1 /*- 2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of the project nor the names of its contributors 14 * may be used to endorse or promote products derived from this software 15 * without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 * 29 * $KAME: ip6_input.c,v 1.259 2002/01/21 04:58:09 jinmei Exp $ 30 */ 31 32 /*- 33 * Copyright (c) 1982, 1986, 1988, 1993 34 * The Regents of the University of California. All rights reserved. 35 * 36 * Redistribution and use in source and binary forms, with or without 37 * modification, are permitted provided that the following conditions 38 * are met: 39 * 1. Redistributions of source code must retain the above copyright 40 * notice, this list of conditions and the following disclaimer. 41 * 2. Redistributions in binary form must reproduce the above copyright 42 * notice, this list of conditions and the following disclaimer in the 43 * documentation and/or other materials provided with the distribution. 44 * 4. Neither the name of the University nor the names of its contributors 45 * may be used to endorse or promote products derived from this software 46 * without specific prior written permission. 47 * 48 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 49 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 50 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 51 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 52 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 53 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 54 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 55 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 56 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 57 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 58 * SUCH DAMAGE. 59 * 60 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94 61 */ 62 63 #include <sys/cdefs.h> 64 __FBSDID("$FreeBSD$"); 65 66 #include "opt_inet.h" 67 #include "opt_inet6.h" 68 #include "opt_ipfw.h" 69 #include "opt_ipsec.h" 70 #include "opt_route.h" 71 #include "opt_rss.h" 72 73 #include <sys/param.h> 74 #include <sys/systm.h> 75 #include <sys/malloc.h> 76 #include <sys/mbuf.h> 77 #include <sys/proc.h> 78 #include <sys/domain.h> 79 #include <sys/protosw.h> 80 #include <sys/sdt.h> 81 #include <sys/socket.h> 82 #include <sys/socketvar.h> 83 #include <sys/errno.h> 84 #include <sys/time.h> 85 #include <sys/kernel.h> 86 #include <sys/lock.h> 87 #include <sys/rmlock.h> 88 #include <sys/syslog.h> 89 90 #include <net/if.h> 91 #include <net/if_var.h> 92 #include <net/if_types.h> 93 #include <net/if_dl.h> 94 #include <net/route.h> 95 #include <net/netisr.h> 96 #include <net/pfil.h> 97 #include <net/vnet.h> 98 99 #include <netinet/in.h> 100 #include <netinet/in_kdtrace.h> 101 #include <netinet/ip_var.h> 102 #include <netinet/in_systm.h> 103 #include <net/if_llatbl.h> 104 #ifdef INET 105 #include <netinet/ip.h> 106 #include <netinet/ip_icmp.h> 107 #endif /* INET */ 108 #include <netinet/ip6.h> 109 #include <netinet6/in6_var.h> 110 #include <netinet6/ip6_var.h> 111 #include <netinet/in_pcb.h> 112 #include <netinet/icmp6.h> 113 #include <netinet6/scope6_var.h> 114 #include <netinet6/in6_ifattach.h> 115 #include <netinet6/nd6.h> 116 #include <netinet6/in6_rss.h> 117 118 #ifdef IPSEC 119 #include <netipsec/ipsec.h> 120 #include <netinet6/ip6_ipsec.h> 121 #include <netipsec/ipsec6.h> 122 #endif /* IPSEC */ 123 124 #include <netinet6/ip6protosw.h> 125 126 extern struct domain inet6domain; 127 128 u_char ip6_protox[IPPROTO_MAX]; 129 VNET_DEFINE(struct in6_ifaddrhead, in6_ifaddrhead); 130 VNET_DEFINE(struct in6_ifaddrlisthead *, in6_ifaddrhashtbl); 131 VNET_DEFINE(u_long, in6_ifaddrhmask); 132 133 static struct netisr_handler ip6_nh = { 134 .nh_name = "ip6", 135 .nh_handler = ip6_input, 136 .nh_proto = NETISR_IPV6, 137 #ifdef RSS 138 .nh_m2cpuid = rss_soft_m2cpuid_v6, 139 .nh_policy = NETISR_POLICY_CPU, 140 .nh_dispatch = NETISR_DISPATCH_HYBRID, 141 #else 142 .nh_policy = NETISR_POLICY_FLOW, 143 #endif 144 }; 145 146 VNET_DECLARE(struct callout, in6_tmpaddrtimer_ch); 147 #define V_in6_tmpaddrtimer_ch VNET(in6_tmpaddrtimer_ch) 148 149 VNET_DEFINE(struct pfil_head, inet6_pfil_hook); 150 151 VNET_PCPUSTAT_DEFINE(struct ip6stat, ip6stat); 152 VNET_PCPUSTAT_SYSINIT(ip6stat); 153 #ifdef VIMAGE 154 VNET_PCPUSTAT_SYSUNINIT(ip6stat); 155 #endif /* VIMAGE */ 156 157 struct rmlock in6_ifaddr_lock; 158 RM_SYSINIT(in6_ifaddr_lock, &in6_ifaddr_lock, "in6_ifaddr_lock"); 159 160 static void ip6_init2(void *); 161 static int ip6_hopopts_input(u_int32_t *, u_int32_t *, struct mbuf **, int *); 162 #ifdef PULLDOWN_TEST 163 static struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int); 164 #endif 165 166 /* 167 * IP6 initialization: fill in IP6 protocol switch table. 168 * All protocols not implemented in kernel go to raw IP6 protocol handler. 169 */ 170 void 171 ip6_init(void) 172 { 173 struct protosw *pr; 174 int i; 175 176 TUNABLE_INT_FETCH("net.inet6.ip6.auto_linklocal", 177 &V_ip6_auto_linklocal); 178 TUNABLE_INT_FETCH("net.inet6.ip6.accept_rtadv", &V_ip6_accept_rtadv); 179 TUNABLE_INT_FETCH("net.inet6.ip6.no_radr", &V_ip6_no_radr); 180 181 TAILQ_INIT(&V_in6_ifaddrhead); 182 V_in6_ifaddrhashtbl = hashinit(IN6ADDR_NHASH, M_IFADDR, 183 &V_in6_ifaddrhmask); 184 185 /* Initialize packet filter hooks. */ 186 V_inet6_pfil_hook.ph_type = PFIL_TYPE_AF; 187 V_inet6_pfil_hook.ph_af = AF_INET6; 188 if ((i = pfil_head_register(&V_inet6_pfil_hook)) != 0) 189 printf("%s: WARNING: unable to register pfil hook, " 190 "error %d\n", __func__, i); 191 192 scope6_init(); 193 addrsel_policy_init(); 194 nd6_init(); 195 frag6_init(); 196 197 V_ip6_desync_factor = arc4random() % MAX_TEMP_DESYNC_FACTOR; 198 199 /* Skip global initialization stuff for non-default instances. */ 200 if (!IS_DEFAULT_VNET(curvnet)) 201 return; 202 203 pr = pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW); 204 if (pr == NULL) 205 panic("ip6_init"); 206 207 /* Initialize the entire ip6_protox[] array to IPPROTO_RAW. */ 208 for (i = 0; i < IPPROTO_MAX; i++) 209 ip6_protox[i] = pr - inet6sw; 210 /* 211 * Cycle through IP protocols and put them into the appropriate place 212 * in ip6_protox[]. 