search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
IMPORT openssh-9.8p1
[dragonfly.git] / sys / netinet6 / ip6_input.c
blob18f682f6982fc5cb1d8195359a23d671d60732eb
1 /* $FreeBSD: src/sys/netinet6/ip6_input.c,v 1.11.2.15 2003/01/24 05:11:35 sam Exp $ */
2 /* $KAME: ip6_input.c,v 1.259 2002/01/21 04:58:09 jinmei Exp $ */
3
4 /*
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33 /*
34 * Copyright (c) 1982, 1986, 1988, 1993
35 * The Regents of the University of California. All rights reserved.
36 *
37 * Redistribution and use in source and binary forms, with or without
38 * modification, are permitted provided that the following conditions
39 * are met:
40 * 1. Redistributions of source code must retain the above copyright
41 * notice, this list of conditions and the following disclaimer.
42 * 2. Redistributions in binary form must reproduce the above copyright
43 * notice, this list of conditions and the following disclaimer in the
44 * documentation and/or other materials provided with the distribution.
45 * 3. Neither the name of the University nor the names of its contributors
46 * may be used to endorse or promote products derived from this software
47 * without specific prior written permission.
48 *
49 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
50 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
51 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
52 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
53 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
54 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
55 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
56 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
57 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
58 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
59 * SUCH DAMAGE.
60 *
61 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94
62 */
63
64 #include "opt_ip6fw.h"
65 #include "opt_inet.h"
66 #include "opt_inet6.h"
67
68 #include <sys/param.h>
69 #include <sys/systm.h>
70 #include <sys/malloc.h>
71 #include <sys/mbuf.h>
72 #include <sys/domain.h>
73 #include <sys/protosw.h>
74 #include <sys/socket.h>
75 #include <sys/socketvar.h>
76 #include <sys/errno.h>
77 #include <sys/time.h>
78 #include <sys/kernel.h>
79 #include <sys/syslog.h>
80 #include <sys/proc.h>
81 #include <sys/caps.h>
82
83 #include <net/if.h>
84 #include <net/if_types.h>
85 #include <net/if_dl.h>
86 #include <net/route.h>
87 #include <net/netisr.h>
88 #include <net/pfil.h>
89
90 #include <sys/msgport2.h>
91 #include <net/netmsg2.h>
92 #include <net/netisr2.h>
93
94 #include <netinet/in.h>
95 #include <netinet/in_systm.h>
96 #ifdef INET
97 #include <netinet/ip.h>
98 #include <netinet/ip_icmp.h>
99 #endif /* INET */
100 #include <netinet/ip6.h>
101 #include <netinet6/in6_var.h>
102 #include <netinet6/ip6_var.h>
103 #include <netinet/in_pcb.h>
104 #include <netinet/icmp6.h>
105 #include <netinet6/scope6_var.h>
106 #include <netinet6/in6_ifattach.h>
107 #include <netinet6/nd6.h>
108
109 #include <net/ip6fw/ip6_fw.h>
110
111 #include <netinet6/ip6protosw.h>
112
113 #include <net/net_osdep.h>
114
115 extern struct domain inet6domain;
116 extern struct protosw inet6sw[];
117
118 u_char ip6_protox[IPPROTO_MAX];
119 struct in6_ifaddr *in6_ifaddr;
120
121 int ip6_forward_srcrt; /* XXX */
122 int ip6_sourcecheck; /* XXX */
123 int ip6_sourcecheck_interval; /* XXX */
124
125 int ip6_ours_check_algorithm;
126
127 struct pfil_head inet6_pfil_hook;
128
129 /* firewall hooks */
130 ip6_fw_chk_t *ip6_fw_chk_ptr;
131 ip6_fw_ctl_t *ip6_fw_ctl_ptr;
132 int ip6_fw_enable = 1;
133
134 struct ip6stat ip6stat;
135
136 static void ip6_init2 (void *);
137 static struct ip6aux *ip6_setdstifaddr (struct mbuf *, struct in6_ifaddr *);
138 static int ip6_hopopts_input (u_int32_t *, u_int32_t *, struct mbuf **, int *);
139 static void ip6_input(netmsg_t msg);
140 #ifdef PULLDOWN_TEST
141 static struct mbuf *ip6_pullexthdr (struct mbuf *, size_t, int);
142 #endif
143 static void transport6_processing_handler(netmsg_t netmsg);
144
145 /*
146 * IP6 initialization: fill in IP6 protocol switch table.
147 * All protocols not implemented in kernel go to raw IP6 protocol handler.
148 */
149 void
150 ip6_init(void)
151 {
152 struct protosw *pr;
153 int i;
154 struct timeval tv;
155
156 pr = pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW);
157 if (pr == NULL)
158 panic("ip6_init");
159 for (i = 0; i < IPPROTO_MAX; i++)
160 ip6_protox[i] = pr - inet6sw;
161 for (pr = inet6domain.dom_protosw;
162 pr < inet6domain.dom_protoswNPROTOSW; pr++)
163 if (pr->pr_domain->dom_family == PF_INET6 &&
164 pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW)
165 ip6_protox[pr->pr_protocol] = pr - inet6sw;
166
167 inet6_pfil_hook.ph_type = PFIL_TYPE_AF;
168 inet6_pfil_hook.ph_af = AF_INET6;
169 if ((i = pfil_head_register(&inet6_pfil_hook)) != 0) {
170 kprintf("%s: WARNING: unable to register pfil hook, "
171 "error %d\n", __func__, i);
172 }
173
174 netisr_register(NETISR_IPV6, ip6_input, NULL); /* XXX hashfn */
175 scope6_init();
176 addrsel_policy_init();
177 nd6_init();
178 frag6_init();
179 /*
180 * in many cases, random() here does NOT return random number
181 * as initialization during bootstrap time occur in fixed order.
182 */
183 microtime(&tv);
184 ip6_flow_seq = krandom() ^ tv.tv_usec;
185 microtime(&tv);
186 ip6_desync_factor = (krandom() ^ tv.tv_usec) % MAX_TEMP_DESYNC_FACTOR;
187 }
188
189 static void
190 ip6_init2(void *dummy)
191 {
192 nd6_timer_init();
193 in6_tmpaddrtimer_init();
194 }
195
196 /* cheat */
197 /* This must be after route_init(), which is now SI_ORDER_THIRD */
198 SYSINIT(netinet6init2, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ip6_init2, NULL);
199
200 extern struct route_in6 ip6_forward_rt;
201
202 static void
203 ip6_input(netmsg_t msg)
204 {
205 struct mbuf *m = msg->packet.nm_packet;
206 struct ip6_hdr *ip6;
207 int off = sizeof(struct ip6_hdr), nest;
208 u_int32_t plen;
209 u_int32_t rtalert = ~0;
210 int nxt, ours = 0, rh_present = 0;
211 struct ifnet *deliverifp = NULL;
212 struct in6_addr odst;
213 int srcrt = 0;
214
215 /*
216 * make sure we don't have onion peering information into m_aux.
