1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * Internet Control Message Protocol (ICMPv6) 4 * Linux INET6 implementation 5 * 6 * Authors: 7 * Pedro Roque <roque@di.fc.ul.pt> 8 * 9 * Based on net/ipv4/icmp.c 10 * 11 * RFC 1885 12 */ 13 14 /* 15 * Changes: 16 * 17 * Andi Kleen : exception handling 18 * Andi Kleen add rate limits. never reply to a icmp. 19 * add more length checks and other fixes. 20 * yoshfuji : ensure to sent parameter problem for 21 * fragments. 22 * YOSHIFUJI Hideaki @USAGI: added sysctl for icmp rate limit. 23 * Randy Dunlap and 24 * YOSHIFUJI Hideaki @USAGI: Per-interface statistics support 25 * Kazunori MIYAZAWA @USAGI: change output process to use ip6_append_data 26 */ 27 28 #define pr_fmt(fmt) "IPv6: " fmt 29 30 #include <linux/module.h> 31 #include <linux/errno.h> 32 #include <linux/types.h> 33 #include <linux/socket.h> 34 #include <linux/in.h> 35 #include <linux/kernel.h> 36 #include <linux/sockios.h> 37 #include <linux/net.h> 38 #include <linux/skbuff.h> 39 #include <linux/init.h> 40 #include <linux/netfilter.h> 41 #include <linux/slab.h> 42 43 #ifdef CONFIG_SYSCTL 44 #include <linux/sysctl.h> 45 #endif 46 47 #include <linux/inet.h> 48 #include <linux/netdevice.h> 49 #include <linux/icmpv6.h> 50 51 #include <net/ip.h> 52 #include <net/sock.h> 53 54 #include <net/ipv6.h> 55 #include <net/ip6_checksum.h> 56 #include <net/ping.h> 57 #include <net/protocol.h> 58 #include <net/raw.h> 59 #include <net/rawv6.h> 60 #include <net/seg6.h> 61 #include <net/transp_v6.h> 62 #include <net/ip6_route.h> 63 #include <net/addrconf.h> 64 #include <net/icmp.h> 65 #include <net/xfrm.h> 66 #include <net/inet_common.h> 67 #include <net/dsfield.h> 68 #include <net/l3mdev.h> 69 70 #include <linux/uaccess.h> 71 72 static DEFINE_PER_CPU(struct sock *, ipv6_icmp_sk); 73 74 static int icmpv6_err(struct sk_buff *skb, struct inet6_skb_parm *opt, 75 u8 type, u8 code, int offset, __be32 info) 76 { 77 /* icmpv6_notify checks 8 bytes can be pulled, icmp6hdr is 8 bytes */ 78 struct icmp6hdr *icmp6 = (struct icmp6hdr *) (skb->data + offset); 79 struct net *net = dev_net(skb->dev); 80 81 if (type == ICMPV6_PKT_TOOBIG) 82 ip6_update_pmtu(skb, net, info, skb->dev->ifindex, 0, sock_net_uid(net, NULL)); 83 else if (type == NDISC_REDIRECT) 84 ip6_redirect(skb, net, skb->dev->ifindex, 0, 85 sock_net_uid(net, NULL)); 86 87 if (!(type & ICMPV6_INFOMSG_MASK)) 88 if (icmp6->icmp6_type == ICMPV6_ECHO_REQUEST) 89 ping_err(skb, offset, ntohl(info)); 90 91 return 0; 92 } 93 94 static int icmpv6_rcv(struct sk_buff *skb); 95 96 static const struct inet6_protocol icmpv6_protocol = { 97 .handler = icmpv6_rcv, 98 .err_handler = icmpv6_err, 99 .flags = INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL, 100 }; 101 102 /* Called with BH disabled */ 103 static struct sock *icmpv6_xmit_lock(struct net *net) 104 { 105 struct sock *sk; 106 107 sk = this_cpu_read(ipv6_icmp_sk); 108 if (unlikely(!spin_trylock(&sk->sk_lock.slock))) { 109 /* This can happen if the output path (f.e. SIT or 110 * ip6ip6 tunnel) signals dst_link_failure() for an 111 * outgoing ICMP6 packet. 112 */ 113 return NULL; 114 } 115 sock_net_set(sk, net); 116 return sk; 117 } 118 119 static void icmpv6_xmit_unlock(struct sock *sk) 120 { 121 sock_net_set(sk, &init_net); 122 spin_unlock(&sk->sk_lock.slock); 123 } 124 125 /* 126 * Figure out, may we reply to this packet with icmp error. 127 * 128 * We do not reply, if: 129 * - it was icmp error message. 130 * - it is truncated, so that it is known, that protocol is ICMPV6 131 * (i.e. in the middle of some exthdr) 132 * 133 * --ANK (980726) 134 */ 135 136 static bool is_ineligible(const struct sk_buff *skb) 137 { 138 int ptr = (u8 *)(ipv6_hdr(skb) + 1) - skb->data; 139 int len = skb->len - ptr; 140 __u8 nexthdr = ipv6_hdr(skb)->nexthdr; 141 __be16 frag_off; 142 143 if (len < 0) 144 return true; 145 146 ptr = ipv6_skip_exthdr(skb, ptr, &nexthdr, &frag_off); 147 if (ptr < 0) 148 return false; 149 if (nexthdr == IPPROTO_ICMPV6) { 150 u8 _type, *tp; 151 tp = skb_header_pointer(skb, 152 ptr+offsetof(struct icmp6hdr, icmp6_type), 153 sizeof(_type), &_type); 154 155 /* Based on RFC 8200, Section 4.5 Fragment Header, return 156 * false if this is a fragment packet with no icmp header info. 157 */ 158 if (!tp && frag_off != 0) 159 return false; 160 else if (!tp || !