb for datagram. 519 */ 520 inp = in_pcblookup_hash(&V_udbinfo, ip->ip_src, uh->uh_sport, 521 ip->ip_dst, uh->uh_dport, 1, ifp); 522 if (inp == NULL) { 523 if (udp_log_in_vain) { 524 char buf[4*sizeof "123"]; 525 526 strcpy(buf, inet_ntoa(ip->ip_dst)); 527 log(LOG_INFO, 528 "Connection attempt to UDP %s:%d from %s:%d\n", 529 buf, ntohs(uh->uh_dport), inet_ntoa(ip->ip_src), 530 ntohs(uh->uh_sport)); 531 } 532 V_udpstat.udps_noport++; 533 if (m->m_flags & (M_BCAST | M_MCAST)) { 534 V_udpstat.udps_noportbcast++; 535 goto badheadlocked; 536 } 537 if (V_udp_blackhole) 538 goto badheadlocked; 539 if (badport_bandlim(BANDLIM_ICMP_UNREACH) < 0) 540 goto badheadlocked; 541 *ip = save_ip; 542 ip->ip_len += iphlen; 543 icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_PORT, 0, 0); 544 INP_INFO_RUNLOCK(&V_udbinfo); 545 return; 546 } 547 548 /* 549 * Check the minimum TTL for socket. 550 */ 551 INP_RLOCK(inp); 552 INP_INFO_RUNLOCK(&V_udbinfo); 553 if (inp->inp_ip_minttl && inp->inp_ip_minttl > ip->ip_ttl) { 554 INP_RUNLOCK(inp); 555 goto badunlocked; 556 } 557 udp_append(inp, ip, m, iphlen + sizeof(struct udphdr), &udp_in); 558 INP_RUNLOCK(inp); 559 return; 560 561 badheadlocked: 562 if (inp) 563 INP_RUNLOCK(inp); 564 INP_INFO_RUNLOCK(&V_udbinfo); 565 badunlocked: 566 m_freem(m); 567 } 568 569 /* 570 * Notify a udp user of an asynchronous error; just wake up so that they can 571 * collect error status. 572 */ 573 struct inpcb * 574 udp_notify(struct inpcb *inp, int errno) 575 { 576 577 /* 578 * While udp_ctlinput() always calls udp_notify() with a read lock 579 * when invoking it directly, in_pcbnotifyall() currently uses write 580 * locks due to sharing code with TCP. For now, accept either a read 581 * or a write lock, but a read lock is sufficient. 582 */ 583 INP_LOCK_ASSERT(inp); 584 585 inp->inp_socket->so_error = errno; 586 sorwakeup(inp->inp_socket); 587 sowwakeup(inp->inp_socket); 588 return (inp); 589 } 590 591 void 592 udp_ctlinput(int cmd, struct sockaddr *sa, void *vip) 593 { 594 INIT_VNET_INET(curvnet); 595 struct ip *ip = vip; 596 struct udphdr *uh; 597 struct in_addr faddr; 598 struct inpcb *inp; 599 600 faddr = ((struct sockaddr_in *)sa)->sin_addr; 601 if (sa->sa_family != AF_INET || faddr.s_addr == INADDR_ANY) 602 return; 603 604 /* 605 * Redirects don't need to be handled up here. 606 */ 607 if (PRC_IS_REDIRECT(cmd)) 608 return; 609 610 /* 611 * Hostdead is ugly because it goes linearly through all PCBs. 612 * 613 * XXX: We never get this from ICMP, otherwise it makes an excellent 614 * DoS attack on machines with many connections. 