213 */ 214 for (pr = inet6domain.dom_protosw; 215 pr < inet6domain.dom_protoswNPROTOSW; pr++) 216 if (pr->pr_domain->dom_family == PF_INET6 && 217 pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW) { 218 /* Be careful to only index valid IP protocols. */ 219 if (pr->pr_protocol < IPPROTO_MAX) 220 ip6_protox[pr->pr_protocol] = pr - inet6sw; 221 } 222 223 netisr_register(&ip6_nh); 224 } 225 226 /* 227 * The protocol to be inserted into ip6_protox[] must be already registered 228 * in inet6sw[], either statically or through pf_proto_register(). 229 */ 230 int 231 ip6proto_register(short ip6proto) 232 { 233 struct protosw *pr; 234 235 /* Sanity checks. */ 236 if (ip6proto <= 0 || ip6proto >= IPPROTO_MAX) 237 return (EPROTONOSUPPORT); 238 239 /* 240 * The protocol slot must not be occupied by another protocol 241 * already. An index pointing to IPPROTO_RAW is unused. 242 */ 243 pr = pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW); 244 if (pr == NULL) 245 return (EPFNOSUPPORT); 246 if (ip6_protox[ip6proto] != pr - inet6sw) /* IPPROTO_RAW */ 247 return (EEXIST); 248 249 /* 250 * Find the protocol position in inet6sw[] and set the index. 251 */ 252 for (pr = inet6domain.dom_protosw; 253 pr < inet6domain.dom_protoswNPROTOSW; pr++) { 254 if (pr->pr_domain->dom_family == PF_INET6 && 255 pr->pr_protocol && pr->pr_protocol == ip6proto) { 256 ip6_protox[pr->pr_protocol] = pr - inet6sw; 257 return (0); 258 } 259 } 260 return (EPROTONOSUPPORT); 261 } 262 263 int 264 ip6proto_unregister(short ip6proto) 265 { 266 struct protosw *pr; 267 268 /* Sanity checks. */ 269 if (ip6proto <= 0 || ip6proto >= IPPROTO_MAX) 270 return (EPROTONOSUPPORT); 271 272 /* Check if the protocol was indeed registered. */ 273 pr = pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW); 274 if (pr == NULL) 275 return (EPFNOSUPPORT); 276 if (ip6_protox[ip6proto] == pr - inet6sw) /* IPPROTO_RAW */ 277 return (ENOENT); 278 279 /* Reset the protocol slot to IPPROTO_RAW. */ 280 ip6_protox[ip6proto] = pr - inet6sw; 281 return (0); 282 } 283 284 #ifdef VIMAGE 285 void 286 ip6_destroy() 287 { 288 int i; 289 290 if ((i = pfil_head_unregister(&V_inet6_pfil_hook)) != 0) 291 printf("%s: WARNING: unable to unregister pfil hook, " 292 "error %d\n", __func__, i); 293 hashdestroy(V_in6_ifaddrhashtbl, M_IFADDR, V_in6_ifaddrhmask); 294 nd6_destroy(); 295 callout_drain(&V_in6_tmpaddrtimer_ch); 296 } 297 #endif 298 299 static int 300 ip6_init2_vnet(const void *unused __unused) 301 { 302 303 /* nd6_timer_init */ 304 callout_init(&V_nd6_timer_ch, 0); 305 callout_reset(&V_nd6_timer_ch, hz, nd6_timer, curvnet); 306 307 /* timer for regeneranation of temporary addresses randomize ID */ 308 callout_init(&V_in6_tmpaddrtimer_ch, 0); 309 callout_reset(&V_in6_tmpaddrtimer_ch, 310 (V_ip6_temp_preferred_lifetime - V_ip6_desync_factor - 311 V_ip6_temp_regen_advance) * hz, 312 in6_tmpaddrtimer, curvnet); 313 314 return (0); 315 } 316 317 static void 318 ip6_init2(void *dummy) 319 { 320 321 ip6_init2_vnet(NULL); 322 } 323 324 /* cheat */ 325 /* This must be after route_init(), which is now SI_ORDER_THIRD */ 326 SYSINIT(netinet6init2, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ip6_init2, NULL); 327 328 static int 329 ip6_input_hbh(struct mbuf *m, uint32_t *plen, uint32_t *rtalert, int *off, 330 int *nxt, int *ours) 331 { 332 struct ip6_hdr *ip6; 333 struct ip6_hbh *hbh; 334 335 if (ip6_hopopts_input(plen, rtalert, &m, off)) { 336 #if 0 /*touches NULL pointer*/ 337 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 338 #endif 339 goto out; /* m have already been freed */ 340 } 341 342 /* adjust pointer */ 343 ip6 = mtod(m, struct ip6_hdr *); 344 345 /* 346 * if the payload length field is 0 and the next header field 347 * indicates Hop-by-Hop Options header, then a Jumbo Payload 348 * option MUST be included. 349 */ 350 if (ip6->ip6_plen == 0 && *plen == 0) { 351 /* 352 * Note that if a valid jumbo payload option is 353 * contained, ip6_hopopts_input() must set a valid 354 * (non-zero) payload length to the variable plen. 355 */ 356 IP6STAT_INC(ip6s_badoptions); 357 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 358 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); 359 icmp6_error(m, ICMP6_PARAM_PROB, 360 ICMP6_PARAMPROB_HEADER, 361 (caddr_t)&ip6->ip6_plen - (caddr_t)ip6); 362 goto out; 363 } 364 #ifndef PULLDOWN_TEST 365 /* ip6_hopopts_input() ensures that mbuf is contiguous */ 366 hbh = (struct ip6_hbh *)(ip6 + 1); 367 #else 368 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 369 sizeof(struct ip6_hbh)); 370 if (hbh == NULL) { 371 IP6STAT_INC(ip6s_tooshort); 372 goto out; 373 } 374 #endif 375 *nxt = hbh->ip6h_nxt; 376 377 /* 378 * If we are acting as a router and the packet contains a 379 * router alert option, see if we know the option value. 380 * Currently, we only support the option value for MLD, in which 381 * case we should pass the packet to the multicast routing 382 * daemon. 383 */ 384 if (*rtalert != ~0) { 385 switch (*rtalert) { 386 case IP6OPT_RTALERT_MLD: 387 if (V_ip6_forwarding) 388 *ours = 1; 389 break; 390 default: 391 /* 392 * RFC2711 requires unrecognized values must be 393 * silently ignored. 