1/* 2 * Copyright (c) 2003-2007 Apple Inc. All rights reserved. 3 * 4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. The rights granted to you under the License 10 * may not be used to create, or enable the creation or redistribution of, 11 * unlawful or unlicensed copies of an Apple operating system, or to 12 * circumvent, violate, or enable the circumvention or violation of, any 13 * terms of an Apple operating system software license agreement. 14 * 15 * Please obtain a copy of the License at 16 * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 * 18 * The Original Code and all software distributed under the License are 19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 * Please see the License for the specific language governing rights and 24 * limitations under the License. 25 * 26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 */ 28/* $FreeBSD: src/sys/netinet6/ip6_input.c,v 1.11.2.10 2001/07/24 19:10:18 brooks Exp $ */ 29/* $KAME: ip6_input.c,v 1.194 2001/05/27 13:28:35 itojun Exp $ */ 30 31/* 32 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 33 * All rights reserved. 34 * 35 * Redistribution and use in source and binary forms, with or without 36 * modification, are permitted provided that the following conditions 37 * are met: 38 * 1. Redistributions of source code must retain the above copyright 39 * notice, this list of conditions and the following disclaimer. 40 * 2. Redistributions in binary form must reproduce the above copyright 41 * notice, this list of conditions and the following disclaimer in the 42 * documentation and/or other materials provided with the distribution. 43 * 3. Neither the name of the project nor the names of its contributors 44 * may be used to endorse or promote products derived from this software 45 * without specific prior written permission. 46 * 47 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 48 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 49 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 50 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 51 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 52 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 53 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 54 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 55 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 56 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 57 * SUCH DAMAGE. 58 */ 59 60/* 61 * Copyright (c) 1982, 1986, 1988, 1993 62 * The Regents of the University of California. All rights reserved. 63 * 64 * Redistribution and use in source and binary forms, with or without 65 * modification, are permitted provided that the following conditions 66 * are met: 67 * 1. Redistributions of source code must retain the above copyright 68 * notice, this list of conditions and the following disclaimer. 69 * 2. Redistributions in binary form must reproduce the above copyright 70 * notice, this list of conditions and the following disclaimer in the 71 * documentation and/or other materials provided with the distribution. 72 * 3. All advertising materials mentioning features or use of this software 73 * must display the following acknowledgement: 74 * This product includes software developed by the University of 75 * California, Berkeley and its contributors. 76 * 4. Neither the name of the University nor the names of its contributors 77 * may be used to endorse or promote products derived from this software 78 * without specific prior written permission. 79 * 80 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 81 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 82 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 83 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 84 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 85 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 86 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 87 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 88 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 89 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 90 * SUCH DAMAGE. 91 * 92 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94 93 */ 94 95 96#include <sys/param.h> 97#include <sys/systm.h> 98#include <sys/malloc.h> 99#include <sys/mbuf.h> 100#include <sys/domain.h> 101#include <sys/protosw.h> 102#include <sys/socket.h> 103#include <sys/socketvar.h> 104#include <sys/errno.h> 105#include <sys/time.h> 106#include <sys/kernel.h> 107#include <sys/syslog.h> 108#include <sys/proc.h> 109#include <sys/kauth.h> 110 111#include <net/if.h> 112#include <net/if_var.h> 113#include <net/if_types.h> 114#include <net/if_dl.h> 115#include <net/route.h> 116#include <net/kpi_protocol.h> 117 118#include <netinet/in.h> 119#include <netinet/in_systm.h> 120#if INET 121#include <netinet/ip.h> 122#include <netinet/ip_icmp.h> 123#endif /*INET*/ 124#include <netinet/ip6.h> 125#include <netinet6/in6_var.h> 126#include <netinet6/ip6_var.h> 127#include <netinet/in_pcb.h> 128#include <netinet/icmp6.h> 129#include <netinet6/in6_ifattach.h> 130#include <netinet6/nd6.h> 131#include <netinet6/in6_prefix.h> 132 133#if IPSEC 134#include <netinet6/ipsec.h> 135#if INET6 136#include <netinet6/ipsec6.h> 137#endif 138extern int ipsec_bypass; 139#endif 140 141#include <netinet6/ip6_fw.h> 142 143#include <netinet/kpi_ipfilter_var.h> 144 145#include <netinet6/ip6protosw.h> 146 147/* we need it for NLOOP. */ 148#include "loop.h" 149#include "faith.h" 150 151#include <net/net_osdep.h> 152 153extern struct domain inet6domain; 154extern struct ip6protosw inet6sw[]; 155 156struct ip6protosw * ip6_protox[IPPROTO_MAX]; 157static int ip6qmaxlen = IFQ_MAXLEN; 158struct in6_ifaddr *in6_ifaddrs; 159 160int ip6_forward_srcrt; /* XXX */ 161int ip6_sourcecheck; /* XXX */ 162int ip6_sourcecheck_interval; /* XXX */ 163const int int6intrq_present = 1; 164 165int ip6_ours_check_algorithm; 166int in6_init2done = 0; 167 168 169/* firewall hooks */ 170ip6_fw_chk_t *ip6_fw_chk_ptr; 171ip6_fw_ctl_t *ip6_fw_ctl_ptr; 172int ip6_fw_enable = 1; 173 174struct ip6stat ip6stat; 175 176#ifdef __APPLE__ 177struct ifqueue ip6intrq; 178lck_mtx_t *ip6_mutex; 179lck_mtx_t *dad6_mutex; 180lck_mtx_t *nd6_mutex; 181lck_mtx_t *prefix6_mutex; 182lck_attr_t *ip6_mutex_attr; 183lck_grp_t *ip6_mutex_grp; 184lck_grp_attr_t *ip6_mutex_grp_attr; 185extern lck_mtx_t *inet6_domain_mutex; 186#endif 187extern int loopattach_done; 188 189static void ip6_init2(void *); 190static struct ip6aux *ip6_setdstifaddr(struct mbuf *, struct in6_ifaddr *); 191 192static int ip6_hopopts_input(u_int32_t *, u_int32_t *, struct mbuf **, int *); 193#if PULLDOWN_TEST 194static struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int); 195#endif 196 197#ifdef __APPLE__ 198void gifattach(void); 199void faithattach(void); 200void stfattach(void); 201#endif 202 203extern lck_mtx_t *domain_proto_mtx; 204 205 206static void 207ip6_proto_input( 208 __unused protocol_family_t protocol, 209 mbuf_t packet) 210{ 211 ip6_input(packet); 212} 213 214/* 215 * IP6 initialization: fill in IP6 protocol switch table. 