(*tp & ICMPV6_INFOMSG_MASK)) 161 return true; 162 } 163 return false; 164 } 165 166 static bool icmpv6_mask_allow(struct net *net, int type) 167 { 168 if (type > ICMPV6_MSG_MAX) 169 return true; 170 171 /* Limit if icmp type is set in ratemask. */ 172 if (!test_bit(type, net->ipv6.sysctl.icmpv6_ratemask)) 173 return true; 174 175 return false; 176 } 177 178 static bool icmpv6_global_allow(struct net *net, int type) 179 { 180 if (icmpv6_mask_allow(net, type)) 181 return true; 182 183 if (icmp_global_allow()) 184 return true; 185 186 return false; 187 } 188 189 /* 190 * Check the ICMP output rate limit 191 */ 192 static bool icmpv6_xrlim_allow(struct sock *sk, u8 type, 193 struct flowi6 *fl6) 194 { 195 struct net *net = sock_net(sk); 196 struct dst_entry *dst; 197 bool res = false; 198 199 if (icmpv6_mask_allow(net, type)) 200 return true; 201 202 /* 203 * Look up the output route. 204 * XXX: perhaps the expire for routing entries cloned by 205 * this lookup should be more aggressive (not longer than timeout). 206 */ 207 dst = ip6_route_output(net, sk, fl6); 208 if (dst->error) { 209 IP6_INC_STATS(net, ip6_dst_idev(dst), 210 IPSTATS_MIB_OUTNOROUTES); 211 } else if (dst->dev && (dst->dev->flags&IFF_LOOPBACK)) { 212 res = true; 213 } else { 214 struct rt6_info *rt = (struct rt6_info *)dst; 215 int tmo = net->ipv6.sysctl.icmpv6_time; 216 struct inet_peer *peer; 217 218 /* Give more bandwidth to wider prefixes. */ 219 if (rt->rt6i_dst.plen < 128) 220 tmo >>= ((128 - rt->rt6i_dst.plen)>>5); 221 222 peer = inet_getpeer_v6(net->ipv6.peers, &fl6->daddr, 1); 223 res = inet_peer_xrlim_allow(peer, tmo); 224 if (peer) 225 inet_putpeer(peer); 226 } 227 dst_release(dst); 228 return res; 229 } 230 231 static bool icmpv6_rt_has_prefsrc(struct sock *sk, u8 type, 232 struct flowi6 *fl6) 233 { 234 struct net *net = sock_net(sk); 235 struct dst_entry *dst; 236 bool res = false; 237 238 dst = ip6_route_output(net, sk, fl6); 239 if (!dst->error) { 240 struct rt6_info *rt = (struct rt6_info *)dst; 241 struct in6_addr prefsrc; 242 243 rt6_get_prefsrc(rt, &prefsrc); 244 res = !ipv6_addr_any(&prefsrc); 245 } 246 dst_release(dst); 247 return res; 248 } 249 250 /* 251 * an inline helper for the "simple" if statement below 252 * checks if parameter problem report is caused by an 253 * unrecognized IPv6 option that has the Option Type 254 * highest-order two bits set to 10 255 */ 256 257 static bool opt_unrec(struct sk_buff *skb, __u32 offset) 258 { 259 u8 _optval, *op; 260 261 offset += skb_network_offset(skb); 262 op = skb_header_pointer(skb, offset, sizeof(_optval), &_optval); 263 if (!op) 264 return true; 265 return (*op & 0xC0) == 0x80; 266 } 267 268 void icmpv6_push_pending_frames(struct sock *sk, struct flowi6 *fl6, 269 struct icmp6hdr *thdr, int len) 270 { 271 struct sk_buff *skb; 272 struct icmp6hdr *icmp6h; 273 274 skb = skb_peek(&sk->sk_write_queue); 275 if (!skb) 276 return; 277 278 icmp6h = icmp6_hdr(skb); 279 memcpy(icmp6h, thdr, sizeof(struct icmp6hdr)); 280 icmp6h->icmp6_cksum = 0; 281 282 if (skb_queue_len(&sk->sk_write_queue) == 1) { 283 skb->csum = csum_partial(icmp6h, 284 sizeof(struct icmp6hdr), skb->csum); 285 icmp6h->icmp6_cksum = csum_ipv6_magic(&fl6->saddr, 286 &fl6->daddr, 287 len, fl6->flowi6_proto, 288 skb->csum); 289 } else { 290 __wsum tmp_csum = 0; 291 292 skb_queue_walk(&sk->sk_write_queue, skb) { 293 tmp_csum = csum_add(tmp_csum, skb->csum); 294 } 295 296 tmp_csum = csum_partial(icmp6h, 297 sizeof(struct icmp6hdr), tmp_csum); 298 icmp6h->icmp6_cksum = csum_ipv6_magic(&fl6->saddr, 299 &fl6->daddr, 300 len, fl6->flowi6_proto, 301 tmp_csum); 302 } 303 ip6_push_pending_frames(sk); 304 } 305 306 struct icmpv6_msg { 307 struct sk_buff *skb; 308 int offset; 309 uint8_t type; 310 }; 311 312 static int icmpv6_getfrag(void *from, char *to, int offset, int len, int odd, struct sk_buff *skb) 313 { 314 struct icmpv6_msg *msg = (struct icmpv6_msg *) from; 315 struct sk_buff *org_skb = msg->skb; 316 __wsum csum; 317 318 csum = skb_copy_and_csum_bits(org_skb, msg->offset + offset, 319 to, len); 320 skb->csum = csum_block_add(skb->csum, csum, odd); 321 if (!