615 */ 616 if (cmd == PRC_HOSTDEAD) 617 ip = NULL; 618 else if ((unsigned)cmd >= PRC_NCMDS || inetctlerrmap[cmd] == 0) 619 return; 620 if (ip != NULL) { 621 uh = (struct udphdr *)((caddr_t)ip + (ip->ip_hl << 2)); 622 INP_INFO_RLOCK(&V_udbinfo); 623 inp = in_pcblookup_hash(&V_udbinfo, faddr, uh->uh_dport, 624 ip->ip_src, uh->uh_sport, 0, NULL); 625 if (inp != NULL) { 626 INP_RLOCK(inp); 627 if (inp->inp_socket != NULL) { 628 udp_notify(inp, inetctlerrmap[cmd]); 629 } 630 INP_RUNLOCK(inp); 631 } 632 INP_INFO_RUNLOCK(&V_udbinfo); 633 } else 634 in_pcbnotifyall(&V_udbinfo, faddr, inetctlerrmap[cmd], 635 udp_notify); 636 } 637 638 static int 639 udp_pcblist(SYSCTL_HANDLER_ARGS) 640 { 641 INIT_VNET_INET(curvnet); 642 int error, i, n; 643 struct inpcb *inp, **inp_list; 644 inp_gen_t gencnt; 645 struct xinpgen xig; 646 647 /* 648 * The process of preparing the PCB list is too time-consuming and 649 * resource-intensive to repeat twice on every request. 650 */ 651 if (req->oldptr == 0) { 652 n = V_udbinfo.ipi_count; 653 req->oldidx = 2 * (sizeof xig) 654 + (n + n/8) * sizeof(struct xinpcb); 655 return (0); 656 } 657 658 if (req->newptr != 0) 659 return (EPERM); 660 661 /* 662 * OK, now we're committed to doing something. 663 */ 664 INP_INFO_RLOCK(&V_udbinfo); 665 gencnt = V_udbinfo.ipi_gencnt; 666 n = V_udbinfo.ipi_count; 667 INP_INFO_RUNLOCK(&V_udbinfo); 668 669 error = sysctl_wire_old_buffer(req, 2 * (sizeof xig) 670 + n * sizeof(struct xinpcb)); 671 if (error != 0) 672 return (error); 673 674 xig.xig_len = sizeof xig; 675 xig.xig_count = n; 676 xig.xig_gen = gencnt; 677 xig.xig_sogen = so_gencnt; 678 error = SYSCTL_OUT(req, &xig, sizeof xig); 679 if (error) 680 return (error); 681 682 inp_list = malloc(n * sizeof *inp_list, M_TEMP, M_WAITOK); 683 if (inp_list == 0) 684 return (ENOMEM); 685 686 INP_INFO_RLOCK(&V_udbinfo); 687 for (inp = LIST_FIRST(V_udbinfo.ipi_listhead), i = 0; inp && i < n; 688 inp = LIST_NEXT(inp, inp_list)) { 689 INP_RLOCK(inp); 690 if (inp->inp_gencnt <= gencnt && 691 cr_canseeinpcb(req->td->td_ucred, inp) == 0) 692 inp_list[i++] = inp; 693 INP_RUNLOCK(inp); 694 } 695 INP_INFO_RUNLOCK(&V_udbinfo); 696 n = i; 697 698 error = 0; 699 for (i = 0; i < n; i++) { 700 inp = inp_list[i]; 701 INP_RLOCK(inp); 702 if (inp->inp_gencnt <= gencnt) { 703 struct xinpcb xi; 704 bzero(&xi, sizeof(xi)); 705 xi.xi_len = sizeof xi; 706 /* XXX should avoid extra copy */ 707 bcopy(inp, &xi.xi_inp, sizeof *inp); 708 if (inp->inp_socket) 709 sotoxsocket(inp->inp_socket, &xi.xi_socket); 710 xi.xi_inp.inp_gencnt = inp->inp_gencnt; 711 INP_RUNLOCK(inp); 712 error = SYSCTL_OUT(req, &xi, sizeof xi); 713 } else 714 INP_RUNLOCK(inp); 715 } 716 if (!error) { 717 /* 718 * Give the user an updated idea of our state. If the 719 * generation differs from what we told her before, she knows 720 * that something happened while we were processing this 721 * request, and it might be necessary to retry. 722 */ 723 INP_INFO_RLOCK(&V_udbinfo); 724 xig.xig_gen = V_udbinfo.ipi_gencnt; 725 xig.xig_sogen = so_gencnt; 726 xig.xig_count = V_udbinfo.ipi_count; 727 INP_INFO_RUNLOCK(&V_udbinfo); 728 error = SYSCTL_OUT(req, &xig, sizeof xig); 729 } 730 free(inp_list, M_TEMP); 731 return (error); 732 } 733 734 SYSCTL_PROC(_net_inet_udp, UDPCTL_PCBLIST, pcblist, CTLFLAG_RD, 0, 0, 735 udp_pcblist, "S,xinpcb", "List of active UDP sockets"); 736 737 static int 738 udp_getcred(SYSCTL_HANDLER_ARGS) 739 { 740 INIT_VNET_INET(curvnet); 741 struct xucred xuc; 742 struct sockaddr_in