217 */
218 ip6_delaux(m);
219
220 /*
221 * mbuf statistics
222 */
223 if (m->m_flags & M_EXT) {
224 if (m->m_next)
225 ip6stat.ip6s_mext2m++;
226 else
227 ip6stat.ip6s_mext1++;
228 } else {
229 #define M2MMAX NELEM(ip6stat.ip6s_m2m)
230 if (m->m_next) {
231 if (m->m_flags & M_LOOP) {
232 ip6stat.ip6s_m2m[loif->if_index]++; /* XXX */
233 } else if (m->m_pkthdr.rcvif->if_index < M2MMAX)
234 ip6stat.ip6s_m2m[m->m_pkthdr.rcvif->if_index]++;
235 else
236 ip6stat.ip6s_m2m[0]++;
237 } else
238 ip6stat.ip6s_m1++;
239 #undef M2MMAX
240 }
241
242 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_receive);
243 ip6stat.ip6s_total++;
244
245 #ifndef PULLDOWN_TEST
246 /*
247 * L2 bridge code and some other code can return mbuf chain
248 * that does not conform to KAME requirement. too bad.
249 * XXX: fails to join if interface MTU > MCLBYTES. jumbogram?
250 */
251 if (m && m->m_next != NULL && m->m_pkthdr.len < MCLBYTES) {
252 struct mbuf *n;
253
254 n = m_getb(m->m_pkthdr.len, M_NOWAIT, MT_DATA, M_PKTHDR);
255 if (n == NULL)
256 goto bad;
257 M_MOVE_PKTHDR(n, m);
258
259 m_copydata(m, 0, n->m_pkthdr.len, mtod(n, void *));
260 n->m_len = n->m_pkthdr.len;
261 m_freem(m);
262 m = n;
263 }
264 IP6_EXTHDR_CHECK_VOIDRET(m, 0, sizeof(struct ip6_hdr));
265 #endif
266
267 if (m->m_len < sizeof(struct ip6_hdr)) {
268 struct ifnet *inifp;
269 inifp = m->m_pkthdr.rcvif;
270 if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
271 ip6stat.ip6s_toosmall++;
272 in6_ifstat_inc(inifp, ifs6_in_hdrerr);
273 goto bad2;
274 }
275 }
276
277 ip6 = mtod(m, struct ip6_hdr *);
278
279 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) {
280 ip6stat.ip6s_badvers++;
281 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
282 goto bad;
283 }
284
285 /*
286 * Run through list of hooks for input packets.
287 *
288 * NB: Beware of the destination address changing
289 * (e.g. by NAT rewriting). When this happens,
290 * tell ip6_forward to do the right thing.
291 */
292 if (pfil_has_hooks(&inet6_pfil_hook)) {
293 odst = ip6->ip6_dst;
294 if (pfil_run_hooks(&inet6_pfil_hook, &m,
295 m->m_pkthdr.rcvif, PFIL_IN)) {
296 goto bad2;
297 }
298 if (m == NULL) /* consumed by filter */
299 goto bad2;
300 ip6 = mtod(m, struct ip6_hdr *);
301 srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst);
302 }
303
304 ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
305
306 #ifdef ALTQ
307 if (altq_input != NULL && (*altq_input)(m, AF_INET6) == 0) {
308 /* packet is dropped by traffic conditioner */
309 return;
310 }
311 #endif
312
313 /*
314 * Check with the firewall...
315 */
316 if (ip6_fw_enable && ip6_fw_chk_ptr) {
317 u_short port = 0;
318 /* If ipfw says divert, we have to just drop packet */
319 /* use port as a dummy argument */
320 if ((*ip6_fw_chk_ptr)(&ip6, NULL, &port, &m)) {
321 m_freem(m);
322 m = NULL;
323 }
324 if (!m)
325 goto bad2;
326 }
327
328 /*
329 * Check against address spoofing/corruption.
330 */
331 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) ||
332 IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) {
333 /*
334 * XXX: "badscope" is not very suitable for a multicast source.
335 */
336 ip6stat.ip6s_badscope++;
337 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
338 goto bad;
339 }
340 if ((IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) ||
341 IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) &&
342 (m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
343 ip6stat.ip6s_badscope++;
344 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
345 goto bad;
346 }
347
348 /*
349 * The following check is not documented in specs. A malicious
350 * party may be able to use IPv4 mapped addr to confuse tcp/udp stack
351 * and bypass security checks (act as if it was from 127.0.0.1 by using
352 * IPv6 src ::ffff:127.0.0.1). Be cautious.
353 *
354 * This check chokes if we are in an SIIT cloud. As none of BSDs
355 * support IPv4-less kernel compilation, we cannot support SIIT
356 * environment at all. So, it makes more sense for us to reject any
357 * malicious packets for non-SIIT environment, than try to do a
358 * partial support for SIIT environment.
359 */
360 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
361 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
362 ip6stat.ip6s_badscope++;
363 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
364 goto bad;
365 }
366 #if 0
367 /*
368 * Reject packets with IPv4 compatible addresses (auto tunnel).
369 *
370 * The code forbids auto tunnel relay case in RFC1933 (the check is
371 * stronger than RFC1933). We may want to re-enable it if mech-xx
372 * is revised to forbid relaying case.
373 */
374 if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) ||
375 IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) {
376 ip6stat.ip6s_badscope++;
377 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
378 goto bad;
379 }
380 #endif
381
382 /* drop packets if interface ID portion is already filled */
383 if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
384 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src) &&
385 ip6->ip6_src.s6_addr16[1]) {
386 ip6stat.ip6s_badscope++;
387 goto bad;
388 }
389 if ((IN6_IS_ADDR_MC_INTFACELOCAL(&ip6->ip6_dst) ||
390 IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) &&
391 ip6->ip6_dst.s6_addr16[1]) {
392 ip6stat.ip6s_badscope++;
393 goto bad;
394 }
395 }
396
397 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src))
398 ip6->ip6_src.s6_addr16[1]
399 = htons(m->m_pkthdr.rcvif->if_index);
400 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))
401 ip6->ip6_dst.s6_addr16[1]
402 = htons(m->m_pkthdr.rcvif->if_index);
403
404 /*
405 * Multicast check
406 *
407 * WARNING! For general subnet proxying the interface hw will
408 * likely filter out the multicast solicitations, so
409 * the interface must be in promiscuous mode.