394 */ 395 break; 396 } 397 } 398 399 return (0); 400 401 out: 402 return (1); 403 } 404 405 void 406 ip6_input(struct mbuf *m) 407 { 408 struct in6_addr odst; 409 struct ip6_hdr *ip6; 410 struct in6_ifaddr *ia; 411 u_int32_t plen; 412 u_int32_t rtalert = ~0; 413 int off = sizeof(struct ip6_hdr), nest; 414 int nxt, ours = 0; 415 int srcrt = 0; 416 417 #ifdef IPSEC 418 /* 419 * should the inner packet be considered authentic? 420 * see comment in ah4_input(). 421 * NB: m cannot be NULL when passed to the input routine 422 */ 423 424 m->m_flags &= ~M_AUTHIPHDR; 425 m->m_flags &= ~M_AUTHIPDGM; 426 427 #endif /* IPSEC */ 428 429 if (m->m_flags & M_FASTFWD_OURS) { 430 /* 431 * Firewall changed destination to local. 432 */ 433 m->m_flags &= ~M_FASTFWD_OURS; 434 ours = 1; 435 ip6 = mtod(m, struct ip6_hdr *); 436 goto hbhcheck; 437 } 438 439 /* 440 * mbuf statistics 441 */ 442 if (m->m_flags & M_EXT) { 443 if (m->m_next) 444 IP6STAT_INC(ip6s_mext2m); 445 else 446 IP6STAT_INC(ip6s_mext1); 447 } else { 448 if (m->m_next) { 449 if (m->m_flags & M_LOOP) { 450 IP6STAT_INC(ip6s_m2m[V_loif->if_index]); 451 } else if (m->m_pkthdr.rcvif->if_index < IP6S_M2MMAX) 452 IP6STAT_INC( 453 ip6s_m2m[m->m_pkthdr.rcvif->if_index]); 454 else 455 IP6STAT_INC(ip6s_m2m[0]); 456 } else 457 IP6STAT_INC(ip6s_m1); 458 } 459 460 /* drop the packet if IPv6 operation is disabled on the IF */ 461 if ((ND_IFINFO(m->m_pkthdr.rcvif)->flags & ND6_IFF_IFDISABLED)) 462 goto bad; 463 464 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_receive); 465 IP6STAT_INC(ip6s_total); 466 467 #ifndef PULLDOWN_TEST 468 /* 469 * L2 bridge code and some other code can return mbuf chain 470 * that does not conform to KAME requirement. too bad. 471 * XXX: fails to join if interface MTU > MCLBYTES. jumbogram? 472 */ 473 if (m && m->m_next != NULL && m->m_pkthdr.len < MCLBYTES) { 474 struct mbuf *n; 475 476 if (m->m_pkthdr.len > MHLEN) 477 n = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR); 478 else 479 n = m_gethdr(M_NOWAIT, MT_DATA); 480 if (n == NULL) { 481 m_freem(m); 482 return; /* ENOBUFS */ 483 } 484 485 m_move_pkthdr(n, m); 486 m_copydata(m, 0, n->m_pkthdr.len, mtod(n, caddr_t)); 487 n->m_len = n->m_pkthdr.len; 488 m_freem(m); 489 m = n; 490 } 491 IP6_EXTHDR_CHECK(m, 0, sizeof(struct ip6_hdr), /* nothing */); 492 #endif 493 494 if (m->m_len < sizeof(struct ip6_hdr)) { 495 struct ifnet *inifp; 496 inifp = m->m_pkthdr.rcvif; 497 if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 498 IP6STAT_INC(ip6s_toosmall); 499 in6_ifstat_inc(inifp, ifs6_in_hdrerr); 500 return; 501 } 502 } 503 504 ip6 = mtod(m, struct ip6_hdr *); 505 506 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) { 507 IP6STAT_INC(ip6s_badvers); 508 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); 509 goto bad; 510 } 511 512 IP6STAT_INC(ip6s_nxthist[ip6->ip6_nxt]); 513 514 IP_PROBE(receive, NULL, NULL, ip6, m->m_pkthdr.rcvif, NULL, ip6); 515 516 /* 517 * Check against address spoofing/corruption. 518 */ 519 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) || 520 IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) { 521 /* 522 * XXX: "badscope" is not very suitable for a multicast source. 523 */ 524 IP6STAT_INC(ip6s_badscope); 525 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 526 goto bad; 527 } 528 if (IN6_IS_ADDR_MC_INTFACELOCAL(&ip6->ip6_dst) && 529 !(m->m_flags & M_LOOP)) { 530 /* 531 * In this case, the packet should come from the loopback 532 * interface. However, we cannot just check the if_flags, 533 * because ip6_mloopback() passes the "actual" interface 534 * as the outgoing/incoming interface. 535 */ 536 IP6STAT_INC(ip6s_badscope); 537 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 538 goto bad; 539 } 540 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) && 541 IPV6_ADDR_MC_SCOPE(&ip6->ip6_dst) == 0) { 542 /* 543 * RFC4291 2.7: 544 * Nodes must not originate a packet to a multicast address 545 * whose scop field contains the reserved value 0; if such 546 * a packet is received, it must be silently dropped. 547 */ 548 IP6STAT_INC(ip6s_badscope); 549 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 550 goto bad; 551 } 552 #ifdef ALTQ 553 if (altq_input != NULL && (*altq_input)(m, AF_INET6) == 0) { 554 /* packet is dropped by traffic conditioner */ 555 return; 556 } 557 #endif 558 /* 559 * The following check is not documented in specs. A malicious 560 * party may be able to use IPv4 mapped addr to confuse tcp/udp stack 561 * and bypass security checks (act as if it was from 127.0.0.1 by using 562 * IPv6 src ::ffff:127.0.0.1). Be cautious. 563 * 564 * This check chokes if we are in an SIIT cloud. As none of BSDs 565 * support IPv4-less kernel compilation, we cannot support SIIT 566 * environment at all. So, it makes more sense for us to reject any 567 * malicious packets for non-SIIT environment, than try to do a 568 * partial support for SIIT environment. 569 */ 570 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 571 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 572 IP6STAT_INC(ip6s_badscope); 573 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 574 goto bad; 575 } 576 #if 0 577 /* 578 * Reject packets with IPv4 compatible addresses (auto tunnel). 579 * 580 * The code forbids auto tunnel relay case in RFC1933 (the check is 581 * stronger than RFC1933). We may want to re-enable it if mech-xx 582 * is revised to forbid relaying case. 583 */ 584 if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) || 585 IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) { 586 IP6STAT_INC(ip6s_badscope); 587 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 588 goto bad; 589 } 590 #endif 591 #ifdef IPSEC 592 /* 593 * Bypass packet filtering for packets previously handled by IPsec. 