1 /* 2 * Extension Header handling for IPv6 3 * Linux INET6 implementation 4 * 5 * Authors: 6 * Pedro Roque <roque@di.fc.ul.pt> 7 * Andi Kleen <ak@muc.de> 8 * Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> 9 * 10 * This program is free software; you can redistribute it and/or 11 * modify it under the terms of the GNU General Public License 12 * as published by the Free Software Foundation; either version 13 * 2 of the License, or (at your option) any later version. 14 */ 15 16 /* Changes: 17 * yoshfuji : ensure not to overrun while parsing 18 * tlv options. 19 * Mitsuru KANDA @USAGI and: Remove ipv6_parse_exthdrs(). 20 * YOSHIFUJI Hideaki @USAGI Register inbound extension header 21 * handlers as inet6_protocol{}. 22 */ 23 24 #include <linux/errno.h> 25 #include <linux/types.h> 26 #include <linux/socket.h> 27 #include <linux/sockios.h> 28 #include <linux/net.h> 29 #include <linux/netdevice.h> 30 #include <linux/in6.h> 31 #include <linux/icmpv6.h> 32 #include <linux/slab.h> 33 #include <linux/export.h> 34 35 #include <net/dst.h> 36 #include <net/sock.h> 37 #include <net/snmp.h> 38 39 #include <net/ipv6.h> 40 #include <net/protocol.h> 41 #include <net/transp_v6.h> 42 #include <net/rawv6.h> 43 #include <net/ndisc.h> 44 #include <net/ip6_route.h> 45 #include <net/addrconf.h> 46 #include <net/calipso.h> 47 #if IS_ENABLED(CONFIG_IPV6_MIP6) 48 #include <net/xfrm.h> 49 #endif 50 #include <linux/seg6.h> 51 #include <net/seg6.h> 52 #ifdef CONFIG_IPV6_SEG6_HMAC 53 #include <net/seg6_hmac.h> 54 #endif 55 56 #include <linux/uaccess.h> 57 58 /* 59 * Parsing tlv encoded headers. 60 * 61 * Parsing function "func" returns true, if parsing succeed 62 * and false, if it failed. 63 * It MUST NOT touch skb->h. 64 */ 65 66 struct tlvtype_proc { 67 int type; 68 bool (*func)(struct sk_buff *skb, int offset); 69 }; 70 71 /********************* 72 Generic functions 73 *********************/ 74 75 /* An unknown option is detected, decide what to do */ 76 77 static bool ip6_tlvopt_unknown(struct sk_buff *skb, int optoff, 78 bool disallow_unknowns) 79 { 80 if (disallow_unknowns) { 81 /* If unknown TLVs are disallowed by configuration 82 * then always silently drop packet. Note this also 83 * means no ICMP parameter problem is sent which 84 * could be a good property to mitigate a reflection DOS 85 * attack. 86 */ 87 88 goto drop; 89 } 90 91 switch ((skb_network_header(skb)[optoff] & 0xC0) >> 6) { 92 case 0: /* ignore */ 93 return true; 94 95 case 1: /* drop packet */ 96 break; 97 98 case 3: /* Send ICMP if not a multicast address and drop packet */ 99 /* Actually, it is redundant check. icmp_send 100 will recheck in any case. 101 */ 102 if (ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr)) 103 break; 104 /* fall through */ 105 case 2: /* send ICMP PARM PROB regardless and drop packet */ 106 icmpv6_param_prob(skb, ICMPV6_UNK_OPTION, optoff); 107 return false; 108 } 109 110 drop: 111 kfree_skb(skb); 112 return false; 113 } 114 115 /* Parse tlv encoded option header (hop-by-hop or destination) */ 116 117 static bool ip6_parse_tlv(const struct tlvtype_proc *procs, 118 struct sk_buff *skb, 119 int max_count) 120 { 121 int len = (skb_transport_header(skb)[1] + 1) << 3; 122 const unsigned char *nh = skb_network_header(skb); 123 int off = skb_network_header_len(skb); 124 const struct tlvtype_proc *curr; 125 bool disallow_unknowns = false; 126 int tlv_count = 0; 127 int padlen = 0; 128 129 if (unlikely(max_count < 0)) { 130 disallow_unknowns = true; 131 max_count = -max_count; 132 } 133 134 if (skb_transport_offset(skb) + len > skb_headlen(skb)) 135 goto bad; 136 137 off += 2; 138 len -= 2; 139 140 while (len > 0) { 141 int optlen = nh[off + 1] + 2; 142 int i; 143 144 switch (nh[off]) { 145 case IPV6_TLV_PAD1: 146 optlen = 1; 147 padlen++; 148 if (padlen > 7) 149 goto bad; 150 break; 151 152 case IPV6_TLV_PADN: 153 /* RFC 2460 states that the purpose of PadN is 154 * to align the containing header to multiples 155 * of 8. 7 is therefore the highest valid value. 156 * See also RFC 4942, Section 2.1.9.5. 