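--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,8 +1,8 @@
 /*
  * Copyright (c) 1982, 1986, 1988, 1993
  * The Regents of the University of California. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
@@ -26,17 +26,17 @@
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
  * @(#)ip_input.c 8.2 (Berkeley) 1/4/94
- * $FreeBSD: head/sys/netinet/ip_input.c 77969 2001-06-10 11:04:10Z jesper $
+ * $FreeBSD: head/sys/netinet/ip_input.c 78064 2001-06-11 12:39:29Z ume $
  */
 
 #define _IP_VHL
 
 #include "opt_bootp.h"
 #include "opt_ipfw.h"
 #include "opt_ipdn.h"
 #include "opt_ipdivert.h"
@@ -345,16 +345,26 @@
  }
  if (hlen > m->m_len) {
  if ((m = m_pullup(m, hlen)) == 0) {
  ipstat.ips_badhlen++;
  return;
  }
  ip = mtod(m, struct ip *);
  }
+
+ /* 127/8 must not appear on wire - RFC1122 */
+ if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
+ (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
+ if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
+ ipstat.ips_badaddr++;
+ goto bad;
+ }
+ }
+
  if (m->m_pkthdr.csum_flags & CSUM_IP_CHECKED) {
  sum = !(m->m_pkthdr.csum_flags & CSUM_IP_VALID);
  } else {
  if (hlen == sizeof(struct ip)) {
  sum = in_cksum_hdr(ip);
  } else {
  sum = in_cksum(m, hlen);
  }
@@ -388,25 +398,20 @@
  if (m->m_pkthdr.len > ip->ip_len) {
  if (m->m_len == m->m_pkthdr.len) {
  m->m_len = ip->ip_len;
  m->m_pkthdr.len = ip->ip_len;
  } else
  m_adj(m, ip->ip_len - m->m_pkthdr.len);
  }
 
- /*
- * Don't accept packets with a loopback destination address
- * unless they arrived via the loopback interface.
- */
- if ((ntohl(ip->ip_dst.s_addr) & IN_CLASSA_NET) ==
- (IN_LOOPBACKNET << IN_CLASSA_NSHIFT) &&
- (m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
- goto bad;
- }
+#ifdef IPSEC
+ if (ipsec_gethist(m, NULL))
+ goto pass;
+#endif
 
  /*
  * IpHack's section.
  * Right now when no processing on packet has done
  * and it is still fresh out of network we do our black
  * deals with it.
  * - Firewall: deny/allow/divert
  * - Xlate: translate packet's addr/port (NAT).
@@ -791,17 +796,30 @@
  /* If 'tee', continue with original packet */
  if (clone == NULL)
  return;
  m = clone;
  ip = mtod(m, struct ip *);
  }
 #endif
 
+#ifdef IPSEC
  /*
+ * enforce IPsec policy checking if we are seeing last header.
+ * note that we do not visit this with protocols with pcb layer
+ * code - like udp/tcp/raw ip.
+ */
+ if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0 &&
+ ipsec4_in_reject(m, NULL)) {
+ ipsecstat.in_polvio++;
+ goto bad;
+ }
+#endif
+
+ /*
  * Switch out to protocol's input routine.
  */
  ipstat.ips_delivered++;
  {
  int off = hlen, nh = ip->ip_p;
 
  (*inetsw[ip_protox[ip->ip_p]].pr_input)(m, off, nh);
 #ifdef IPFIREWALL_FORWARD
@@ -1184,16 +1202,20 @@
  * If none on this machine then drop if strictly routed,
  * or do nothing if loosely routed.
  * Record interface address and bring up next address
  * component. If strictly routed make sure next
  * address is on directly accessible net.
  */
  case IPOPT_LSRR:
  case IPOPT_SSRR:
+ if (optlen < IPOPT_OFFSET + sizeof(*cp)) {
+ code = &cp[IPOPT_OLEN] - (u_char *)ip;
+ goto bad;
+ }
  if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) {
  code = &cp[IPOPT_OFFSET] - (u_char *)ip;
  goto bad;
  }
  ipaddr.sin_addr = ip->ip_dst;
  ia = (struct in_ifaddr *)
  ifa_ifwithaddr((struct sockaddr *)&ipaddr);
  if (ia == 0) {
@@ -1303,56 +1325,74 @@
  (void)memcpy(cp + off, &(IA_SIN(ia)->sin_addr),
  sizeof(struct in_addr));
  cp[IPOPT_OFFSET] += sizeof(struct in_addr);
  break;
 
  case IPOPT_TS:
  code = cp - (u_char *)ip;
  ipt = (struct ip_timestamp *)cp;
- if (ipt->ipt_len < 5)
+ if (ipt->ipt_len < 4 || ipt->ipt_len > 40) {
+ code = (u_char *)&ipt->ipt_len - (u_char *)ip;
  goto bad;
+ }
+ if (ipt->ipt_ptr < 5) {
+ code = (u_char *)&ipt->ipt_ptr - (u_char *)ip;
+ goto bad;
+ }
  if (ipt->ipt_ptr >
  ipt->ipt_len - (int)sizeof(int32_t)) {
- if (++ipt->ipt_oflw == 0)
+ if (++ipt->ipt_oflw == 0) {
+ code = (u_char *)&ipt->ipt_ptr -
+ (u_char *)ip;
  goto bad;
+ }
  break;
  }
  sin = (struct in_addr *)(cp + ipt->ipt_ptr - 1);
  switch (ipt->ipt_flg) {
 
  case IPOPT_TS_TSONLY:
  break;
 
  case IPOPT_TS_TSANDADDR:
  if (ipt->ipt_ptr - 1 + sizeof(n_time) +
- sizeof(struct in_addr) > ipt->ipt_len)
+ sizeof(struct in_addr) > ipt->ipt_len) {
+ code = (u_char *)&ipt->ipt_ptr -
+ (u_char *)ip;
  goto bad;
+ }
  ipaddr.sin_addr = dst;
  ia = (INA)ifaof_ifpforaddr((SA)&ipaddr,
  m->m_pkthdr.rcvif);
  if (ia == 0)
  continue;
  (void)memcpy(sin, &IA_SIN(ia)->sin_addr,
  sizeof(struct in_addr));
  ipt->ipt_ptr += sizeof(struct in_addr);
  break;
 
  case IPOPT_TS_PRESPEC:
  if (ipt->ipt_ptr - 1 + sizeof(n_time) +
- sizeof(struct in_addr) > ipt->ipt_len)
+ sizeof(struct in_addr) > ipt->ipt_len) {
+ code = (u_char *)&ipt->ipt_ptr -
+ (u_char *)ip;
  goto bad;
+ }
  (void)memcpy(&ipaddr.sin_addr, sin,
  sizeof(struct in_addr));
  if (ifa_ifwithaddr((SA)&ipaddr) == 0)
  continue;
  ipt->ipt_ptr += sizeof(struct in_addr);
  break;
 
  default:
+ /* XXX can't take &ipt->ipt_flg */
+ code = (u_char *)&ipt->ipt_ptr -
+ (u_char *)ip + 1;
  goto bad;
  }
  ntime = iptime();
  (void)memcpy(cp + ipt->ipt_ptr - 1, &ntime,
  sizeof(n_time));
  ipt->ipt_ptr += sizeof(n_time);
  }
  }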
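Review bot: The `ipsec_gethist(m, NULL)` early exit added just above the "IpHack's section" comment carries no comment of its own, although it decides whether a packet is filtered at all. It jumps to `pass`, a label outside the visible lines; given where it sits, it presumably skips the deny/allow/divert and NAT processing for every packet that already has IPsec history, so decapsulated inner traffic would reach the stack without passing the packet filter. If that is the intent, state it at the site, e.g. `/* already processed by IPsec: skip the packet filter below, inner packets are not filtered */`, and consider making the bypass a configurable policy rather than unconditional. Separately, the new `optlen < IPOPT_OFFSET + sizeof(*cp)` guard is added only under `IPOPT_LSRR`/`IPOPT_SSRR`; the `IPOPT_RR` case lies in the hidden unchanged lines and, if it reads `cp[IPOPT_OFFSET]` the same way, needs the same guard.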