410 */
411 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
412 ours = 1;
413 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_mcast);
414 deliverifp = m->m_pkthdr.rcvif;
415 goto hbhcheck;
416 }
417
418 /*
419 * Unicast check
420 */
421 if (ip6_forward_rt.ro_rt != NULL &&
422 (ip6_forward_rt.ro_rt->rt_flags & RTF_UP) &&
423 IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst,
424 &((struct sockaddr_in6 *)(&ip6_forward_rt.ro_dst))->sin6_addr)) {
425 ip6stat.ip6s_forward_cachehit++;
426 } else {
427 struct sockaddr_in6 *dst6;
428
429 if (ip6_forward_rt.ro_rt) {
430 /* route is down or destination is different */
431 ip6stat.ip6s_forward_cachemiss++;
432 RTFREE(ip6_forward_rt.ro_rt);
433 ip6_forward_rt.ro_rt = 0;
434 }
435
436 bzero(&ip6_forward_rt.ro_dst, sizeof(struct sockaddr_in6));
437 dst6 = &ip6_forward_rt.ro_dst;
438 dst6->sin6_len = sizeof(struct sockaddr_in6);
439 dst6->sin6_family = AF_INET6;
440 dst6->sin6_addr = ip6->ip6_dst;
441
442 rtalloc_ign((struct route *)&ip6_forward_rt, RTF_PRCLONING);
443 }
444
445 #define rt6_key(r) ((struct sockaddr_in6 *)((r)->rt_nodes->rn_key))
446
447 /*
448 * Accept the packet if the forwarding interface to the destination
449 * according to the routing table is the loopback interface,
450 * unless the associated route has a gateway.
451 * Note that this approach causes to accept a packet if there is a
452 * route to the loopback interface for the destination of the packet.
453 * But we think it's even useful in some situations, e.g. when using
454 * a special daemon which wants to intercept the packet.
455 *
456 * XXX: some OSes automatically make a cloned route for the destination
457 * of an outgoing packet. If the outgoing interface of the packet
458 * is a loopback one, the kernel would consider the packet to be
459 * accepted, even if we have no such address assinged on the interface.
460 * We check the cloned flag of the route entry to reject such cases,
461 * assuming that route entries for our own addresses are not made by
462 * cloning (it should be true because in6_addloop explicitly installs
463 * the host route). However, we might have to do an explicit check
464 * while it would be less efficient. Or, should we rather install a
465 * reject route for such a case?
466 */
467 if (ip6_forward_rt.ro_rt &&
468 (ip6_forward_rt.ro_rt->rt_flags &
469 (RTF_HOST|RTF_GATEWAY)) == RTF_HOST &&
470 #ifdef RTF_WASCLONED
471 !(ip6_forward_rt.ro_rt->rt_flags & RTF_WASCLONED) &&
472 #endif
473 #ifdef RTF_CLONED
474 !(ip6_forward_rt.ro_rt->rt_flags & RTF_CLONED) &&
475 #endif
476 #if 0
477 /*
478 * The check below is redundant since the comparison of
479 * the destination and the key of the rtentry has
480 * already done through looking up the routing table.
481 */
482 IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst,
483 &rt6_key(ip6_forward_rt.ro_rt)->sin6_addr)
484 #endif
485 ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_LOOP) {
486 struct in6_ifaddr *ia6 =
487 (struct in6_ifaddr *)ip6_forward_rt.ro_rt->rt_ifa;
488
489 /*
490 * record address information into m_aux.
491 */
492 ip6_setdstifaddr(m, ia6);
493
494 /*
495 * packets to a tentative, duplicated, or somehow invalid
496 * address must not be accepted.
497 */
498 if (!(ia6->ia6_flags & IN6_IFF_NOTREADY)) {
499 /* this address is ready */
500 ours = 1;
501 deliverifp = ia6->ia_ifp; /* correct? */
502 /* Count the packet in the ip address stats */
503 IFA_STAT_INC(&ia6->ia_ifa, ipackets, 1);
504 IFA_STAT_INC(&ia6->ia_ifa, ibytes, m->m_pkthdr.len);
505 goto hbhcheck;
506 } else {
507 /* address is not ready, so discard the packet. */
508 nd6log((LOG_INFO,
509 "ip6_input: packet to an unready address %s->%s\n",
510 ip6_sprintf(&ip6->ip6_src),
511 ip6_sprintf(&ip6->ip6_dst)));
512
513 goto bad;
514 }
515 }
516
517 /*
518 * Now there is no reason to process the packet if it's not our own
519 * and we're not a router.
520 */
521 if (!ip6_forwarding) {
522 ip6stat.ip6s_cantforward++;
523 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
524 goto bad;
525 }
526
527 hbhcheck:
528 /*
529 * record address information into m_aux, if we don't have one yet.
530 * note that we are unable to record it, if the address is not listed
531 * as our interface address (e.g. multicast addresses and such).
532 */
533 if (deliverifp && !ip6_getdstifaddr(m)) {
534 struct in6_ifaddr *ia6;
535
536 ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst);
537 if (ia6) {
538 if (!ip6_setdstifaddr(m, ia6)) {
539 /*
540 * XXX maybe we should drop the packet here,
541 * as we could not provide enough information
542 * to the upper layers.
543 */
544 }
545 }
546 }
547
548 /*
549 * Process Hop-by-Hop options header if it's contained.
550 * m may be modified in ip6_hopopts_input(), catch this via mp
551 * If a JumboPayload option is included, plen will also be modified.
552 */
553 plen = (u_int32_t)ntohs(ip6->ip6_plen);
554 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) {
555 struct ip6_hbh *hbh;
556 struct mbuf **mp = &m;
557
558 if (ip6_hopopts_input(&plen, &rtalert, mp, &off)) {
559 #if 0 /*touches NULL pointer*/
560 in6_ifstat_inc((*mp)->m_pkthdr.rcvif, ifs6_in_discard);
561 #endif
562 goto bad2; /* m have already been freed */
563 }
564
565 /* adjust pointer */
566 m = *mp;
567 ip6 = mtod(m, struct ip6_hdr *);
568
569 /*
570 * if the payload length field is 0 and the next header field
571 * indicates Hop-by-Hop Options header, then a Jumbo Payload
572 * option MUST be included.
573 */
574 if (ip6->ip6_plen == 0 && plen == 0) {
575 /*
576 * Note that if a valid jumbo payload option is
577 * contained, ip6_hoptops_input() must set a valid
578 * (non-zero) payload length to the variable plen.
579 */
580 ip6stat.ip6s_badoptions++;
581 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
582 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
583 icmp6_error(m, ICMP6_PARAM_PROB,
584 ICMP6_PARAMPROB_HEADER,
585 (caddr_t)&ip6->ip6_plen - (caddr_t)ip6);
586 goto bad2;
587 }
588 #ifndef PULLDOWN_TEST
589 /* ip6_hopopts_input() ensures that mbuf is contiguous */
590 hbh = (struct ip6_hbh *)(ip6 + 1);
591 #else
592 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr),
593 sizeof(struct ip6_hbh));
594 if (hbh == NULL) {
595 ip6stat.ip6s_tooshort++;
596 goto bad2;
597 }
598 #endif
599 nxt = hbh->ip6h_nxt;
600
601 /*
602 * If we are acting as a router and the packet contains a
603 * router alert option, see if we know the option value.
604 * Currently, we only support the option value for MLD, in which
605 * case we should pass the packet to the multicast routing
606 * daemon.
607 */
608 if (rtalert != ~0 && ip6_forwarding) {
609 switch (rtalert) {
610 case IP6OPT_RTALERT_MLD:
611 ours = 1;
612 break;
613 default:
614 /*
615 * RFC2711 requires unrecognized values must be
616 * silently ignored.