157 */ 158 padlen += optlen; 159 if (padlen > 7) 160 goto bad; 161 /* RFC 4942 recommends receiving hosts to 162 * actively check PadN payload to contain 163 * only zeroes. 164 */ 165 for (i = 2; i < optlen; i++) { 166 if (nh[off + i] != 0) 167 goto bad; 168 } 169 break; 170 171 default: /* Other TLV code so scan list */ 172 if (optlen > len) 173 goto bad; 174 175 tlv_count++; 176 if (tlv_count > max_count) 177 goto bad; 178 179 for (curr = procs; curr->type >= 0; curr++) { 180 if (curr->type == nh[off]) { 181 /* type specific length/alignment 182 checks will be performed in the 183 func(). */ 184 if (curr->func(skb, off) == false) 185 return false; 186 break; 187 } 188 } 189 if (curr->type < 0 && 190 !ip6_tlvopt_unknown(skb, off, disallow_unknowns)) 191 return false; 192 193 padlen = 0; 194 break; 195 } 196 off += optlen; 197 len -= optlen; 198 } 199 200 if (len == 0) 201 return true; 202 bad: 203 kfree_skb(skb); 204 return false; 205 } 206 207 /***************************** 208 Destination options header. 209 *****************************/ 210 211 #if IS_ENABLED(CONFIG_IPV6_MIP6) 212 static bool ipv6_dest_hao(struct sk_buff *skb, int optoff) 213 { 214 struct ipv6_destopt_hao *hao; 215 struct inet6_skb_parm *opt = IP6CB(skb); 216 struct ipv6hdr *ipv6h = ipv6_hdr(skb); 217 int ret; 218 219 if (opt->dsthao) { 220 net_dbg_ratelimited("hao duplicated\n"); 221 goto discard; 222 } 223 opt->dsthao = opt->dst1; 224 opt->dst1 = 0; 225 226 hao = (struct ipv6_destopt_hao *)(skb_network_header(skb) + optoff); 227 228 if (hao->length != 16) { 229 net_dbg_ratelimited("hao invalid option length = %d\n", 230 hao->length); 231 goto discard; 232 } 233 234 if (!(ipv6_addr_type(&hao->addr) & IPV6_ADDR_UNICAST)) { 235 net_dbg_ratelimited("hao is not an unicast addr: %pI6\n", 236 &hao->addr); 237 goto discard; 238 } 239 240 ret = xfrm6_input_addr(skb, (xfrm_address_t *)&ipv6h->daddr, 241 (xfrm_address_t *)&hao->addr, IPPROTO_DSTOPTS); 242 if (unlikely(ret < 0)) 243 goto discard; 244 245 if (skb_cloned(skb)) { 246 if (pskb_expand_head(skb, 0, 0, GFP_ATOMIC)) 247 goto discard; 248 249 /* update all variable using below by copied skbuff */ 250 hao = (struct ipv6_destopt_hao *)(skb_network_header(skb) + 251 optoff); 252 ipv6h = ipv6_hdr(skb); 253 } 254 255 if (skb->ip_summed == CHECKSUM_COMPLETE) 256 skb->ip_summed = CHECKSUM_NONE; 257 258 swap(ipv6h->saddr, hao->addr); 259 260 if (skb->tstamp == 0) 261 __net_timestamp(skb); 262 263 return true; 264 265 discard: 266 kfree_skb(skb); 267 return false; 268 } 269 #endif 270 271 static const struct tlvtype_proc tlvprocdestopt_lst[] = { 272 #if IS_ENABLED(CONFIG_IPV6_MIP6) 273 { 274 .type = IPV6_TLV_HAO, 275 .func = ipv6_dest_hao, 276 }, 277 #endif 278 {-1, NULL} 279 }; 280 281 static int ipv6_destopt_rcv(struct sk_buff *skb) 282 { 283 struct inet6_dev *idev = __in6_dev_get(skb->dev); 284 struct inet6_skb_parm *opt = IP6CB(skb); 285 #if IS_ENABLED(CONFIG_IPV6_MIP6) 286 __u16 dstbuf; 287 #endif 288 struct dst_entry *dst = skb_dst(skb); 289 struct net *net = dev_net(skb->dev); 290 int extlen; 291 292 if (!pskb_may_pull(skb, skb_transport_offset(skb) + 8) || 293 !pskb_may_pull(skb, (skb_transport_offset(skb) + 294 ((skb_transport_header(skb)[1] + 1) << 3)))) { 295 __IP6_INC_STATS(dev_net(dst->dev), idev, 296 IPSTATS_MIB_INHDRERRORS); 297 fail_and_free: 298 kfree_skb(skb); 299 return -1; 300 } 301 302 extlen = (skb_transport_header(skb)[1] + 1) << 3; 303 if (extlen > net->ipv6.sysctl.max_dst_opts_len) 304 goto fail_and_free; 305 306 opt->lastopt = opt->dst1 = skb_network_header_len(skb); 307 #if IS_ENABLED(CONFIG_IPV6_MIP6) 308 dstbuf = opt->dst1; 309 #endif 310 311 if (ip6_parse_tlv(tlvprocdestopt_lst, skb, 312 init_net.ipv6.sysctl.max_dst_opts_cnt)) { 313 skb->transport_header += extlen; 314 opt = IP6CB(skb); 315 #if IS_ENABLED(CONFIG_IPV6_MIP6) 316 opt->nhoff = dstbuf; 317 #else 318 opt->nhoff = opt->dst1; 319 #endif 320 return 1; 321 } 322 323 __IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS); 324 return -1; 325 } 326 327 static void