594 */ 595 if (ip6_ipsec_filtertunnel(m)) 596 goto passin; 597 #endif /* IPSEC */ 598 599 /* 600 * Run through list of hooks for input packets. 601 * 602 * NB: Beware of the destination address changing 603 * (e.g. by NAT rewriting). When this happens, 604 * tell ip6_forward to do the right thing. 605 */ 606 odst = ip6->ip6_dst; 607 608 /* Jump over all PFIL processing if hooks are not active. */ 609 if (!PFIL_HOOKED(&V_inet6_pfil_hook)) 610 goto passin; 611 612 if (pfil_run_hooks(&V_inet6_pfil_hook, &m, 613 m->m_pkthdr.rcvif, PFIL_IN, NULL)) 614 return; 615 if (m == NULL) /* consumed by filter */ 616 return; 617 ip6 = mtod(m, struct ip6_hdr *); 618 srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst); 619 620 if (m->m_flags & M_FASTFWD_OURS) { 621 m->m_flags &= ~M_FASTFWD_OURS; 622 ours = 1; 623 goto hbhcheck; 624 } 625 if ((m->m_flags & M_IP6_NEXTHOP) && 626 m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) { 627 /* 628 * Directly ship the packet on. This allows forwarding 629 * packets originally destined to us to some other directly 630 * connected host. 631 */ 632 ip6_forward(m, 1); 633 return; 634 } 635 636 passin: 637 /* 638 * Disambiguate address scope zones (if there is ambiguity). 639 * We first make sure that the original source or destination address 640 * is not in our internal form for scoped addresses. Such addresses 641 * are not necessarily invalid spec-wise, but we cannot accept them due 642 * to the usage conflict. 643 * in6_setscope() then also checks and rejects the cases where src or 644 * dst are the loopback address and the receiving interface 645 * is not loopback. 646 */ 647 if (in6_clearscope(&ip6->ip6_src) || in6_clearscope(&ip6->ip6_dst)) { 648 IP6STAT_INC(ip6s_badscope); /* XXX */ 649 goto bad; 650 } 651 if (in6_setscope(&ip6->ip6_src, m->m_pkthdr.rcvif, NULL) || 652 in6_setscope(&ip6->ip6_dst, m->m_pkthdr.rcvif, NULL)) { 653 IP6STAT_INC(ip6s_badscope); 654 goto bad; 655 } 656 /* 657 * Multicast check. Assume packet is for us to avoid 658 * prematurely taking locks. 659 */ 660 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 661 ours = 1; 662 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_mcast); 663 goto hbhcheck; 664 } 665 /* 666 * Unicast check 667 * XXX: For now we keep link-local IPv6 addresses with embedded 668 * scope zone id, therefore we use zero zoneid here. 669 */ 670 ia = in6ifa_ifwithaddr(&ip6->ip6_dst, 0 /* XXX */); 671 if (ia != NULL) { 672 if (ia->ia6_flags & IN6_IFF_NOTREADY) { 673 char ip6bufs[INET6_ADDRSTRLEN]; 674 char ip6bufd[INET6_ADDRSTRLEN]; 675 /* address is not ready, so discard the packet. */ 676 nd6log((LOG_INFO, 677 "ip6_input: packet to an unready address %s->%s\n", 678 ip6_sprintf(ip6bufs, &ip6->ip6_src), 679 ip6_sprintf(ip6bufd, &ip6->ip6_dst))); 680 ifa_free(&ia->ia_ifa); 681 goto bad; 682 } 683 /* Count the packet in the ip address stats */ 684 counter_u64_add(ia->ia_ifa.ifa_ipackets, 1); 685 counter_u64_add(ia->ia_ifa.ifa_ibytes, m->m_pkthdr.len); 686 ifa_free(&ia->ia_ifa); 687 ours = 1; 688 goto hbhcheck; 689 } 690 691 /* 692 * Now there is no reason to process the packet if it's not our own 693 * and we're not a router. 694 */ 695 if (!V_ip6_forwarding) { 696 IP6STAT_INC(ip6s_cantforward); 697 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 698 goto bad; 699 } 700 701 hbhcheck: 702 /* 703 * Process Hop-by-Hop options header if it's contained. 704 * m may be modified in ip6_hopopts_input(). 705 * If a JumboPayload option is included, plen will also be modified. 706 */ 707 plen = (u_int32_t)ntohs(ip6->ip6_plen); 708 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 709 if (ip6_input_hbh(m, &plen, &rtalert, &off, &nxt, &ours) != 0) 710 return; 711 } else 712 nxt = ip6->ip6_nxt; 713 714 /* 715 * Check that the amount of data in the buffers 716 * is as at least much as the IPv6 header would have us expect. 717 * Trim mbufs if longer than we expect. 718 * Drop packet if shorter than we expect. 719 */ 720 if (m->m_pkthdr.len - sizeof(struct ip6_hdr) < plen) { 721 IP6STAT_INC(ip6s_tooshort); 722 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 723 goto bad; 724 } 725 if (m->m_pkthdr.len > sizeof(struct ip6_hdr) + plen) { 726 if (m->m_len == m->m_pkthdr.len) { 727 m->m_len = sizeof(struct ip6_hdr) + plen; 728 m->m_pkthdr.len = sizeof(struct ip6_hdr) + plen; 729 } else 730 m_adj(m, sizeof(struct ip6_hdr) + plen - m->m_pkthdr.len); 731 } 732 733 /* 734 * Forward if desirable. 735 */ 736 if (V_ip6_mrouter && 737 IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 738 /* 739 * If we are acting as a multicast router, all 740 * incoming multicast packets are passed to the 741 * kernel-level multicast forwarding function. 742 * The packet is returned (relatively) intact; if 743 * ip6_mforward() returns a non-zero value, the packet 744 * must be discarded, else it may be accepted below. 745 * 746 * XXX TODO: Check hlim and multicast scope here to avoid 747 * unnecessarily calling into ip6_mforward(). 748 */ 749 if (ip6_mforward && 750 ip6_mforward(ip6, m->m_pkthdr.rcvif, m)) { 751 IP6STAT_INC(ip6s_cantforward); 752 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 753 goto bad; 754 } 755 } else if (!ours) { 756 ip6_forward(m, srcrt); 757 return; 758 } 759 760 ip6 = mtod(m, struct ip6_hdr *); 761 762 /* 763 * Malicious party may be able to use IPv4 mapped addr to confuse 764 * tcp/udp stack and bypass security checks (act as if it was from 765 * 127.0.0.1 by using IPv6 src ::ffff:127.0.0.1). Be cautious. 766 * 767 * For SIIT end node behavior, you may want to disable the check. 