216 * All protocols not implemented in kernel go to raw IP6 protocol handler. 217 */ 218void 219ip6_init() 220{ 221 struct ip6protosw *pr; 222 int i; 223 struct timeval tv; 224 225#if DIAGNOSTIC 226 if (sizeof(struct protosw) != sizeof(struct ip6protosw)) 227 panic("sizeof(protosw) != sizeof(ip6protosw)"); 228#endif 229 pr = (struct ip6protosw *)pffindproto_locked(PF_INET6, IPPROTO_RAW, SOCK_RAW); 230 if (pr == 0) 231 panic("ip6_init"); 232 for (i = 0; i < IPPROTO_MAX; i++) 233 ip6_protox[i] = pr; 234 for (pr = (struct ip6protosw*)inet6domain.dom_protosw; pr; pr = pr->pr_next) { 235 if(!((unsigned int)pr->pr_domain)) continue; /* If uninitialized, skip */ 236 if (pr->pr_domain->dom_family == PF_INET6 && 237 pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW) { 238 ip6_protox[pr->pr_protocol] = pr; 239 } 240 } 241 242 ip6_mutex_grp_attr = lck_grp_attr_alloc_init(); 243 244 ip6_mutex_grp = lck_grp_alloc_init("ip6", ip6_mutex_grp_attr); 245 ip6_mutex_attr = lck_attr_alloc_init(); 246 247 if ((ip6_mutex = lck_mtx_alloc_init(ip6_mutex_grp, ip6_mutex_attr)) == NULL) { 248 printf("ip6_init: can't alloc ip6_mutex\n"); 249 return; 250 } 251 if ((dad6_mutex = lck_mtx_alloc_init(ip6_mutex_grp, ip6_mutex_attr)) == NULL) { 252 printf("ip6_init: can't alloc dad6_mutex\n"); 253 return; 254 } 255 if ((nd6_mutex = lck_mtx_alloc_init(ip6_mutex_grp, ip6_mutex_attr)) == NULL) { 256 printf("ip6_init: can't alloc nd6_mutex\n"); 257 return; 258 } 259 260 if ((prefix6_mutex = lck_mtx_alloc_init(ip6_mutex_grp, ip6_mutex_attr)) == NULL) { 261 printf("ip6_init: can't alloc prefix6_mutex\n"); 262 return; 263 } 264 265 inet6domain.dom_flags = DOM_REENTRANT; 266 267 ip6intrq.ifq_maxlen = ip6qmaxlen; 268 nd6_init(); 269 frag6_init(); 270 icmp6_init(); 271 /* 272 * in many cases, random() here does NOT return random number 273 * as initialization during bootstrap time occur in fixed order. 274 */ 275 microtime(&tv); 276 ip6_flow_seq = random() ^ tv.tv_usec; 277 microtime(&tv); 278 ip6_desync_factor = (random() ^ tv.tv_usec) % MAX_TEMP_DESYNC_FACTOR; 279 timeout(ip6_init2, (caddr_t)0, 1 * hz); 280 281 lck_mtx_unlock(domain_proto_mtx); 282 proto_register_input(PF_INET6, ip6_proto_input, NULL, 0); 283 lck_mtx_lock(domain_proto_mtx); 284} 285 286static void 287ip6_init2( 288 __unused void *dummy) 289{ 290 /* 291 * to route local address of p2p link to loopback, 292 * assign loopback address first. 293 */ 294 if (loopattach_done == 0) { 295 timeout(ip6_init2, (caddr_t)0, 1 * hz); 296 return; 297 } 298 in6_ifattach(lo_ifp, NULL, NULL); 299 300#ifdef __APPLE__ 301 /* nd6_timer_init */ 302 timeout(nd6_timer, (caddr_t)0, hz); 303 304 /* router renumbering prefix list maintenance */ 305 timeout(in6_rr_timer, (caddr_t)0, hz); 306 307 /* timer for regeneranation of temporary addresses randomize ID */ 308 timeout(in6_tmpaddrtimer, (caddr_t)0, 309 (ip6_temp_preferred_lifetime - ip6_desync_factor - 310 ip6_temp_regen_advance) * hz); 311 312#if NGIF 313 gifattach(); 314#endif 315#if NFAITH 316 faithattach(); 317#endif 318#if NSTF 319 stfattach(); 320#endif 321#else 322 /* nd6_timer_init */ 323 324 callout_init(&nd6_timer_ch); 325 callout_reset(&nd6_timer_ch, hz, nd6_timer, NULL); 326 327 /* router renumbering prefix list maintenance */ 328 callout_init(&in6_rr_timer_ch); 329 callout_reset(&in6_rr_timer_ch, hz, in6_rr_timer, NULL); 330 331 /* timer for regeneranation of temporary addresses randomize ID */ 332 callout_reset(&in6_tmpaddrtimer_ch, 333 (ip6_temp_preferred_lifetime - ip6_desync_factor - 334 ip6_temp_regen_advance) * hz, 335 in6_tmpaddrtimer, NULL); 336#endif 337 338 in6_init2done = 1; 339} 340 341#if __FreeBSD__ 342/* cheat */ 343/* This must be after route_init(), which is now SI_ORDER_THIRD */ 344SYSINIT(netinet6init2, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ip6_init2, NULL); 345#endif 346 347/* 348 * ip6_forward_rt contains the route entry that was recently used during 349 * the forwarding of an IPv6 packet and thus acts as a route cache. Access 350 * to this variable is protected by the global lock ip6_mutex. 351 */ 352static struct route_in6 ip6_forward_rt; 353 354void 355ip6_input(m) 356 struct mbuf *m; 357{ 358 struct ip6_hdr *ip6; 359 int off = sizeof(struct ip6_hdr), nest; 360 u_int32_t plen; 361 u_int32_t rtalert = ~0; 362 int nxt = 0, ours = 0; 363 struct ifnet *deliverifp = NULL; 364 ipfilter_t inject_ipfref = 0; 365 int seen; 366 367 /* 368 * No need to proccess packet twice if we've 369 * already seen it 370 */ 371 inject_ipfref = ipf_get_inject_filter(m); 372 if (inject_ipfref != 0) { 373 ip6 = mtod(m, struct ip6_hdr *); 374 nxt = ip6->ip6_nxt; 375 seen = 0; 376 goto injectit; 377 } else 378 seen = 1; 379 380#if IPSEC 381 /* 382 * should the inner packet be considered authentic? 383 * see comment in ah4_input(). 384 */ 385 if (m) { 386 m->m_flags &= ~M_AUTHIPHDR; 387 m->m_flags &= ~M_AUTHIPDGM; 388 } 389#endif 390 391 /* 392 * make sure we don't have onion peering information into m_aux. 393 */ 394 ip6_delaux(m); 395 396 lck_mtx_lock(ip6_mutex); 397 /* 398 * mbuf statistics 399 */ 400 if (m->m_flags & M_EXT) { 401 if (m->m_next) 402 ip6stat.ip6s_mext2m++; 403 else 404 ip6stat.ip6s_mext1++; 405 } else { 406#define M2MMAX (sizeof(ip6stat.ip6s_m2m)/sizeof(ip6stat.ip6s_m2m[0])) 407 if (m->m_next) { 408 if (m->m_flags & M_LOOP) { 409 ip6stat.ip6s_m2m[ifnet_index(lo_ifp)]++; /* XXX */ 410 } else if (m->m_pkthdr.rcvif->if_index < M2MMAX) 411 ip6stat.ip6s_m2m[m->m_pkthdr.rcvif->if_index]++; 412 else 413 ip6stat.ip6s_m2m[0]++; 414 } else 415 ip6stat.ip6s_m1++; 416#undef M2MMAX 417 } 418 419 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_receive); 420 ip6stat.ip6s_total++; 421 422#ifndef PULLDOWN_TEST 423 /* 424 * L2 bridge code and some other code can return mbuf chain 425 * that does not conform to KAME requirement. too bad. 426 * XXX: fails to join if interface MTU > MCLBYTES. jumbogram? 