seg6_update_csum(struct sk_buff *skb) 328 { 329 struct ipv6_sr_hdr *hdr; 330 struct in6_addr *addr; 331 __be32 from, to; 332 333 /* srh is at transport offset and seg_left is already decremented 334 * but daddr is not yet updated with next segment 335 */ 336 337 hdr = (struct ipv6_sr_hdr *)skb_transport_header(skb); 338 addr = hdr->segments + hdr->segments_left; 339 340 hdr->segments_left++; 341 from = *(__be32 *)hdr; 342 343 hdr->segments_left--; 344 to = *(__be32 *)hdr; 345 346 /* update skb csum with diff resulting from seg_left decrement */ 347 348 update_csum_diff4(skb, from, to); 349 350 /* compute csum diff between current and next segment and update */ 351 352 update_csum_diff16(skb, (__be32 *)(&ipv6_hdr(skb)->daddr), 353 (__be32 *)addr); 354 } 355 356 static int ipv6_srh_rcv(struct sk_buff *skb) 357 { 358 struct inet6_skb_parm *opt = IP6CB(skb); 359 struct net *net = dev_net(skb->dev); 360 struct ipv6_sr_hdr *hdr; 361 struct inet6_dev *idev; 362 struct in6_addr *addr; 363 int accept_seg6; 364 365 hdr = (struct ipv6_sr_hdr *)skb_transport_header(skb); 366 367 idev = __in6_dev_get(skb->dev); 368 369 accept_seg6 = net->ipv6.devconf_all->seg6_enabled; 370 if (accept_seg6 > idev->cnf.seg6_enabled) 371 accept_seg6 = idev->cnf.seg6_enabled; 372 373 if (!accept_seg6) { 374 kfree_skb(skb); 375 return -1; 376 } 377 378 #ifdef CONFIG_IPV6_SEG6_HMAC 379 if (!seg6_hmac_validate_skb(skb)) { 380 kfree_skb(skb); 381 return -1; 382 } 383 #endif 384 385 looped_back: 386 if (hdr->segments_left == 0) { 387 if (hdr->nexthdr == NEXTHDR_IPV6) { 388 int offset = (hdr->hdrlen + 1) << 3; 389 390 skb_postpull_rcsum(skb, skb_network_header(skb), 391 skb_network_header_len(skb)); 392 393 if (!pskb_pull(skb, offset)) { 394 kfree_skb(skb); 395 return -1; 396 } 397 skb_postpull_rcsum(skb, skb_transport_header(skb), 398 offset); 399 400 skb_reset_network_header(skb); 401 skb_reset_transport_header(skb); 402 skb->encapsulation = 0; 403 404 __skb_tunnel_rx(skb, skb->dev, net); 405 406 netif_rx(skb); 407 return -1; 408 } 409 410 opt->srcrt = skb_network_header_len(skb); 411 opt->lastopt = opt->srcrt; 412 skb->transport_header += (hdr->hdrlen + 1) << 3; 413 opt->nhoff = (&hdr->nexthdr) - skb_network_header(skb); 414 415 return 1; 416 } 417 418 if (hdr->segments_left >= (hdr->hdrlen >> 1)) { 419 __IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS); 420 icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, 421 ((&hdr->segments_left) - 422 skb_network_header(skb))); 423 return -1; 424 } 425 426 if (skb_cloned(skb)) { 427 if (pskb_expand_head(skb, 0, 0, GFP_ATOMIC)) { 428 __IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), 429 IPSTATS_MIB_OUTDISCARDS); 430 kfree_skb(skb); 431 return -1; 432 } 433 } 434 435 hdr = (struct ipv6_sr_hdr *)skb_transport_header(skb); 436 437 hdr->segments_left--; 438 addr = hdr->segments + hdr->segments_left; 439 440 skb_push(skb, sizeof(struct ipv6hdr)); 441 442 if (skb->ip_summed == CHECKSUM_COMPLETE) 443 seg6_update_csum(skb); 444 445 ipv6_hdr(skb)->daddr = *addr; 446 447 skb_dst_drop(skb); 448 449 ip6_route_input(skb); 450 451 if (skb_dst(skb)->error) { 452 dst_input(skb); 453 return -1; 454 } 455 456 if (skb_dst(skb)->dev->flags & IFF_LOOPBACK) { 457 if (ipv6_hdr(skb)->hop_limit <= 1) { 458 __IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS); 459 icmpv6_send(skb, ICMPV6_TIME_EXCEED, 460 ICMPV6_EXC_HOPLIMIT, 0); 461 kfree_skb(skb); 462 return -1; 463 } 464 ipv6_hdr(skb)->hop_limit--; 465 466 skb_pull(skb, sizeof(struct ipv6hdr)); 467 goto looped_back; 468 } 469 470 dst_input(skb); 471 472 return -1; 473 } 474 475 /******************************** 476 Routing header. 