768 * However, you will become vulnerable to attacks using IPv4 mapped 769 * source. 770 */ 771 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 772 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 773 IP6STAT_INC(ip6s_badscope); 774 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 775 goto bad; 776 } 777 778 /* 779 * Tell launch routine the next header 780 */ 781 IP6STAT_INC(ip6s_delivered); 782 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_deliver); 783 nest = 0; 784 785 while (nxt != IPPROTO_DONE) { 786 if (V_ip6_hdrnestlimit && (++nest > V_ip6_hdrnestlimit)) { 787 IP6STAT_INC(ip6s_toomanyhdr); 788 goto bad; 789 } 790 791 /* 792 * protection against faulty packet - there should be 793 * more sanity checks in header chain processing. 794 */ 795 if (m->m_pkthdr.len < off) { 796 IP6STAT_INC(ip6s_tooshort); 797 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 798 goto bad; 799 } 800 801 #ifdef IPSEC 802 /* 803 * enforce IPsec policy checking if we are seeing last header. 804 * note that we do not visit this with protocols with pcb layer 805 * code - like udp/tcp/raw ip. 806 */ 807 if (ip6_ipsec_input(m, nxt)) 808 goto bad; 809 #endif /* IPSEC */ 810 811 /* 812 * Use mbuf flags to propagate Router Alert option to 813 * ICMPv6 layer, as hop-by-hop options have been stripped. 814 */ 815 if (nxt == IPPROTO_ICMPV6 && rtalert != ~0) 816 m->m_flags |= M_RTALERT_MLD; 817 818 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt); 819 } 820 return; 821 bad: 822 m_freem(m); 823 } 824 825 /* 826 * Hop-by-Hop options header processing. If a valid jumbo payload option is 827 * included, the real payload length will be stored in plenp. 828 * 829 * rtalertp - XXX: should be stored more smart way 830 */ 831 static int 832 ip6_hopopts_input(u_int32_t *plenp, u_int32_t *rtalertp, 833 struct mbuf **mp, int *offp) 834 { 835 struct mbuf *m = *mp; 836 int off = *offp, hbhlen; 837 struct ip6_hbh *hbh; 838 839 /* validation of the length of the header */ 840 #ifndef PULLDOWN_TEST 841 IP6_EXTHDR_CHECK(m, off, sizeof(*hbh), -1); 842 hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off); 843 hbhlen = (hbh->ip6h_len + 1) << 3; 844 845 IP6_EXTHDR_CHECK(m, off, hbhlen, -1); 846 hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off); 847 #else 848 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, 849 sizeof(struct ip6_hdr), sizeof(struct ip6_hbh)); 850 if (hbh == NULL) { 851 IP6STAT_INC(ip6s_tooshort); 852 return -1; 853 } 854 hbhlen = (hbh->ip6h_len + 1) << 3; 855 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 856 hbhlen); 857 if (hbh == NULL) { 858 IP6STAT_INC(ip6s_tooshort); 859 return -1; 860 } 861 #endif 862 off += hbhlen; 863 hbhlen -= sizeof(struct ip6_hbh); 864 if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh), 865 hbhlen, rtalertp, plenp) < 0) 866 return (-1); 867 868 *offp = off; 869 *mp = m; 870 return (0); 871 } 872 873 /* 874 * Search header for all Hop-by-hop options and process each option. 875 * This function is separate from ip6_hopopts_input() in order to 876 * handle a case where the sending node itself process its hop-by-hop 877 * options header. In such a case, the function is called from ip6_output(). 878 * 879 * The function assumes that hbh header is located right after the IPv6 header 880 * (RFC2460 p7), opthead is pointer into data content in m, and opthead to 881 * opthead + hbhlen is located in contiguous memory region. 882 */ 883 int 884 ip6_process_hopopts(struct mbuf *m, u_int8_t *opthead, int hbhlen, 885 u_int32_t *rtalertp, u_int32_t *plenp) 886 { 887 struct ip6_hdr *ip6; 888 int optlen = 0; 889 u_int8_t *opt = opthead; 890 u_int16_t rtalert_val; 891 u_int32_t jumboplen; 892 const int erroff = sizeof(struct ip6_hdr) + sizeof(struct ip6_hbh); 893 894 for (; hbhlen > 0; hbhlen -= optlen, opt += optlen) { 895 switch (*opt) { 896 case IP6OPT_PAD1: 897 optlen = 1; 898 break; 899 case IP6OPT_PADN: 900 if (hbhlen < IP6OPT_MINLEN) { 901 IP6STAT_INC(ip6s_toosmall); 902 goto bad; 903 } 904 optlen = *(opt + 1) + 2; 905 break; 906 case IP6OPT_ROUTER_ALERT: 907 /* XXX may need check for alignment */ 908 if (hbhlen < IP6OPT_RTALERT_LEN) { 909 IP6STAT_INC(ip6s_toosmall); 910 goto bad; 911 } 912 if (*(opt + 1) != IP6OPT_RTALERT_LEN - 2) { 913 /* XXX stat */ 914 icmp6_error(m, ICMP6_PARAM_PROB, 915 ICMP6_PARAMPROB_HEADER, 916 erroff + opt + 1 - opthead); 917 return (-1); 918 } 919 optlen = IP6OPT_RTALERT_LEN; 920 bcopy((caddr_t)(opt + 2), (caddr_t)&rtalert_val, 2); 921 *rtalertp = ntohs(rtalert_val); 922 break; 923 case IP6OPT_JUMBO: 924 /* XXX may need check for alignment */ 925 if (hbhlen < IP6OPT_JUMBO_LEN) { 926 IP6STAT_INC(ip6s_toosmall); 927 goto bad; 928 } 929 if (*(opt + 1) != IP6OPT_JUMBO_LEN - 2) { 930 /* XXX stat */ 931 icmp6_error(m, ICMP6_PARAM_PROB, 932 ICMP6_PARAMPROB_HEADER, 933 erroff + opt + 1 - opthead); 934 return (-1); 935 } 936 optlen = IP6OPT_JUMBO_LEN; 937 938 /* 939 * IPv6 packets that have non 0 payload length 940 * must not contain a jumbo payload option. 941 */ 942 ip6 = mtod(m, struct ip6_hdr *); 943 if (ip6->ip6_plen) { 944 IP6STAT_INC(ip6s_badoptions); 945 icmp6_error(m, ICMP6_PARAM_PROB, 946 ICMP6_PARAMPROB_HEADER, 947 erroff + opt - opthead); 948 return (-1); 949 } 950 951 /* 952 * We may see jumbolen in unaligned location, so 953 * we'd need to perform bcopy(). 954 */ 955 bcopy(opt + 2, &jumboplen, sizeof(jumboplen)); 956 jumboplen = (u_int32_t)htonl(jumboplen); 957 958 #if 1 959 /* 960 * if there are multiple jumbo payload options, 961 * *plenp will be non-zero and the packet will be 962 * rejected. 