(msg->type & ICMPV6_INFOMSG_MASK)) 322 nf_ct_attach(skb, org_skb); 323 return 0; 324 } 325 326 #if IS_ENABLED(CONFIG_IPV6_MIP6) 327 static void mip6_addr_swap(struct sk_buff *skb, const struct inet6_skb_parm *opt) 328 { 329 struct ipv6hdr *iph = ipv6_hdr(skb); 330 struct ipv6_destopt_hao *hao; 331 struct in6_addr tmp; 332 int off; 333 334 if (opt->dsthao) { 335 off = ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO); 336 if (likely(off >= 0)) { 337 hao = (struct ipv6_destopt_hao *) 338 (skb_network_header(skb) + off); 339 tmp = iph->saddr; 340 iph->saddr = hao->addr; 341 hao->addr = tmp; 342 } 343 } 344 } 345 #else 346 static inline void mip6_addr_swap(struct sk_buff *skb, const struct inet6_skb_parm *opt) {} 347 #endif 348 349 static struct dst_entry *icmpv6_route_lookup(struct net *net, 350 struct sk_buff *skb, 351 struct sock *sk, 352 struct flowi6 *fl6) 353 { 354 struct dst_entry *dst, *dst2; 355 struct flowi6 fl2; 356 int err; 357 358 err = ip6_dst_lookup(net, sk, &dst, fl6); 359 if (err) 360 return ERR_PTR(err); 361 362 /* 363 * We won't send icmp if the destination is known 364 * anycast. 365 */ 366 if (ipv6_anycast_destination(dst, &fl6->daddr)) { 367 net_dbg_ratelimited("icmp6_send: acast source\n"); 368 dst_release(dst); 369 return ERR_PTR(-EINVAL); 370 } 371 372 /* No need to clone since we're just using its address. */ 373 dst2 = dst; 374 375 dst = xfrm_lookup(net, dst, flowi6_to_flowi(fl6), sk, 0); 376 if (!IS_ERR(dst)) { 377 if (dst != dst2) 378 return dst; 379 } else { 380 if (PTR_ERR(dst) == -EPERM) 381 dst = NULL; 382 else 383 return dst; 384 } 385 386 err = xfrm_decode_session_reverse(skb, flowi6_to_flowi(&fl2), AF_INET6); 387 if (err) 388 goto relookup_failed; 389 390 err = ip6_dst_lookup(net, sk, &dst2, &fl2); 391 if (err) 392 goto relookup_failed; 393 394 dst2 = xfrm_lookup(net, dst2, flowi6_to_flowi(&fl2), sk, XFRM_LOOKUP_ICMP); 395 if (!IS_ERR(dst2)) { 396 dst_release(dst); 397 dst = dst2; 398 } else { 399 err = PTR_ERR(dst2); 400 if (err == -EPERM) { 401 dst_release(dst); 402 return dst2; 403 } else 404 goto relookup_failed; 405 } 406 407 relookup_failed: 408 if (dst) 409 return dst; 410 return ERR_PTR(err); 411 } 412 413 static struct net_device *icmp6_dev(const struct sk_buff *skb) 414 { 415 struct net_device *dev = skb->dev; 416 417 /* for local traffic to local address, skb dev is the loopback 418 * device. Check if there is a dst attached to the skb and if so 419 * get the real device index. Same is needed for replies to a link 420 * local address on a device enslaved to an L3 master device 421 */ 422 if (unlikely(dev->ifindex == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev))) { 423 const struct rt6_info *rt6 = skb_rt6_info(skb); 424 425 if (rt6) 426 dev = rt6->rt6i_idev->dev; 427 } 428 429 return dev; 430 } 431 432 static int icmp6_iif(const struct sk_buff *skb) 433 { 434 return icmp6_dev(skb)->ifindex; 435 } 436 437 /* 438 * Send an ICMP message in response to a packet in error 439 */ 440 void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info, 441 const struct in6_addr *force_saddr, 442 const struct inet6_skb_parm *parm) 443 { 444 struct inet6_dev *idev = NULL; 445 struct ipv6hdr *hdr = ipv6_hdr(skb); 446 struct sock *sk; 447 struct net *net; 448 struct ipv6_pinfo *np; 449 const struct in6_addr *saddr = NULL; 450 struct dst_entry *dst; 451 struct icmp6hdr tmp_hdr; 452 struct flowi6 fl6; 453 struct icmpv6_msg msg; 454 struct ipcm6_cookie ipc6; 455 int iif = 0; 456 int addr_type = 0; 457 int len; 458 u32 mark; 459 460 if ((u8 *)hdr < skb->head || 461 (skb_network_header(skb) + sizeof(*hdr)) > skb_tail_pointer(skb)) 462 return; 463 464 if (!skb->dev) 465 return; 466 net = dev_net(skb->dev); 467 mark = IP6_REPLY_MARK(net, skb->mark); 468 /* 469 * Make sure we respect the rules 470 * i.e. RFC 1885 2.4(e) 471 * Rule (e.1) is enforced by not using icmp6_send 472 * in any code that processes icmp errors. 