1 /* $FreeBSD$ */ 2 /* $KAME: ip6_input.c,v 1.259 2002/01/21 04:58:09 jinmei Exp $ */ 3 4 /* 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 /* 34 * Copyright (c) 1982, 1986, 1988, 1993 35 * The Regents of the University of California. All rights reserved. 36 * 37 * Redistribution and use in source and binary forms, with or without 38 * modification, are permitted provided that the following conditions 39 * are met: 40 * 1. Redistributions of source code must retain the above copyright 41 * notice, this list of conditions and the following disclaimer. 42 * 2. Redistributions in binary form must reproduce the above copyright 43 * notice, this list of conditions and the following disclaimer in the 44 * documentation and/or other materials provided with the distribution. 45 * 3. All advertising materials mentioning features or use of this software 46 * must display the following acknowledgement: 47 * This product includes software developed by the University of 48 * California, Berkeley and its contributors. 49 * 4. Neither the name of the University nor the names of its contributors 50 * may be used to endorse or promote products derived from this software 51 * without specific prior written permission. 52 * 53 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 54 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 55 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 56 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 57 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 58 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 59 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 60 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 61 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 62 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 63 * SUCH DAMAGE. 64 * 65 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94 66 */ 67 68 #include "opt_ip6fw.h" 69 #include "opt_inet.h" 70 #include "opt_inet6.h" 71 #include "opt_ipsec.h" 72 #include "opt_pfil_hooks.h" 73 74 #include <sys/param.h> 75 #include <sys/systm.h> 76 #include <sys/malloc.h> 77 #include <sys/mbuf.h> 78 #include <sys/proc.h> 79 #include <sys/domain.h> 80 #include <sys/protosw.h> 81 #include <sys/socket.h> 82 #include <sys/socketvar.h> 83 #include <sys/errno.h> 84 #include <sys/time.h> 85 #include <sys/kernel.h> 86 #include <sys/syslog.h> 87 88 #include <net/if.h> 89 #include <net/if_types.h> 90 #include <net/if_dl.h> 91 #include <net/route.h> 92 #include <net/netisr.h> 93 #include <net/intrq.h> 94 #ifdef PFIL_HOOKS 95 #include <net/pfil.h> 96 #endif 97 98 #include <netinet/in.h> 99 #include <netinet/in_systm.h> 100 #ifdef INET 101 #include <netinet/ip.h> 102 #include <netinet/ip_icmp.h> 103 #endif /* INET */ 104 #include <netinet/ip6.h> 105 #include <netinet6/in6_var.h> 106 #include <netinet6/ip6_var.h> 107 #include <netinet/in_pcb.h> 108 #include <netinet/icmp6.h> 109 #include <netinet6/in6_ifattach.h> 110 #include <netinet6/nd6.h> 111 #include <netinet6/in6_prefix.h> 112 113 #ifdef IPSEC 114 #include <netinet6/ipsec.h> 115 #ifdef INET6 116 #include <netinet6/ipsec6.h> 117 #endif 118 #endif 119 120 #ifdef FAST_IPSEC 121 #include <netipsec/ipsec.h> 122 #include <netipsec/ipsec6.h> 123 #define IPSEC 124 #endif /* FAST_IPSEC */ 125 126 #include <netinet6/ip6_fw.h> 127 128 #include <netinet6/ip6protosw.h> 129 130 #include <net/net_osdep.h> 131 132 extern struct domain inet6domain; 133 134 u_char ip6_protox[IPPROTO_MAX]; 135 static int ip6qmaxlen = IFQ_MAXLEN; 136 struct in6_ifaddr *in6_ifaddr; 137 138 extern struct callout in6_tmpaddrtimer_ch; 139 140 int ip6_forward_srcrt; /* XXX */ 141 int ip6_sourcecheck; /* XXX */ 142 int ip6_sourcecheck_interval; /* XXX */ 143 144 int ip6_ours_check_algorithm; 145 146 147 /* firewall hooks */ 148 ip6_fw_chk_t *ip6_fw_chk_ptr; 149 ip6_fw_ctl_t *ip6_fw_ctl_ptr; 150 int ip6_fw_enable = 1; 151 152 struct ip6stat ip6stat; 153 154 static void ip6_init2 __P((void *)); 155 static struct ip6aux *ip6_setdstifaddr __P((struct mbuf *, struct in6_ifaddr *)); 156 static int ip6_hopopts_input __P((u_int32_t *, u_int32_t *, struct mbuf **, int *)); 157 #ifdef PULLDOWN_TEST 158 static struct mbuf *ip6_pullexthdr __P((struct mbuf *, size_t, int)); 159 #endif 160 161 162 /* 163 * IP6 initialization: fill in IP6 protocol switch table. 164 * All protocols not implemented in kernel go to raw IP6 protocol handler. 165 */ 166 void 167 ip6_init() 168 { 169 struct ip6protosw *pr; 170 int i; 171 struct timeval tv; 172 173 #ifdef DIAGNOSTIC 174 if (sizeof(struct protosw) != sizeof(struct ip6protosw)) 175 panic("sizeof(protosw) != sizeof(ip6protosw)"); 176 #endif 177 pr = (struct ip6protosw *)pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW); 178 if (pr == 0) 179 panic("ip6_init"); 180 for (i = 0; i < IPPROTO_MAX; i++) 181 ip6_protox[i] = pr - inet6sw; 182 for (pr = (struct ip6protosw *)inet6domain.dom_protosw; 183 pr < (struct ip6protosw *)inet6domain.dom_protoswNPROTOSW; pr++) 184 if (pr->pr_domain->dom_family == PF_INET6 && 185 pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW) 186 ip6_protox[pr->pr_protocol] = pr - inet6sw; 187 ip6intrq.ifq_maxlen = ip6qmaxlen; 188 mtx_init(&ip6intrq.ifq_mtx, "ip6_inq", NULL, MTX_DEF); 189 ip6intrq_present = 1; 190 register_netisr(NETISR_IPV6, ip6intr); 191 nd6_init(); 192 frag6_init(); 193 /* 194 * in many cases, random() here does NOT return random number 195 * as initialization during bootstrap time occur in fixed order. 196 */ 197 microtime(&tv); 198 ip6_flow_seq = random() ^ tv.tv_usec; 199 microtime(&tv); 200 ip6_desync_factor = (random() ^ tv.tv_usec) % MAX_TEMP_DESYNC_FACTOR; 201 } 202 203 static void 204 ip6_init2(dummy) 205 void *dummy; 206 { 207 208 /* 209 * to route local address of p2p link to loopback, 210 * assign loopback address first. 