addrs[2]; 743 struct inpcb *inp; 744 int error; 745 746 error = priv_check(req->td, PRIV_NETINET_GETCRED); 747 if (error) 748 return (error); 749 error = SYSCTL_IN(req, addrs, sizeof(addrs)); 750 if (error) 751 return (error); 752 INP_INFO_RLOCK(&V_udbinfo); 753 inp = in_pcblookup_hash(&V_udbinfo, addrs[1].sin_addr, addrs[1].sin_port, 754 addrs[0].sin_addr, addrs[0].sin_port, 1, NULL); 755 if (inp != NULL) { 756 INP_RLOCK(inp); 757 INP_INFO_RUNLOCK(&V_udbinfo); 758 if (inp->inp_socket == NULL) 759 error = ENOENT; 760 if (error == 0) 761 error = cr_canseeinpcb(req->td->td_ucred, inp); 762 if (error == 0) 763 cru2x(inp->inp_cred, &xuc); 764 INP_RUNLOCK(inp); 765 } else { 766 INP_INFO_RUNLOCK(&V_udbinfo); 767 error = ENOENT; 768 } 769 if (error == 0) 770 error = SYSCTL_OUT(req, &xuc, sizeof(struct xucred)); 771 return (error); 772 } 773 774 SYSCTL_PROC(_net_inet_udp, OID_AUTO, getcred, 775 CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0, 776 udp_getcred, "S,xucred", "Get the xucred of a UDP connection"); 777 778 static int 779 udp_output(struct inpcb *inp, struct mbuf *m, struct sockaddr *addr, 780 struct mbuf *control, struct thread *td) 781 { 782 INIT_VNET_INET(inp->inp_vnet); 783 struct udpiphdr *ui; 784 int len = m->m_pkthdr.len; 785 struct in_addr faddr, laddr; 786 struct cmsghdr *cm; 787 struct sockaddr_in *sin, src; 788 int error = 0; 789 int ipflags; 790 u_short fport, lport; 791 int unlock_udbinfo; 792 793 /* 794 * udp_output() may need to temporarily bind or connect the current 795 * inpcb. As such, we don't know up front whether we will need the 796 * pcbinfo lock or not. Do any work to decide what is needed up 797 * front before acquiring any locks. 798 */ 799 if (len + sizeof(struct udpiphdr) > IP_MAXPACKET) { 800 if (control) 801 m_freem(control); 802 m_freem(m); 803 return (EMSGSIZE); 804 } 805 806 src.sin_family = 0; 807 if (control != NULL) { 808 /* 809 * XXX: Currently, we assume all the optional information is 810 * stored in a single mbuf. 811 */ 812 if (control->m_next) { 813 m_freem(control); 814 m_freem(m); 815 return (EINVAL); 816 } 817 for (; control->m_len > 0; 818 control->m_data += CMSG_ALIGN(cm->cmsg_len), 819 control->m_len -= CMSG_ALIGN(cm->cmsg_len)) { 820 cm = mtod(control, struct cmsghdr *); 821 if (control->m_len < sizeof(*cm) || cm->cmsg_len == 0 822 || cm->cmsg_len > control->m_len) { 823 error = EINVAL; 824 break; 825 } 826 if (cm->cmsg_level != IPPROTO_IP) 827 continue; 828 829 switch (cm->cmsg_type) { 830 case IP_SENDSRCADDR: 831 if (cm->cmsg_len != 832 CMSG_LEN(sizeof(struct in_addr))) { 833 error = EINVAL; 834 break; 835 } 836 bzero(&src, sizeof(src)); 837 src.sin_family = AF_INET; 838 src.sin_len = sizeof(src); 839 src.sin_port = inp->inp_lport; 840 src.sin_addr = 841 *(struct in_addr *)CMSG_DATA(cm); 842 break; 843 844 default: 845 error = ENOPROTOOPT; 846 break; 847 } 848 if (error) 849 break; 850 } 851 m_freem(control); 852 } 853 if (error) { 854 m_freem(m); 855 return (error); 856 } 857 858 /* 859 * Depending on whether or not the