473 */ 474 addr_type = ipv6_addr_type(&hdr->daddr); 475 476 if (ipv6_chk_addr(net, &hdr->daddr, skb->dev, 0) || 477 ipv6_chk_acast_addr_src(net, skb->dev, &hdr->daddr)) 478 saddr = &hdr->daddr; 479 480 /* 481 * Dest addr check 482 */ 483 484 if (addr_type & IPV6_ADDR_MULTICAST || skb->pkt_type != PACKET_HOST) { 485 if (type != ICMPV6_PKT_TOOBIG && 486 !(type == ICMPV6_PARAMPROB && 487 code == ICMPV6_UNK_OPTION && 488 (opt_unrec(skb, info)))) 489 return; 490 491 saddr = NULL; 492 } 493 494 addr_type = ipv6_addr_type(&hdr->saddr); 495 496 /* 497 * Source addr check 498 */ 499 500 if (__ipv6_addr_needs_scope_id(addr_type)) { 501 iif = icmp6_iif(skb); 502 } else { 503 /* 504 * The source device is used for looking up which routing table 505 * to use for sending an ICMP error. 506 */ 507 iif = l3mdev_master_ifindex(skb->dev); 508 } 509 510 /* 511 * Must not send error if the source does not uniquely 512 * identify a single node (RFC2463 Section 2.4). 513 * We check unspecified / multicast addresses here, 514 * and anycast addresses will be checked later. 515 */ 516 if ((addr_type == IPV6_ADDR_ANY) || (addr_type & IPV6_ADDR_MULTICAST)) { 517 net_dbg_ratelimited("icmp6_send: addr_any/mcast source [%pI6c > %pI6c]\n", 518 &hdr->saddr, &hdr->daddr); 519 return; 520 } 521 522 /* 523 * Never answer to a ICMP packet. 524 */ 525 if (is_ineligible(skb)) { 526 net_dbg_ratelimited("icmp6_send: no reply to icmp error [%pI6c > %pI6c]\n", 527 &hdr->saddr, &hdr->daddr); 528 return; 529 } 530 531 /* Needed by both icmp_global_allow and icmpv6_xmit_lock */ 532 local_bh_disable(); 533 534 /* Check global sysctl_icmp_msgs_per_sec ratelimit */ 535 if (!(skb->dev->flags & IFF_LOOPBACK) && !icmpv6_global_allow(net, type)) 536 goto out_bh_enable; 537 538 mip6_addr_swap(skb, parm); 539 540 sk = icmpv6_xmit_lock(net); 541 if (!sk) 542 goto out_bh_enable; 543 544 memset(&fl6, 0, sizeof(fl6)); 545 fl6.flowi6_proto = IPPROTO_ICMPV6; 546 fl6.daddr = hdr->saddr; 547 if (force_saddr) 548 saddr = force_saddr; 549 if (saddr) { 550 fl6.saddr = *saddr; 551 } else if (!icmpv6_rt_has_prefsrc(sk, type, &fl6)) { 552 /* select a more meaningful saddr from input if */ 553 struct net_device *in_netdev; 554 555 in_netdev = dev_get_by_index(net, parm->iif); 556 if (in_netdev) { 557 ipv6_dev_get_saddr(net, in_netdev, &fl6.daddr, 558 inet6_sk(sk)->srcprefs, 559 &fl6.saddr); 560 dev_put(in_netdev); 561 } 562 } 563 fl6.flowi6_mark = mark; 564 fl6.flowi6_oif = iif; 565 fl6.fl6_icmp_type = type; 566 fl6.fl6_icmp_code = code; 567 fl6.flowi6_uid = sock_net_uid(net, NULL); 568 fl6.mp_hash = rt6_multipath_hash(net, &fl6, skb, NULL); 569 security_skb_classify_flow(skb, flowi6_to_flowi_common(&fl6)); 570 571 np = inet6_sk(sk); 572 573 if (!icmpv6_xrlim_allow(sk, type, &fl6)) 574 goto out; 575 576 tmp_hdr.icmp6_type = type; 577 tmp_hdr.icmp6_code = code; 578 tmp_hdr.icmp6_cksum = 0; 579 tmp_hdr.icmp6_pointer = htonl(info); 580 581 if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr)) 582 fl6.flowi6_oif = np->mcast_oif; 583 else if (!fl6.flowi6_oif) 584 fl6.flowi6_oif = np->ucast_oif; 585 586 ipcm6_init_sk(&ipc6, np); 587 ipc6.sockc.mark = mark; 588 fl6.flowlabel = ip6_make_flowinfo(ipc6.tclass, fl6.flowlabel); 589 590 dst = icmpv6_route_lookup(net, skb, sk, &fl6); 591 if (IS_ERR(dst)) 592 goto out; 593 594 ipc6.hlimit = ip6_sk_dst_hoplimit(np, &fl6, dst); 595 596 msg.skb = skb; 597 msg.offset = skb_network_offset(skb); 598 msg.type = type; 599 600 len = skb->len - msg.offset; 601 len = min_t(unsigned int, len, IPV6_MIN_MTU - sizeof(struct ipv6hdr) - sizeof(struct icmp6hdr)); 602 if (len < 0) { 603 net_dbg_ratelimited("icmp: len problem [%pI6c > %pI6c]\n", 604 &hdr->saddr, &hdr->daddr); 605 goto out_dst_release; 