617 */
618 break;
619 }
620 }
621 } else
622 nxt = ip6->ip6_nxt;
623
624 /*
625 * Check that the amount of data in the buffers
626 * is as at least much as the IPv6 header would have us expect.
627 * Trim mbufs if longer than we expect.
628 * Drop packet if shorter than we expect.
629 */
630 if (m->m_pkthdr.len - sizeof(struct ip6_hdr) < plen) {
631 ip6stat.ip6s_tooshort++;
632 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
633 goto bad;
634 }
635 if (m->m_pkthdr.len > sizeof(struct ip6_hdr) + plen) {
636 if (m->m_len == m->m_pkthdr.len) {
637 m->m_len = sizeof(struct ip6_hdr) + plen;
638 m->m_pkthdr.len = sizeof(struct ip6_hdr) + plen;
639 } else
640 m_adj(m, sizeof(struct ip6_hdr) + plen - m->m_pkthdr.len);
641 }
642
643 /*
644 * Forward if desirable.
645 */
646 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
647 /*
648 * If we are acting as a multicast router, all
649 * incoming multicast packets are passed to the
650 * kernel-level multicast forwarding function.
651 * The packet is returned (relatively) intact; if
652 * ip6_mforward() returns a non-zero value, the packet
653 * must be discarded, else it may be accepted below.
654 */
655 if (ip6_mrouter && ip6_mforward(ip6, m->m_pkthdr.rcvif, m)) {
656 ip6stat.ip6s_cantforward++;
657 goto bad;
658 }
659 if (!ours)
660 goto bad;
661 } else if (!ours) {
662 ip6_forward(m, srcrt);
663 goto bad2;
664 }
665
666 ip6 = mtod(m, struct ip6_hdr *);
667
668 /*
669 * Malicious party may be able to use IPv4 mapped addr to confuse
670 * tcp/udp stack and bypass security checks (act as if it was from
671 * 127.0.0.1 by using IPv6 src ::ffff:127.0.0.1). Be cautious.
672 *
673 * For SIIT end node behavior, you may want to disable the check.
674 * However, you will become vulnerable to attacks using IPv4 mapped
675 * source.
676 */
677 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
678 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
679 ip6stat.ip6s_badscope++;
680 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
681 goto bad;
682 }
683
684 /*
685 * Tell launch routine the next header
686 */
687 ip6stat.ip6s_delivered++;
688 in6_ifstat_inc(deliverifp, ifs6_in_deliver);
689 nest = 0;
690
691 rh_present = 0;
692 while (nxt != IPPROTO_DONE) {
693 struct protosw *sw6;
694
695 if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) {
696 ip6stat.ip6s_toomanyhdr++;
697 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
698 goto bad;
699 }
700
701 /*
702 * protection against faulty packet - there should be
703 * more sanity checks in header chain processing.
704 */
705 if (m->m_pkthdr.len < off) {
706 ip6stat.ip6s_tooshort++;
707 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
708 goto bad;
709 }
710
711 #if 0
712 /*
713 * do we need to do it for every header? yeah, other
714 * functions can play with it (like re-allocate and copy).
715 */
716 mhist = ip6_addaux(m);
717 if (mhist && M_TRAILINGSPACE(mhist) >= sizeof(nxt)) {
718 hist = mtod(mhist, caddr_t) + mhist->m_len;
719 bcopy(&nxt, hist, sizeof(nxt));
720 mhist->m_len += sizeof(nxt);
721 } else {
722 ip6stat.ip6s_toomanyhdr++;
723 goto bad;
724 }
725 #endif
726
727 if (nxt == IPPROTO_ROUTING) {
728 if (rh_present++) {
729 in6_ifstat_inc(m->m_pkthdr.rcvif,
730 ifs6_in_hdrerr);
731 ip6stat.ip6s_badoptions++;
732 goto bad;
733 }
734 }
735
736 sw6 = &inet6sw[ip6_protox[nxt]];
737 /*
738 * If this is a terminal header forward to the port, otherwise
739 * process synchronously for more headers.
740 */
741 if (sw6->pr_flags & PR_LASTHDR) {
742 struct netmsg_packet *pmsg;
743 lwkt_port_t port;
744
745 port = netisr_cpuport(0); /* XXX */
746 if ((m->m_flags & M_HASH) == 0)
747 m_sethash(m, 0); /* XXX */
748
749 KKASSERT(port != NULL);
750 pmsg = &m->m_hdr.mh_netmsg;
751 netmsg_init(&pmsg->base, NULL,
752 &netisr_apanic_rport,
753 0, transport6_processing_handler);
754 pmsg->nm_packet = m;
755 pmsg->nm_nxt = nxt;
756 pmsg->base.lmsg.u.ms_result = off;
757 lwkt_sendmsg(port, &pmsg->base.lmsg);
758 /* done with m */
759 nxt = IPPROTO_DONE;
760 } else {
761 nxt = sw6->pr_input(&m, &off, nxt);
762 }
763 }
764 goto bad2;
765 bad:
766 m_freem(m);
767 bad2:
768 ;
769 /* msg was embedded in the mbuf, do not reply! */
770 }
771
772 /*
773 * We have to call the pr_input() function from the correct protocol
774 * thread. The sw6->pr_soport() request at the end of ip6_input()
775 * returns the port and we forward a netmsg to the port to execute
776 * this function.
777 */
778 static void
779 transport6_processing_handler(netmsg_t netmsg)
780 {
781 struct netmsg_packet *pmsg = (struct netmsg_packet *)netmsg;
782 struct protosw *sw6;
783 int hlen;
784 int nxt;
785
786 sw6 = &inet6sw[ip6_protox[pmsg->nm_nxt]];
787 hlen = pmsg->base.lmsg.u.ms_result;
788
789 nxt = sw6->pr_input(&pmsg->nm_packet, &hlen, pmsg->nm_nxt);
790 KKASSERT(nxt == IPPROTO_DONE);
791 /* netmsg was embedded in the mbuf, do not reply! */
792 }
793
794 /*
795 * set/grab in6_ifaddr correspond to IPv6 destination address.
796 * XXX backward compatibility wrapper
797 */
798 static struct ip6aux *
799 ip6_setdstifaddr(struct mbuf *m, struct in6_ifaddr *ia6)
800 {
801 struct ip6aux *n;
802
803 n = ip6_addaux(m);
804 if (n)
805 n->ip6a_dstia6 = ia6;
806 return n; /* NULL if failed to set */
807 }
808
809 struct in6_ifaddr *
810 ip6_getdstifaddr(struct mbuf *m)
811 {
812 struct ip6aux *n;
813
814 n = ip6_findaux(m);
815 if (n)
816 return n->ip6a_dstia6;
817 else
818 return NULL;
819 }
820
821 /*
822 * Hop-by-Hop options header processing. If a valid jumbo payload option is
823 * included, the real payload length will be stored in plenp.