477 ********************************/ 478 479 /* called with rcu_read_lock() */ 480 static int ipv6_rthdr_rcv(struct sk_buff *skb) 481 { 482 struct inet6_dev *idev = __in6_dev_get(skb->dev); 483 struct inet6_skb_parm *opt = IP6CB(skb); 484 struct in6_addr *addr = NULL; 485 struct in6_addr daddr; 486 int n, i; 487 struct ipv6_rt_hdr *hdr; 488 struct rt0_hdr *rthdr; 489 struct net *net = dev_net(skb->dev); 490 int accept_source_route = net->ipv6.devconf_all->accept_source_route; 491 492 idev = __in6_dev_get(skb->dev); 493 if (idev && accept_source_route > idev->cnf.accept_source_route) 494 accept_source_route = idev->cnf.accept_source_route; 495 496 if (!pskb_may_pull(skb, skb_transport_offset(skb) + 8) || 497 !pskb_may_pull(skb, (skb_transport_offset(skb) + 498 ((skb_transport_header(skb)[1] + 1) << 3)))) { 499 __IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS); 500 kfree_skb(skb); 501 return -1; 502 } 503 504 hdr = (struct ipv6_rt_hdr *)skb_transport_header(skb); 505 506 if (ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr) || 507 skb->pkt_type != PACKET_HOST) { 508 __IP6_INC_STATS(net, idev, IPSTATS_MIB_INADDRERRORS); 509 kfree_skb(skb); 510 return -1; 511 } 512 513 /* segment routing */ 514 if (hdr->type == IPV6_SRCRT_TYPE_4) 515 return ipv6_srh_rcv(skb); 516 517 looped_back: 518 if (hdr->segments_left == 0) { 519 switch (hdr->type) { 520 #if IS_ENABLED(CONFIG_IPV6_MIP6) 521 case IPV6_SRCRT_TYPE_2: 522 /* Silently discard type 2 header unless it was 523 * processed by own 524 */ 525 if (!addr) { 526 __IP6_INC_STATS(net, idev, 527 IPSTATS_MIB_INADDRERRORS); 528 kfree_skb(skb); 529 return -1; 530 } 531 break; 532 #endif 533 default: 534 break; 535 } 536 537 opt->lastopt = opt->srcrt = skb_network_header_len(skb); 538 skb->transport_header += (hdr->hdrlen + 1) << 3; 539 opt->dst0 = opt->dst1; 540 opt->dst1 = 0; 541 opt->nhoff = (&hdr->nexthdr) - skb_network_header(skb); 542 return 1; 543 } 544 545 switch (hdr->type) { 546 #if IS_ENABLED(CONFIG_IPV6_MIP6) 547 case IPV6_SRCRT_TYPE_2: 548 if (accept_source_route < 0) 549 goto unknown_rh; 550 /* Silently discard invalid RTH type 2 */ 551 if (hdr->hdrlen != 2 || hdr->segments_left != 1) { 552 __IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS); 553 kfree_skb(skb); 554 return -1; 555 } 556 break; 557 #endif 558 default: 559 goto unknown_rh; 560 } 561 562 /* 563 * This is the routing header forwarding algorithm from 564 * RFC 2460, page 16. 565 */ 566 567 n = hdr->hdrlen >> 1; 568 569 if (hdr->segments_left > n) { 570 __IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS); 571 icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, 572 ((&hdr->segments_left) - 573 skb_network_header(skb))); 574 return -1; 575 } 576 577 /* We are about to mangle packet header. Be careful! 578 Do not damage packets queued somewhere. 579 */ 580 if (skb_cloned(skb)) { 581 /* the copy is a forwarded packet */ 582 if (pskb_expand_head(skb, 0, 0, GFP_ATOMIC)) { 583 __IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), 584 IPSTATS_MIB_OUTDISCARDS); 585 kfree_skb(skb); 586 return -1; 587 } 588 hdr = (struct ipv6_rt_hdr *)skb_transport_header(skb); 589 } 590 591 if (skb->ip_summed == CHECKSUM_COMPLETE) 592 skb->ip_summed = CHECKSUM_NONE; 593 594 i = n - --hdr->segments_left; 595 596 rthdr = (struct rt0_hdr *) hdr; 597 addr = rthdr->addr; 598 addr += i - 1; 599 600 switch (hdr->type) { 601 #if IS_ENABLED(CONFIG_IPV6_MIP6) 602 case IPV6_SRCRT_TYPE_2: 603 if (xfrm6_input_addr(skb, (xfrm_address_t *)addr, 604 (xfrm_address_t *)&ipv6_hdr(skb)->saddr, 605 IPPROTO_ROUTING) < 0) { 606 __IP6_INC_STATS(net, idev, IPSTATS_MIB_INADDRERRORS); 607 kfree_skb(skb); 608 return -1; 609 } 610 if (!ipv6_chk_home_addr(dev_net(skb_dst(skb)->dev), addr)) { 611 __IP6_INC_STATS(net, idev, IPSTATS_MIB_INADDRERRORS); 612 kfree_skb(skb); 613 return -1; 614 } 615 break; 616 #endif 617 default: 618 break; 619 } 620 621 if (ipv6_addr_is_multicast(addr)) { 622 __IP6_INC_STATS(net, idev, IPSTATS_MIB_INADDRERRORS); 623 kfree_skb(skb); 624 return -1; 625 } 626 627 daddr = *addr; 628 *addr = ipv6_hdr(skb)->daddr; 629 ipv6_hdr(skb)->daddr = daddr; 630 631 skb_dst_drop(skb); 632 ip6_route_input(skb); 633 if (skb_dst(skb)->error) { 634 skb_push(skb, skb->data - skb_network_header(skb)); 635 dst_input(skb); 636 return -1; 637 } 638 639 if (skb_dst(skb)->dev->flags&IFF_LOOPBACK) { 640 if (ipv6_hdr(skb)->hop_limit <= 1) { 641 __IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS); 642 icmpv6_send(skb, ICMPV6_TIME_EXCEED, ICMPV6_EXC_HOPLIMIT, 643 0); 644 kfree_skb(skb); 645 return -1; 646 } 647 ipv6_hdr(skb)->hop_limit--; 648 goto looped_back; 649 } 650 651 skb_push(skb, skb->data - skb_network_header(skb)); 652 dst_input(skb); 653 return -1; 654 655 unknown_rh: 656 __IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS); 657 icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, 658 (&hdr->type) - skb_network_header(skb)); 659 return -1; 660 } 661 662 static const struct inet6_protocol rthdr_protocol = { 663 .handler = ipv6_rthdr_rcv, 664 .flags = INET6_PROTO_NOPOLICY, 665 }; 666 667 static const struct inet6_protocol destopt_protocol = { 668 .handler = ipv6_destopt_rcv, 669 .flags = INET6_PROTO_NOPOLICY, 670 }; 671 672 static const struct inet6_protocol nodata_protocol = { 673 .handler = dst_discard, 674 .flags = INET6_PROTO_NOPOLICY, 675 }; 676 677 int __init ipv6_exthdrs_init(void) 678 { 679 int ret; 680 681 ret = inet6_add_protocol(&rthdr_protocol, IPPROTO_ROUTING); 682 if (ret) 683 goto out; 684 685 ret = inet6_add_protocol(&destopt_protocol, IPPROTO_DSTOPTS); 686 if (ret) 687 goto out_rthdr; 688 689 ret = inet6_add_protocol(&nodata_protocol, IPPROTO_NONE); 690 if (ret) 691 goto out_destopt; 692 693 out: 694 return ret; 695 out_destopt: 696 inet6_del_protocol(&destopt_protocol, IPPROTO_DSTOPTS); 697 out_rthdr: 698 inet6_del_protocol(&rthdr_protocol, IPPROTO_ROUTING); 699 goto out; 700 }; 701 702 void ipv6_exthdrs_exit(void) 703 { 704 inet6_del_protocol(&nodata_protocol, IPPROTO_NONE); 705 inet6_del_protocol(&destopt_protocol, IPPROTO_DSTOPTS); 706 inet6_del_protocol(&rthdr_protocol, IPPROTO_ROUTING); 707 } 708 709 /********************************** 710 Hop-by-hop options. 711 **********************************/ 712 713 /* 714 * Note: we cannot rely on skb_dst(skb) before we assign it in ip6_route_input(). 715 */ 716 static inline struct inet6_dev *ipv6_skb_idev(struct sk_buff *skb) 717 { 718 return skb_dst(skb) ? ip6_dst_idev(skb_dst(skb)) : __in6_dev_get(skb->dev); 719 } 720 721 static inline struct net *ipv6_skb_net(struct sk_buff *skb) 722 { 723 return skb_dst(skb) ? dev_net(skb_dst(skb)->dev) : dev_net(skb->dev); 724 } 725 726 /* Router Alert as of RFC 2711 */ 727 728 static bool ipv6_hop_ra(struct sk_buff *skb, int optoff) 729 { 730 const unsigned char *nh = skb_network_header(skb); 731 732 if (nh[optoff + 1] == 2) { 733 IP6CB(skb)->flags |= IP6SKB_ROUTERALERT; 734 memcpy(&IP6CB(skb)->ra, nh + optoff + 2, sizeof(IP6CB(skb)->ra)); 735 return true; 736 } 737 net_dbg_ratelimited("ipv6_hop_ra: wrong RA length %d\n", 738 nh[optoff + 1]); 739 kfree_skb(skb); 740 return false; 741 } 742 743 /* Jumbo payload */ 744 745 static bool ipv6_hop_jumbo(struct sk_buff *skb, int optoff) 746 { 747 const unsigned char *nh = skb_network_header(skb); 748 struct inet6_dev *idev = __in6_dev_get_safely(skb->dev); 749 struct net *net = ipv6_skb_net(skb); 750 u32 pkt_len; 751 752 if (nh[optoff + 1] != 4 || (optoff & 3) != 2) { 753 net_dbg_ratelimited("ipv6_hop_jumbo: wrong jumbo opt length/alignment %d\n", 754 nh[optoff+1]); 755 __IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS); 756 goto drop; 757 } 758 759 pkt_len = ntohl(*(__be32 *)(nh + optoff + 2)); 760 if (pkt_len <= IPV6_MAXPLEN) { 761 __IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS); 762 icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, optoff+2); 763 return false; 764 } 765 if (ipv6_hdr(skb)->payload_len) { 766 __IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS); 767 icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, optoff); 768 return false; 769 } 770 771 if (pkt_len > skb->len - sizeof(struct ipv6hdr)) { 772 __IP6_INC_STATS(net, idev, IPSTATS_MIB_INTRUNCATEDPKTS); 773 goto drop; 774 } 775 776 if (pskb_trim_rcsum(skb, pkt_len + sizeof(struct ipv6hdr))) 777 goto drop; 778 779 IP6CB(skb)->flags |= IP6SKB_JUMBOGRAM; 780 return true; 781 782 drop: 783 kfree_skb(skb); 784 return false; 785 } 786 787 /* CALIPSO RFC 5570 */ 788 789 