427 */ 428 if (m && m->m_next != NULL && m->m_pkthdr.len < MCLBYTES) { 429 struct mbuf *n; 430 431 MGETHDR(n, M_DONTWAIT, MT_HEADER); /* MAC-OK */ 432 if (n) 433 M_COPY_PKTHDR(n, m); 434 if (n && m->m_pkthdr.len > MHLEN) { 435 MCLGET(n, M_DONTWAIT); 436 if ((n->m_flags & M_EXT) == 0) { 437 m_freem(n); 438 n = NULL; 439 } 440 } 441 if (n == NULL) { 442 m_freem(m); 443 lck_mtx_unlock(ip6_mutex); 444 return; /*ENOBUFS*/ 445 } 446 447 m_copydata(m, 0, m->m_pkthdr.len, mtod(n, caddr_t)); 448 n->m_len = m->m_pkthdr.len; 449 m_freem(m); 450 m = n; 451 } 452 IP6_EXTHDR_CHECK(m, 0, sizeof(struct ip6_hdr), 453 {lck_mtx_unlock(ip6_mutex); return;}); 454#endif 455 456 if (m->m_len < sizeof(struct ip6_hdr)) { 457 struct ifnet *inifp; 458 inifp = m->m_pkthdr.rcvif; 459 if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == 0) { 460 ip6stat.ip6s_toosmall++; 461 in6_ifstat_inc(inifp, ifs6_in_hdrerr); 462 lck_mtx_unlock(ip6_mutex); 463 return; 464 } 465 } 466 467 ip6 = mtod(m, struct ip6_hdr *); 468 469 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) { 470 ip6stat.ip6s_badvers++; 471 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); 472 goto bad; 473 } 474 475 ip6stat.ip6s_nxthist[ip6->ip6_nxt]++; 476 477 /* 478 * Check with the firewall... 479 */ 480 if (ip6_fw_enable && ip6_fw_chk_ptr) { 481 u_short port = 0; 482 /* If ipfw says divert, we have to just drop packet */ 483 /* use port as a dummy argument */ 484 if ((*ip6_fw_chk_ptr)(&ip6, NULL, &port, &m)) { 485 m_freem(m); 486 m = NULL; 487 } 488 if (!m) { 489 lck_mtx_unlock(ip6_mutex); 490 return; 491 } 492 } 493 494 /* 495 * Check against address spoofing/corruption. 496 */ 497 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) || 498 IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) { 499 /* 500 * XXX: "badscope" is not very suitable for a multicast source. 501 */ 502 ip6stat.ip6s_badscope++; 503 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 504 goto bad; 505 } 506 if ((IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) || 507 IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) && 508 (m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) { 509 ip6stat.ip6s_badscope++; 510 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 511 goto bad; 512 } 513 514 /* 515 * The following check is not documented in specs. A malicious 516 * party may be able to use IPv4 mapped addr to confuse tcp/udp stack 517 * and bypass security checks (act as if it was from 127.0.0.1 by using 518 * IPv6 src ::ffff:127.0.0.1). Be cautious. 519 * 520 * This check chokes if we are in an SIIT cloud. As none of BSDs 521 * support IPv4-less kernel compilation, we cannot support SIIT 522 * environment at all. So, it makes more sense for us to reject any 523 * malicious packets for non-SIIT environment, than try to do a 524 * partical support for SIIT environment. 525 */ 526 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 527 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 528 ip6stat.ip6s_badscope++; 529 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 530 goto bad; 531 } 532#if 0 533 /* 534 * Reject packets with IPv4 compatible addresses (auto tunnel). 535 * 536 * The code forbids auto tunnel relay case in RFC1933 (the check is 537 * stronger than RFC1933). We may want to re-enable it if mech-xx 538 * is revised to forbid relaying case. 539 */ 540 if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) || 541 IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) { 542 ip6stat.ip6s_badscope++; 543 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 544 goto bad; 545 } 546#endif 547 548 /* drop packets if interface ID portion is already filled */ 549 if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) { 550 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src) && 551 ip6->ip6_src.s6_addr16[1]) { 552 ip6stat.ip6s_badscope++; 553 goto bad; 554 } 555 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst) && 556 ip6->ip6_dst.s6_addr16[1]) { 557 ip6stat.ip6s_badscope++; 558 goto bad; 559 } 560 } 561 562 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) 563 ip6->ip6_src.s6_addr16[1] 564 = htons(m->m_pkthdr.rcvif->if_index); 565 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) 566 ip6->ip6_dst.s6_addr16[1] 567 = htons(m->m_pkthdr.rcvif->if_index); 568 569#if 0 /* this case seems to be unnecessary. (jinmei, 20010401) */ 570 /* 571 * We use rt->rt_ifp to determine if the address is ours or not. 572 * If rt_ifp is lo0, the address is ours. 573 * The problem here is, rt->rt_ifp for fe80::%lo0/64 is set to lo0, 574 * so any address under fe80::%lo0/64 will be mistakenly considered 575 * local. The special case is supplied to handle the case properly 576 * by actually looking at interface addresses 577 * (using in6ifa_ifpwithaddr). 578 */ 579 if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) != 0 && 580 IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_dst)) { 581 struct in6_ifaddr *ia6; 582 if (!(ia6 = in6ifa_ifpwithaddr(m->m_pkthdr.rcvif, &ip6->ip6_dst))) { 583 lck_mtx_unlock(ip6_mutex); 584 icmp6_error(m, ICMP6_DST_UNREACH, 585 ICMP6_DST_UNREACH_ADDR, 0); 586 /* m is already freed */ 587 return; 588 } 589 ifafree(&ia6->ia_ifa); 590 591 ours = 1; 592 deliverifp = m->m_pkthdr.rcvif; 593 goto hbhcheck; 594 } 595#endif 596 597 /* 598 * Multicast check 599 */ 600 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 601 struct in6_multi *in6m = 0; 602 603 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_mcast); 604 /* 605 * See if we belong to the destination multicast group on the 606 * arrival interface. 