application has bound or connected 860 * the socket, we may have to do varying levels of work. The optimal 861 * case is for a connected UDP socket, as a global lock isn't 862 * required at all. 863 * 864 * In order to decide which we need, we require stability of the 865 * inpcb binding, which we ensure by acquiring a read lock on the 866 * inpcb. This doesn't strictly follow the lock order, so we play 867 * the trylock and retry game; note that we may end up with more 868 * conservative locks than required the second time around, so later 869 * assertions have to accept that. Further analysis of the number of 870 * misses under contention is required. 871 */ 872 sin = (struct sockaddr_in *)addr; 873 INP_RLOCK(inp); 874 if (sin != NULL && 875 (inp->inp_laddr.s_addr == INADDR_ANY && inp->inp_lport == 0)) { 876 INP_RUNLOCK(inp); 877 INP_INFO_WLOCK(&V_udbinfo); 878 INP_WLOCK(inp); 879 unlock_udbinfo = 2; 880 } else if ((sin != NULL && ( 881 (sin->sin_addr.s_addr == INADDR_ANY) || 882 (sin->sin_addr.s_addr == INADDR_BROADCAST) || 883 (inp->inp_laddr.s_addr == INADDR_ANY) || 884 (inp->inp_lport == 0))) || 885 (src.sin_family == AF_INET)) { 886 if (!INP_INFO_TRY_RLOCK(&V_udbinfo)) { 887 INP_RUNLOCK(inp); 888 INP_INFO_RLOCK(&V_udbinfo); 889 INP_RLOCK(inp); 890 } 891 unlock_udbinfo = 1; 892 } else 893 unlock_udbinfo = 0; 894 895 /* 896 * If the IP_SENDSRCADDR control message was specified, override the 897 * source address for this datagram. Its use is invalidated if the 898 * address thus specified is incomplete or clobbers other inpcbs. 899 */ 900 laddr = inp->inp_laddr; 901 lport = inp->inp_lport; 902 if (src.sin_family == AF_INET) { 903 INP_INFO_LOCK_ASSERT(&V_udbinfo); 904 if ((lport == 0) || 905 (laddr.s_addr == INADDR_ANY && 906 src.sin_addr.s_addr == INADDR_ANY)) { 907 error = EINVAL; 908 goto release; 909 } 910 error = in_pcbbind_setup(inp, (struct sockaddr *)&src, 911 &laddr.s_addr, &lport, td->td_ucred); 912 if (error) 913 goto release; 914 } 915 916 /* 917 * If a UDP socket has been connected, then a local address/port will 918 * have been selected and bound. 919 * 920 * If a UDP socket has not been connected to, then an explicit 921 * destination address must be used, in which case a local 922 * address/port may not have been selected and bound. 923 */ 924 if (sin != NULL) { 925 INP_LOCK_ASSERT(inp); 926 if (inp->inp_faddr.s_addr != INADDR_ANY) { 927 error = EISCONN; 928 goto release; 929 } 930 931 /* 932 * Jail may rewrite the destination address, so let it do 933 * that before we use it. 934 */ 935 if (jailed(td->td_ucred)) 936 prison_remote_ip(td->td_ucred, 0, 937 &sin->sin_addr.s_addr); 938 939 /* 940 * If a local address or port hasn't yet been selected, or if 941 * the destination address needs to be rewritten due to using 942 * a special INADDR_ constant, invoke in_pcbconnect_setup() 943 * to do the heavy lifting. Once a port is selected, we 944 * commit the binding back to the socket; we also commit the 945 * binding of the address if in jail. 946 * 947 * If we already have a