606 } 607 608 rcu_read_lock(); 609 idev = __in6_dev_get(skb->dev); 610 611 if (ip6_append_data(sk, icmpv6_getfrag, &msg, 612 len + sizeof(struct icmp6hdr), 613 sizeof(struct icmp6hdr), 614 &ipc6, &fl6, (struct rt6_info *)dst, 615 MSG_DONTWAIT)) { 616 ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTERRORS); 617 ip6_flush_pending_frames(sk); 618 } else { 619 icmpv6_push_pending_frames(sk, &fl6, &tmp_hdr, 620 len + sizeof(struct icmp6hdr)); 621 } 622 rcu_read_unlock(); 623 out_dst_release: 624 dst_release(dst); 625 out: 626 icmpv6_xmit_unlock(sk); 627 out_bh_enable: 628 local_bh_enable(); 629 } 630 EXPORT_SYMBOL(icmp6_send); 631 632 /* Slightly more convenient version of icmp6_send with drop reasons. 633 */ 634 void icmpv6_param_prob_reason(struct sk_buff *skb, u8 code, int pos, 635 enum skb_drop_reason reason) 636 { 637 icmp6_send(skb, ICMPV6_PARAMPROB, code, pos, NULL, IP6CB(skb)); 638 kfree_skb_reason(skb, reason); 639 } 640 641 /* Generate icmpv6 with type/code ICMPV6_DEST_UNREACH/ICMPV6_ADDR_UNREACH 642 * if sufficient data bytes are available 643 * @nhs is the size of the tunnel header(s) : 644 * Either an IPv4 header for SIT encap 645 * an IPv4 header + GRE header for GRE encap 646 */ 647 int ip6_err_gen_icmpv6_unreach(struct sk_buff *skb, int nhs, int type, 648 unsigned int data_len) 649 { 650 struct in6_addr temp_saddr; 651 struct rt6_info *rt; 652 struct sk_buff *skb2; 653 u32 info = 0; 654 655 if (!pskb_may_pull(skb, nhs + sizeof(struct ipv6hdr) + 8)) 656 return 1; 657 658 /* RFC 4884 (partial) support for ICMP extensions */ 659 if (data_len < 128 || (data_len & 7) || skb->len < data_len) 660 data_len = 0; 661 662 skb2 = data_len ? skb_copy(skb, GFP_ATOMIC) : skb_clone(skb, GFP_ATOMIC); 663 664 if (!skb2) 665 return 1; 666 667 skb_dst_drop(skb2); 668 skb_pull(skb2, nhs); 669 skb_reset_network_header(skb2); 670 671 rt = rt6_lookup(dev_net(skb->dev), &ipv6_hdr(skb2)->saddr, NULL, 0, 672 skb, 0); 673 674 if (rt && rt->dst.dev) 675 skb2->dev = rt->dst.dev; 676 677 ipv6_addr_set_v4mapped(ip_hdr(skb)->saddr, &temp_saddr); 678 679 if (data_len) { 680 /* RFC 4884 (partial) support : 681 * insert 0 padding at the end, before the extensions 682 */ 683 __skb_push(skb2, nhs); 684 skb_reset_network_header(skb2); 685 memmove(skb2->data, skb2->data + nhs, data_len - nhs); 686 memset(skb2->data + data_len - nhs, 0, nhs); 687 /* RFC 4884 4.5 : Length is measured in 64-bit words, 688 * and stored in reserved[0] 689 */ 690 info = (data_len/8) << 24; 691 } 692 if (type == ICMP_TIME_EXCEEDED) 693 icmp6_send(skb2, ICMPV6_TIME_EXCEED, ICMPV6_EXC_HOPLIMIT, 694 info, &temp_saddr, IP6CB(skb2)); 695 else 696 icmp6_send(skb2, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH, 697 info, &temp_saddr, IP6CB(skb2)); 698 if (rt) 699 ip6_rt_put(rt); 700 701 kfree_skb(skb2); 702 703 return 0; 704 } 705 EXPORT_SYMBOL(ip6_err_gen_icmpv6_unreach); 706 707 static void icmpv6_echo_reply(struct sk_buff *skb) 708 { 709 struct net *net = dev_net(skb->dev); 710 struct sock *sk; 711 struct inet6_dev *idev; 712 struct ipv6_pinfo *np; 713 const struct in6_addr *saddr = NULL; 714 struct icmp6hdr *icmph = icmp6_hdr(skb); 715 struct icmp6hdr tmp_hdr; 716 struct flowi6 fl6; 717 struct icmpv6_msg msg; 718 struct dst_entry *dst; 719 struct ipcm6_cookie ipc6; 720 u32 mark = IP6_REPLY_MARK(net, skb->mark); 721 bool acast; 722 u8 type; 723 724 if (ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr) && 725 net->ipv6.sysctl.icmpv6_echo_ignore_multicast) 726 return; 727 728 saddr = &ipv6_hdr(skb)->daddr; 729 730 acast = ipv6_anycast_destination(skb_dst(skb), saddr); 731 if (acast && net->ipv6.sysctl.icmpv6_echo_ignore_anycast) 732 return; 733 734 if (!ipv6_unicast_destination(skb) && 735 !