607 */ 608 IN6_LOOKUP_MULTI(ip6->ip6_dst, m->m_pkthdr.rcvif, in6m); 609 if (in6m) 610 ours = 1; 611 else if (!ip6_mrouter) { 612 ip6stat.ip6s_notmember++; 613 ip6stat.ip6s_cantforward++; 614 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 615 goto bad; 616 } 617 deliverifp = m->m_pkthdr.rcvif; 618 goto hbhcheck; 619 } 620 621 /* 622 * Unicast check 623 */ 624 if (ip6_forward_rt.ro_rt != NULL && 625 (ip6_forward_rt.ro_rt->rt_flags & RTF_UP) != 0 && 626 IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, 627 &((struct sockaddr_in6 *)(&ip6_forward_rt.ro_dst))->sin6_addr)) 628 ip6stat.ip6s_forward_cachehit++; 629 else { 630 struct sockaddr_in6 *dst6; 631 632 if (ip6_forward_rt.ro_rt) { 633 /* route is down or destination is different */ 634 ip6stat.ip6s_forward_cachemiss++; 635 rtfree(ip6_forward_rt.ro_rt); 636 ip6_forward_rt.ro_rt = 0; 637 } 638 639 bzero(&ip6_forward_rt.ro_dst, sizeof(struct sockaddr_in6)); 640 dst6 = (struct sockaddr_in6 *)&ip6_forward_rt.ro_dst; 641 dst6->sin6_len = sizeof(struct sockaddr_in6); 642 dst6->sin6_family = AF_INET6; 643 dst6->sin6_addr = ip6->ip6_dst; 644#if SCOPEDROUTING 645 ip6_forward_rt.ro_dst.sin6_scope_id = 646 in6_addr2scopeid(m->m_pkthdr.rcvif, &ip6->ip6_dst); 647#endif 648 649 rtalloc_ign((struct route *)&ip6_forward_rt, RTF_PRCLONING); 650 } 651 652#define rt6_key(r) ((struct sockaddr_in6 *)((r)->rt_nodes->rn_key)) 653 654 /* 655 * Accept the packet if the forwarding interface to the destination 656 * according to the routing table is the loopback interface, 657 * unless the associated route has a gateway. 658 * Note that this approach causes to accept a packet if there is a 659 * route to the loopback interface for the destination of the packet. 660 * But we think it's even useful in some situations, e.g. when using 661 * a special daemon which wants to intercept the packet. 662 * 663 * XXX: some OSes automatically make a cloned route for the destination 664 * of an outgoing packet. If the outgoing interface of the packet 665 * is a loopback one, the kernel would consider the packet to be 666 * accepted, even if we have no such address assinged on the interface. 667 * We check the cloned flag of the route entry to reject such cases, 668 * assuming that route entries for our own addresses are not made by 669 * cloning (it should be true because in6_addloop explicitly installs 670 * the host route). However, we might have to do an explicit check 671 * while it would be less efficient. Or, should we rather install a 672 * reject route for such a case? 673 */ 674 if (ip6_forward_rt.ro_rt && 675 (ip6_forward_rt.ro_rt->rt_flags & 676 (RTF_HOST|RTF_GATEWAY)) == RTF_HOST && 677#if RTF_WASCLONED 678 !(ip6_forward_rt.ro_rt->rt_flags & RTF_WASCLONED) && 679#endif 680#if RTF_CLONED 681 !(ip6_forward_rt.ro_rt->rt_flags & RTF_CLONED) && 682#endif 683#if 0 684 /* 685 * The check below is redundant since the comparison of 686 * the destination and the key of the rtentry has 687 * already done through looking up the routing table. 688 */ 689 IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, 690 &rt6_key(ip6_forward_rt.ro_rt)->sin6_addr) 691#endif 692 ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_LOOP) { 693 struct in6_ifaddr *ia6 = 694 (struct in6_ifaddr *)ip6_forward_rt.ro_rt->rt_ifa; 695 696 /* 697 * record address information into m_aux. 698 */ 699 (void)ip6_setdstifaddr(m, ia6); 700 701 /* 702 * packets to a tentative, duplicated, or somehow invalid 703 * address must not be accepted. 704 */ 705 if (!(ia6->ia6_flags & IN6_IFF_NOTREADY)) { 706 /* this address is ready */ 707 ours = 1; 708 deliverifp = ia6->ia_ifp; /* correct? */ 709 /* Count the packet in the ip address stats */ 710#ifndef __APPLE__ 711 712 ia6->ia_ifa.if_ipackets++; 713 ia6->ia_ifa.if_ibytes += m->m_pkthdr.len; 714#endif 715 goto hbhcheck; 716 } else { 717 /* address is not ready, so discard the packet. */ 718 nd6log((LOG_INFO, 719 "ip6_input: packet to an unready address %s->%s\n", 720 ip6_sprintf(&ip6->ip6_src), 721 ip6_sprintf(&ip6->ip6_dst))); 722 goto bad; 723 } 724 } 725 726 /* 727 * FAITH(Firewall Aided Internet Translator) 728 */ 729#if defined(NFAITH) && 0 < NFAITH 730 if (ip6_keepfaith) { 731 if (ip6_forward_rt.ro_rt && ip6_forward_rt.ro_rt->rt_ifp 732 && ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_FAITH) { 733 /* XXX do we need more sanity checks? */ 734 ours = 1; 735 deliverifp = ip6_forward_rt.ro_rt->rt_ifp; /* faith */ 736 goto hbhcheck; 737 } 738 } 739#endif 740 741 /* 742 * Now there is no reason to process the packet if it's not our own 743 * and we're not a router. 744 */ 745 if (!ip6_forwarding) { 746 ip6stat.ip6s_cantforward++; 747 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 748 goto bad; 749 } 750 751 hbhcheck: 752 /* 753 * record address information into m_aux, if we don't have one yet. 754 * note that we are unable to record it, if the address is not listed 755 * as our interface address (e.g. multicast addresses, addresses 756 * within FAITH prefixes and such). 757 */ 758 if (deliverifp && !ip6_getdstifaddr(m)) { 759 struct in6_ifaddr *ia6; 760 761 ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst); 762 if (ia6) { 763 if (!ip6_setdstifaddr(m, ia6)) { 764 /* 765 * XXX maybe we should drop the packet here, 766 * as we could not provide enough information 767 * to the upper layers. 768 */ 769 } 770 } 771 } 772 773 /* 774 * Process Hop-by-Hop options header if it's contained. 775 * m may be modified in ip6_hopopts_input(). 776 * If a JumboPayload option is included, plen will also be modified. 777 */ 778 plen = (u_int32_t)ntohs(ip6->ip6_plen); 779 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 780 struct ip6_hbh *hbh; 781 782 if (ip6_hopopts_input(&plen, &rtalert, &m, &off)) { 783#if 0 /*touches NULL pointer*/ 784 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 785#endif 786 lck_mtx_unlock(ip6_mutex); 787 return; /* m have already been freed */ 788 } 789 790 /* adjust pointer */ 791 ip6 = mtod(m, struct ip6_hdr *); 792 793 /* 794 * if the payload length field is 0 and the next header field 795 * indicates Hop-by-Hop Options header, then a Jumbo Payload 796 * option MUST be included. 797 */ 798 if (ip6->ip6_plen == 0 && plen == 0) { 799 /* 800 * Note that if a valid jumbo payload option is 801 * contained, ip6_hoptops_input() must set a valid 802 * (non-zero) payload length to the variable plen. 803 */ 804 ip6stat.ip6s_badoptions++; 805 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 806 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); 807 lck_mtx_unlock(ip6_mutex); 808 icmp6_error(m, ICMP6_PARAM_PROB, 809 ICMP6_PARAMPROB_HEADER, 810 (caddr_t)&ip6->ip6_plen - (caddr_t)ip6); 811 return; 812 } 813#ifndef PULLDOWN_TEST 814 /* ip6_hopopts_input() ensures that mbuf is contiguous */ 815 hbh = (struct ip6_hbh *)(ip6 + 1); 816#else 817 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 818 sizeof(struct ip6_hbh)); 819 if (hbh == NULL) { 820 ip6stat.ip6s_tooshort++; 821 lck_mtx_unlock(ip6_mutex); 822 return; 823 } 824#endif 825 nxt = hbh->ip6h_nxt; 826 827 /* 828 * accept the packet if a router alert option is included 829 * and we act as an IPv6 router. 