211 */ 212 in6_ifattach(&loif[0], NULL); 213 214 /* nd6_timer_init */ 215 callout_init(&nd6_timer_ch, 0); 216 callout_reset(&nd6_timer_ch, hz, nd6_timer, NULL); 217 218 /* router renumbering prefix list maintenance */ 219 callout_init(&in6_rr_timer_ch, 0); 220 callout_reset(&in6_rr_timer_ch, hz, in6_rr_timer, NULL); 221 222 /* timer for regeneranation of temporary addresses randomize ID */ 223 callout_reset(&in6_tmpaddrtimer_ch, 224 (ip6_temp_preferred_lifetime - ip6_desync_factor - 225 ip6_temp_regen_advance) * hz, 226 in6_tmpaddrtimer, NULL); 227 } 228 229 /* cheat */ 230 /* This must be after route_init(), which is now SI_ORDER_THIRD */ 231 SYSINIT(netinet6init2, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ip6_init2, NULL); 232 233 /* 234 * IP6 input interrupt handling. Just pass the packet to ip6_input. 235 */ 236 void 237 ip6intr() 238 { 239 int s; 240 struct mbuf *m; 241 242 for (;;) { 243 s = splimp(); 244 IF_DEQUEUE(&ip6intrq, m); 245 splx(s); 246 if (m == 0) 247 return; 248 ip6_input(m); 249 } 250 } 251 252 extern struct route_in6 ip6_forward_rt; 253 254 void 255 ip6_input(m) 256 struct mbuf *m; 257 { 258 struct ip6_hdr *ip6; 259 int off = sizeof(struct ip6_hdr), nest; 260 u_int32_t plen; 261 u_int32_t rtalert = ~0; 262 int nxt, ours = 0; 263 struct ifnet *deliverifp = NULL; 264 #ifdef PFIL_HOOKS 265 struct packet_filter_hook *pfh; 266 struct mbuf *m0; 267 int rv; 268 #endif /* PFIL_HOOKS */ 269 270 #ifdef IPSEC 271 /* 272 * should the inner packet be considered authentic? 273 * see comment in ah4_input(). 274 */ 275 if (m) { 276 m->m_flags &= ~M_AUTHIPHDR; 277 m->m_flags &= ~M_AUTHIPDGM; 278 } 279 #endif 280 281 /* 282 * make sure we don't have onion peering information into m_aux. 283 */ 284 ip6_delaux(m); 285 286 /* 287 * mbuf statistics 288 */ 289 if (m->m_flags & M_EXT) { 290 if (m->m_next) 291 ip6stat.ip6s_mext2m++; 292 else 293 ip6stat.ip6s_mext1++; 294 } else { 295 #define M2MMAX (sizeof(ip6stat.ip6s_m2m)/sizeof(ip6stat.ip6s_m2m[0])) 296 if (m->m_next) { 297 if (m->m_flags & M_LOOP) { 298 ip6stat.ip6s_m2m[loif[0].if_index]++; /* XXX */ 299 } else if (m->m_pkthdr.rcvif->if_index < M2MMAX) 300 ip6stat.ip6s_m2m[m->m_pkthdr.rcvif->if_index]++; 301 else 302 ip6stat.ip6s_m2m[0]++; 303 } else 304 ip6stat.ip6s_m1++; 305 #undef M2MMAX 306 } 307 308 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_receive); 309 ip6stat.ip6s_total++; 310 311 #ifndef PULLDOWN_TEST 312 /* 313 * L2 bridge code and some other code can return mbuf chain 314 * that does not conform to KAME requirement. too bad. 315 * XXX: fails to join if interface MTU > MCLBYTES. jumbogram? 316 */ 317 if (m && m->m_next != NULL && m->m_pkthdr.len < MCLBYTES) { 318 struct mbuf *n; 319 320 MGETHDR(n, M_DONTWAIT, MT_HEADER); 321 if (n) 322 M_MOVE_PKTHDR(n, m); 323 if (n && n->m_pkthdr.len > MHLEN) { 324 MCLGET(n, M_DONTWAIT); 325 if ((n->m_flags & M_EXT) == 0) { 326 m_freem(n); 327 n = NULL; 328 } 329 } 330 if (n == NULL) { 331 m_freem(m); 332 return; /*ENOBUFS*/ 333 } 334 335 m_copydata(m, 0, n->m_pkthdr.len, mtod(n, caddr_t)); 336 n->m_len = n->m_pkthdr.len; 337 m_freem(m); 338 m = n; 339 } 340 IP6_EXTHDR_CHECK(m, 0, sizeof(struct ip6_hdr), /*nothing*/); 341 #endif 342 343 if (m->m_len < sizeof(struct ip6_hdr)) { 344 struct ifnet *inifp; 345 inifp = m->m_pkthdr.rcvif; 346 if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == 0) { 347 ip6stat.ip6s_toosmall++; 348 in6_ifstat_inc(inifp, ifs6_in_hdrerr); 349 return; 350 } 351 } 352 353 ip6 = mtod(m, struct ip6_hdr *); 354 355 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) { 356 ip6stat.ip6s_badvers++; 357 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); 358 goto bad; 359 } 360 361 #ifdef PFIL_HOOKS 362 /* 363 * Run through list of hooks for input packets. If there are any 364 * filters which require that additional packets in the flow are 365 * not fast-forwarded, they must clear the M_CANFASTFWD flag. 366 * Note that filters must _never_ set this flag, as another filter 367 * in the list may have previously cleared it. 368 */ 369 m0 = m; 370 pfh = pfil_hook_get(PFIL_IN, &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh); 371 for (; pfh; pfh = pfh->pfil_link.tqe_next) 372 if (pfh->pfil_func) { 373 rv = pfh->pfil_func(ip6, sizeof(*ip6), 374 m->m_pkthdr.rcvif, 0, &m0); 375 if (rv) 376 return; 377 m = m0; 378 if (m == NULL) 379 return; 380 ip6 = mtod(m, struct ip6_hdr *); 381 } 382 #endif /* PFIL_HOOKS */ 383 384 ip6stat.ip6s_nxthist[ip6->ip6_nxt]++; 385 386 /* 387 * Check with the firewall... 388 */ 389 if (ip6_fw_enable && ip6_fw_chk_ptr) { 390 u_short port = 0; 391 /* If ipfw says divert, we have to just drop packet */ 392 /* use port as a dummy argument */ 393 if ((*ip6_fw_chk_ptr)(&ip6, NULL, &port, &m)) { 394 m_freem(m); 395 m = NULL; 396 } 397 if (!m) 398 return; 399 } 400 401 /* 402 * Check against address spoofing/corruption. 403 */ 404 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) || 405 IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) { 406 /* 407 * XXX: "badscope" is not very suitable for a multicast source. 408 */ 409 ip6stat.ip6s_badscope++; 410 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 411 goto bad; 412 } 413 if ((IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) || 414 IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) && 415 (m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) { 416 ip6stat.ip6s_badscope++; 417 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 418 goto bad; 419 } 420 421 /* 422 * The following check is not documented in specs. A malicious 423 * party may be able to use IPv4 mapped addr to confuse tcp/udp stack 424 * and bypass security checks (act as if it was from 127.0.0.1 by using 425 * IPv6 src ::ffff:127.0.0.1). Be cautious. 