static bool ipv6_hop_calipso(struct sk_buff *skb, int optoff) 790 { 791 const unsigned char *nh = skb_network_header(skb); 792 793 if (nh[optoff + 1] < 8) 794 goto drop; 795 796 if (nh[optoff + 6] * 4 + 8 > nh[optoff + 1]) 797 goto drop; 798 799 if (!calipso_validate(skb, nh + optoff)) 800 goto drop; 801 802 return true; 803 804 drop: 805 kfree_skb(skb); 806 return false; 807 } 808 809 static const struct tlvtype_proc tlvprochopopt_lst[] = { 810 { 811 .type = IPV6_TLV_ROUTERALERT, 812 .func = ipv6_hop_ra, 813 }, 814 { 815 .type = IPV6_TLV_JUMBO, 816 .func = ipv6_hop_jumbo, 817 }, 818 { 819 .type = IPV6_TLV_CALIPSO, 820 .func = ipv6_hop_calipso, 821 }, 822 { -1, } 823 }; 824 825 int ipv6_parse_hopopts(struct sk_buff *skb) 826 { 827 struct inet6_skb_parm *opt = IP6CB(skb); 828 struct net *net = dev_net(skb->dev); 829 int extlen; 830 831 /* 832 * skb_network_header(skb) is equal to skb->data, and 833 * skb_network_header_len(skb) is always equal to 834 * sizeof(struct ipv6hdr) by definition of 835 * hop-by-hop options. 836 */ 837 if (!pskb_may_pull(skb, sizeof(struct ipv6hdr) + 8) || 838 !pskb_may_pull(skb, (sizeof(struct ipv6hdr) + 839 ((skb_transport_header(skb)[1] + 1) << 3)))) { 840 fail_and_free: 841 kfree_skb(skb); 842 return -1; 843 } 844 845 extlen = (skb_transport_header(skb)[1] + 1) << 3; 846 if (extlen > net->ipv6.sysctl.max_hbh_opts_len) 847 goto fail_and_free; 848 849 opt->flags |= IP6SKB_HOPBYHOP; 850 if (ip6_parse_tlv(tlvprochopopt_lst, skb, 851 init_net.ipv6.sysctl.max_hbh_opts_cnt)) { 852 skb->transport_header += extlen; 853 opt = IP6CB(skb); 854 opt->nhoff = sizeof(struct ipv6hdr); 855 return 1; 856 } 857 return -1; 858 } 859 860 /* 861 * Creating outbound headers. 862 * 863 * "build" functions work when skb is filled from head to tail (datagram) 864 * "push" functions work when headers are added from tail to head (tcp) 865 * 866 * In both cases we assume, that caller reserved enough room 867 * for headers. 868 */ 869 870 static void ipv6_push_rthdr0(struct sk_buff *skb, u8 *proto, 871 struct ipv6_rt_hdr *opt, 872 struct in6_addr **addr_p, struct in6_addr *saddr) 873 { 874 struct rt0_hdr *phdr, *ihdr; 875 int hops; 876 877 ihdr = (struct rt0_hdr *) opt; 878 879 phdr = skb_push(skb, (ihdr->rt_hdr.hdrlen + 1) << 3); 880 memcpy(phdr, ihdr, sizeof(struct rt0_hdr)); 881 882 hops = ihdr->rt_hdr.hdrlen >> 1; 883 884 if (hops > 1) 885 memcpy(phdr->addr, ihdr->addr + 1, 886 (hops - 1) * sizeof(struct in6_addr)); 887 888 phdr->addr[hops - 1] = **addr_p; 889 *addr_p = ihdr->addr; 890 891 phdr->rt_hdr.nexthdr = *proto; 892 *proto = NEXTHDR_ROUTING; 893 } 894 895 static void ipv6_push_rthdr4(struct sk_buff *skb, u8 *proto, 896 struct ipv6_rt_hdr *opt, 897 struct in6_addr **addr_p, struct in6_addr *saddr) 898 { 899 struct ipv6_sr_hdr *sr_phdr, *sr_ihdr; 900 int plen, hops; 901 902 sr_ihdr = (struct ipv6_sr_hdr *)opt; 903 plen = (sr_ihdr->hdrlen + 1) << 3; 904 905 sr_phdr = skb_push(skb, plen); 906 memcpy(sr_phdr, sr_ihdr, sizeof(struct ipv6_sr_hdr)); 907 908 hops = sr_ihdr->first_segment + 1; 909 memcpy(sr_phdr->segments + 1, sr_ihdr->segments + 1, 910 (hops - 1) * sizeof(struct in6_addr)); 911 912 sr_phdr->segments[0] = **addr_p; 913 *addr_p = &sr_ihdr->segments[sr_ihdr->segments_left]; 914 915 if (sr_ihdr->hdrlen > hops * 2) { 916 int tlvs_offset, tlvs_length; 917 918 tlvs_offset = (1 + hops * 2) << 3; 919 tlvs_length = (sr_ihdr->hdrlen - hops * 2) << 3; 920 memcpy((char *)sr_phdr + tlvs_offset, 921 (char *)sr_ihdr + tlvs_offset, tlvs_length); 922 } 923 924 #ifdef CONFIG_IPV6_SEG6_HMAC 925 if (sr_has_hmac(sr_phdr)) { 926 struct net *net = NULL; 927 928 if (skb->dev) 929 net = dev_net(skb->dev); 930 else if (skb->sk) 931 net = sock_net(skb->sk); 932 933 WARN_ON(!net); 934 935 if (net) 936 seg6_push_hmac(net, saddr, sr_phdr); 937 } 938 #endif 939 940 sr_phdr->nexthdr = *proto; 941 *proto = NEXTHDR_ROUTING; 942 } 943 944 static void ipv6_push_rthdr(struct sk_buff *skb, u8 *proto, 945 struct ipv6_rt_hdr *opt, 946 struct in6_addr **addr_p, struct in6_addr *saddr) 947 { 948 