963 * the behavior may need some debate in ipngwg - 964 * multiple options does not make sense, however, 965 * there's no explicit mention in specification. 966 */ 967 if (*plenp != 0) { 968 IP6STAT_INC(ip6s_badoptions); 969 icmp6_error(m, ICMP6_PARAM_PROB, 970 ICMP6_PARAMPROB_HEADER, 971 erroff + opt + 2 - opthead); 972 return (-1); 973 } 974 #endif 975 976 /* 977 * jumbo payload length must be larger than 65535. 978 */ 979 if (jumboplen <= IPV6_MAXPACKET) { 980 IP6STAT_INC(ip6s_badoptions); 981 icmp6_error(m, ICMP6_PARAM_PROB, 982 ICMP6_PARAMPROB_HEADER, 983 erroff + opt + 2 - opthead); 984 return (-1); 985 } 986 *plenp = jumboplen; 987 988 break; 989 default: /* unknown option */ 990 if (hbhlen < IP6OPT_MINLEN) { 991 IP6STAT_INC(ip6s_toosmall); 992 goto bad; 993 } 994 optlen = ip6_unknown_opt(opt, m, 995 erroff + opt - opthead); 996 if (optlen == -1) 997 return (-1); 998 optlen += 2; 999 break; 1000 } 1001 } 1002 1003 return (0); 1004 1005 bad: 1006 m_freem(m); 1007 return (-1); 1008 } 1009 1010 /* 1011 * Unknown option processing. 1012 * The third argument `off' is the offset from the IPv6 header to the option, 1013 * which is necessary if the IPv6 header the and option header and IPv6 header 1014 * is not contiguous in order to return an ICMPv6 error. 1015 */ 1016 int 1017 ip6_unknown_opt(u_int8_t *optp, struct mbuf *m, int off) 1018 { 1019 struct ip6_hdr *ip6; 1020 1021 switch (IP6OPT_TYPE(*optp)) { 1022 case IP6OPT_TYPE_SKIP: /* ignore the option */ 1023 return ((int)*(optp + 1)); 1024 case IP6OPT_TYPE_DISCARD: /* silently discard */ 1025 m_freem(m); 1026 return (-1); 1027 case IP6OPT_TYPE_FORCEICMP: /* send ICMP even if multicasted */ 1028 IP6STAT_INC(ip6s_badoptions); 1029 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_OPTION, off); 1030 return (-1); 1031 case IP6OPT_TYPE_ICMP: /* send ICMP if not multicasted */ 1032 IP6STAT_INC(ip6s_badoptions); 1033 ip6 = mtod(m, struct ip6_hdr *); 1034 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) || 1035 (m->m_flags & (M_BCAST|M_MCAST))) 1036 m_freem(m); 1037 else 1038 icmp6_error(m, ICMP6_PARAM_PROB, 1039 ICMP6_PARAMPROB_OPTION, off); 1040 return (-1); 1041 } 1042 1043 m_freem(m); /* XXX: NOTREACHED */ 1044 return (-1); 1045 } 1046 1047 /* 1048 * Create the "control" list for this pcb. 1049 * These functions will not modify mbuf chain at all. 1050 * 1051 * With KAME mbuf chain restriction: 1052 * The routine will be called from upper layer handlers like tcp6_input(). 1053 * Thus the routine assumes that the caller (tcp6_input) have already 1054 * called IP6_EXTHDR_CHECK() and all the extension headers are located in the 1055 * very first mbuf on the mbuf chain. 1056 * 1057 * ip6_savecontrol_v4 will handle those options that are possible to be 1058 * set on a v4-mapped socket. 1059 * ip6_savecontrol will directly call ip6_savecontrol_v4 to handle those 1060 * options and handle the v6-only ones itself. 1061 */ 1062 struct mbuf ** 1063 ip6_savecontrol_v4(struct inpcb *inp, struct mbuf *m, struct mbuf **mp, 1064 int *v4only) 1065 { 1066 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1067 1068 #ifdef SO_TIMESTAMP 1069 if ((inp->inp_socket->so_options & SO_TIMESTAMP) != 0) { 1070 struct timeval tv; 1071 1072 microtime(&tv); 1073 *mp = sbcreatecontrol((caddr_t) &tv, sizeof(tv), 1074 SCM_TIMESTAMP, SOL_SOCKET); 1075 if (*mp) 1076 mp = &(*mp)->m_next; 1077 } 1078 #endif 1079 1080 #define IS2292(inp, x, y) (((inp)->inp_flags & IN6P_RFC2292) ? (x) : (y)) 1081 /* RFC 2292 sec. 5 */ 1082 if ((inp->inp_flags & IN6P_PKTINFO) != 0) { 1083 struct in6_pktinfo pi6; 1084 1085 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) { 1086 #ifdef INET 1087 struct ip *ip; 1088 1089 ip = mtod(m, struct ip *); 1090 pi6.ipi6_addr.s6_addr32[0] = 0; 1091 pi6.ipi6_addr.s6_addr32[1] = 0; 1092 pi6.ipi6_addr.s6_addr32[2] = IPV6_ADDR_INT32_SMP; 1093 pi6.ipi6_addr.s6_addr32[3] = ip->ip_dst.s_addr; 1094 #else 1095 /* We won't hit this code */ 1096 bzero(&pi6.ipi6_addr, sizeof(struct in6_addr)); 1097 #endif 1098 } else { 1099 bcopy(&ip6->ip6_dst, &pi6.ipi6_addr, sizeof(struct in6_addr)); 1100 in6_clearscope(&pi6.ipi6_addr); /* XXX */ 1101 } 1102 pi6.ipi6_ifindex = 1103 (m && m->m_pkthdr.rcvif) ? m->m_pkthdr.rcvif->if_index : 0; 1104 1105 *mp = sbcreatecontrol((caddr_t) &pi6, 1106 sizeof(struct in6_pktinfo), 1107 IS2292(inp, IPV6_2292PKTINFO, IPV6_PKTINFO), IPPROTO_IPV6); 1108 if (*mp) 1109 mp = &(*mp)->m_next; 1110 } 1111 1112 if ((inp->inp_flags & IN6P_HOPLIMIT) != 0) { 1113 int hlim; 1114 1115 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) { 1116 #ifdef INET 1117 struct ip *ip; 1118 1119 ip = mtod(m, struct ip *); 1120 hlim = ip->ip_ttl; 1121 #else 1122 /* We won't hit this code */ 1123 hlim = 0; 1124 #endif 1125 } else { 1126 hlim = ip6->ip6_hlim & 0xff; 1127 } 1128 *mp = sbcreatecontrol((caddr_t) &hlim, sizeof(int), 1129 IS2292(inp, IPV6_2292HOPLIMIT, IPV6_HOPLIMIT), 1130 IPPROTO_IPV6); 1131 if (*mp) 1132 mp = &(*mp)->m_next; 1133 } 1134 1135 if ((inp->inp_flags & IN6P_TCLASS) != 0) { 1136 int tclass; 1137 1138 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) { 1139 #ifdef INET 1140 struct ip *ip; 1141 1142 ip = mtod(m, struct ip *); 1143 tclass = ip->ip_tos; 1144 #else 1145 /* We won't hit this code */ 1146 tclass = 0; 1147 #endif 1148 } else { 1149 u_int32_t flowinfo; 1150 1151 flowinfo = (u_int32_t)ntohl(ip6->ip6_flow & IPV6_FLOWINFO_MASK); 1152 flowinfo >>= 20; 1153 tclass = flowinfo & 0xff; 1154 } 1155 *mp = sbcreatecontrol((caddr_t) &tclass, sizeof(int), 1156 IPV6_TCLASS, IPPROTO_IPV6); 1157 if (*mp) 1158 mp = &(*mp)->m_next; 1159 } 1160 1161 if (v4only != NULL) { 1162 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) { 1163 *v4only = 1; 1164 } else { 1165 *v4only = 0; 1166 } 1167 } 1168 1169 return (mp); 1170 } 1171 1172 void 1173 ip6_savecontrol(struct inpcb *in6p, struct mbuf *m, struct mbuf **mp) 1174 { 1175 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1176 int v4only = 0; 1177 1178 mp = ip6_savecontrol_v4(in6p, m, mp, &v4only); 1179 if (v4only) 1180 return; 1181 1182 /* 1183 * IPV6_HOPOPTS socket option. Recall that we required super-user 1184 * privilege for the option (see ip6_ctloutput), but it might be too 1185 * strict, since there might be some hop-by-hop options which can be 1186 * returned to normal user. 1187 * See also RFC 2292 section 6 (or RFC 3542 section 8). 