(net->ipv6.sysctl.anycast_src_echo_reply && acast)) 736 saddr = NULL; 737 738 if (icmph->icmp6_type == ICMPV6_EXT_ECHO_REQUEST) 739 type = ICMPV6_EXT_ECHO_REPLY; 740 else 741 type = ICMPV6_ECHO_REPLY; 742 743 memcpy(&tmp_hdr, icmph, sizeof(tmp_hdr)); 744 tmp_hdr.icmp6_type = type; 745 746 memset(&fl6, 0, sizeof(fl6)); 747 if (net->ipv6.sysctl.flowlabel_reflect & FLOWLABEL_REFLECT_ICMPV6_ECHO_REPLIES) 748 fl6.flowlabel = ip6_flowlabel(ipv6_hdr(skb)); 749 750 fl6.flowi6_proto = IPPROTO_ICMPV6; 751 fl6.daddr = ipv6_hdr(skb)->saddr; 752 if (saddr) 753 fl6.saddr = *saddr; 754 fl6.flowi6_oif = icmp6_iif(skb); 755 fl6.fl6_icmp_type = type; 756 fl6.flowi6_mark = mark; 757 fl6.flowi6_uid = sock_net_uid(net, NULL); 758 security_skb_classify_flow(skb, flowi6_to_flowi_common(&fl6)); 759 760 local_bh_disable(); 761 sk = icmpv6_xmit_lock(net); 762 if (!sk) 763 goto out_bh_enable; 764 np = inet6_sk(sk); 765 766 if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr)) 767 fl6.flowi6_oif = np->mcast_oif; 768 else if (!fl6.flowi6_oif) 769 fl6.flowi6_oif = np->ucast_oif; 770 771 if (ip6_dst_lookup(net, sk, &dst, &fl6)) 772 goto out; 773 dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), sk, 0); 774 if (IS_ERR(dst)) 775 goto out; 776 777 /* Check the ratelimit */ 778 if ((!(skb->dev->flags & IFF_LOOPBACK) && !icmpv6_global_allow(net, ICMPV6_ECHO_REPLY)) || 779 !icmpv6_xrlim_allow(sk, ICMPV6_ECHO_REPLY, &fl6)) 780 goto out_dst_release; 781 782 idev = __in6_dev_get(skb->dev); 783 784 msg.skb = skb; 785 msg.offset = 0; 786 msg.type = type; 787 788 ipcm6_init_sk(&ipc6, np); 789 ipc6.hlimit = ip6_sk_dst_hoplimit(np, &fl6, dst); 790 ipc6.tclass = ipv6_get_dsfield(ipv6_hdr(skb)); 791 ipc6.sockc.mark = mark; 792 793 if (icmph->icmp6_type == ICMPV6_EXT_ECHO_REQUEST) 794 if (!icmp_build_probe(skb, (struct icmphdr *)&tmp_hdr)) 795 goto out_dst_release; 796 797 if (ip6_append_data(sk, icmpv6_getfrag, &msg, 798 skb->len + sizeof(struct icmp6hdr), 799 sizeof(struct icmp6hdr), &ipc6, &fl6, 800 (struct rt6_info *)dst, MSG_DONTWAIT)) { 801 __ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTERRORS); 802 ip6_flush_pending_frames(sk); 803 } else { 804 icmpv6_push_pending_frames(sk, &fl6, &tmp_hdr, 805 skb->len + sizeof(struct icmp6hdr)); 806 } 807 out_dst_release: 808 dst_release(dst); 809 out: 810 icmpv6_xmit_unlock(sk); 811 out_bh_enable: 812 local_bh_enable(); 813 } 814 815 void icmpv6_notify(struct sk_buff *skb, u8 type, u8 code, __be32 info) 816 { 817 struct inet6_skb_parm *opt = IP6CB(skb); 818 const struct inet6_protocol *ipprot; 819 int inner_offset; 820 __be16 frag_off; 821 u8 nexthdr; 822 struct net *net = dev_net(skb->dev); 823 824 if (!pskb_may_pull(skb, sizeof(struct ipv6hdr))) 825 goto out; 826 827 seg6_icmp_srh(skb, opt); 828 829 nexthdr = ((struct ipv6hdr *)skb->data)->nexthdr; 830 if (ipv6_ext_hdr(nexthdr)) { 831 /* now skip over extension headers */ 832 inner_offset = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), 833 &nexthdr, &frag_off); 834 if (inner_offset < 0) 835 goto out; 836 } else { 837 inner_offset = sizeof(struct ipv6hdr); 838 } 839 840 /* Checkin header including 8 bytes of inner protocol header. */ 841 if (!pskb_may_pull(skb, inner_offset+8)) 842 goto out; 843 844 /* BUGGG_FUTURE: we should try to parse exthdrs in this packet. 845 Without this we will not able f.e. to make source routed 846 pmtu discovery. 847 Corresponding argument (opt) to notifiers is already added. 848 --ANK (980726) 849 */ 850 851 ipprot = rcu_dereference(inet6_protos[nexthdr]); 852 if (ipprot && ipprot->err_handler) 853 ipprot->err_handler(skb, opt, type, code, inner_offset, info); 854 855 raw6_icmp_error(skb, nexthdr, type, code, inner_offset, info); 856 return; 857 858 out: 859 __ICMP6_INC_STATS(net, __in6_dev_get(skb->dev), ICMP6_MIB_INERRORS); 860 } 861 862 /* 863 * Handle icmp messages 864 */ 865 866 static int icmpv6_rcv(struct sk_buff *skb) 867 { 868 enum skb_drop_reason reason = SKB_DROP_REASON_NOT_SPECIFIED; 869 struct net *net = dev_net(skb->dev); 870 struct net_device *dev = icmp6_dev(skb); 871 struct inet6_dev *idev = __in6_dev_get(dev); 872 const struct in6_addr *saddr, *daddr; 873 struct icmp6hdr *hdr; 874 u8 type; 875 876 if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) { 877 struct sec_path *sp = skb_sec_path(skb); 878 int nh; 879 880 if (!