426 * 427 * This check chokes if we are in an SIIT cloud. As none of BSDs 428 * support IPv4-less kernel compilation, we cannot support SIIT 429 * environment at all. So, it makes more sense for us to reject any 430 * malicious packets for non-SIIT environment, than try to do a 431 * partical support for SIIT environment. 432 */ 433 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 434 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 435 ip6stat.ip6s_badscope++; 436 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 437 goto bad; 438 } 439 #if 0 440 /* 441 * Reject packets with IPv4 compatible addresses (auto tunnel). 442 * 443 * The code forbids auto tunnel relay case in RFC1933 (the check is 444 * stronger than RFC1933). We may want to re-enable it if mech-xx 445 * is revised to forbid relaying case. 446 */ 447 if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) || 448 IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) { 449 ip6stat.ip6s_badscope++; 450 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 451 goto bad; 452 } 453 #endif 454 455 /* drop packets if interface ID portion is already filled */ 456 if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) { 457 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src) && 458 ip6->ip6_src.s6_addr16[1]) { 459 ip6stat.ip6s_badscope++; 460 goto bad; 461 } 462 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst) && 463 ip6->ip6_dst.s6_addr16[1]) { 464 ip6stat.ip6s_badscope++; 465 goto bad; 466 } 467 } 468 469 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) 470 ip6->ip6_src.s6_addr16[1] 471 = htons(m->m_pkthdr.rcvif->if_index); 472 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) 473 ip6->ip6_dst.s6_addr16[1] 474 = htons(m->m_pkthdr.rcvif->if_index); 475 476 #if 0 /* this case seems to be unnecessary. (jinmei, 20010401) */ 477 /* 478 * We use rt->rt_ifp to determine if the address is ours or not. 479 * If rt_ifp is lo0, the address is ours. 480 * The problem here is, rt->rt_ifp for fe80::%lo0/64 is set to lo0, 481 * so any address under fe80::%lo0/64 will be mistakenly considered 482 * local. The special case is supplied to handle the case properly 483 * by actually looking at interface addresses 484 * (using in6ifa_ifpwithaddr). 485 */ 486 if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) != 0 && 487 IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_dst)) { 488 if (!in6ifa_ifpwithaddr(m->m_pkthdr.rcvif, &ip6->ip6_dst)) { 489 icmp6_error(m, ICMP6_DST_UNREACH, 490 ICMP6_DST_UNREACH_ADDR, 0); 491 /* m is already freed */ 492 return; 493 } 494 495 ours = 1; 496 deliverifp = m->m_pkthdr.rcvif; 497 goto hbhcheck; 498 } 499 #endif 500 501 /* 502 * Multicast check 503 */ 504 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 505 struct in6_multi *in6m = 0; 506 507 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_mcast); 508 /* 509 * See if we belong to the destination multicast group on the 510 * arrival interface. 511 */ 512 IN6_LOOKUP_MULTI(ip6->ip6_dst, m->m_pkthdr.rcvif, in6m); 513 if (in6m) 514 ours = 1; 515 else if (!ip6_mrouter) { 516 ip6stat.ip6s_notmember++; 517 ip6stat.ip6s_cantforward++; 518 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 519 goto bad; 520 } 521 deliverifp = m->m_pkthdr.rcvif; 522 goto hbhcheck; 523 } 524 525 /* 526 * Unicast check 527 */ 528 switch (ip6_ours_check_algorithm) { 529 default: 530 /* 531 * XXX: I intentionally broke our indentation rule here, 532 * since this switch-case is just for measurement and 533 * therefore should soon be removed. 534 */ 535 if (ip6_forward_rt.ro_rt != NULL && 536 (ip6_forward_rt.ro_rt->rt_flags & RTF_UP) != 0 && 537 IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, 538 &((struct sockaddr_in6 *)(&ip6_forward_rt.ro_dst))->sin6_addr)) 539 ip6stat.ip6s_forward_cachehit++; 540 else { 541 struct sockaddr_in6 *dst6; 542 543 if (ip6_forward_rt.ro_rt) { 544 /* route is down or destination is different */ 545 ip6stat.ip6s_forward_cachemiss++; 546 RTFREE(ip6_forward_rt.ro_rt); 547 ip6_forward_rt.ro_rt = 0; 548 } 549 550 bzero(&ip6_forward_rt.ro_dst, sizeof(struct sockaddr_in6)); 551 dst6 = (struct sockaddr_in6 *)&ip6_forward_rt.ro_dst; 552 dst6->sin6_len = sizeof(struct sockaddr_in6); 553 dst6->sin6_family = AF_INET6; 554 dst6->sin6_addr = ip6->ip6_dst; 555 #ifdef SCOPEDROUTING 556 ip6_forward_rt.ro_dst.sin6_scope_id = 557 in6_addr2scopeid(m->m_pkthdr.rcvif, &ip6->ip6_dst); 558 #endif 559 560 rtalloc_ign((struct route *)&ip6_forward_rt, RTF_PRCLONING); 561 } 562 563 #define rt6_key(r) ((struct sockaddr_in6 *)((r)->rt_nodes->rn_key)) 564 565 /* 566 * Accept the packet if the forwarding interface to the destination 567 * according to the routing table is the loopback interface, 568 * unless the associated route has a gateway. 569 * Note that this approach causes to accept a packet if there is a 570 * route to the loopback interface for the destination of the packet. 571 * But we think it's even useful in some situations, e.g. when using 572 * a special daemon which wants to intercept the packet. 573 * 574 * XXX: some OSes automatically make a cloned route for the destination 575 * of an outgoing packet. If the outgoing interface of the packet 576 * is a loopback one, the kernel would consider the packet to be 577 * accepted, even if we have no such address assinged on the interface. 578 * We check the cloned flag of the route entry to reject such cases, 579 * assuming that route entries for our own addresses are not made by 580 * cloning (it should be true because in6_addloop explicitly installs 581 * the host route). However, we might have to do an explicit check 582 * while it would be less efficient. Or, should we rather install a 583 * reject route for such a case? 584 */ 585 if (ip6_forward_rt.ro_rt && 586 (ip6_forward_rt.ro_rt->rt_flags & 587 (RTF_HOST|RTF_GATEWAY)) == RTF_HOST && 588 #ifdef RTF_WASCLONED 589 !