1 /* Copyright (C) 2010: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> 2 * Copyright (C) 2015: Linus Lüssing <linus.luessing@c0d3.blue> 3 * 4 * This program is free software; you can redistribute it and/or 5 * modify it under the terms of version 2 of the GNU General Public 6 * License as published by the Free Software Foundation. 7 * 8 * This program is distributed in the hope that it will be useful, but 9 * WITHOUT ANY WARRANTY; without even the implied warranty of 10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 11 * General Public License for more details. 12 * 13 * You should have received a copy of the GNU General Public License 14 * along with this program; if not, see <http://www.gnu.org/licenses/>. 15 * 16 * 17 * Based on the MLD support added to br_multicast.c by YOSHIFUJI Hideaki. 18 */ 19 20 #include <linux/skbuff.h> 21 #include <net/ipv6.h> 22 #include <net/mld.h> 23 #include <net/addrconf.h> 24 #include <net/ip6_checksum.h> 25 26 static int ipv6_mc_check_ip6hdr(struct sk_buff *skb) 27 { 28 const struct ipv6hdr *ip6h; 29 unsigned int len; 30 unsigned int offset = skb_network_offset(skb) + sizeof(*ip6h); 31 32 if (!pskb_may_pull(skb, offset)) 33 return -EINVAL; 34 35 ip6h = ipv6_hdr(skb); 36 37 if (ip6h->version != 6) 38 return -EINVAL; 39 40 len = offset + ntohs(ip6h->payload_len); 41 if (skb->len < len || len <= offset) 42 return -EINVAL; 43 44 return 0; 45 } 46 47 static int ipv6_mc_check_exthdrs(struct sk_buff *skb) 48 { 49 const struct ipv6hdr *ip6h; 50 int offset; 51 u8 nexthdr; 52 __be16 frag_off; 53 54 ip6h = ipv6_hdr(skb); 55 56 if (ip6h->nexthdr != IPPROTO_HOPOPTS) 57 return -ENOMSG; 58 59 nexthdr = ip6h->nexthdr; 60 offset = skb_network_offset(skb) + sizeof(*ip6h); 61 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 62 63 if (offset < 0) 64 return -EINVAL; 65 66 if (nexthdr != IPPROTO_ICMPV6) 67 return -ENOMSG; 68 69 skb_set_transport_header(skb, offset); 70 71 return 0; 72 } 73 74 static int ipv6_mc_check_mld_reportv2(struct sk_buff *skb) 75 { 76 unsigned int len = skb_transport_offset(skb); 77 78 len += sizeof(struct mld2_report); 79 80 return pskb_may_pull(skb, len) ? 0 : -EINVAL; 81 } 82 83 static int ipv6_mc_check_mld_query(struct sk_buff *skb) 84 { 85 struct mld_msg *mld; 86 unsigned int len = skb_transport_offset(skb); 87 88 /* RFC2710+RFC3810 (MLDv1+MLDv2) require link-local source addresses */ 89 if (!(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL)) 90 return -EINVAL; 91 92 len += sizeof(struct mld_msg); 93 if (skb->len < len) 94 return -EINVAL; 95 96 /* MLDv1? */ 97 if (skb->len != len) { 98 /* or MLDv2? */ 99 len += sizeof(struct mld2_query) - sizeof(struct mld_msg); 100 if (skb->len < len || !pskb_may_pull(skb, len)) 101 return -EINVAL; 102 } 103 104 mld = (struct mld_msg *)skb_transport_header(skb); 105 106 /* RFC2710+RFC3810 (MLDv1+MLDv2) require the multicast link layer 107 * all-nodes destination address (ff02::1) for general queries 108 */ 109 if (ipv6_addr_any(&mld->mld_mca) && 110 !ipv6_addr_is_ll_all_nodes(&ipv6_hdr(skb)->daddr)) 111 return -EINVAL; 112 113 return 0; 114 } 115 116 static int ipv6_mc_check_mld_msg(struct sk_buff *skb) 117 { 118 struct mld_msg *mld = (struct mld_msg *)skb_transport_header(skb); 119 120 switch (mld->mld_type) { 121 case ICMPV6_MGM_REDUCTION: 122 case ICMPV6_MGM_REPORT: 123 /* fall through */ 124 return 0; 125 case ICMPV6_MLD2_REPORT: 126 return ipv6_mc_check_mld_reportv2(skb); 127 case ICMPV6_MGM_QUERY: 128 return ipv6_mc_check_mld_query(skb); 129 default: 130 return -ENOMSG; 131 } 132 } 133 134 static inline __sum16 ipv6_mc_validate_checksum(struct sk_buff *skb) 135 { 136 return skb_checksum_validate(skb, IPPROTO_ICMPV6, ip6_compute_pseudo); 137 } 138 139 static int __ipv6_mc_check_mld(struct sk_buff *skb, 140 struct sk_buff **skb_trimmed) 141 142 { 143 struct sk_buff *skb_chk = NULL; 144 unsigned int transport_len; 145 unsigned int len = skb_transport_offset(skb) + sizeof(struct mld_msg); 146 int ret; 147 148 transport_len = ntohs(ipv6_hdr(skb)->payload_len); 149 transport_len -= skb_transport_offset(skb) - sizeof(struct ipv6hdr); 150 151 skb_get(skb); 152 skb_chk = skb_checksum_trimmed(skb, transport_len, 153 ipv6_mc_validate_checksum); 154 if (!skb_chk) 155 return -EINVAL; 156 157 if (!pskb_may_pull(skb_chk, len)) { 158 kfree_skb(skb_chk); 159 return -EINVAL; 160 } 161 162 ret = ipv6_mc_check_mld_msg(skb_chk); 163 if (ret) { 164 kfree_skb(skb_chk); 165 return ret; 166 } 167 168 if (skb_trimmed) 169 *skb_trimmed = skb_chk; 170 else 171 kfree_skb(skb_chk); 172 173 return 0; 174 } 175 176 /** 177 * ipv6_mc_check_mld - checks whether this is a sane MLD packet 178 * @skb: the skb to validate 179 * @skb_trimmed: to store an skb pointer trimmed to IPv6 packet tail (optional) 180 * 181 * Checks whether an IPv6 packet is a valid MLD packet. If so sets 182 * skb network and transport headers accordingly and returns zero. 183 * 184 * -EINVAL: A broken packet was detected, i.e. it violates some internet 185 * standard 186 * -ENOMSG: IP header validation succeeded but it is not an MLD packet. 187 * -ENOMEM: A memory allocation failure happened. 188 * 189 * Optionally, an skb pointer might be provided via skb_trimmed (or set it 190 * to NULL): After parsing an MLD packet successfully it will point to 191 * an skb which has its tail aligned to the IP packet end. This might 192 * either be the originally provided skb or a trimmed, cloned version if 193 * the skb frame had data beyond the IP packet. A cloned skb allows us 194 * to leave the original skb and its full frame unchanged (which might be 195 * desirable for layer 2 frame jugglers). 196 * 197 * The caller needs to release a reference count from any returned skb_trimmed. 198 */ 199 int ipv6_mc_check_mld(struct sk_buff *skb, struct sk_buff **skb_trimmed) 200 { 201 int ret; 202 203 ret = ipv6_mc_check_ip6hdr(skb); 204 if (ret < 0) 205 return ret; 206 207 ret = ipv6_mc_check_exthdrs(skb); 208 if (ret < 0) 209 return ret; 210 211 return __ipv6_mc_check_mld(skb, skb_trimmed); 212 } 213 EXPORT_SYMBOL(ipv6_mc_check_mld); 214