1188 */ 1189 if ((in6p->inp_flags & IN6P_HOPOPTS) != 0) { 1190 /* 1191 * Check if a hop-by-hop options header is contatined in the 1192 * received packet, and if so, store the options as ancillary 1193 * data. Note that a hop-by-hop options header must be 1194 * just after the IPv6 header, which is assured through the 1195 * IPv6 input processing. 1196 */ 1197 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 1198 struct ip6_hbh *hbh; 1199 int hbhlen = 0; 1200 #ifdef PULLDOWN_TEST 1201 struct mbuf *ext; 1202 #endif 1203 1204 #ifndef PULLDOWN_TEST 1205 hbh = (struct ip6_hbh *)(ip6 + 1); 1206 hbhlen = (hbh->ip6h_len + 1) << 3; 1207 #else 1208 ext = ip6_pullexthdr(m, sizeof(struct ip6_hdr), 1209 ip6->ip6_nxt); 1210 if (ext == NULL) { 1211 IP6STAT_INC(ip6s_tooshort); 1212 return; 1213 } 1214 hbh = mtod(ext, struct ip6_hbh *); 1215 hbhlen = (hbh->ip6h_len + 1) << 3; 1216 if (hbhlen != ext->m_len) { 1217 m_freem(ext); 1218 IP6STAT_INC(ip6s_tooshort); 1219 return; 1220 } 1221 #endif 1222 1223 /* 1224 * XXX: We copy the whole header even if a 1225 * jumbo payload option is included, the option which 1226 * is to be removed before returning according to 1227 * RFC2292. 1228 * Note: this constraint is removed in RFC3542 1229 */ 1230 *mp = sbcreatecontrol((caddr_t)hbh, hbhlen, 1231 IS2292(in6p, IPV6_2292HOPOPTS, IPV6_HOPOPTS), 1232 IPPROTO_IPV6); 1233 if (*mp) 1234 mp = &(*mp)->m_next; 1235 #ifdef PULLDOWN_TEST 1236 m_freem(ext); 1237 #endif 1238 } 1239 } 1240 1241 if ((in6p->inp_flags & (IN6P_RTHDR | IN6P_DSTOPTS)) != 0) { 1242 int nxt = ip6->ip6_nxt, off = sizeof(struct ip6_hdr); 1243 1244 /* 1245 * Search for destination options headers or routing 1246 * header(s) through the header chain, and stores each 1247 * header as ancillary data. 1248 * Note that the order of the headers remains in 1249 * the chain of ancillary data. 1250 */ 1251 while (1) { /* is explicit loop prevention necessary? */ 1252 struct ip6_ext *ip6e = NULL; 1253 int elen; 1254 #ifdef PULLDOWN_TEST 1255 struct mbuf *ext = NULL; 1256 #endif 1257 1258 /* 1259 * if it is not an extension header, don't try to 1260 * pull it from the chain. 1261 */ 1262 switch (nxt) { 1263 case IPPROTO_DSTOPTS: 1264 case IPPROTO_ROUTING: 1265 case IPPROTO_HOPOPTS: 1266 case IPPROTO_AH: /* is it possible? */ 1267 break; 1268 default: 1269 goto loopend; 1270 } 1271 1272 #ifndef PULLDOWN_TEST 1273 if (off + sizeof(*ip6e) > m->m_len) 1274 goto loopend; 1275 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + off); 1276 if (nxt == IPPROTO_AH) 1277 elen = (ip6e->ip6e_len + 2) << 2; 1278 else 1279 elen = (ip6e->ip6e_len + 1) << 3; 1280 if (off + elen > m->m_len) 1281 goto loopend; 1282 #else 1283 ext = ip6_pullexthdr(m, off, nxt); 1284 if (ext == NULL) { 1285 IP6STAT_INC(ip6s_tooshort); 1286 return; 1287 } 1288 ip6e = mtod(ext, struct ip6_ext *); 1289 if (nxt == IPPROTO_AH) 1290 elen = (ip6e->ip6e_len + 2) << 2; 1291 else 1292 elen = (ip6e->ip6e_len + 1) << 3; 1293 if (elen != ext->m_len) { 1294 m_freem(ext); 1295 IP6STAT_INC(ip6s_tooshort); 1296 return; 1297 } 1298 #endif 1299 1300 switch (nxt) { 1301 case IPPROTO_DSTOPTS: 1302 if (!(in6p->inp_flags & IN6P_DSTOPTS)) 1303 break; 1304 1305 *mp = sbcreatecontrol((caddr_t)ip6e, elen, 1306 IS2292(in6p, 1307 IPV6_2292DSTOPTS, IPV6_DSTOPTS), 1308 IPPROTO_IPV6); 1309 if (*mp) 1310 mp = &(*mp)->m_next; 1311 break; 1312 case IPPROTO_ROUTING: 1313 if (!(in6p->inp_flags & IN6P_RTHDR)) 1314 break; 1315 1316 *mp = sbcreatecontrol((caddr_t)ip6e, elen, 1317 IS2292(in6p, IPV6_2292RTHDR, IPV6_RTHDR), 1318 IPPROTO_IPV6); 1319 if (*mp) 1320 mp = &(*mp)->m_next; 1321 break; 1322 case IPPROTO_HOPOPTS: 1323 case IPPROTO_AH: /* is it possible? */ 1324 break; 1325 1326 default: 1327 /* 1328 * other cases have been filtered in the above. 1329 * none will visit this case. here we supply 1330 * the code just in case (nxt overwritten or 1331 * other cases). 1332 */ 1333 #ifdef PULLDOWN_TEST 1334 m_freem(ext); 1335 #endif 1336 goto loopend; 1337 1338 } 1339 1340 /* proceed with the next header. */ 1341 off += elen; 1342 nxt = ip6e->ip6e_nxt; 1343 ip6e = NULL; 1344 #ifdef PULLDOWN_TEST 1345 m_freem(ext); 1346 ext = NULL; 1347 #endif 1348 } 1349 loopend: 1350 ; 1351 } 1352 } 1353 #undef IS2292 1354 1355 void 1356 ip6_notify_pmtu(struct inpcb *inp, struct sockaddr_in6 *dst, u_int32_t mtu) 1357 { 1358 struct socket *so; 1359 struct mbuf *m_mtu; 1360 struct ip6_mtuinfo mtuctl; 1361 1362 KASSERT(inp != NULL, ("%s: inp == NULL", __func__)); 1363 /* 1364 * Notify the error by sending IPV6_PATHMTU ancillary data if 1365 * application wanted to know the MTU value. 1366 * NOTE: we notify disconnected sockets, because some udp 1367 * applications keep sending sockets disconnected. 1368 * NOTE: our implementation doesn't notify connected sockets that has 1369 * foreign address that is different than given destination addresses 1370 * (this is permitted by RFC 3542). 