switch (opt->type) { 949 case IPV6_SRCRT_TYPE_0: 950 case IPV6_SRCRT_STRICT: 951 case IPV6_SRCRT_TYPE_2: 952 ipv6_push_rthdr0(skb, proto, opt, addr_p, saddr); 953 break; 954 case IPV6_SRCRT_TYPE_4: 955 ipv6_push_rthdr4(skb, proto, opt, addr_p, saddr); 956 break; 957 default: 958 break; 959 } 960 } 961 962 static void ipv6_push_exthdr(struct sk_buff *skb, u8 *proto, u8 type, struct ipv6_opt_hdr *opt) 963 { 964 struct ipv6_opt_hdr *h = skb_push(skb, ipv6_optlen(opt)); 965 966 memcpy(h, opt, ipv6_optlen(opt)); 967 h->nexthdr = *proto; 968 *proto = type; 969 } 970 971 void ipv6_push_nfrag_opts(struct sk_buff *skb, struct ipv6_txoptions *opt, 972 u8 *proto, 973 struct in6_addr **daddr, struct in6_addr *saddr) 974 { 975 if (opt->srcrt) { 976 ipv6_push_rthdr(skb, proto, opt->srcrt, daddr, saddr); 977 /* 978 * IPV6_RTHDRDSTOPTS is ignored 979 * unless IPV6_RTHDR is set (RFC3542). 980 */ 981 if (opt->dst0opt) 982 ipv6_push_exthdr(skb, proto, NEXTHDR_DEST, opt->dst0opt); 983 } 984 if (opt->hopopt) 985 ipv6_push_exthdr(skb, proto, NEXTHDR_HOP, opt->hopopt); 986 } 987 988 void ipv6_push_frag_opts(struct sk_buff *skb, struct ipv6_txoptions *opt, u8 *proto) 989 { 990 if (opt->dst1opt) 991 ipv6_push_exthdr(skb, proto, NEXTHDR_DEST, opt->dst1opt); 992 } 993 EXPORT_SYMBOL(ipv6_push_frag_opts); 994 995 struct ipv6_txoptions * 996 ipv6_dup_options(struct sock *sk, struct ipv6_txoptions *opt) 997 { 998 struct ipv6_txoptions *opt2; 999 1000 opt2 = sock_kmalloc(sk, opt->tot_len, GFP_ATOMIC); 1001 if (opt2) { 1002 long dif = (char *)opt2 - (char *)opt; 1003 memcpy(opt2, opt, opt->tot_len); 1004 if (opt2->hopopt) 1005 *((char **)&opt2->hopopt) += dif; 1006 if (opt2->dst0opt) 1007 *((char **)&opt2->dst0opt) += dif; 1008 if (opt2->dst1opt) 1009 *((char **)&opt2->dst1opt) += dif; 1010 if (opt2->srcrt) 1011 *((char **)&opt2->srcrt) += dif; 1012 refcount_set(&opt2->refcnt, 1); 1013 } 1014 return opt2; 1015 } 1016 EXPORT_SYMBOL_GPL(ipv6_dup_options); 1017 1018 static int ipv6_renew_option(void *ohdr, 1019 struct ipv6_opt_hdr __user *newopt, int newoptlen, 1020 int inherit, 1021 struct ipv6_opt_hdr **hdr, 1022 char **p) 1023 { 1024 if (inherit) { 1025 if (ohdr) { 1026 memcpy(*p, ohdr, ipv6_optlen((struct ipv6_opt_hdr *)ohdr)); 1027 *hdr = (struct ipv6_opt_hdr *)*p; 1028 *p += CMSG_ALIGN(ipv6_optlen(*hdr)); 1029 } 1030 } else { 1031 if (newopt) { 1032 if (copy_from_user(*p, newopt, newoptlen)) 1033 return -EFAULT; 1034 *hdr = (struct ipv6_opt_hdr *)*p; 1035 if (ipv6_optlen(*hdr) > newoptlen) 1036 return -EINVAL; 1037 *p += CMSG_ALIGN(newoptlen); 1038 } 1039 } 1040 return 0; 1041 } 1042 1043 /** 1044 * ipv6_renew_options - replace a specific ext hdr with a new one. 1045 * 1046 * @sk: sock from which to allocate memory 1047 * @opt: original options 1048 * @newtype: option type to replace in @opt 1049 * @newopt: new option of type @newtype to replace (user-mem) 1050 * @newoptlen: length of @newopt 1051 * 1052 * Returns a new set of options which is a copy of @opt with the 1053 * option type @newtype replaced with @newopt. 1054 * 1055 * @opt may be NULL, in which case a new set of options is returned 1056 * containing just @newopt. 1057 * 1058 * @newopt may be NULL, in which case the specified option type is 1059 * not copied into the new set of options. 1060 * 1061 * The new set of options is allocated from the socket option memory 1062 * buffer of @sk. 1063 */ 1064 struct ipv6_txoptions * 1065 ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt, 1066 int newtype, 1067 struct ipv6_opt_hdr __user *newopt, int newoptlen) 1068 { 1069 int tot_len = 0; 1070 char *p; 1071 struct ipv6_txoptions *opt2; 1072 int err; 1073 1074 if (opt) { 1075 if (newtype != IPV6_HOPOPTS && opt->hopopt) 1076 tot_len += CMSG_ALIGN(ipv6_optlen(opt->hopopt)); 1077 if (newtype != IPV6_RTHDRDSTOPTS && opt->dst0opt) 1078 tot_len += CMSG_ALIGN(ipv6_optlen(opt->dst0opt)); 1079 if (newtype != IPV6_RTHDR && opt->srcrt) 1080 tot_len += CMSG_ALIGN(ipv6_optlen(opt->srcrt)); 1081 if (newtype != IPV6_DSTOPTS && opt->dst1opt) 1082 tot_len += CMSG_ALIGN(ipv6_optlen(opt->dst1opt)); 1083 } 1084 1085 if (newopt && newoptlen) 1086 tot_len += CMSG_ALIGN(newoptlen); 1087 1088 if (!tot_len) 1089 return NULL; 1090 1091 tot_len += sizeof(*opt2); 1092 opt2 = sock_kmalloc(sk, tot_len, GFP_ATOMIC); 1093 if (!opt2) 1094 return ERR_PTR(-ENOBUFS); 1095 1096 memset(opt2, 0, tot_len); 1097 refcount_set(&opt2->refcnt, 1); 1098 opt2->tot_len = tot_len; 1099 p = (char *)(opt2 + 1); 1100 1101 err = ipv6_renew_option(opt ? opt->hopopt : NULL, newopt, newoptlen, 1102 newtype != IPV6_HOPOPTS, 1103 &opt2->hopopt, &p); 1104 if (err) 1105 goto out; 1106 1107 err = ipv6_renew_option(opt ? opt->dst0opt : NULL, newopt, newoptlen, 1108 newtype != IPV6_RTHDRDSTOPTS, 1109 &opt2->dst0opt, &p); 1110 if (err) 1111 goto out; 1112 1113 err = ipv6_renew_option(opt ? opt->srcrt : NULL, newopt, newoptlen, 1114 newtype != IPV6_RTHDR, 1115 (struct ipv6_opt_hdr **)&opt2->srcrt, &p); 1116 if (err) 1117 goto out; 1118 1119 err = ipv6_renew_option(opt ? opt->dst1opt : NULL, newopt, newoptlen, 1120 newtype != IPV6_DSTOPTS, 1121 &opt2->dst1opt, &p); 1122 if (err) 1123 goto out; 1124 1125 opt2->opt_nflen = (opt2->hopopt ? ipv6_optlen(opt2->hopopt) : 0) + 1126 (opt2->dst0opt ? ipv6_optlen(opt2->dst0opt) : 0) + 1127 (opt2->srcrt ? ipv6_optlen(opt2->srcrt) : 0); 1128 opt2->opt_flen = (opt2->dst1opt ? ipv6_optlen(opt2->dst1opt) : 0); 1129 1130 return opt2; 1131 out: 1132 sock_kfree_s(sk, opt2, opt2->tot_len); 1133 return ERR_PTR(err); 1134 } 1135 1136 /** 1137 * ipv6_renew_options_kern - replace a specific ext hdr with a new one. 1138 * 1139 * @sk: sock from which to allocate memory 1140 * @opt: original options 1141 * @newtype: option type to replace in @opt 1142 * @newopt: new option of type @newtype to replace (kernel-mem) 1143 * @newoptlen: length of @newopt 1144 * 1145 * See ipv6_renew_options(). The difference is that @newopt is 1146 * kernel memory, rather than user memory. 1147 */ 1148 struct ipv6_txoptions * 1149 ipv6_renew_options_kern(struct sock *sk, struct ipv6_txoptions *opt, 1150 int newtype, struct ipv6_opt_hdr *newopt, 1151 int newoptlen) 1152 { 1153 struct ipv6_txoptions *ret_val; 1154 const mm_segment_t old_fs = get_fs(); 1155 1156 set_fs(KERNEL_DS); 1157 ret_val = ipv6_renew_options(sk, opt, newtype, 1158 (struct ipv6_opt_hdr __user *)newopt, 1159 newoptlen); 1160 set_fs(old_fs); 1161 return ret_val; 1162 } 1163 1164 struct ipv6_txoptions *ipv6_fixup_options(struct ipv6_txoptions *opt_space, 1165 struct ipv6_txoptions *opt) 1166 { 1167 /* 1168 * ignore the dest before srcrt unless srcrt is being included. 1169 * --yoshfuji 1170 */ 1171 if (opt && opt->dst0opt && !opt->srcrt) { 1172 if (opt_space != opt) { 1173 memcpy(opt_space, opt, sizeof(*opt_space)); 1174 opt = opt_space; 1175 } 1176 opt->opt_nflen -= ipv6_optlen(opt->dst0opt); 1177 opt->dst0opt = NULL; 1178 } 1179 1180 return opt; 1181 } 1182 EXPORT_SYMBOL_GPL(ipv6_fixup_options); 1183 1184 /** 1185 * fl6_update_dst - update flowi destination address with info given 1186 * by srcrt option, if any. 1187 * 1188 * @fl6: flowi6 for which daddr is to be updated 1189 * @opt: struct ipv6_txoptions in which to look for srcrt opt 1190 * @orig: copy of original daddr address if modified 1191 * 1192 * Returns NULL if no txoptions or no srcrt, otherwise returns orig 1193 * and initial value of fl6->daddr set in orig 1194 */ 1195 struct in6_addr *fl6_update_dst(struct flowi6 *fl6, 1196 const struct ipv6_txoptions *opt, 1197 struct in6_addr *orig) 1198 { 1199 if (!opt || !opt->srcrt) 1200 return NULL; 1201 1202 *orig = fl6->daddr; 1203 1204 switch (opt->srcrt->type) { 1205 case IPV6_SRCRT_TYPE_0: 1206 case IPV6_SRCRT_STRICT: 1207 case IPV6_SRCRT_TYPE_2: 1208 fl6->daddr = *((struct rt0_hdr *)opt->srcrt)->addr; 1209 break; 1210 case IPV6_SRCRT_TYPE_4: 1211 { 1212 struct ipv6_sr_hdr *srh = (struct ipv6_sr_hdr *)opt->srcrt; 1213 1214 fl6->daddr = srh->segments[srh->segments_left]; 1215 break; 1216 } 1217 default: 1218 return NULL; 1219 } 1220 1221 return orig; 1222 } 1223 EXPORT_SYMBOL_GPL(fl6_update_dst); 1224