(sp && sp->xvec[sp->len - 1]->props.flags & 881 XFRM_STATE_ICMP)) { 882 reason = SKB_DROP_REASON_XFRM_POLICY; 883 goto drop_no_count; 884 } 885 886 if (!pskb_may_pull(skb, sizeof(*hdr) + sizeof(struct ipv6hdr))) 887 goto drop_no_count; 888 889 nh = skb_network_offset(skb); 890 skb_set_network_header(skb, sizeof(*hdr)); 891 892 if (!xfrm6_policy_check_reverse(NULL, XFRM_POLICY_IN, 893 skb)) { 894 reason = SKB_DROP_REASON_XFRM_POLICY; 895 goto drop_no_count; 896 } 897 898 skb_set_network_header(skb, nh); 899 } 900 901 __ICMP6_INC_STATS(dev_net(dev), idev, ICMP6_MIB_INMSGS); 902 903 saddr = &ipv6_hdr(skb)->saddr; 904 daddr = &ipv6_hdr(skb)->daddr; 905 906 if (skb_checksum_validate(skb, IPPROTO_ICMPV6, ip6_compute_pseudo)) { 907 net_dbg_ratelimited("ICMPv6 checksum failed [%pI6c > %pI6c]\n", 908 saddr, daddr); 909 goto csum_error; 910 } 911 912 if (!pskb_pull(skb, sizeof(*hdr))) 913 goto discard_it; 914 915 hdr = icmp6_hdr(skb); 916 917 type = hdr->icmp6_type; 918 919 ICMP6MSGIN_INC_STATS(dev_net(dev), idev, type); 920 921 switch (type) { 922 case ICMPV6_ECHO_REQUEST: 923 if (!net->ipv6.sysctl.icmpv6_echo_ignore_all) 924 icmpv6_echo_reply(skb); 925 break; 926 case ICMPV6_EXT_ECHO_REQUEST: 927 if (!net->ipv6.sysctl.icmpv6_echo_ignore_all && 928 net->ipv4.sysctl_icmp_echo_enable_probe) 929 icmpv6_echo_reply(skb); 930 break; 931 932 case ICMPV6_ECHO_REPLY: 933 reason = ping_rcv(skb); 934 break; 935 936 case ICMPV6_EXT_ECHO_REPLY: 937 reason = ping_rcv(skb); 938 break; 939 940 case ICMPV6_PKT_TOOBIG: 941 /* BUGGG_FUTURE: if packet contains rthdr, we cannot update 942 standard destination cache. Seems, only "advanced" 943 destination cache will allow to solve this problem 944 --ANK (980726) 945 */ 946 if (!pskb_may_pull(skb, sizeof(struct ipv6hdr))) 947 goto discard_it; 948 hdr = icmp6_hdr(skb); 949 950 /* to notify */ 951 fallthrough; 952 case ICMPV6_DEST_UNREACH: 953 case ICMPV6_TIME_EXCEED: 954 case ICMPV6_PARAMPROB: 955 icmpv6_notify(skb, type, hdr->icmp6_code, hdr->icmp6_mtu); 956 break; 957 958 case NDISC_ROUTER_SOLICITATION: 959 case NDISC_ROUTER_ADVERTISEMENT: 960 case NDISC_NEIGHBOUR_SOLICITATION: 961 case NDISC_NEIGHBOUR_ADVERTISEMENT: 962 case NDISC_REDIRECT: 963 ndisc_rcv(skb); 964 break; 965 966 case ICMPV6_MGM_QUERY: 967 igmp6_event_query(skb); 968 return 0; 969 970 case ICMPV6_MGM_REPORT: 971 igmp6_event_report(skb); 972 return 0; 973 974 case ICMPV6_MGM_REDUCTION: 975 case ICMPV6_NI_QUERY: 976 case ICMPV6_NI_REPLY: 977 case ICMPV6_MLD2_REPORT: 978 case ICMPV6_DHAAD_REQUEST: 979 case ICMPV6_DHAAD_REPLY: 980 case ICMPV6_MOBILE_PREFIX_SOL: 981 case ICMPV6_MOBILE_PREFIX_ADV: 982 break; 983 984 default: 985 /* informational */ 986 if (type & ICMPV6_INFOMSG_MASK) 987 break; 988 989 net_dbg_ratelimited("icmpv6: msg of unknown type [%pI6c > %pI6c]\n", 990 saddr, daddr); 991 992 /* 993 * error of unknown type. 994 * must pass to upper level 995 */ 996 997 icmpv6_notify(skb, type, hdr->icmp6_code, hdr->icmp6_mtu); 998 } 999 1000 /* until the v6 path can be better sorted assume failure and 1001 * preserve the status quo behaviour for the rest of the paths to here 1002 */ 1003 if (reason) 1004 kfree_skb_reason(skb, reason); 1005 else 1006 consume_skb(skb); 1007 1008 return 0; 1009 1010 csum_error: 1011 reason = SKB_DROP_REASON_ICMP_CSUM; 1012 __ICMP6_INC_STATS(dev_net(dev), idev, ICMP6_MIB_CSUMERRORS); 1013 discard_it: 1014 __ICMP6_INC_STATS(dev_net(dev), idev, ICMP6_MIB_INERRORS); 1015 drop_no_count: 1016 kfree_skb_reason(skb, reason); 1017 return 0; 1018 } 1019 1020 void icmpv6_flow_init(struct sock *sk, struct flowi6 *fl6, 1021 u8 type, 1022 const struct in6_addr *saddr, 1023 const struct in6_addr *daddr, 1024 int oif) 1025 { 1026 memset(fl6, 0, sizeof(*fl6)); 1027 fl6->saddr = *saddr; 1028 fl6->daddr = *daddr; 1029 fl6->flowi6_proto = IPPROTO_ICMPV6; 1030 fl6->fl6_icmp_type = type; 1031 fl6->fl6_icmp_code = 0; 1032 fl6->flowi6_oif = oif; 1033 security_sk_classify_flow(sk, flowi6_to_flowi_common(fl6)); 1034 } 1035 1036 int __init icmpv6_init(void) 1037 { 1038 struct sock *sk; 1039 int err, i; 1040 1041 for_each_possible_cpu(i) { 1042 err = inet_ctl_sock_create(&sk, PF_INET6, 1043 SOCK_RAW, IPPROTO_ICMPV6, &init_net); 1044 if (err < 0) { 1045 pr_err("Failed to initialize the ICMP6 control socket (err %d)\n", 1046 err); 1047 return err; 1048 } 1049 1050 per_cpu(ipv6_icmp_sk, i) = sk; 1051 1052 /* Enough space for 2 64K ICMP packets, including 1053 * sk_buff struct overhead. 