830 */ 831 if (rtalert != ~0 && ip6_forwarding) 832 ours = 1; 833 } else 834 nxt = ip6->ip6_nxt; 835 836 /* 837 * Check that the amount of data in the buffers 838 * is as at least much as the IPv6 header would have us expect. 839 * Trim mbufs if longer than we expect. 840 * Drop packet if shorter than we expect. 841 */ 842 if (m->m_pkthdr.len - sizeof(struct ip6_hdr) < plen) { 843 ip6stat.ip6s_tooshort++; 844 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 845 goto bad; 846 } 847 if (m->m_pkthdr.len > sizeof(struct ip6_hdr) + plen) { 848 if (m->m_len == m->m_pkthdr.len) { 849 m->m_len = sizeof(struct ip6_hdr) + plen; 850 m->m_pkthdr.len = sizeof(struct ip6_hdr) + plen; 851 } else 852 m_adj(m, sizeof(struct ip6_hdr) + plen - m->m_pkthdr.len); 853 } 854 855 /* 856 * Forward if desirable. 857 */ 858 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 859 /* 860 * If we are acting as a multicast router, all 861 * incoming multicast packets are passed to the 862 * kernel-level multicast forwarding function. 863 * The packet is returned (relatively) intact; if 864 * ip6_mforward() returns a non-zero value, the packet 865 * must be discarded, else it may be accepted below. 866 */ 867 if (ip6_mrouter && ip6_mforward(ip6, m->m_pkthdr.rcvif, m)) { 868 ip6stat.ip6s_cantforward++; 869 m_freem(m); 870 lck_mtx_unlock(ip6_mutex); 871 return; 872 } 873 if (!ours) { 874 m_freem(m); 875 lck_mtx_unlock(ip6_mutex); 876 return; 877 } 878 } else if (!ours) { 879 ip6_forward(m, &ip6_forward_rt, 0, 1); 880 lck_mtx_unlock(ip6_mutex); 881 return; 882 } 883 884 ip6 = mtod(m, struct ip6_hdr *); 885 886 /* 887 * Malicious party may be able to use IPv4 mapped addr to confuse 888 * tcp/udp stack and bypass security checks (act as if it was from 889 * 127.0.0.1 by using IPv6 src ::ffff:127.0.0.1). Be cautious. 890 * 891 * For SIIT end node behavior, you may want to disable the check. 892 * However, you will become vulnerable to attacks using IPv4 mapped 893 * source. 894 */ 895 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 896 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 897 ip6stat.ip6s_badscope++; 898 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 899 goto bad; 900 } 901 902 /* 903 * Tell launch routine the next header 904 */ 905 ip6stat.ip6s_delivered++; 906 in6_ifstat_inc(deliverifp, ifs6_in_deliver); 907 908 lck_mtx_unlock(ip6_mutex); 909injectit: 910 nest = 0; 911 912 while (nxt != IPPROTO_DONE) { 913 struct ipfilter *filter; 914 915 if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) { 916 ip6stat.ip6s_toomanyhdr++; 917 goto badunlocked; 918 } 919 920 /* 921 * protection against faulty packet - there should be 922 * more sanity checks in header chain processing. 923 */ 924 if (m->m_pkthdr.len < off) { 925 ip6stat.ip6s_tooshort++; 926 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 927 goto badunlocked; 928 } 929 930#if 0 931 /* 932 * do we need to do it for every header? yeah, other 933 * functions can play with it (like re-allocate and copy). 934 */ 935 mhist = ip6_addaux(m); 936 if (mhist && M_TRAILINGSPACE(mhist) >= sizeof(nxt)) { 937 hist = mtod(mhist, caddr_t) + mhist->m_len; 938 bcopy(&nxt, hist, sizeof(nxt)); 939 mhist->m_len += sizeof(nxt); 940 } else { 941 ip6stat.ip6s_toomanyhdr++; 942 goto bad; 943 } 944#endif 945 946#if IPSEC 947 /* 948 * enforce IPsec policy checking if we are seeing last header. 949 * note that we do not visit this with protocols with pcb layer 950 * code - like udp/tcp/raw ip. 951 */ 952 if ((ipsec_bypass == 0) && (ip6_protox[nxt]->pr_flags & PR_LASTHDR) != 0) { 953 if (ipsec6_in_reject(m, NULL)) { 954 IPSEC_STAT_INCREMENT(ipsec6stat.in_polvio); 955 goto badunlocked; 956 } 957 } 958#endif 959 960 /* 961 * Call IP filter 962 */ 963 if (!TAILQ_EMPTY(&ipv6_filters)) { 964 ipf_ref(); 965 TAILQ_FOREACH(filter, &ipv6_filters, ipf_link) { 966 if (seen == 0) { 967 if ((struct ipfilter *)inject_ipfref == filter) 968 seen = 1; 969 } else if (filter->ipf_filter.ipf_input) { 970 errno_t result; 971 972 result = filter->ipf_filter.ipf_input( 973 filter->ipf_filter.cookie, (mbuf_t*)&m, off, nxt); 974 if (result == EJUSTRETURN) { 975 ipf_unref(); 976 return; 977 } 978 if (result != 0) { 979 ipf_unref(); 980 m_freem(m); 981 return; 982 } 983 } 984 } 985 ipf_unref(); 986 } 987 if (!(ip6_protox[nxt]->pr_flags & PR_PROTOLOCK)) { 988 lck_mtx_lock(inet6_domain_mutex); 989 nxt = (*ip6_protox[nxt]->pr_input)(&m, &off); 990 lck_mtx_unlock(inet6_domain_mutex); 991 } 992 else 993 nxt = (*ip6_protox[nxt]->pr_input)(&m, &off); 994 } 995 return; 996 bad: 997 lck_mtx_unlock(ip6_mutex); 998 badunlocked: 999 m_freem(m); 1000 return; 1001} 1002 1003/* 1004 * set/grab in6_ifaddr correspond to IPv6 destination address. 1005 * XXX backward compatibility wrapper 1006 */ 1007static struct ip6aux * 1008ip6_setdstifaddr(struct mbuf *m, struct in6_ifaddr *ia6) 1009{ 1010 struct ip6aux *n; 1011 1012 n = ip6_addaux(m); 1013 if (n) 1014 n->ip6a_dstia6 = ia6; 1015 return (struct ip6aux *)n; /* NULL if failed to set */ 1016} 1017 1018struct in6_ifaddr * 1019ip6_getdstifaddr(m) 1020 struct mbuf *m; 1021{ 1022 struct ip6aux *n; 1023 1024 n = ip6_findaux(m); 1025 if (n) 1026 return n->ip6a_dstia6; 1027 else 1028 return NULL; 1029} 1030 1031/* 1032 * Hop-by-Hop options header processing. If a valid jumbo payload option is 1033 * included, the real payload length will be stored in plenp. 1034 */ 1035static int 1036ip6_hopopts_input(plenp, rtalertp, mp, offp) 1037 u_int32_t *plenp; 1038 u_int32_t *rtalertp; /* XXX: should be stored more smart way */ 1039 struct mbuf **mp; 1040 int *offp; 1041{ 1042 struct mbuf *m = *mp; 1043 int off = *offp, hbhlen; 1044 struct ip6_hbh *hbh; 1045 u_int8_t *opt; 1046 1047 /* validation of the length of the header */ 1048#ifndef PULLDOWN_TEST 1049 IP6_EXTHDR_CHECK(m, off, sizeof(*hbh), return -1); 1050 hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off); 1051 hbhlen = (hbh->ip6h_len + 1) << 3; 1052 1053 IP6_EXTHDR_CHECK(m, off, hbhlen, return -1); 1054 hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off); 1055#else 1056 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, 1057 sizeof(struct ip6_hdr), sizeof(struct ip6_hbh)); 1058 if (hbh == NULL) { 1059 ip6stat.ip6s_tooshort++; 1060 return -1; 1061 } 1062 hbhlen = (hbh->ip6h_len + 1) << 3; 1063 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 1064 hbhlen); 1065 if (hbh == NULL) { 1066 ip6stat.ip6s_tooshort++; 1067 return -1; 1068 } 1069#endif 1070 off += hbhlen; 1071 hbhlen -= sizeof(struct ip6_hbh); 1072 opt = (u_int8_t *)hbh + sizeof(struct ip6_hbh); 1073 1074 if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh), 1075 hbhlen, rtalertp, plenp) < 0) 1076 return(-1); 1077 1078 *offp = off; 1079 *mp = m; 1080 return(0); 1081} 1082 1083/* 1084 * Search header for all Hop-by-hop options and process each option. 