824 */
825 static int
826 ip6_hopopts_input(u_int32_t *plenp,
827 u_int32_t *rtalertp,/* XXX: should be stored more smart way */
828 struct mbuf **mp,
829 int *offp)
830 {
831 struct mbuf *m = *mp;
832 int off = *offp, hbhlen;
833 struct ip6_hbh *hbh;
834
835 /* validation of the length of the header */
836 #ifndef PULLDOWN_TEST
837 IP6_EXTHDR_CHECK(m, off, sizeof(*hbh), -1);
838 hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off);
839 hbhlen = (hbh->ip6h_len + 1) << 3;
840
841 IP6_EXTHDR_CHECK(m, off, hbhlen, -1);
842 hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off);
843 #else
844 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m,
845 sizeof(struct ip6_hdr), sizeof(struct ip6_hbh));
846 if (hbh == NULL) {
847 ip6stat.ip6s_tooshort++;
848 return -1;
849 }
850 hbhlen = (hbh->ip6h_len + 1) << 3;
851 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr),
852 hbhlen);
853 if (hbh == NULL) {
854 ip6stat.ip6s_tooshort++;
855 return -1;
856 }
857 #endif
858 off += hbhlen;
859 hbhlen -= sizeof(struct ip6_hbh);
860
861 if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh),
862 hbhlen, rtalertp, plenp) < 0)
863 return (-1);
864
865 *offp = off;
866 *mp = m;
867 return (0);
868 }
869
870 /*
871 * Search header for all Hop-by-hop options and process each option.
872 * This function is separate from ip6_hopopts_input() in order to
873 * handle a case where the sending node itself process its hop-by-hop
874 * options header. In such a case, the function is called from ip6_output().
875 *
876 * The function assumes that hbh header is located right after the IPv6 header
877 * (RFC2460 p7), opthead is pointer into data content in m, and opthead to
878 * opthead + hbhlen is located in continuous memory region.
879 */
880 int
881 ip6_process_hopopts(struct mbuf *m, u_int8_t *opthead, int hbhlen,
882 u_int32_t *rtalertp, u_int32_t *plenp)
883 {
884 struct ip6_hdr *ip6;
885 int optlen = 0;
886 u_int8_t *opt = opthead;
887 u_int16_t rtalert_val;
888 u_int32_t jumboplen;
889 const int erroff = sizeof(struct ip6_hdr) + sizeof(struct ip6_hbh);
890
891 for (; hbhlen > 0; hbhlen -= optlen, opt += optlen) {
892 switch (*opt) {
893 case IP6OPT_PAD1:
894 optlen = 1;
895 break;
896 case IP6OPT_PADN:
897 if (hbhlen < IP6OPT_MINLEN) {
898 ip6stat.ip6s_toosmall++;
899 goto bad;
900 }
901 optlen = *(opt + 1) + 2;
902 break;
903 case IP6OPT_RTALERT:
904 /* XXX may need check for alignment */
905 if (hbhlen < IP6OPT_RTALERT_LEN) {
906 ip6stat.ip6s_toosmall++;
907 goto bad;
908 }
909 if (*(opt + 1) != IP6OPT_RTALERT_LEN - 2) {
910 /* XXX stat */
911 icmp6_error(m, ICMP6_PARAM_PROB,
912 ICMP6_PARAMPROB_HEADER,
913 erroff + opt + 1 - opthead);
914 return (-1);
915 }
916 optlen = IP6OPT_RTALERT_LEN;
917 bcopy((caddr_t)(opt + 2), (caddr_t)&rtalert_val, 2);
918 *rtalertp = ntohs(rtalert_val);
919 break;
920 case IP6OPT_JUMBO:
921 /* XXX may need check for alignment */
922 if (hbhlen < IP6OPT_JUMBO_LEN) {
923 ip6stat.ip6s_toosmall++;
924 goto bad;
925 }
926 if (*(opt + 1) != IP6OPT_JUMBO_LEN - 2) {
927 /* XXX stat */
928 icmp6_error(m, ICMP6_PARAM_PROB,
929 ICMP6_PARAMPROB_HEADER,
930 erroff + opt + 1 - opthead);
931 return (-1);
932 }
933 optlen = IP6OPT_JUMBO_LEN;
934
935 /*
936 * IPv6 packets that have non 0 payload length
937 * must not contain a jumbo payload option.
938 */
939 ip6 = mtod(m, struct ip6_hdr *);
940 if (ip6->ip6_plen) {
941 ip6stat.ip6s_badoptions++;
942 icmp6_error(m, ICMP6_PARAM_PROB,
943 ICMP6_PARAMPROB_HEADER,
944 erroff + opt - opthead);
945 return (-1);
946 }
947
948 /*
949 * We may see jumbolen in unaligned location, so
950 * we'd need to perform bcopy().
951 */
952 bcopy(opt + 2, &jumboplen, sizeof(jumboplen));
953 jumboplen = (u_int32_t)htonl(jumboplen);
954
955 #if 1
956 /*
957 * if there are multiple jumbo payload options,
958 * *plenp will be non-zero and the packet will be
959 * rejected.
960 * the behavior may need some debate in ipngwg -
961 * multiple options does not make sense, however,
962 * there's no explicit mention in specification.
963 */
964 if (*plenp != 0) {
965 ip6stat.ip6s_badoptions++;
966 icmp6_error(m, ICMP6_PARAM_PROB,
967 ICMP6_PARAMPROB_HEADER,
968 erroff + opt + 2 - opthead);
969 return (-1);
970 }
971 #endif
972
973 /*
974 * jumbo payload length must be larger than 65535.
975 */
976 if (jumboplen <= IPV6_MAXPACKET) {
977 ip6stat.ip6s_badoptions++;
978 icmp6_error(m, ICMP6_PARAM_PROB,
979 ICMP6_PARAMPROB_HEADER,
980 erroff + opt + 2 - opthead);
981 return (-1);
982 }
983 *plenp = jumboplen;
984
985 break;
986 default: /* unknown option */
987 if (hbhlen < IP6OPT_MINLEN) {
988 ip6stat.ip6s_toosmall++;
989 goto bad;
990 }
991 optlen = ip6_unknown_opt(opt, m,
992 erroff + opt - opthead);
993 if (optlen == -1)
994 return (-1);
995 optlen += 2;
996 break;
997 }
998 }
999
1000 return (0);
1001
1002 bad:
1003 m_freem(m);
1004 return (-1);
1005 }
1006
1007 /*
1008 * Unknown option processing.
1009 * The third argument `off' is the offset from the IPv6 header to the option,
1010 * which is necessary if the IPv6 header the and option header and IPv6 header
1011 * is not continuous in order to return an ICMPv6 error.
1012 */
1013 int
1014 ip6_unknown_opt(u_int8_t *optp, struct mbuf *m, int off)
1015 {
1016 struct ip6_hdr *ip6;
1017
1018 switch (IP6OPT_TYPE(*optp)) {
1019 case IP6OPT_TYPE_SKIP: /* ignore the option */
1020 return ((int)*(optp + 1));
1021 case IP6OPT_TYPE_DISCARD: /* silently discard */
1022 m_freem(m);
1023 return (-1);
1024 case IP6OPT_TYPE_FORCEICMP: /* send ICMP even if multicasted */
1025 ip6stat.ip6s_badoptions++;
1026 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_OPTION, off);
1027 return (-1);
1028 case IP6OPT_TYPE_ICMP: /* send ICMP if not multicasted */
1029 ip6stat.ip6s_badoptions++;
1030 ip6 = mtod(m, struct ip6_hdr *);
1031 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
1032 (m->m_flags & (M_BCAST|M_MCAST)))
1033 m_freem(m);
1034 else
1035 icmp6_error(m, ICMP6_PARAM_PROB,
1036 ICMP6_PARAMPROB_OPTION, off);
1037 return (-1);
1038 }
1039
1040 m_freem(m); /* XXX: NOTREACHED */
1041 return (-1);
1042 }
1043
1044 /*
1045 * Create the "control" list for this pcb.