1371 */ 1372 if ((inp->inp_flags & IN6P_MTU) == 0 || ( 1373 !IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_faddr) && 1374 !IN6_ARE_ADDR_EQUAL(&inp->in6p_faddr, &dst->sin6_addr))) 1375 return; 1376 1377 mtuctl.ip6m_mtu = mtu; 1378 mtuctl.ip6m_addr = *dst; 1379 if (sa6_recoverscope(&mtuctl.ip6m_addr)) 1380 return; 1381 1382 if ((m_mtu = sbcreatecontrol((caddr_t)&mtuctl, sizeof(mtuctl), 1383 IPV6_PATHMTU, IPPROTO_IPV6)) == NULL) 1384 return; 1385 1386 so = inp->inp_socket; 1387 if (sbappendaddr(&so->so_rcv, (struct sockaddr *)dst, NULL, m_mtu) 1388 == 0) { 1389 m_freem(m_mtu); 1390 /* XXX: should count statistics */ 1391 } else 1392 sorwakeup(so); 1393 } 1394 1395 #ifdef PULLDOWN_TEST 1396 /* 1397 * pull single extension header from mbuf chain. returns single mbuf that 1398 * contains the result, or NULL on error. 1399 */ 1400 static struct mbuf * 1401 ip6_pullexthdr(struct mbuf *m, size_t off, int nxt) 1402 { 1403 struct ip6_ext ip6e; 1404 size_t elen; 1405 struct mbuf *n; 1406 1407 #ifdef DIAGNOSTIC 1408 switch (nxt) { 1409 case IPPROTO_DSTOPTS: 1410 case IPPROTO_ROUTING: 1411 case IPPROTO_HOPOPTS: 1412 case IPPROTO_AH: /* is it possible? */ 1413 break; 1414 default: 1415 printf("ip6_pullexthdr: invalid nxt=%d\n", nxt); 1416 } 1417 #endif 1418 1419 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1420 if (nxt == IPPROTO_AH) 1421 elen = (ip6e.ip6e_len + 2) << 2; 1422 else 1423 elen = (ip6e.ip6e_len + 1) << 3; 1424 1425 if (elen > MLEN) 1426 n = m_getcl(M_NOWAIT, MT_DATA, 0); 1427 else 1428 n = m_get(M_NOWAIT, MT_DATA); 1429 if (n == NULL) 1430 return NULL; 1431 1432 m_copydata(m, off, elen, mtod(n, caddr_t)); 1433 n->m_len = elen; 1434 return n; 1435 } 1436 #endif 1437 1438 /* 1439 * Get pointer to the previous header followed by the header 1440 * currently processed. 1441 * XXX: This function supposes that 1442 * M includes all headers, 1443 * the next header field and the header length field of each header 1444 * are valid, and 1445 * the sum of each header length equals to OFF. 1446 * Because of these assumptions, this function must be called very 1447 * carefully. Moreover, it will not be used in the near future when 1448 * we develop `neater' mechanism to process extension headers. 1449 */ 1450 char * 1451 ip6_get_prevhdr(const struct mbuf *m, int off) 1452 { 1453 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1454 1455 if (off == sizeof(struct ip6_hdr)) 1456 return (&ip6->ip6_nxt); 1457 else { 1458 int len, nxt; 1459 struct ip6_ext *ip6e = NULL; 1460 1461 nxt = ip6->ip6_nxt; 1462 len = sizeof(struct ip6_hdr); 1463 while (len < off) { 1464 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + len); 1465 1466 switch (nxt) { 1467 case IPPROTO_FRAGMENT: 1468 len += sizeof(struct ip6_frag); 1469 break; 1470 case IPPROTO_AH: 1471 len += (ip6e->ip6e_len + 2) << 2; 1472 break; 1473 default: 1474 len += (ip6e->ip6e_len + 1) << 3; 1475 break; 1476 } 1477 nxt = ip6e->ip6e_nxt; 1478 } 1479 if (ip6e) 1480 return (&ip6e->ip6e_nxt); 1481 else 1482 return NULL; 1483 } 1484 } 1485 1486 /* 1487 * get next header offset. m will be retained. 1488 */ 1489 int 1490 ip6_nexthdr(const struct mbuf *m, int off, int proto, int *nxtp) 1491 { 1492 struct ip6_hdr ip6; 1493 struct ip6_ext ip6e; 1494 struct ip6_frag fh; 1495 1496 /* just in case */ 1497 if (m == NULL) 1498 panic("ip6_nexthdr: m == NULL"); 1499 if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off) 1500 return -1; 1501 1502 switch (proto) { 1503 case IPPROTO_IPV6: 1504 if (m->m_pkthdr.len < off + sizeof(ip6)) 1505 return -1; 1506 m_copydata(m, off, sizeof(ip6), (caddr_t)&ip6); 1507 if (nxtp) 1508 *nxtp = ip6.ip6_nxt; 1509 off += sizeof(ip6); 1510 return off; 1511 1512 case IPPROTO_FRAGMENT: 1513 /* 1514 * terminate parsing if it is not the first fragment, 1515 * it does not make sense to parse through it. 1516 */ 1517 if (m->m_pkthdr.len < off + sizeof(fh)) 1518 return -1; 1519 m_copydata(m, off, sizeof(fh), (caddr_t)&fh); 1520 /* IP6F_OFF_MASK = 0xfff8(BigEndian), 0xf8ff(LittleEndian) */ 1521 if (fh.ip6f_offlg & IP6F_OFF_MASK) 1522 return -1; 1523 if (nxtp) 1524 *nxtp = fh.ip6f_nxt; 1525 off += sizeof(struct ip6_frag); 1526 return off; 1527 1528 case IPPROTO_AH: 1529 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1530 return -1; 1531 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1532 if (nxtp) 1533 *nxtp = ip6e.ip6e_nxt; 1534 off += (ip6e.ip6e_len + 2) << 2; 1535 return off; 1536 1537 case IPPROTO_HOPOPTS: 1538 case IPPROTO_ROUTING: 1539 case IPPROTO_DSTOPTS: 1540 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1541 return -1; 1542 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1543 if (nxtp) 1544 *nxtp = ip6e.ip6e_nxt; 1545 off += (ip6e.ip6e_len + 1) << 3; 1546 return off; 1547 1548 case IPPROTO_NONE: 1549 case IPPROTO_ESP: 1550 case IPPROTO_IPCOMP: 1551 /* give up */ 1552 return -1; 1553 1554 default: 1555 return -1; 1556 } 1557 1558 /* NOTREACHED */ 1559 } 1560 1561 /* 1562 * get offset for the last header in the chain. m will be kept untainted. 1563 */ 1564 int 1565 ip6_lasthdr(const struct mbuf *m, int off, int proto, int *nxtp) 1566 { 1567 int newoff; 1568 int nxt; 1569 1570 if (!nxtp) { 1571 nxt = -1; 1572 nxtp = &nxt; 1573 } 1574 while (1) { 1575 newoff = ip6_nexthdr(m, off, proto, nxtp); 1576 if (newoff < 0) 1577 return off; 1578 else if (newoff < off) 1579 return -1; /* invalid */ 1580 else if (newoff == off) 1581 return newoff; 1582 1583 off = newoff; 1584 proto = *nxtp; 1585 } 1586 } 1587 1588 /* 1589 * System control for IP6 1590 */ 1591 1592 u_char inet6ctlerrmap[PRC_NCMDS] = { 1593 0, 0, 0, 0, 1594 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH, 1595 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, 1596 EMSGSIZE, EHOSTUNREACH, 0, 0, 1597 0, 0, 0, 0, 1598 ENOPROTOOPT 1599 }; 1600