1085 * This function is separate from ip6_hopopts_input() in order to 1086 * handle a case where the sending node itself process its hop-by-hop 1087 * options header. In such a case, the function is called from ip6_output(). 1088 * 1089 * The function assumes that hbh header is located right after the IPv6 header 1090 * (RFC2460 p7), opthead is pointer into data content in m, and opthead to 1091 * opthead + hbhlen is located in continuous memory region. 1092 */ 1093int 1094ip6_process_hopopts(m, opthead, hbhlen, rtalertp, plenp) 1095 struct mbuf *m; 1096 u_int8_t *opthead; 1097 int hbhlen; 1098 u_int32_t *rtalertp; 1099 u_int32_t *plenp; 1100{ 1101 struct ip6_hdr *ip6; 1102 int optlen = 0; 1103 u_int8_t *opt = opthead; 1104 u_int16_t rtalert_val; 1105 u_int32_t jumboplen; 1106 const int erroff = sizeof(struct ip6_hdr) + sizeof(struct ip6_hbh); 1107 1108 for (; hbhlen > 0; hbhlen -= optlen, opt += optlen) { 1109 switch (*opt) { 1110 case IP6OPT_PAD1: 1111 optlen = 1; 1112 break; 1113 case IP6OPT_PADN: 1114 if (hbhlen < IP6OPT_MINLEN) { 1115 ip6stat.ip6s_toosmall++; 1116 goto bad; 1117 } 1118 optlen = *(opt + 1) + 2; 1119 break; 1120 case IP6OPT_RTALERT: 1121 /* XXX may need check for alignment */ 1122 if (hbhlen < IP6OPT_RTALERT_LEN) { 1123 ip6stat.ip6s_toosmall++; 1124 goto bad; 1125 } 1126 if (*(opt + 1) != IP6OPT_RTALERT_LEN - 2) { 1127 /* XXX stat */ 1128 lck_mtx_unlock(ip6_mutex); 1129 icmp6_error(m, ICMP6_PARAM_PROB, 1130 ICMP6_PARAMPROB_HEADER, 1131 erroff + opt + 1 - opthead); 1132 lck_mtx_lock(ip6_mutex); 1133 return(-1); 1134 } 1135 optlen = IP6OPT_RTALERT_LEN; 1136 bcopy((caddr_t)(opt + 2), (caddr_t)&rtalert_val, 2); 1137 *rtalertp = ntohs(rtalert_val); 1138 break; 1139 case IP6OPT_JUMBO: 1140 /* XXX may need check for alignment */ 1141 if (hbhlen < IP6OPT_JUMBO_LEN) { 1142 ip6stat.ip6s_toosmall++; 1143 goto bad; 1144 } 1145 if (*(opt + 1) != IP6OPT_JUMBO_LEN - 2) { 1146 /* XXX stat */ 1147 lck_mtx_unlock(ip6_mutex); 1148 icmp6_error(m, ICMP6_PARAM_PROB, 1149 ICMP6_PARAMPROB_HEADER, 1150 erroff + opt + 1 - opthead); 1151 lck_mtx_lock(ip6_mutex); 1152 return(-1); 1153 } 1154 optlen = IP6OPT_JUMBO_LEN; 1155 1156 /* 1157 * IPv6 packets that have non 0 payload length 1158 * must not contain a jumbo payload option. 1159 */ 1160 ip6 = mtod(m, struct ip6_hdr *); 1161 if (ip6->ip6_plen) { 1162 ip6stat.ip6s_badoptions++; 1163 lck_mtx_unlock(ip6_mutex); 1164 icmp6_error(m, ICMP6_PARAM_PROB, 1165 ICMP6_PARAMPROB_HEADER, 1166 erroff + opt - opthead); 1167 lck_mtx_lock(ip6_mutex); 1168 return(-1); 1169 } 1170 1171 /* 1172 * We may see jumbolen in unaligned location, so 1173 * we'd need to perform bcopy(). 1174 */ 1175 bcopy(opt + 2, &jumboplen, sizeof(jumboplen)); 1176 jumboplen = (u_int32_t)htonl(jumboplen); 1177 1178#if 1 1179 /* 1180 * if there are multiple jumbo payload options, 1181 * *plenp will be non-zero and the packet will be 1182 * rejected. 1183 * the behavior may need some debate in ipngwg - 1184 * multiple options does not make sense, however, 1185 * there's no explicit mention in specification. 1186 */ 1187 if (*plenp != 0) { 1188 ip6stat.ip6s_badoptions++; 1189 lck_mtx_unlock(ip6_mutex); 1190 icmp6_error(m, ICMP6_PARAM_PROB, 1191 ICMP6_PARAMPROB_HEADER, 1192 erroff + opt + 2 - opthead); 1193 lck_mtx_lock(ip6_mutex); 1194 return(-1); 1195 } 1196#endif 1197 1198 /* 1199 * jumbo payload length must be larger than 65535. 1200 */ 1201 if (jumboplen <= IPV6_MAXPACKET) { 1202 ip6stat.ip6s_badoptions++; 1203 lck_mtx_unlock(ip6_mutex); 1204 icmp6_error(m, ICMP6_PARAM_PROB, 1205 ICMP6_PARAMPROB_HEADER, 1206 erroff + opt + 2 - opthead); 1207 lck_mtx_lock(ip6_mutex); 1208 return(-1); 1209 } 1210 *plenp = jumboplen; 1211 1212 break; 1213 default: /* unknown option */ 1214 if (hbhlen < IP6OPT_MINLEN) { 1215 ip6stat.ip6s_toosmall++; 1216 goto bad; 1217 } 1218 optlen = ip6_unknown_opt(opt, m, 1219 erroff + opt - opthead, 1); 1220 if (optlen == -1) { 1221 /* ip6_unknown opt unlocked ip6_mutex */ 1222 return(-1); 1223 } 1224 optlen += 2; 1225 break; 1226 } 1227 } 1228 1229 return(0); 1230 1231 bad: 1232 m_freem(m); 1233 return(-1); 1234} 1235 1236/* 1237 * Unknown option processing. 1238 * The third argument `off' is the offset from the IPv6 header to the option, 1239 * which is necessary if the IPv6 header the and option header and IPv6 header 1240 * is not continuous in order to return an ICMPv6 error. 1241 */ 1242int 1243ip6_unknown_opt(optp, m, off, locked) 1244 u_int8_t *optp; 1245 struct mbuf *m; 1246 int off; 1247 int locked; 1248{ 1249 struct ip6_hdr *ip6; 1250 1251 switch (IP6OPT_TYPE(*optp)) { 1252 case IP6OPT_TYPE_SKIP: /* ignore the option */ 1253 return((int)*(optp + 1)); 1254 case IP6OPT_TYPE_DISCARD: /* silently discard */ 1255 m_freem(m); 1256 return(-1); 1257 case IP6OPT_TYPE_FORCEICMP: /* send ICMP even if multicasted */ 1258 ip6stat.ip6s_badoptions++; 1259 if (locked) 1260 lck_mtx_unlock(ip6_mutex); 1261 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_OPTION, off); 1262 if (locked) 1263 lck_mtx_lock(ip6_mutex); 1264 return(-1); 1265 case IP6OPT_TYPE_ICMP: /* send ICMP if not multicasted */ 1266 ip6stat.ip6s_badoptions++; 1267 ip6 = mtod(m, struct ip6_hdr *); 1268 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) || 1269 (m->m_flags & (M_BCAST|M_MCAST))) 1270 m_freem(m); 1271 else { 1272 if (locked) 1273 lck_mtx_unlock(ip6_mutex); 1274 icmp6_error(m, ICMP6_PARAM_PROB, 1275 ICMP6_PARAMPROB_OPTION, off); 1276 if (locked) 1277 lck_mtx_lock(ip6_mutex); 1278 } 1279 return(-1); 1280 } 1281 1282 m_freem(m); /* XXX: NOTREACHED */ 1283 return(-1); 1284} 1285 1286/* 1287 * Create the "control" list for this pcb. 1288 * The function will not modify mbuf chain at all. 1289 * 1290 * with KAME mbuf chain restriction: 1291 * The routine will be called from upper layer handlers like tcp6_input(). 1292 * Thus the routine assumes that the caller (tcp6_input) have already 1293 * called IP6_EXTHDR_CHECK() and all the extension headers are located in the 1294 * very first mbuf on the mbuf chain. 