1046 * The function will not modify mbuf chain at all.
1047 *
1048 * with KAME mbuf chain restriction:
1049 * The routine will be called from upper layer handlers like tcp6_input().
1050 * Thus the routine assumes that the caller (tcp6_input) have already
1051 * called IP6_EXTHDR_CHECK() and all the extension headers are located in the
1052 * very first mbuf on the mbuf chain.
1053 */
1054 void
1055 ip6_savecontrol(struct inpcb *in6p, struct mbuf **mp, struct ip6_hdr *ip6,
1056 struct mbuf *m)
1057 {
1058 #define IS2292(x, y) ((in6p->in6p_flags & IN6P_RFC2292) ? (x) : (y))
1059 struct thread *td = curthread; /* XXX */
1060 int privileged = 0;
1061
1062
1063 if (caps_priv_check_td(td, SYSCAP_RESTRICTEDROOT) == 0)
1064 privileged++;
1065
1066 #ifdef SO_TIMESTAMP
1067 if (in6p->in6p_socket->so_options & SO_TIMESTAMP) {
1068 struct timeval tv;
1069
1070 microtime(&tv);
1071 *mp = sbcreatecontrol(&tv, sizeof(tv),
1072 SCM_TIMESTAMP, SOL_SOCKET);
1073 if (*mp) {
1074 mp = &(*mp)->m_next;
1075 }
1076 }
1077 #endif
1078
1079 /* RFC 2292 sec. 5 */
1080 if (in6p->in6p_flags & IN6P_PKTINFO) {
1081 struct in6_pktinfo pi6;
1082
1083 bcopy(&ip6->ip6_dst, &pi6.ipi6_addr, sizeof(struct in6_addr));
1084 in6_clearscope(&pi6.ipi6_addr); /* XXX */
1085 pi6.ipi6_ifindex = (m && m->m_pkthdr.rcvif) ?
1086 m->m_pkthdr.rcvif->if_index : 0;
1087 *mp = sbcreatecontrol(&pi6, sizeof(struct in6_pktinfo),
1088 IS2292(IPV6_2292PKTINFO, IPV6_PKTINFO), IPPROTO_IPV6);
1089 if (*mp)
1090 mp = &(*mp)->m_next;
1091 }
1092
1093 if (in6p->in6p_flags & IN6P_HOPLIMIT) {
1094 int hlim = ip6->ip6_hlim & 0xff;
1095
1096 *mp = sbcreatecontrol(&hlim, sizeof(int),
1097 IS2292(IPV6_2292HOPLIMIT, IPV6_HOPLIMIT), IPPROTO_IPV6);
1098 if (*mp)
1099 mp = &(*mp)->m_next;
1100 }
1101
1102 if ((in6p->in6p_flags & IN6P_TCLASS) != 0) {
1103 u_int32_t flowinfo;
1104 int tclass;
1105
1106 flowinfo = (u_int32_t)ntohl(ip6->ip6_flow & IPV6_FLOWINFO_MASK);
1107 flowinfo >>= 20;
1108
1109 tclass = flowinfo & 0xff;
1110 *mp = sbcreatecontrol(&tclass, sizeof(tclass),
1111 IPV6_TCLASS, IPPROTO_IPV6);
1112 if (*mp)
1113 mp = &(*mp)->m_next;
1114 }
1115
1116 /*
1117 * IPV6_HOPOPTS socket option. We require super-user privilege
1118 * for the option, but it might be too strict, since there might
1119 * be some hop-by-hop options which can be returned to normal user.
1120 * See RFC 2292 section 6.
1121 */
1122 if ((in6p->in6p_flags & IN6P_HOPOPTS) && privileged) {
1123 /*
1124 * Check if a hop-by-hop options header is contatined in the
1125 * received packet, and if so, store the options as ancillary
1126 * data. Note that a hop-by-hop options header must be
1127 * just after the IPv6 header, which is assured through the
1128 * IPv6 input processing.
1129 */
1130 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
1131 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) {
1132 struct ip6_hbh *hbh;
1133 int hbhlen = 0;
1134 #ifdef PULLDOWN_TEST
1135 struct mbuf *ext;
1136 #endif
1137
1138 #ifndef PULLDOWN_TEST
1139 hbh = (struct ip6_hbh *)(ip6 + 1);
1140 hbhlen = (hbh->ip6h_len + 1) << 3;
1141 #else
1142 ext = ip6_pullexthdr(m, sizeof(struct ip6_hdr),
1143 ip6->ip6_nxt);
1144 if (ext == NULL) {
1145 ip6stat.ip6s_tooshort++;
1146 return;
1147 }
1148 hbh = mtod(ext, struct ip6_hbh *);
1149 hbhlen = (hbh->ip6h_len + 1) << 3;
1150 if (hbhlen != ext->m_len) {
1151 m_freem(ext);
1152 ip6stat.ip6s_tooshort++;
1153 return;
1154 }
1155 #endif
1156
1157 /*
1158 * XXX: We copy the whole header even if a
1159 * jumbo payload option is included, the option which
1160 * is to be removed before returning according to
1161 * RFC 2292.
1162 * Note: this constraint is removed in 2292bis.
1163 */
1164 *mp = sbcreatecontrol(hbh, hbhlen,
1165 IS2292(IPV6_2292HOPOPTS, IPV6_HOPOPTS),
1166 IPPROTO_IPV6);
1167 if (*mp)
1168 mp = &(*mp)->m_next;
1169 #ifdef PULLDOWN_TEST
1170 m_freem(ext);
1171 #endif
1172 }
1173 }
1174
1175 /* IPV6_DSTOPTS and IPV6_RTHDR socket options */
1176 if ((in6p->in6p_flags & (IN6P_DSTOPTS | IN6P_RTHDRDSTOPTS)) != 0) {
1177 int proto, off, nxt;
1178
1179 /*
1180 * go through the header chain to see if a routing header is
1181 * contained in the packet. We need this information to store
1182 * destination options headers (if any) properly.
1183 * XXX: performance issue. We should record this info when
1184 * processing extension headers in incoming routine.
1185 * (todo) use m_aux?