(ip6_forward_rt.ro_rt->rt_flags & RTF_WASCLONED) && 590 #endif 591 #ifdef RTF_CLONED 592 !(ip6_forward_rt.ro_rt->rt_flags & RTF_CLONED) && 593 #endif 594 #if 0 595 /* 596 * The check below is redundant since the comparison of 597 * the destination and the key of the rtentry has 598 * already done through looking up the routing table. 599 */ 600 IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, 601 &rt6_key(ip6_forward_rt.ro_rt)->sin6_addr) 602 #endif 603 ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_LOOP) { 604 struct in6_ifaddr *ia6 = 605 (struct in6_ifaddr *)ip6_forward_rt.ro_rt->rt_ifa; 606 607 /* 608 * record address information into m_aux. 609 */ 610 (void)ip6_setdstifaddr(m, ia6); 611 612 /* 613 * packets to a tentative, duplicated, or somehow invalid 614 * address must not be accepted. 615 */ 616 if (!(ia6->ia6_flags & IN6_IFF_NOTREADY)) { 617 /* this address is ready */ 618 ours = 1; 619 deliverifp = ia6->ia_ifp; /* correct? */ 620 /* Count the packet in the ip address stats */ 621 ia6->ia_ifa.if_ipackets++; 622 ia6->ia_ifa.if_ibytes += m->m_pkthdr.len; 623 goto hbhcheck; 624 } else { 625 /* address is not ready, so discard the packet. */ 626 nd6log((LOG_INFO, 627 "ip6_input: packet to an unready address %s->%s\n", 628 ip6_sprintf(&ip6->ip6_src), 629 ip6_sprintf(&ip6->ip6_dst))); 630 631 goto bad; 632 } 633 } 634 } /* XXX indentation (see above) */ 635 636 /* 637 * FAITH(Firewall Aided Internet Translator) 638 */ 639 if (ip6_keepfaith) { 640 if (ip6_forward_rt.ro_rt && ip6_forward_rt.ro_rt->rt_ifp 641 && ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_FAITH) { 642 /* XXX do we need more sanity checks? */ 643 ours = 1; 644 deliverifp = ip6_forward_rt.ro_rt->rt_ifp; /* faith */ 645 goto hbhcheck; 646 } 647 } 648 649 /* 650 * Now there is no reason to process the packet if it's not our own 651 * and we're not a router. 652 */ 653 if (!ip6_forwarding) { 654 ip6stat.ip6s_cantforward++; 655 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 656 goto bad; 657 } 658 659 hbhcheck: 660 /* 661 * record address information into m_aux, if we don't have one yet. 662 * note that we are unable to record it, if the address is not listed 663 * as our interface address (e.g. multicast addresses, addresses 664 * within FAITH prefixes and such). 665 */ 666 if (deliverifp && !ip6_getdstifaddr(m)) { 667 struct in6_ifaddr *ia6; 668 669 ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst); 670 if (ia6) { 671 if (!ip6_setdstifaddr(m, ia6)) { 672 /* 673 * XXX maybe we should drop the packet here, 674 * as we could not provide enough information 675 * to the upper layers. 676 */ 677 } 678 } 679 } 680 681 /* 682 * Process Hop-by-Hop options header if it's contained. 683 * m may be modified in ip6_hopopts_input(). 684 * If a JumboPayload option is included, plen will also be modified. 685 */ 686 plen = (u_int32_t)ntohs(ip6->ip6_plen); 687 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 688 struct ip6_hbh *hbh; 689 690 if (ip6_hopopts_input(&plen, &rtalert, &m, &off)) { 691 #if 0 /*touches NULL pointer*/ 692 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 693 #endif 694 return; /* m have already been freed */ 695 } 696 697 /* adjust pointer */ 698 ip6 = mtod(m, struct ip6_hdr *); 699 700 /* 701 * if the payload length field is 0 and the next header field 702 * indicates Hop-by-Hop Options header, then a Jumbo Payload 703 * option MUST be included. 704 */ 705 if (ip6->ip6_plen == 0 && plen == 0) { 706 /* 707 * Note that if a valid jumbo payload option is 708 * contained, ip6_hoptops_input() must set a valid 709 * (non-zero) payload length to the variable plen. 710 */ 711 ip6stat.ip6s_badoptions++; 712 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 713 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); 714 icmp6_error(m, ICMP6_PARAM_PROB, 715 ICMP6_PARAMPROB_HEADER, 716 (caddr_t)&ip6->ip6_plen - (caddr_t)ip6); 717 return; 718 } 719 #ifndef PULLDOWN_TEST 720 /* ip6_hopopts_input() ensures that mbuf is contiguous */ 721 hbh = (struct ip6_hbh *)(ip6 + 1); 722 #else 723 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 724 sizeof(struct ip6_hbh)); 725 if (hbh == NULL) { 726 ip6stat.ip6s_tooshort++; 727 return; 728 } 729 #endif 730 nxt = hbh->ip6h_nxt; 731 732 /* 733 * accept the packet if a router alert option is included 734 * and we act as an IPv6 router. 735 */ 736 if (rtalert != ~0 && ip6_forwarding) 737 ours = 1; 738 } else 739 nxt = ip6->ip6_nxt; 740 741 /* 742 * Check that the amount of data in the buffers 743 * is as at least much as the IPv6 header would have us expect. 744 * Trim mbufs if longer than we expect. 745 * Drop packet if shorter than we expect. 746 */ 747 if (m->m_pkthdr.len - sizeof(struct ip6_hdr) < plen) { 748 ip6stat.ip6s_tooshort++; 749 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 750 goto bad; 751 } 752 if (m->m_pkthdr.len > sizeof(struct ip6_hdr) + plen) { 753 if (m->m_len == m->m_pkthdr.len) { 754 m->m_len = sizeof(struct ip6_hdr) + plen; 755 m->m_pkthdr.len = sizeof(struct ip6_hdr) + plen; 756 } else 757 m_adj(m, sizeof(struct ip6_hdr) + plen - m->m_pkthdr.len); 758 } 759 760 /* 761 * Forward if desirable. 762 */ 763 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 764 /* 765 * If we are acting as a multicast router, all 766 * incoming multicast packets are passed to the 767 * kernel-level multicast forwarding function. 768 * The packet is returned (relatively) intact; if 769 * ip6_mforward() returns a non-zero value, the packet 770 * must be discarded, else it may be accepted below. 