valid binding and we're not 948 * requesting a destination address rewrite, use a fast path. 949 */ 950 if (inp->inp_laddr.s_addr == INADDR_ANY || 951 inp->inp_lport == 0 || 952 sin->sin_addr.s_addr == INADDR_ANY || 953 sin->sin_addr.s_addr == INADDR_BROADCAST) { 954 INP_INFO_LOCK_ASSERT(&V_udbinfo); 955 error = in_pcbconnect_setup(inp, addr, &laddr.s_addr, 956 &lport, &faddr.s_addr, &fport, NULL, 957 td->td_ucred); 958 if (error) 959 goto release; 960 961 /* 962 * XXXRW: Why not commit the port if the address is 963 * !INADDR_ANY? 964 */ 965 /* Commit the local port if newly assigned. */ 966 if (inp->inp_laddr.s_addr == INADDR_ANY && 967 inp->inp_lport == 0) { 968 INP_INFO_WLOCK_ASSERT(&V_udbinfo); 969 INP_WLOCK_ASSERT(inp); 970 /* 971 * Remember addr if jailed, to prevent 972 * rebinding. 973 */ 974 if (jailed(td->td_ucred)) 975 inp->inp_laddr = laddr; 976 inp->inp_lport = lport; 977 if (in_pcbinshash(inp) != 0) { 978 inp->inp_lport = 0; 979 error = EAGAIN; 980 goto release; 981 } 982 inp->inp_flags |= INP_ANONPORT; 983 } 984 } else { 985 faddr = sin->sin_addr; 986 fport = sin->sin_port; 987 } 988 } else { 989 INP_LOCK_ASSERT(inp); 990 faddr = inp->inp_faddr; 991 fport = inp->inp_fport; 992 if (faddr.s_addr == INADDR_ANY) { 993 error = ENOTCONN; 994 goto release; 995 } 996 } 997 998 /* 999 * Calculate data length and get a mbuf for UDP, IP, and possible 1000 * link-layer headers. Immediate slide the data pointer back forward 1001 * since we won't use that space at this layer. 1002 */ 1003 M_PREPEND(m, sizeof(struct udpiphdr) + max_linkhdr, M_DONTWAIT); 1004 if (m == NULL) { 1005 error = ENOBUFS; 1006 goto release; 1007 } 1008 m->m_data += max_linkhdr; 1009 m->m_len -= max_linkhdr; 1010 m->m_pkthdr.len -= max_linkhdr; 1011 1012 /* 1013 * Fill in mbuf with extended UDP header and addresses and length put 1014 * into network format. 1015 */ 1016 ui = mtod(m, struct udpiphdr *); 1017 bzero(ui->ui_x1, sizeof(ui->ui_x1)); /* XXX still needed? */ 1018 ui->ui_pr = IPPROTO_UDP; 1019 ui->ui_src = laddr; 1020 ui->ui_dst = faddr; 1021 ui->ui_sport = lport; 1022 ui->ui_dport = fport; 1023 ui->ui_ulen = htons((u_short)len + sizeof(struct udphdr)); 1024 1025 /* 1026 * Set the Don't Fragment bit in the IP header. 1027 */ 1028 if (inp->inp_flags & INP_DONTFRAG) { 1029 struct ip *ip; 1030 1031 ip = (struct ip *)&ui->ui_i; 1032 ip->ip_off |= IP_DF; 1033 } 1034 1035 ipflags = 0; 1036 if (inp->inp_socket->so_options & SO_DONTROUTE) 1037 ipflags |= IP_ROUTETOIF; 1038 if (inp->inp_socket->so_options & SO_BROADCAST) 1039 ipflags |= IP_ALLOWBROADCAST; 1040 if (inp->inp_flags & INP_ONESBCAST) 1041 ipflags |= IP_SENDONES; 1042 1043 #ifdef MAC 1044 mac_inpcb_create_mbuf(inp, m); 1045 #endif 1046 1047 /* 1048 * Set up checksum and output datagram. 