1295 */ 1296void 1297ip6_savecontrol(in6p, mp, ip6, m) 1298 struct inpcb *in6p; 1299 struct mbuf **mp; 1300 struct ip6_hdr *ip6; 1301 struct mbuf *m; 1302{ 1303 int rthdr_exist = 0; 1304 1305#if SO_TIMESTAMP 1306 if ((in6p->in6p_socket->so_options & SO_TIMESTAMP) != 0) { 1307 struct timeval tv; 1308 1309 microtime(&tv); 1310 *mp = sbcreatecontrol((caddr_t) &tv, sizeof(tv), 1311 SCM_TIMESTAMP, SOL_SOCKET); 1312 if (*mp) { 1313 mp = &(*mp)->m_next; 1314 } 1315 } 1316#endif 1317 1318 /* some OSes call this logic with IPv4 packet, for SO_TIMESTAMP */ 1319 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) 1320 return; 1321 1322 /* RFC 2292 sec. 5 */ 1323 if ((in6p->in6p_flags & IN6P_PKTINFO) != 0) { 1324 struct in6_pktinfo pi6; 1325 bcopy(&ip6->ip6_dst, &pi6.ipi6_addr, sizeof(struct in6_addr)); 1326 if (IN6_IS_SCOPE_LINKLOCAL(&pi6.ipi6_addr)) 1327 pi6.ipi6_addr.s6_addr16[1] = 0; 1328 pi6.ipi6_ifindex = (m && m->m_pkthdr.rcvif) 1329 ? m->m_pkthdr.rcvif->if_index 1330 : 0; 1331 *mp = sbcreatecontrol((caddr_t) &pi6, 1332 sizeof(struct in6_pktinfo), IPV6_PKTINFO, 1333 IPPROTO_IPV6); 1334 if (*mp) 1335 mp = &(*mp)->m_next; 1336 } 1337 1338 if ((in6p->in6p_flags & IN6P_HOPLIMIT) != 0) { 1339 int hlim = ip6->ip6_hlim & 0xff; 1340 *mp = sbcreatecontrol((caddr_t) &hlim, 1341 sizeof(int), IPV6_HOPLIMIT, IPPROTO_IPV6); 1342 if (*mp) 1343 mp = &(*mp)->m_next; 1344 } 1345 1346 /* 1347 * IPV6_HOPOPTS socket option. Recall that we required super-user 1348 * privilege for the option (see ip6_ctloutput), but it might be too 1349 * strict, since there might be some hop-by-hop options which can be 1350 * returned to normal user. 1351 * See RFC 2292 section 6. 1352 */ 1353 if ((in6p->in6p_flags & IN6P_HOPOPTS) != 0) { 1354 /* 1355 * Check if a hop-by-hop options header is contatined in the 1356 * received packet, and if so, store the options as ancillary 1357 * data. Note that a hop-by-hop options header must be 1358 * just after the IPv6 header, which fact is assured through 1359 * the IPv6 input processing. 1360 */ 1361 ip6 = mtod(m, struct ip6_hdr *); 1362 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 1363 struct ip6_hbh *hbh; 1364 int hbhlen = 0; 1365#if PULLDOWN_TEST 1366 struct mbuf *ext; 1367#endif 1368 1369#ifndef PULLDOWN_TEST 1370 hbh = (struct ip6_hbh *)(ip6 + 1); 1371 hbhlen = (hbh->ip6h_len + 1) << 3; 1372#else 1373 ext = ip6_pullexthdr(m, sizeof(struct ip6_hdr), 1374 ip6->ip6_nxt); 1375 if (ext == NULL) { 1376 ip6stat.ip6s_tooshort++; 1377 return; 1378 } 1379 hbh = mtod(ext, struct ip6_hbh *); 1380 hbhlen = (hbh->ip6h_len + 1) << 3; 1381 if (hbhlen != ext->m_len) { 1382 m_freem(ext); 1383 ip6stat.ip6s_tooshort++; 1384 return; 1385 } 1386#endif 1387 1388 /* 1389 * XXX: We copy whole the header even if a jumbo 1390 * payload option is included, which option is to 1391 * be removed before returning in the RFC 2292. 1392 * Note: this constraint is removed in 2292bis. 1393 */ 1394 *mp = sbcreatecontrol((caddr_t)hbh, hbhlen, 1395 IPV6_HOPOPTS, IPPROTO_IPV6); 1396 if (*mp) 1397 mp = &(*mp)->m_next; 1398#if PULLDOWN_TEST 1399 m_freem(ext); 1400#endif 1401 } 1402 } 1403 1404 /* IPV6_DSTOPTS and IPV6_RTHDR socket options */ 1405 if ((in6p->in6p_flags & (IN6P_DSTOPTS | IN6P_RTHDRDSTOPTS)) != 0) { 1406 int proto, off, nxt; 1407 1408 /* 1409 * go through the header chain to see if a routing header is 1410 * contained in the packet. We need this information to store 1411 * destination options headers (if any) properly. 1412 * XXX: performance issue. We should record this info when 1413 * processing extension headers in incoming routine. 1414 * (todo) use m_aux? 1415 */ 1416 proto = IPPROTO_IPV6; 1417 off = 0; 1418 nxt = -1; 1419 while (1) { 1420 int newoff; 1421 1422 newoff = ip6_nexthdr(m, off, proto, &nxt); 1423 if (newoff < 0) 1424 break; 1425 if (newoff < off) /* invalid, check for safety */ 1426 break; 1427 if ((proto = nxt) == IPPROTO_ROUTING) { 1428 rthdr_exist = 1; 1429 break; 1430 } 1431 off = newoff; 1432 } 1433 } 1434 1435 if ((in6p->in6p_flags & 1436 (IN6P_RTHDR | IN6P_DSTOPTS | IN6P_RTHDRDSTOPTS)) != 0) { 1437 ip6 = mtod(m, struct ip6_hdr *); 1438 int nxt = ip6->ip6_nxt, off = sizeof(struct ip6_hdr); 1439 1440 /* 1441 * Search for destination options headers or routing 1442 * header(s) through the header chain, and stores each 1443 * header as ancillary data. 1444 * Note that the order of the headers remains in 1445 * the chain of ancillary data. 1446 */ 1447 while (1) { /* is explicit loop prevention necessary? */ 1448 struct ip6_ext *ip6e = NULL; 1449 int elen; 1450#if PULLDOWN_TEST 1451 struct mbuf *ext = NULL; 1452#endif 1453 1454 /* 1455 * if it is not an extension header, don't try to 1456 * pull it from the chain. 1457 */ 1458 switch (nxt) { 1459 case IPPROTO_DSTOPTS: 1460 case IPPROTO_ROUTING: 1461 case IPPROTO_HOPOPTS: 1462 case IPPROTO_AH: /* is it possible? */ 1463 break; 1464 default: 1465 goto loopend; 1466 } 1467 1468#ifndef PULLDOWN_TEST 1469 if (off + sizeof(*ip6e) > m->m_len) 1470 goto loopend; 1471 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + off); 1472 if (nxt == IPPROTO_AH) 1473 elen = (ip6e->ip6e_len + 2) << 2; 1474 else 1475 elen = (ip6e->ip6e_len + 1) << 3; 1476 if (off + elen > m->m_len) 1477 goto loopend; 1478#else 1479 ext = ip6_pullexthdr(m, off, nxt); 1480 if (ext == NULL) { 1481 ip6stat.ip6s_tooshort++; 1482 return; 1483 } 1484 ip6e = mtod(ext, struct ip6_ext *); 1485 if (nxt == IPPROTO_AH) 1486 elen = (ip6e->ip6e_len + 2) << 2; 1487 else 1488 elen = (ip6e->ip6e_len + 1) << 3; 1489 if (elen != ext->m_len) { 1490 m_freem(ext); 1491 ip6stat.ip6s_tooshort++; 1492 return; 1493 } 1494#endif 1495 1496 switch (nxt) { 1497 case IPPROTO_DSTOPTS: 1498 if ((in6p->in6p_flags & IN6P_DSTOPTS) == 0) 1499 break; 1500 1501 *mp = sbcreatecontrol((caddr_t)ip6e, elen, 1502 IPV6_DSTOPTS, 1503 IPPROTO_IPV6); 1504 if (*mp) 1505 mp = &(*mp)->m_next; 1506 break; 1507 case IPPROTO_ROUTING: 1508 if (!in6p->in6p_flags & IN6P_RTHDR) 1509 break; 1510 1511 *mp = sbcreatecontrol((caddr_t)ip6e, elen, 1512 IPV6_RTHDR, 1513 IPPROTO_IPV6); 1514 if (*mp) 1515 mp = &(*mp)->m_next; 1516 break; 1517 case IPPROTO_HOPOPTS: 1518 case IPPROTO_AH: /* is it possible? */ 1519 break; 1520 1521 default: 1522 /* 1523 * other cases have been filtered in the above. 1524 * none will visit this case. here we supply 1525 * the code just in case (nxt overwritten or 1526 * other cases). 