771 */ 772 if (ip6_mrouter && ip6_mforward(ip6, m->m_pkthdr.rcvif, m)) { 773 ip6stat.ip6s_cantforward++; 774 m_freem(m); 775 return; 776 } 777 if (!ours) { 778 m_freem(m); 779 return; 780 } 781 } else if (!ours) { 782 ip6_forward(m, 0); 783 return; 784 } 785 786 ip6 = mtod(m, struct ip6_hdr *); 787 788 /* 789 * Malicious party may be able to use IPv4 mapped addr to confuse 790 * tcp/udp stack and bypass security checks (act as if it was from 791 * 127.0.0.1 by using IPv6 src ::ffff:127.0.0.1). Be cautious. 792 * 793 * For SIIT end node behavior, you may want to disable the check. 794 * However, you will become vulnerable to attacks using IPv4 mapped 795 * source. 796 */ 797 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 798 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 799 ip6stat.ip6s_badscope++; 800 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 801 goto bad; 802 } 803 804 /* 805 * Tell launch routine the next header 806 */ 807 ip6stat.ip6s_delivered++; 808 in6_ifstat_inc(deliverifp, ifs6_in_deliver); 809 nest = 0; 810 811 while (nxt != IPPROTO_DONE) { 812 if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) { 813 ip6stat.ip6s_toomanyhdr++; 814 goto bad; 815 } 816 817 /* 818 * protection against faulty packet - there should be 819 * more sanity checks in header chain processing. 820 */ 821 if (m->m_pkthdr.len < off) { 822 ip6stat.ip6s_tooshort++; 823 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 824 goto bad; 825 } 826 827 #if 0 828 /* 829 * do we need to do it for every header? yeah, other 830 * functions can play with it (like re-allocate and copy). 831 */ 832 mhist = ip6_addaux(m); 833 if (mhist && M_TRAILINGSPACE(mhist) >= sizeof(nxt)) { 834 hist = mtod(mhist, caddr_t) + mhist->m_len; 835 bcopy(&nxt, hist, sizeof(nxt)); 836 mhist->m_len += sizeof(nxt); 837 } else { 838 ip6stat.ip6s_toomanyhdr++; 839 goto bad; 840 } 841 #endif 842 843 #ifdef IPSEC 844 /* 845 * enforce IPsec policy checking if we are seeing last header. 846 * note that we do not visit this with protocols with pcb layer 847 * code - like udp/tcp/raw ip. 848 */ 849 if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 && 850 ipsec6_in_reject(m, NULL)) { 851 ipsec6stat.in_polvio++; 852 goto bad; 853 } 854 #endif 855 856 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt); 857 } 858 return; 859 bad: 860 m_freem(m); 861 } 862 863 /* 864 * set/grab in6_ifaddr correspond to IPv6 destination address. 865 * XXX backward compatibility wrapper 866 */ 867 static struct ip6aux * 868 ip6_setdstifaddr(m, ia6) 869 struct mbuf *m; 870 struct in6_ifaddr *ia6; 871 { 872 struct ip6aux *n; 873 874 n = ip6_addaux(m); 875 if (n) 876 n->ip6a_dstia6 = ia6; 877 return n; /* NULL if failed to set */ 878 } 879 880 struct in6_ifaddr * 881 ip6_getdstifaddr(m) 882 struct mbuf *m; 883 { 884 struct ip6aux *n; 885 886 n = ip6_findaux(m); 887 if (n) 888 return n->ip6a_dstia6; 889 else 890 return NULL; 891 } 892 893 /* 894 * Hop-by-Hop options header processing. If a valid jumbo payload option is 895 * included, the real payload length will be stored in plenp. 896 */ 897 static int 898 ip6_hopopts_input(plenp, rtalertp, mp, offp) 899 u_int32_t *plenp; 900 u_int32_t *rtalertp; /* XXX: should be stored more smart way */ 901 struct mbuf **mp; 902 int *offp; 903 { 904 struct mbuf *m = *mp; 905 int off = *offp, hbhlen; 906 struct ip6_hbh *hbh; 907 u_int8_t *opt; 908 909 /* validation of the length of the header */ 910 #ifndef PULLDOWN_TEST 911 IP6_EXTHDR_CHECK(m, off, sizeof(*hbh), -1); 912 hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off); 913 hbhlen = (hbh->ip6h_len + 1) << 3; 914 915 IP6_EXTHDR_CHECK(m, off, hbhlen, -1); 916 hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off); 917 #else 918 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, 919 sizeof(struct ip6_hdr), sizeof(struct ip6_hbh)); 920 if (hbh == NULL) { 921 ip6stat.ip6s_tooshort++; 922 return -1; 923 } 924 hbhlen = (hbh->ip6h_len + 1) << 3; 925 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 926 hbhlen); 927 if (hbh == NULL) { 928 ip6stat.ip6s_tooshort++; 929 return -1; 930 } 931 #endif 932 off += hbhlen; 933 hbhlen -= sizeof(struct ip6_hbh); 934 opt = (u_int8_t *)hbh + sizeof(struct ip6_hbh); 935 936 if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh), 937 hbhlen, rtalertp, plenp) < 0) 938 return(-1); 939 940 *offp = off; 941 *mp = m; 942 return(0); 943 } 944 945 /* 946 * Search header for all Hop-by-hop options and process each option. 947 * This function is separate from ip6_hopopts_input() in order to 948 * handle a case where the sending node itself process its hop-by-hop 949 * options header. In such a case, the function is called from ip6_output(). 950 * 951 * The function assumes that hbh header is located right after the IPv6 header 952 * (RFC2460 p7), opthead is pointer into data content in m, and opthead to 953 * opthead + hbhlen is located in continuous memory region. 