1186 */
1187 proto = IPPROTO_IPV6;
1188 off = 0;
1189 nxt = -1;
1190 while (1) {
1191 int newoff;
1192
1193 newoff = ip6_nexthdr(m, off, proto, &nxt);
1194 if (newoff < 0)
1195 break;
1196 if (newoff < off) /* invalid, check for safety */
1197 break;
1198 if ((proto = nxt) == IPPROTO_ROUTING)
1199 break;
1200 off = newoff;
1201 }
1202 }
1203
1204 if ((in6p->in6p_flags &
1205 (IN6P_RTHDR | IN6P_DSTOPTS | IN6P_RTHDRDSTOPTS)) != 0) {
1206 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
1207 int nxt = ip6->ip6_nxt, off = sizeof(struct ip6_hdr);
1208
1209 /*
1210 * Search for destination options headers or routing
1211 * header(s) through the header chain, and stores each
1212 * header as ancillary data.
1213 * Note that the order of the headers remains in
1214 * the chain of ancillary data.
1215 */
1216 while (1) { /* is explicit loop prevention necessary? */
1217 struct ip6_ext *ip6e = NULL;
1218 int elen;
1219 #ifdef PULLDOWN_TEST
1220 struct mbuf *ext = NULL;
1221 #endif
1222
1223 /*
1224 * if it is not an extension header, don't try to
1225 * pull it from the chain.
1226 */
1227 switch (nxt) {
1228 case IPPROTO_DSTOPTS:
1229 case IPPROTO_ROUTING:
1230 case IPPROTO_HOPOPTS:
1231 case IPPROTO_AH: /* is it possible? */
1232 break;
1233 default:
1234 goto loopend;
1235 }
1236
1237 #ifndef PULLDOWN_TEST
1238 if (off + sizeof(*ip6e) > m->m_len)
1239 goto loopend;
1240 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + off);
1241 if (nxt == IPPROTO_AH)
1242 elen = (ip6e->ip6e_len + 2) << 2;
1243 else
1244 elen = (ip6e->ip6e_len + 1) << 3;
1245 if (off + elen > m->m_len)
1246 goto loopend;
1247 #else
1248 ext = ip6_pullexthdr(m, off, nxt);
1249 if (ext == NULL) {
1250 ip6stat.ip6s_tooshort++;
1251 return;
1252 }
1253 ip6e = mtod(ext, struct ip6_ext *);
1254 if (nxt == IPPROTO_AH)
1255 elen = (ip6e->ip6e_len + 2) << 2;
1256 else
1257 elen = (ip6e->ip6e_len + 1) << 3;
1258 if (elen != ext->m_len) {
1259 m_freem(ext);
1260 ip6stat.ip6s_tooshort++;
1261 return;
1262 }
1263 #endif
1264
1265 switch (nxt) {
1266 case IPPROTO_DSTOPTS:
1267 if ((in6p->in6p_flags & IN6P_DSTOPTS) == 0)
1268 break;
1269
1270 /*
1271 * We also require super-user privilege for
1272 * the option. See comments on IN6_HOPOPTS.
1273 */
1274 if (!privileged)
1275 break;
1276
1277 *mp = sbcreatecontrol(ip6e, elen,
1278 IS2292(IPV6_2292DSTOPTS, IPV6_DSTOPTS),
1279 IPPROTO_IPV6);
1280 if (*mp)
1281 mp = &(*mp)->m_next;
1282 break;
1283 case IPPROTO_ROUTING:
1284 if (!(in6p->in6p_flags & IN6P_RTHDR))
1285 break;
1286
1287 *mp = sbcreatecontrol(ip6e, elen,
1288 IS2292(IPV6_2292RTHDR, IPV6_RTHDR),
1289 IPPROTO_IPV6);
1290 if (*mp)
1291 mp = &(*mp)->m_next;
1292 break;
1293 case IPPROTO_HOPOPTS:
1294 case IPPROTO_AH: /* is it possible? */
1295 break;
1296
1297 default:
1298 /*
1299 * other cases have been filtered in the above.
1300 * none will visit this case. here we supply
1301 * the code just in case (nxt overwritten or
1302 * other cases).
1303 */
1304 #ifdef PULLDOWN_TEST
1305 m_freem(ext);
1306 #endif
1307 goto loopend;
1308
1309 }
1310
1311 /* proceed with the next header. */
1312 off += elen;
1313 nxt = ip6e->ip6e_nxt;
1314 ip6e = NULL;
1315 #ifdef PULLDOWN_TEST
1316 m_freem(ext);
1317 ext = NULL;
1318 #endif
1319 }
1320 loopend:
1321 ;
1322 }
1323 #undef IS2292
1324 }
1325
1326 void
1327 ip6_notify_pmtu(struct inpcb *in6p, struct sockaddr_in6 *dst, u_int32_t *mtu)
1328 {
1329 struct socket *so;
1330 struct mbuf *m_mtu;
1331 struct ip6_mtuinfo mtuctl;
1332
1333 so = in6p->inp_socket;
1334
1335 if (mtu == NULL)
1336 return;
1337
1338 #ifdef DIAGNOSTIC
1339 if (so == NULL) /* I believe this is impossible */
1340 panic("ip6_notify_pmtu: socket is NULL");
1341 #endif
1342
1343 bzero(&mtuctl, sizeof(mtuctl)); /* zero-clear for safety */
1344 mtuctl.ip6m_mtu = *mtu;
1345 mtuctl.ip6m_addr = *dst;
1346
1347 if ((m_mtu = sbcreatecontrol(&mtuctl, sizeof(mtuctl),
1348 IPV6_PATHMTU, IPPROTO_IPV6)) == NULL)
1349 return;
1350
1351 lwkt_gettoken(&so->so_rcv.ssb_token);
1352 if (sbappendaddr(&so->so_rcv.sb, (struct sockaddr *)dst, NULL, m_mtu)
1353 == 0) {
1354 m_freem(m_mtu);
1355 /* XXX: should count statistics */
1356 } else {
1357 sorwakeup(so);
1358 }
1359 lwkt_reltoken(&so->so_rcv.ssb_token);
1360 }
1361
1362 #ifdef PULLDOWN_TEST
1363 /*
1364 * pull single extension header from mbuf chain. returns single mbuf that
1365 * contains the result, or NULL on error.
1366 */
1367 static struct mbuf *
1368 ip6_pullexthdr(struct mbuf *m, size_t off, int nxt)
1369 {
1370 struct ip6_ext ip6e;
1371 size_t elen;
1372 struct mbuf *n;
1373
1374 #ifdef DIAGNOSTIC
1375 switch (nxt) {
1376 case IPPROTO_DSTOPTS:
1377 case IPPROTO_ROUTING:
1378 case IPPROTO_HOPOPTS:
1379 case IPPROTO_AH: /* is it possible? */
1380 break;
1381 default:
1382 kprintf("ip6_pullexthdr: invalid nxt=%d\n", nxt);
1383 }
1384 #endif
1385
1386 m_copydata(m, off, sizeof(ip6e), &ip6e);
1387 if (nxt == IPPROTO_AH)
1388 elen = (ip6e.ip6e_len + 2) << 2;
1389 else
1390 elen = (ip6e.ip6e_len + 1) << 3;
1391
1392 n = m_getb(elen, M_NOWAIT, MT_DATA, 0);
1393 if (n == NULL)
1394 return NULL;
1395 n->m_len = 0;
1396
1397 if (elen >= M_TRAILINGSPACE(n)) {
1398 m_free(n);
1399 return NULL;
1400 }
1401
1402 m_copydata(m, off, elen, mtod(n, void *));
1403 n->m_len = elen;
1404 return n;
1405 }
1406 #endif
1407
1408 /*
1409 * Get pointer to the previous header followed by the header
1410 * currently processed.