1049 */ 1050 if (udp_cksum) { 1051 if (inp->inp_flags & INP_ONESBCAST) 1052 faddr.s_addr = INADDR_BROADCAST; 1053 ui->ui_sum = in_pseudo(ui->ui_src.s_addr, faddr.s_addr, 1054 htons((u_short)len + sizeof(struct udphdr) + IPPROTO_UDP)); 1055 m->m_pkthdr.csum_flags = CSUM_UDP; 1056 m->m_pkthdr.csum_data = offsetof(struct udphdr, uh_sum); 1057 } else 1058 ui->ui_sum = 0; 1059 ((struct ip *)ui)->ip_len = sizeof (struct udpiphdr) + len; 1060 ((struct ip *)ui)->ip_ttl = inp->inp_ip_ttl; /* XXX */ 1061 ((struct ip *)ui)->ip_tos = inp->inp_ip_tos; /* XXX */ 1062 V_udpstat.udps_opackets++; 1063 1064 if (unlock_udbinfo == 2) 1065 INP_INFO_WUNLOCK(&V_udbinfo); 1066 else if (unlock_udbinfo == 1) 1067 INP_INFO_RUNLOCK(&V_udbinfo); 1068 error = ip_output(m, inp->inp_options, NULL, ipflags, 1069 inp->inp_moptions, inp); 1070 if (unlock_udbinfo == 2) 1071 INP_WUNLOCK(inp); 1072 else 1073 INP_RUNLOCK(inp); 1074 return (error); 1075 1076 release: 1077 if (unlock_udbinfo == 2) { 1078 INP_WUNLOCK(inp); 1079 INP_INFO_WUNLOCK(&V_udbinfo); 1080 } else if (unlock_udbinfo == 1) { 1081 INP_RUNLOCK(inp); 1082 INP_INFO_RUNLOCK(&V_udbinfo); 1083 } else 1084 INP_RUNLOCK(inp); 1085 m_freem(m); 1086 return (error); 1087 } 1088 1089 static void 1090 udp_abort(struct socket *so) 1091 { 1092 INIT_VNET_INET(so->so_vnet); 1093 struct inpcb *inp; 1094 1095 inp = sotoinpcb(so); 1096 KASSERT(inp != NULL, ("udp_abort: inp == NULL")); 1097 INP_INFO_WLOCK(&V_udbinfo); 1098 INP_WLOCK(inp); 1099 if (inp->inp_faddr.s_addr != INADDR_ANY) { 1100 in_pcbdisconnect(inp); 1101 inp->inp_laddr.s_addr = INADDR_ANY; 1102 soisdisconnected(so); 1103 } 1104 INP_WUNLOCK(inp); 1105 INP_INFO_WUNLOCK(&V_udbinfo); 1106 } 1107 1108 static int 1109 udp_attach(struct socket *so, int proto, struct thread *td) 1110 { 1111 INIT_VNET_INET(so->so_vnet); 1112 struct inpcb *inp; 1113 int error; 1114 1115 inp = sotoinpcb(so); 1116 KASSERT(inp == NULL, ("udp_attach: inp != NULL")); 1117 error = soreserve(so, udp_sendspace, udp_recvspace); 1118 if (error) 1119 return (error); 1120 INP_INFO_WLOCK(&V_udbinfo); 1121 error = in_pcballoc(so, &V_udbinfo); 1122 if (error) { 1123 INP_INFO_WUNLOCK(&V_udbinfo); 1124 return (error); 1125 } 1126 1127 inp = (struct inpcb *)so->so_pcb; 1128 INP_INFO_WUNLOCK(&V_udbinfo); 1129 inp->inp_vflag |= INP_IPV4; 1130 inp->inp_ip_ttl = V_ip_defttl; 1131 INP_WUNLOCK(inp); 1132 return (0); 1133 } 1134 1135 static int 1136 udp_bind(struct socket *so, struct sockaddr *nam, struct thread *td) 1137 { 1138 INIT_VNET_INET(so->so_vnet); 1139 struct inpcb *inp; 1140 int error; 1141 1142 inp = sotoinpcb(so); 1143 KASSERT(inp != NULL, ("udp_bind: inp == NULL")); 1144 INP_INFO_WLOCK(&V_udbinfo); 1145 INP_WLOCK(inp); 1146 error = in_pcbbind(inp, nam, td->td_ucred); 1147 INP_WUNLOCK(inp); 1148 INP_INFO_WUNLOCK(&V_udbinfo); 1149 return (error); 1150 } 1151 1152 static void 1153 udp_close(struct socket *so) 1154 { 1155 INIT_VNET_INET(so->so_vnet); 1156 struct inpcb *inp; 1157 1158 inp = sotoinpcb(so); 1159 KASSERT(inp != NULL, ("udp_close: inp == NULL")); 1160 INP_INFO_WLOCK(&V_udbinfo); 1161 INP_WLOCK(inp); 1162 if (inp->inp_faddr.s_addr != INADDR_ANY) { 1163 in_pcbdisconnect(inp); 1164 inp->inp_laddr.s_addr = INADDR_ANY; 1165 soisdisconnected(so); 1166 } 1167 INP_WUNLOCK(inp); 1168 INP_INFO_WUNLOCK(&V_udbinfo); 1169 } 