954 */ 955 int 956 ip6_process_hopopts(m, opthead, hbhlen, rtalertp, plenp) 957 struct mbuf *m; 958 u_int8_t *opthead; 959 int hbhlen; 960 u_int32_t *rtalertp; 961 u_int32_t *plenp; 962 { 963 struct ip6_hdr *ip6; 964 int optlen = 0; 965 u_int8_t *opt = opthead; 966 u_int16_t rtalert_val; 967 u_int32_t jumboplen; 968 const int erroff = sizeof(struct ip6_hdr) + sizeof(struct ip6_hbh); 969 970 for (; hbhlen > 0; hbhlen -= optlen, opt += optlen) { 971 switch (*opt) { 972 case IP6OPT_PAD1: 973 optlen = 1; 974 break; 975 case IP6OPT_PADN: 976 if (hbhlen < IP6OPT_MINLEN) { 977 ip6stat.ip6s_toosmall++; 978 goto bad; 979 } 980 optlen = *(opt + 1) + 2; 981 break; 982 case IP6OPT_RTALERT: 983 /* XXX may need check for alignment */ 984 if (hbhlen < IP6OPT_RTALERT_LEN) { 985 ip6stat.ip6s_toosmall++; 986 goto bad; 987 } 988 if (*(opt + 1) != IP6OPT_RTALERT_LEN - 2) { 989 /* XXX stat */ 990 icmp6_error(m, ICMP6_PARAM_PROB, 991 ICMP6_PARAMPROB_HEADER, 992 erroff + opt + 1 - opthead); 993 return(-1); 994 } 995 optlen = IP6OPT_RTALERT_LEN; 996 bcopy((caddr_t)(opt + 2), (caddr_t)&rtalert_val, 2); 997 *rtalertp = ntohs(rtalert_val); 998 break; 999 case IP6OPT_JUMBO: 1000 /* XXX may need check for alignment */ 1001 if (hbhlen < IP6OPT_JUMBO_LEN) { 1002 ip6stat.ip6s_toosmall++; 1003 goto bad; 1004 } 1005 if (*(opt + 1) != IP6OPT_JUMBO_LEN - 2) { 1006 /* XXX stat */ 1007 icmp6_error(m, ICMP6_PARAM_PROB, 1008 ICMP6_PARAMPROB_HEADER, 1009 erroff + opt + 1 - opthead); 1010 return(-1); 1011 } 1012 optlen = IP6OPT_JUMBO_LEN; 1013 1014 /* 1015 * IPv6 packets that have non 0 payload length 1016 * must not contain a jumbo payload option. 1017 */ 1018 ip6 = mtod(m, struct ip6_hdr *); 1019 if (ip6->ip6_plen) { 1020 ip6stat.ip6s_badoptions++; 1021 icmp6_error(m, ICMP6_PARAM_PROB, 1022 ICMP6_PARAMPROB_HEADER, 1023 erroff + opt - opthead); 1024 return(-1); 1025 } 1026 1027 /* 1028 * We may see jumbolen in unaligned location, so 1029 * we'd need to perform bcopy(). 1030 */ 1031 bcopy(opt + 2, &jumboplen, sizeof(jumboplen)); 1032 jumboplen = (u_int32_t)htonl(jumboplen); 1033 1034 #if 1 1035 /* 1036 * if there are multiple jumbo payload options, 1037 * *plenp will be non-zero and the packet will be 1038 * rejected. 1039 * the behavior may need some debate in ipngwg - 1040 * multiple options does not make sense, however, 1041 * there's no explicit mention in specification. 1042 */ 1043 if (*plenp != 0) { 1044 ip6stat.ip6s_badoptions++; 1045 icmp6_error(m, ICMP6_PARAM_PROB, 1046 ICMP6_PARAMPROB_HEADER, 1047 erroff + opt + 2 - opthead); 1048 return(-1); 1049 } 1050 #endif 1051 1052 /* 1053 * jumbo payload length must be larger than 65535. 1054 */ 1055 if (jumboplen <= IPV6_MAXPACKET) { 1056 ip6stat.ip6s_badoptions++; 1057 icmp6_error(m, ICMP6_PARAM_PROB, 1058 ICMP6_PARAMPROB_HEADER, 1059 erroff + opt + 2 - opthead); 1060 return(-1); 1061 } 1062 *plenp = jumboplen; 1063 1064 break; 1065 default: /* unknown option */ 1066 if (hbhlen < IP6OPT_MINLEN) { 1067 ip6stat.ip6s_toosmall++; 1068 goto bad; 1069 } 1070 optlen = ip6_unknown_opt(opt, m, 1071 erroff + opt - opthead); 1072 if (optlen == -1) 1073 return(-1); 1074 optlen += 2; 1075 break; 1076 } 1077 } 1078 1079 return(0); 1080 1081 bad: 1082 m_freem(m); 1083 return(-1); 1084 } 1085 1086 /* 1087 * Unknown option processing. 1088 * The third argument `off' is the offset from the IPv6 header to the option, 1089 * which is necessary if the IPv6 header the and option header and IPv6 header 1090 * is not continuous in order to return an ICMPv6 error. 1091 */ 1092 int 1093 ip6_unknown_opt(optp, m, off) 1094 u_int8_t *optp; 1095 struct mbuf *m; 1096 int off; 1097 { 1098 struct ip6_hdr *ip6; 1099 1100 switch (IP6OPT_TYPE(*optp)) { 1101 case IP6OPT_TYPE_SKIP: /* ignore the option */ 1102 return((int)*(optp + 1)); 1103 case IP6OPT_TYPE_DISCARD: /* silently discard */ 1104 m_freem(m); 1105 return(-1); 1106 case IP6OPT_TYPE_FORCEICMP: /* send ICMP even if multicasted */ 1107 ip6stat.ip6s_badoptions++; 1108 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_OPTION, off); 1109 return(-1); 1110 case IP6OPT_TYPE_ICMP: /* send ICMP if not multicasted */ 1111 ip6stat.ip6s_badoptions++; 1112 ip6 = mtod(m, struct ip6_hdr *); 1113 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) || 1114 (m->m_flags & (M_BCAST|M_MCAST))) 1115 m_freem(m); 1116 else 1117 icmp6_error(m, ICMP6_PARAM_PROB, 1118 ICMP6_PARAMPROB_OPTION, off); 1119 return(-1); 1120 } 1121 1122 m_freem(m); /* XXX: NOTREACHED */ 1123 return(-1); 1124 } 1125 1126 /* 1127 * Create the "control" list for this pcb. 1128 * The function will not modify mbuf chain at all. 1129 * 1130 * with KAME mbuf chain restriction: 1131 * The routine will be called from upper layer handlers like tcp6_input(). 1132 * Thus the routine assumes that the caller (tcp6_input) have already 1133 * called IP6_EXTHDR_CHECK() and all the extension headers are located in the 1134 * very first mbuf on the mbuf chain. 1135 */ 1136 void 1137 ip6_savecontrol(in6p, mp, ip6, m) 1138 struct inpcb *in6p; 1139 struct mbuf **mp; 1140 struct ip6_hdr *ip6; 1141 struct mbuf *m; 1142 { 1143 #if __FreeBSD_version >= 500000 1144 struct thread *td = curthread; /* XXX */ 1145 #else 1146 struct proc *td = curproc; /* XXX */ 1147 #endif 1148 int privileged = 0; 1149 int rthdr_exist = 0; 1150 1151 1152 if (td && !suser(td)) 1153 privileged++; 1154 1155 #ifdef SO_TIMESTAMP 1156 if ((in6p->in6p_socket->so_options & SO_TIMESTAMP) != 0) { 1157 struct timeval tv; 1158 1159 microtime(&tv); 1160 *mp = sbcreatecontrol((caddr_t) &tv, sizeof(tv), 1161 SCM_TIMESTAMP, SOL_SOCKET); 1162 if (*mp) { 1163 mp = &(*mp)->m_next; 1164 } 1165 } 1166 #endif 1167 1168 /* RFC 2292 sec. 5 */ 1169 if ((in6p->in6p_flags & IN6P_PKTINFO) != 0) { 1170 struct in6_pktinfo pi6; 1171 bcopy(&ip6->ip6_dst, &pi6.ipi6_addr, sizeof(struct in6_addr)); 1172 if (IN6_IS_SCOPE_LINKLOCAL(&pi6.ipi6_addr)) 1173 pi6.ipi6_addr.s6_addr16[1] = 0; 1174 pi6.ipi6_ifindex = (m && m->m_pkthdr.rcvif) 1175 ? m->m_pkthdr.rcvif->if_index 1176 : 0; 1177 *mp = sbcreatecontrol((caddr_t) &pi6, 1178 sizeof(struct in6_pktinfo), IPV6_PKTINFO, 1179 IPPROTO_IPV6); 1180 if (*mp) 1181 mp = &(*mp)->m_next; 1182 } 1183 1184 if ((in6p->in6p_flags & IN6P_HOPLIMIT) != 0) { 1185 int hlim = ip6->ip6_hlim & 0xff; 1186 *mp = sbcreatecontrol((caddr_t) &hlim, 1187 sizeof(int), IPV6_HOPLIMIT, IPPROTO_IPV6); 1188 if (*mp) 1189 mp = &(*mp)->m_next; 1190 } 1191 1192 /* 1193 * IPV6_HOPOPTS socket option. We require super-user privilege 1194 * for the option, but it might be too strict, since there might 1195 * be some hop-by-hop options which can be returned to normal user. 1196 * See RFC 2292 section 6. 