1054 */ 1055 sk->sk_sndbuf = 2 * SKB_TRUESIZE(64 * 1024); 1056 } 1057 1058 err = -EAGAIN; 1059 if (inet6_add_protocol(&icmpv6_protocol, IPPROTO_ICMPV6) < 0) 1060 goto fail; 1061 1062 err = inet6_register_icmp_sender(icmp6_send); 1063 if (err) 1064 goto sender_reg_err; 1065 return 0; 1066 1067 sender_reg_err: 1068 inet6_del_protocol(&icmpv6_protocol, IPPROTO_ICMPV6); 1069 fail: 1070 pr_err("Failed to register ICMP6 protocol\n"); 1071 return err; 1072 } 1073 1074 void icmpv6_cleanup(void) 1075 { 1076 inet6_unregister_icmp_sender(icmp6_send); 1077 inet6_del_protocol(&icmpv6_protocol, IPPROTO_ICMPV6); 1078 } 1079 1080 1081 static const struct icmp6_err { 1082 int err; 1083 int fatal; 1084 } tab_unreach[] = { 1085 { /* NOROUTE */ 1086 .err = ENETUNREACH, 1087 .fatal = 0, 1088 }, 1089 { /* ADM_PROHIBITED */ 1090 .err = EACCES, 1091 .fatal = 1, 1092 }, 1093 { /* Was NOT_NEIGHBOUR, now reserved */ 1094 .err = EHOSTUNREACH, 1095 .fatal = 0, 1096 }, 1097 { /* ADDR_UNREACH */ 1098 .err = EHOSTUNREACH, 1099 .fatal = 0, 1100 }, 1101 { /* PORT_UNREACH */ 1102 .err = ECONNREFUSED, 1103 .fatal = 1, 1104 }, 1105 { /* POLICY_FAIL */ 1106 .err = EACCES, 1107 .fatal = 1, 1108 }, 1109 { /* REJECT_ROUTE */ 1110 .err = EACCES, 1111 .fatal = 1, 1112 }, 1113 }; 1114 1115 int icmpv6_err_convert(u8 type, u8 code, int *err) 1116 { 1117 int fatal = 0; 1118 1119 *err = EPROTO; 1120 1121 switch (type) { 1122 case ICMPV6_DEST_UNREACH: 1123 fatal = 1; 1124 if (code < ARRAY_SIZE(tab_unreach)) { 1125 *err = tab_unreach[code].err; 1126 fatal = tab_unreach[code].fatal; 1127 } 1128 break; 1129 1130 case ICMPV6_PKT_TOOBIG: 1131 *err = EMSGSIZE; 1132 break; 1133 1134 case ICMPV6_PARAMPROB: 1135 *err = EPROTO; 1136 fatal = 1; 1137 break; 1138 1139 case ICMPV6_TIME_EXCEED: 1140 *err = EHOSTUNREACH; 1141 break; 1142 } 1143 1144 return fatal; 1145 } 1146 EXPORT_SYMBOL(icmpv6_err_convert); 1147 1148 #ifdef CONFIG_SYSCTL 1149 static struct ctl_table ipv6_icmp_table_template[] = { 1150 { 1151 .procname = "ratelimit", 1152 .data = &init_net.ipv6.sysctl.icmpv6_time, 1153 .maxlen = sizeof(int), 1154 .mode = 0644, 1155 .proc_handler = proc_dointvec_ms_jiffies, 1156 }, 1157 { 1158 .procname = "echo_ignore_all", 1159 .data = &init_net.ipv6.sysctl.icmpv6_echo_ignore_all, 1160 .maxlen = sizeof(u8), 1161 .mode = 0644, 1162 .proc_handler = proc_dou8vec_minmax, 1163 }, 1164 { 1165 .procname = "echo_ignore_multicast", 1166 .data = &init_net.ipv6.sysctl.icmpv6_echo_ignore_multicast, 1167 .maxlen = sizeof(u8), 1168 .mode = 0644, 1169 .proc_handler = proc_dou8vec_minmax, 1170 }, 1171 { 1172 .procname = "echo_ignore_anycast", 1173 .data = &init_net.ipv6.sysctl.icmpv6_echo_ignore_anycast, 1174 .maxlen = sizeof(u8), 1175 .mode = 0644, 1176 .proc_handler = proc_dou8vec_minmax, 1177 }, 1178 { 1179 .procname = "ratemask", 1180 .data = &init_net.ipv6.sysctl.icmpv6_ratemask_ptr, 1181 .maxlen = ICMPV6_MSG_MAX + 1, 1182 .mode = 0644, 1183 .proc_handler = proc_do_large_bitmap, 1184 }, 1185 { }, 1186 }; 1187 1188 struct ctl_table * __net_init ipv6_icmp_sysctl_init(struct net *net) 1189 { 1190 struct ctl_table *table; 1191 1192 table = kmemdup(ipv6_icmp_table_template, 1193 sizeof(ipv6_icmp_table_template), 1194 GFP_KERNEL); 1195 1196 if (table) { 1197 table[0].data = &net->ipv6.sysctl.icmpv6_time; 1198 table[1].data = &net->ipv6.sysctl.icmpv6_echo_ignore_all; 1199 table[2].data = &net->ipv6.sysctl.icmpv6_echo_ignore_multicast; 1200 table[3].data = &net->ipv6.sysctl.icmpv6_echo_ignore_anycast; 1201 table[4].data = &net->ipv6.sysctl.icmpv6_ratemask_ptr; 1202 } 1203 return table; 1204 } 1205 #endif 1206