1411 * XXX: This function supposes that
1412 * M includes all headers,
1413 * the next header field and the header length field of each header
1414 * are valid, and
1415 * the sum of each header length equals to OFF.
1416 * Because of these assumptions, this function must be called very
1417 * carefully. Moreover, it will not be used in the near future when
1418 * we develop `neater' mechanism to process extension headers.
1419 */
1420 char *
1421 ip6_get_prevhdr(struct mbuf *m, int off)
1422 {
1423 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
1424
1425 if (off == sizeof(struct ip6_hdr))
1426 return (&ip6->ip6_nxt);
1427 else {
1428 int len, nxt;
1429 struct ip6_ext *ip6e = NULL;
1430
1431 nxt = ip6->ip6_nxt;
1432 len = sizeof(struct ip6_hdr);
1433 while (len < off) {
1434 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + len);
1435
1436 switch (nxt) {
1437 case IPPROTO_FRAGMENT:
1438 len += sizeof(struct ip6_frag);
1439 break;
1440 case IPPROTO_AH:
1441 len += (ip6e->ip6e_len + 2) << 2;
1442 break;
1443 default:
1444 len += (ip6e->ip6e_len + 1) << 3;
1445 break;
1446 }
1447 nxt = ip6e->ip6e_nxt;
1448 }
1449 if (ip6e)
1450 return (&ip6e->ip6e_nxt);
1451 else
1452 return NULL;
1453 }
1454 }
1455
1456 /*
1457 * get next header offset. m will be retained.
1458 */
1459 int
1460 ip6_nexthdr(struct mbuf *m, int off, int proto, int *nxtp)
1461 {
1462 struct ip6_hdr ip6;
1463 struct ip6_ext ip6e;
1464 struct ip6_frag fh;
1465
1466 /* just in case */
1467 if (m == NULL)
1468 panic("ip6_nexthdr: m == NULL");
1469 if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off)
1470 return -1;
1471
1472 switch (proto) {
1473 case IPPROTO_IPV6:
1474 if (m->m_pkthdr.len < off + sizeof(ip6))
1475 return -1;
1476 m_copydata(m, off, sizeof(ip6), &ip6);
1477 if (nxtp)
1478 *nxtp = ip6.ip6_nxt;
1479 off += sizeof(ip6);
1480 return off;
1481
1482 case IPPROTO_FRAGMENT:
1483 /*
1484 * terminate parsing if it is not the first fragment,
1485 * it does not make sense to parse through it.
1486 */
1487 if (m->m_pkthdr.len < off + sizeof(fh))
1488 return -1;
1489 m_copydata(m, off, sizeof(fh), &fh);
1490 /* IP6F_OFF_MASK = 0xfff8(BigEndian), 0xf8ff(LittleEndian) */
1491 if (fh.ip6f_offlg & IP6F_OFF_MASK)
1492 return -1;
1493 if (nxtp)
1494 *nxtp = fh.ip6f_nxt;
1495 off += sizeof(struct ip6_frag);
1496 return off;
1497
1498 case IPPROTO_AH:
1499 if (m->m_pkthdr.len < off + sizeof(ip6e))
1500 return -1;
1501 m_copydata(m, off, sizeof(ip6e), &ip6e);
1502 if (nxtp)
1503 *nxtp = ip6e.ip6e_nxt;
1504 off += (ip6e.ip6e_len + 2) << 2;
1505 return off;
1506
1507 case IPPROTO_HOPOPTS:
1508 case IPPROTO_ROUTING:
1509 case IPPROTO_DSTOPTS:
1510 if (m->m_pkthdr.len < off + sizeof(ip6e))
1511 return -1;
1512 m_copydata(m, off, sizeof(ip6e), &ip6e);
1513 if (nxtp)
1514 *nxtp = ip6e.ip6e_nxt;
1515 off += (ip6e.ip6e_len + 1) << 3;
1516 return off;
1517
1518 case IPPROTO_NONE:
1519 case IPPROTO_ESP:
1520 case IPPROTO_IPCOMP:
1521 /* give up */
1522 return -1;
1523
1524 default:
1525 return -1;
1526 }
1527
1528 return -1;
1529 }
1530
1531 /*
1532 * get offset for the last header in the chain. m will be kept untainted.
1533 */
1534 int
1535 ip6_lasthdr(struct mbuf *m, int off, int proto, int *nxtp)
1536 {
1537 int newoff;
1538 int nxt;
1539
1540 if (!nxtp) {
1541 nxt = -1;
1542 nxtp = &nxt;
1543 }
1544 while (1) {
1545 newoff = ip6_nexthdr(m, off, proto, nxtp);
1546 if (newoff < 0)
1547 return off;
1548 else if (newoff < off)
1549 return -1; /* invalid */
1550 else if (newoff == off)
1551 return newoff;
1552
1553 off = newoff;
1554 proto = *nxtp;
1555 }
1556 }
1557
1558 struct ip6aux *
1559 ip6_addaux(struct mbuf *m)
1560 {
1561 struct m_tag *mtag;
1562
1563 mtag = m_tag_find(m, PACKET_TAG_IPV6_INPUT, NULL);
1564 if (!mtag) {
1565 mtag = m_tag_get(PACKET_TAG_IPV6_INPUT, sizeof(struct ip6aux),
1566 M_NOWAIT);
1567 if (mtag)
1568 m_tag_prepend(m, mtag);
1569 }
1570 if (mtag)
1571 bzero(m_tag_data(mtag), sizeof(struct ip6aux));
1572 return mtag ? (struct ip6aux *)m_tag_data(mtag) : NULL;
1573 }
1574
1575 struct ip6aux *
1576 ip6_findaux(struct mbuf *m)
1577 {
1578 struct m_tag *mtag;
1579
1580 mtag = m_tag_find(m, PACKET_TAG_IPV6_INPUT, NULL);
1581 return mtag ? (struct ip6aux *)m_tag_data(mtag) : NULL;
1582 }
1583
1584 void
1585 ip6_delaux(struct mbuf *m)
1586 {
1587 struct m_tag *mtag;
1588
1589 mtag = m_tag_find(m, PACKET_TAG_IPV6_INPUT, NULL);
1590 if (mtag)
1591 m_tag_delete(m, mtag);
1592 }
1593
1594 /*
1595 * System control for IP6
1596 */
1597
1598 u_char inet6ctlerrmap[PRC_NCMDS] = {
1599 0, 0, 0, 0,
1600 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH,
1601 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED,
1602 EMSGSIZE, EHOSTUNREACH, 0, 0,
1603 0, 0, 0, 0,
1604 ENOPROTOOPT
1605 };
DragonFly BSD