1197 */ 1198 if ((in6p->in6p_flags & IN6P_HOPOPTS) != 0 && privileged) { 1199 /* 1200 * Check if a hop-by-hop options header is contatined in the 1201 * received packet, and if so, store the options as ancillary 1202 * data. Note that a hop-by-hop options header must be 1203 * just after the IPv6 header, which fact is assured through 1204 * the IPv6 input processing. 1205 */ 1206 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1207 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 1208 struct ip6_hbh *hbh; 1209 int hbhlen = 0; 1210 #ifdef PULLDOWN_TEST 1211 struct mbuf *ext; 1212 #endif 1213 1214 #ifndef PULLDOWN_TEST 1215 hbh = (struct ip6_hbh *)(ip6 + 1); 1216 hbhlen = (hbh->ip6h_len + 1) << 3; 1217 #else 1218 ext = ip6_pullexthdr(m, sizeof(struct ip6_hdr), 1219 ip6->ip6_nxt); 1220 if (ext == NULL) { 1221 ip6stat.ip6s_tooshort++; 1222 return; 1223 } 1224 hbh = mtod(ext, struct ip6_hbh *); 1225 hbhlen = (hbh->ip6h_len + 1) << 3; 1226 if (hbhlen != ext->m_len) { 1227 m_freem(ext); 1228 ip6stat.ip6s_tooshort++; 1229 return; 1230 } 1231 #endif 1232 1233 /* 1234 * XXX: We copy whole the header even if a jumbo 1235 * payload option is included, which option is to 1236 * be removed before returning in the RFC 2292. 1237 * Note: this constraint is removed in 2292bis. 1238 */ 1239 *mp = sbcreatecontrol((caddr_t)hbh, hbhlen, 1240 IPV6_HOPOPTS, IPPROTO_IPV6); 1241 if (*mp) 1242 mp = &(*mp)->m_next; 1243 #ifdef PULLDOWN_TEST 1244 m_freem(ext); 1245 #endif 1246 } 1247 } 1248 1249 /* IPV6_DSTOPTS and IPV6_RTHDR socket options */ 1250 if ((in6p->in6p_flags & (IN6P_DSTOPTS | IN6P_RTHDRDSTOPTS)) != 0) { 1251 int proto, off, nxt; 1252 1253 /* 1254 * go through the header chain to see if a routing header is 1255 * contained in the packet. We need this information to store 1256 * destination options headers (if any) properly. 1257 * XXX: performance issue. We should record this info when 1258 * processing extension headers in incoming routine. 1259 * (todo) use m_aux? 1260 */ 1261 proto = IPPROTO_IPV6; 1262 off = 0; 1263 nxt = -1; 1264 while (1) { 1265 int newoff; 1266 1267 newoff = ip6_nexthdr(m, off, proto, &nxt); 1268 if (newoff < 0) 1269 break; 1270 if (newoff < off) /* invalid, check for safety */ 1271 break; 1272 if ((proto = nxt) == IPPROTO_ROUTING) { 1273 rthdr_exist = 1; 1274 break; 1275 } 1276 off = newoff; 1277 } 1278 } 1279 1280 if ((in6p->in6p_flags & 1281 (IN6P_RTHDR | IN6P_DSTOPTS | IN6P_RTHDRDSTOPTS)) != 0) { 1282 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1283 int nxt = ip6->ip6_nxt, off = sizeof(struct ip6_hdr); 1284 1285 /* 1286 * Search for destination options headers or routing 1287 * header(s) through the header chain, and stores each 1288 * header as ancillary data. 1289 * Note that the order of the headers remains in 1290 * the chain of ancillary data. 1291 */ 1292 while (1) { /* is explicit loop prevention necessary? */ 1293 struct ip6_ext *ip6e = NULL; 1294 int elen; 1295 #ifdef PULLDOWN_TEST 1296 struct mbuf *ext = NULL; 1297 #endif 1298 1299 /* 1300 * if it is not an extension header, don't try to 1301 * pull it from the chain. 1302 */ 1303 switch (nxt) { 1304 case IPPROTO_DSTOPTS: 1305 case IPPROTO_ROUTING: 1306 case IPPROTO_HOPOPTS: 1307 case IPPROTO_AH: /* is it possible? */ 1308 break; 1309 default: 1310 goto loopend; 1311 } 1312 1313 #ifndef PULLDOWN_TEST 1314 if (off + sizeof(*ip6e) > m->m_len) 1315 goto loopend; 1316 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + off); 1317 if (nxt == IPPROTO_AH) 1318 elen = (ip6e->ip6e_len + 2) << 2; 1319 else 1320 elen = (ip6e->ip6e_len + 1) << 3; 1321 if (off + elen > m->m_len) 1322 goto loopend; 1323 #else 1324 ext = ip6_pullexthdr(m, off, nxt); 1325 if (ext == NULL) { 1326 ip6stat.ip6s_tooshort++; 1327 return; 1328 } 1329 ip6e = mtod(ext, struct ip6_ext *); 1330 if (nxt == IPPROTO_AH) 1331 elen = (ip6e->ip6e_len + 2) << 2; 1332 else 1333 elen = (ip6e->ip6e_len + 1) << 3; 1334 if (elen != ext->m_len) { 1335 m_freem(ext); 1336 ip6stat.ip6s_tooshort++; 1337 return; 1338 } 1339 #endif 1340 1341 switch (nxt) { 1342 case IPPROTO_DSTOPTS: 1343 if ((in6p->in6p_flags & IN6P_DSTOPTS) == 0) 1344 break; 1345 1346 /* 1347 * We also require super-user privilege for 1348 * the option. 1349 * See the comments on IN6_HOPOPTS. 1350 */ 1351 if (!privileged) 1352 break; 1353 1354 *mp = sbcreatecontrol((caddr_t)ip6e, elen, 1355 IPV6_DSTOPTS, 1356 IPPROTO_IPV6); 1357 if (*mp) 1358 mp = &(*mp)->m_next; 1359 break; 1360 case IPPROTO_ROUTING: 1361 if (!in6p->in6p_flags & IN6P_RTHDR) 1362 break; 1363 1364 *mp = sbcreatecontrol((caddr_t)ip6e, elen, 1365 IPV6_RTHDR, 1366 IPPROTO_IPV6); 1367 if (*mp) 1368 mp = &(*mp)->m_next; 1369 break; 1370 case IPPROTO_HOPOPTS: 1371 case IPPROTO_AH: /* is it possible? */ 1372 break; 1373 1374 default: 1375 /* 1376 * other cases have been filtered in the above. 1377 * none will visit this case. here we supply 1378 * the code just in case (nxt overwritten or 1379 * other cases). 1380 */ 1381 #ifdef PULLDOWN_TEST 1382 m_freem(ext); 1383 #endif 1384 goto loopend; 1385 1386 } 1387 1388 /* proceed with the next header. */ 1389 off += elen; 1390 nxt = ip6e->ip6e_nxt; 1391 ip6e = NULL; 1392 #ifdef PULLDOWN_TEST 1393 m_freem(ext); 1394 ext = NULL; 1395 #endif 1396 } 1397 loopend: 1398 ; 1399 } 1400 1401 } 1402 1403 #ifdef PULLDOWN_TEST 1404 /* 1405 * pull single extension header from mbuf chain. returns single mbuf that 1406 * contains the result, or NULL on error. 