1527 */ 1528#if PULLDOWN_TEST 1529 m_freem(ext); 1530#endif 1531 goto loopend; 1532 1533 } 1534 1535 /* proceed with the next header. */ 1536 off += elen; 1537 nxt = ip6e->ip6e_nxt; 1538 ip6e = NULL; 1539#if PULLDOWN_TEST 1540 m_freem(ext); 1541 ext = NULL; 1542#endif 1543 } 1544 loopend: 1545 ; 1546 } 1547 1548} 1549 1550#if PULLDOWN_TEST 1551/* 1552 * pull single extension header from mbuf chain. returns single mbuf that 1553 * contains the result, or NULL on error. 1554 */ 1555static struct mbuf * 1556ip6_pullexthdr(m, off, nxt) 1557 struct mbuf *m; 1558 size_t off; 1559 int nxt; 1560{ 1561 struct ip6_ext ip6e; 1562 size_t elen; 1563 struct mbuf *n; 1564 1565#if DIAGNOSTIC 1566 switch (nxt) { 1567 case IPPROTO_DSTOPTS: 1568 case IPPROTO_ROUTING: 1569 case IPPROTO_HOPOPTS: 1570 case IPPROTO_AH: /* is it possible? */ 1571 break; 1572 default: 1573 printf("ip6_pullexthdr: invalid nxt=%d\n", nxt); 1574 } 1575#endif 1576 1577 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1578 if (nxt == IPPROTO_AH) 1579 elen = (ip6e.ip6e_len + 2) << 2; 1580 else 1581 elen = (ip6e.ip6e_len + 1) << 3; 1582 1583 MGET(n, M_DONTWAIT, MT_DATA); 1584 if (n && elen >= MLEN) { 1585 MCLGET(n, M_DONTWAIT); 1586 if ((n->m_flags & M_EXT) == 0) { 1587 m_free(n); 1588 n = NULL; 1589 } 1590 } 1591 if (!n) 1592 return NULL; 1593 1594 n->m_len = 0; 1595 if (elen >= M_TRAILINGSPACE(n)) { 1596 m_free(n); 1597 return NULL; 1598 } 1599 1600 m_copydata(m, off, elen, mtod(n, caddr_t)); 1601 n->m_len = elen; 1602 return n; 1603} 1604#endif 1605 1606/* 1607 * Get pointer to the previous header followed by the header 1608 * currently processed. 1609 * XXX: This function supposes that 1610 * M includes all headers, 1611 * the next header field and the header length field of each header 1612 * are valid, and 1613 * the sum of each header length equals to OFF. 1614 * Because of these assumptions, this function must be called very 1615 * carefully. Moreover, it will not be used in the near future when 1616 * we develop `neater' mechanism to process extension headers. 1617 */ 1618char * 1619ip6_get_prevhdr(m, off) 1620 struct mbuf *m; 1621 int off; 1622{ 1623 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1624 1625 if (off == sizeof(struct ip6_hdr)) 1626 return((char *) &ip6->ip6_nxt); 1627 else { 1628 int len, nxt; 1629 struct ip6_ext *ip6e = NULL; 1630 1631 nxt = ip6->ip6_nxt; 1632 len = sizeof(struct ip6_hdr); 1633 while (len < off) { 1634 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + len); 1635 1636 switch (nxt) { 1637 case IPPROTO_FRAGMENT: 1638 len += sizeof(struct ip6_frag); 1639 break; 1640 case IPPROTO_AH: 1641 len += (ip6e->ip6e_len + 2) << 2; 1642 break; 1643 default: 1644 len += (ip6e->ip6e_len + 1) << 3; 1645 break; 1646 } 1647 nxt = ip6e->ip6e_nxt; 1648 } 1649 if (ip6e) 1650 return((char *) &ip6e->ip6e_nxt); 1651 else 1652 return NULL; 1653 } 1654} 1655 1656/* 1657 * get next header offset. m will be retained. 1658 */ 1659int 1660ip6_nexthdr(m, off, proto, nxtp) 1661 struct mbuf *m; 1662 int off; 1663 int proto; 1664 int *nxtp; 1665{ 1666 struct ip6_hdr ip6; 1667 struct ip6_ext ip6e; 1668 struct ip6_frag fh; 1669 1670 /* just in case */ 1671 if (m == NULL) 1672 panic("ip6_nexthdr: m == NULL"); 1673 if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off) 1674 return -1; 1675 1676 switch (proto) { 1677 case IPPROTO_IPV6: 1678 if (m->m_pkthdr.len < off + sizeof(ip6)) 1679 return -1; 1680 m_copydata(m, off, sizeof(ip6), (caddr_t)&ip6); 1681 if (nxtp) 1682 *nxtp = ip6.ip6_nxt; 1683 off += sizeof(ip6); 1684 return off; 1685 1686 case IPPROTO_FRAGMENT: 1687 /* 1688 * terminate parsing if it is not the first fragment, 1689 * it does not make sense to parse through it. 1690 */ 1691 if (m->m_pkthdr.len < off + sizeof(fh)) 1692 return -1; 1693 m_copydata(m, off, sizeof(fh), (caddr_t)&fh); 1694 /* IP6F_OFF_MASK = 0xfff8(BigEndian), 0xf8ff(LittleEndian) */ 1695 if (fh.ip6f_offlg & IP6F_OFF_MASK) 1696 return -1; 1697 if (nxtp) 1698 *nxtp = fh.ip6f_nxt; 1699 off += sizeof(struct ip6_frag); 1700 return off; 1701 1702 case IPPROTO_AH: 1703 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1704 return -1; 1705 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1706 if (nxtp) 1707 *nxtp = ip6e.ip6e_nxt; 1708 off += (ip6e.ip6e_len + 2) << 2; 1709 return off; 1710 1711 case IPPROTO_HOPOPTS: 1712 case IPPROTO_ROUTING: 1713 case IPPROTO_DSTOPTS: 1714 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1715 return -1; 1716 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1717 if (nxtp) 1718 *nxtp = ip6e.ip6e_nxt; 1719 off += (ip6e.ip6e_len + 1) << 3; 1720 return off; 1721 1722 case IPPROTO_NONE: 1723 case IPPROTO_ESP: 1724 case IPPROTO_IPCOMP: 1725 /* give up */ 1726 return -1; 1727 1728 default: 1729 return -1; 1730 } 1731 1732 return -1; 1733} 1734 1735/* 1736 * get offset for the last header in the chain. m will be kept untainted. 1737 */ 1738int 1739ip6_lasthdr(m, off, proto, nxtp) 1740 struct mbuf *m; 1741 int off; 1742 int proto; 1743 int *nxtp; 1744{ 1745 int newoff; 1746 int nxt; 1747 1748 if (!nxtp) { 1749 nxt = -1; 1750 nxtp = &nxt; 1751 } 1752 while (1) { 1753 newoff = ip6_nexthdr(m, off, proto, nxtp); 1754 if (newoff < 0) 1755 return off; 1756 else if (newoff < off) 1757 return -1; /* invalid */ 1758 else if (newoff == off) 1759 return newoff; 1760 1761 off = newoff; 1762 proto = *nxtp; 1763 } 1764} 1765 1766struct ip6aux * 1767ip6_addaux( 1768 struct mbuf *m) 1769{ 1770 struct m_tag *tag; 1771 1772 /* Check if one is already allocated */ 1773 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_INET6, NULL); 1774 if (tag == NULL) { 1775 /* Allocate a tag */ 1776 tag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_INET6, 1777 sizeof(*tag), M_DONTWAIT); 1778 1779 /* Attach it to the mbuf */ 1780 if (tag) { 1781 m_tag_prepend(m, tag); 1782 } 1783 } 1784 1785 return tag ? (struct ip6aux*)(tag + 1) : NULL; 1786} 1787 1788struct ip6aux * 1789ip6_findaux( 1790 struct mbuf *m) 1791{ 1792 struct m_tag *tag; 1793 1794 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_ENCAP, NULL); 1795 1796 return tag ? (struct ip6aux*)(tag + 1) : NULL; 1797} 1798 1799void 1800ip6_delaux( 1801 struct mbuf *m) 1802{ 1803 struct m_tag *tag; 1804 1805 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_ENCAP, NULL); 1806 if (tag) { 1807 m_tag_delete(m, tag); 1808 } 1809} 1810 1811/* 1812 * System control for IP6 1813 */ 1814 1815u_char inet6ctlerrmap[PRC_NCMDS] = { 1816 0, 0, 0, 0, 1817 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH, 1818 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, 1819 EMSGSIZE, EHOSTUNREACH, 0, 0, 1820 0, 0, 0, 0, 1821 ENOPROTOOPT 1822}; 1823