1170 1171 static int 1172 udp_connect(struct socket *so, struct sockaddr *nam, struct thread *td) 1173 { 1174 INIT_VNET_INET(so->so_vnet); 1175 struct inpcb *inp; 1176 int error; 1177 struct sockaddr_in *sin; 1178 1179 inp = sotoinpcb(so); 1180 KASSERT(inp != NULL, ("udp_connect: inp == NULL")); 1181 INP_INFO_WLOCK(&V_udbinfo); 1182 INP_WLOCK(inp); 1183 if (inp->inp_faddr.s_addr != INADDR_ANY) { 1184 INP_WUNLOCK(inp); 1185 INP_INFO_WUNLOCK(&V_udbinfo); 1186 return (EISCONN); 1187 } 1188 sin = (struct sockaddr_in *)nam; 1189 if (jailed(td->td_ucred)) 1190 prison_remote_ip(td->td_ucred, 0, &sin->sin_addr.s_addr); 1191 error = in_pcbconnect(inp, nam, td->td_ucred); 1192 if (error == 0) 1193 soisconnected(so); 1194 INP_WUNLOCK(inp); 1195 INP_INFO_WUNLOCK(&V_udbinfo); 1196 return (error); 1197 } 1198 1199 static void 1200 udp_detach(struct socket *so) 1201 { 1202 INIT_VNET_INET(so->so_vnet); 1203 struct inpcb *inp; 1204 1205 inp = sotoinpcb(so); 1206 KASSERT(inp != NULL, ("udp_detach: inp == NULL")); 1207 KASSERT(inp->inp_faddr.s_addr == INADDR_ANY, 1208 ("udp_detach: not disconnected")); 1209 INP_INFO_WLOCK(&V_udbinfo); 1210 INP_WLOCK(inp); 1211 in_pcbdetach(inp); 1212 in_pcbfree(inp); 1213 INP_INFO_WUNLOCK(&V_udbinfo); 1214 } 1215 1216 static int 1217 udp_disconnect(struct socket *so) 1218 { 1219 INIT_VNET_INET(so->so_vnet); 1220 struct inpcb *inp; 1221 1222 inp = sotoinpcb(so); 1223 KASSERT(inp != NULL, ("udp_disconnect: inp == NULL")); 1224 INP_INFO_WLOCK(&V_udbinfo); 1225 INP_WLOCK(inp); 1226 if (inp->inp_faddr.s_addr == INADDR_ANY) { 1227 INP_WUNLOCK(inp); 1228 INP_INFO_WUNLOCK(&V_udbinfo); 1229 return (ENOTCONN); 1230 } 1231 1232 in_pcbdisconnect(inp); 1233 inp->inp_laddr.s_addr = INADDR_ANY; 1234 SOCK_LOCK(so); 1235 so->so_state &= ~SS_ISCONNECTED; /* XXX */ 1236 SOCK_UNLOCK(so); 1237 INP_WUNLOCK(inp); 1238 INP_INFO_WUNLOCK(&V_udbinfo); 1239 return (0); 1240 } 1241 1242 static int 1243 udp_send(struct socket *so, int flags, struct mbuf *m, struct sockaddr *addr, 1244 struct mbuf *control, struct thread *td) 1245 { 1246 struct inpcb *inp; 1247 1248 inp = sotoinpcb(so); 1249 KASSERT(inp != NULL, ("udp_send: inp == NULL")); 1250 return (udp_output(inp, m, addr, control, td)); 1251 } 1252 1253 int 1254 udp_shutdown(struct socket *so) 1255 { 1256 struct inpcb *inp; 1257 1258 inp = sotoinpcb(so); 1259 KASSERT(inp != NULL, ("udp_shutdown: inp == NULL")); 1260 INP_WLOCK(inp); 1261 socantsendmore(so); 1262 INP_WUNLOCK(inp); 1263 return (0); 1264 } 1265 1266 struct pr_usrreqs udp_usrreqs = { 1267 .pru_abort = udp_abort, 1268 .pru_attach = udp_attach, 1269 .pru_bind = udp_bind, 1270 .pru_connect = udp_connect, 1271 .pru_control = in_control, 1272 .pru_detach = udp_detach, 1273 .pru_disconnect = udp_disconnect, 1274 .pru_peeraddr = in_getpeeraddr, 1275 .pru_send = udp_send, 1276 .pru_soreceive = soreceive_dgram, 1277 .pru_sosend = sosend_dgram, 1278 .pru_shutdown = udp_shutdown, 1279 .pru_sockaddr = in_getsockaddr, 1280 .pru_sosetlabel = in_pcbsosetlabel, 1281 .pru_close = udp_close, 1282 }; 1283