1407 */ 1408 static struct mbuf * 1409 ip6_pullexthdr(m, off, nxt) 1410 struct mbuf *m; 1411 size_t off; 1412 int nxt; 1413 { 1414 struct ip6_ext ip6e; 1415 size_t elen; 1416 struct mbuf *n; 1417 1418 #ifdef DIAGNOSTIC 1419 switch (nxt) { 1420 case IPPROTO_DSTOPTS: 1421 case IPPROTO_ROUTING: 1422 case IPPROTO_HOPOPTS: 1423 case IPPROTO_AH: /* is it possible? */ 1424 break; 1425 default: 1426 printf("ip6_pullexthdr: invalid nxt=%d\n", nxt); 1427 } 1428 #endif 1429 1430 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1431 if (nxt == IPPROTO_AH) 1432 elen = (ip6e.ip6e_len + 2) << 2; 1433 else 1434 elen = (ip6e.ip6e_len + 1) << 3; 1435 1436 MGET(n, M_DONTWAIT, MT_DATA); 1437 if (n && elen >= MLEN) { 1438 MCLGET(n, M_DONTWAIT); 1439 if ((n->m_flags & M_EXT) == 0) { 1440 m_free(n); 1441 n = NULL; 1442 } 1443 } 1444 if (!n) 1445 return NULL; 1446 1447 n->m_len = 0; 1448 if (elen >= M_TRAILINGSPACE(n)) { 1449 m_free(n); 1450 return NULL; 1451 } 1452 1453 m_copydata(m, off, elen, mtod(n, caddr_t)); 1454 n->m_len = elen; 1455 return n; 1456 } 1457 #endif 1458 1459 /* 1460 * Get pointer to the previous header followed by the header 1461 * currently processed. 1462 * XXX: This function supposes that 1463 * M includes all headers, 1464 * the next header field and the header length field of each header 1465 * are valid, and 1466 * the sum of each header length equals to OFF. 1467 * Because of these assumptions, this function must be called very 1468 * carefully. Moreover, it will not be used in the near future when 1469 * we develop `neater' mechanism to process extension headers. 1470 */ 1471 char * 1472 ip6_get_prevhdr(m, off) 1473 struct mbuf *m; 1474 int off; 1475 { 1476 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1477 1478 if (off == sizeof(struct ip6_hdr)) 1479 return(&ip6->ip6_nxt); 1480 else { 1481 int len, nxt; 1482 struct ip6_ext *ip6e = NULL; 1483 1484 nxt = ip6->ip6_nxt; 1485 len = sizeof(struct ip6_hdr); 1486 while (len < off) { 1487 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + len); 1488 1489 switch (nxt) { 1490 case IPPROTO_FRAGMENT: 1491 len += sizeof(struct ip6_frag); 1492 break; 1493 case IPPROTO_AH: 1494 len += (ip6e->ip6e_len + 2) << 2; 1495 break; 1496 default: 1497 len += (ip6e->ip6e_len + 1) << 3; 1498 break; 1499 } 1500 nxt = ip6e->ip6e_nxt; 1501 } 1502 if (ip6e) 1503 return(&ip6e->ip6e_nxt); 1504 else 1505 return NULL; 1506 } 1507 } 1508 1509 /* 1510 * get next header offset. m will be retained. 1511 */ 1512 int 1513 ip6_nexthdr(m, off, proto, nxtp) 1514 struct mbuf *m; 1515 int off; 1516 int proto; 1517 int *nxtp; 1518 { 1519 struct ip6_hdr ip6; 1520 struct ip6_ext ip6e; 1521 struct ip6_frag fh; 1522 1523 /* just in case */ 1524 if (m == NULL) 1525 panic("ip6_nexthdr: m == NULL"); 1526 if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off) 1527 return -1; 1528 1529 switch (proto) { 1530 case IPPROTO_IPV6: 1531 if (m->m_pkthdr.len < off + sizeof(ip6)) 1532 return -1; 1533 m_copydata(m, off, sizeof(ip6), (caddr_t)&ip6); 1534 if (nxtp) 1535 *nxtp = ip6.ip6_nxt; 1536 off += sizeof(ip6); 1537 return off; 1538 1539 case IPPROTO_FRAGMENT: 1540 /* 1541 * terminate parsing if it is not the first fragment, 1542 * it does not make sense to parse through it. 1543 */ 1544 if (m->m_pkthdr.len < off + sizeof(fh)) 1545 return -1; 1546 m_copydata(m, off, sizeof(fh), (caddr_t)&fh); 1547 if ((ntohs(fh.ip6f_offlg) & IP6F_OFF_MASK) != 0) 1548 return -1; 1549 if (nxtp) 1550 *nxtp = fh.ip6f_nxt; 1551 off += sizeof(struct ip6_frag); 1552 return off; 1553 1554 case IPPROTO_AH: 1555 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1556 return -1; 1557 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1558 if (nxtp) 1559 *nxtp = ip6e.ip6e_nxt; 1560 off += (ip6e.ip6e_len + 2) << 2; 1561 return off; 1562 1563 case IPPROTO_HOPOPTS: 1564 case IPPROTO_ROUTING: 1565 case IPPROTO_DSTOPTS: 1566 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1567 return -1; 1568 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1569 if (nxtp) 1570 *nxtp = ip6e.ip6e_nxt; 1571 off += (ip6e.ip6e_len + 1) << 3; 1572 return off; 1573 1574 case IPPROTO_NONE: 1575 case IPPROTO_ESP: 1576 case IPPROTO_IPCOMP: 1577 /* give up */ 1578 return -1; 1579 1580 default: 1581 return -1; 1582 } 1583 1584 return -1; 1585 } 1586 1587 /* 1588 * get offset for the last header in the chain. m will be kept untainted. 1589 */ 1590 int 1591 ip6_lasthdr(m, off, proto, nxtp) 1592 struct mbuf *m; 1593 int off; 1594 int proto; 1595 int *nxtp; 1596 { 1597 int newoff; 1598 int nxt; 1599 1600 if (!nxtp) { 1601 nxt = -1; 1602 nxtp = &nxt; 1603 } 1604 while (1) { 1605 newoff = ip6_nexthdr(m, off, proto, nxtp); 1606 if (newoff < 0) 1607 return off; 1608 else if (newoff < off) 1609 return -1; /* invalid */ 1610 else if (newoff == off) 1611 return newoff; 1612 1613 off = newoff; 1614 proto = *nxtp; 1615 } 1616 } 1617 1618 struct ip6aux * 1619 ip6_addaux(m) 1620 struct mbuf *m; 1621 { 1622 struct m_tag *tag = m_tag_find(m, PACKET_TAG_IPV6_INPUT, NULL); 1623 if (!tag) { 1624 tag = m_tag_get(PACKET_TAG_IPV6_INPUT, 1625 sizeof (struct ip6aux), 1626 M_DONTWAIT); 1627 if (tag) 1628 m_tag_prepend(m, tag); 1629 } 1630 if (tag) 1631 bzero(tag+1, sizeof (struct ip6aux)); 1632 return tag ? (struct ip6aux*)(tag+1) : NULL; 1633 } 1634 1635 struct ip6aux * 1636 ip6_findaux(m) 1637 struct mbuf *m; 1638 { 1639 struct m_tag *tag = m_tag_find(m, PACKET_TAG_IPV6_INPUT, NULL); 1640 return tag ? (struct ip6aux*)(tag+1) : NULL; 1641 } 1642 1643 void 1644 ip6_delaux(m) 1645 struct mbuf *m; 1646 { 1647 struct m_tag *tag = m_tag_find(m, PACKET_TAG_IPV6_INPUT, NULL); 1648 if (tag) 1649 m_tag_delete(m, tag); 1650 } 1651 1652 /* 1653 * System control for IP6 1654 */ 1655 1656 u_char inet6ctlerrmap[PRC_NCMDS] = { 1657 0, 0, 0, 0, 1658 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH, 1659 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, 1660 EMSGSIZE, EHOSTUNREACH, 0, 0, 1661 0, 0, 0, 0, 1662 ENOPROTOOPT 1663 }; 1664