]> git.saurik.com Git - apple/xnu.git/blob - bsd/netinet6/frag6.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-3789.1.32.tar.gz
[apple/xnu.git] / bsd / netinet6 / frag6.c
1 /*
2 * Copyright (c) 2000-2015 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 /* $FreeBSD: src/sys/netinet6/frag6.c,v 1.2.2.5 2001/07/03 11:01:50 ume Exp $ */
30 /* $KAME: frag6.c,v 1.31 2001/05/17 13:45:34 jinmei Exp $ */
31
32 /*
33 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
34 * All rights reserved.
35 *
36 * Redistribution and use in source and binary forms, with or without
37 * modification, are permitted provided that the following conditions
38 * are met:
39 * 1. Redistributions of source code must retain the above copyright
40 * notice, this list of conditions and the following disclaimer.
41 * 2. Redistributions in binary form must reproduce the above copyright
42 * notice, this list of conditions and the following disclaimer in the
43 * documentation and/or other materials provided with the distribution.
44 * 3. Neither the name of the project nor the names of its contributors
45 * may be used to endorse or promote products derived from this software
46 * without specific prior written permission.
47 *
48 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
49 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
50 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
51 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
52 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
53 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
54 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
55 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
56 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
57 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
58 * SUCH DAMAGE.
59 */
60
61 #include <sys/param.h>
62 #include <sys/systm.h>
63 #include <sys/malloc.h>
64 #include <sys/mcache.h>
65 #include <sys/mbuf.h>
66 #include <sys/domain.h>
67 #include <sys/protosw.h>
68 #include <sys/socket.h>
69 #include <sys/errno.h>
70 #include <sys/time.h>
71 #include <sys/kernel.h>
72 #include <sys/syslog.h>
73 #include <kern/queue.h>
74 #include <kern/locks.h>
75
76 #include <net/if.h>
77 #include <net/route.h>
78
79 #include <netinet/in.h>
80 #include <netinet/in_var.h>
81 #include <netinet/ip.h>
82 #include <netinet/ip6.h>
83 #include <netinet6/ip6_var.h>
84 #include <netinet/icmp6.h>
85
86 #include <net/net_osdep.h>
87 #include <dev/random/randomdev.h>
88
89 /*
90 * Define it to get a correct behavior on per-interface statistics.
91 */
92 #define IN6_IFSTAT_STRICT
93
94 MBUFQ_HEAD(fq6_head);
95
96 static void frag6_save_context(struct mbuf *, int);
97 static void frag6_scrub_context(struct mbuf *);
98 static int frag6_restore_context(struct mbuf *);
99
100 static void frag6_icmp6_paramprob_error(struct fq6_head *);
101 static void frag6_icmp6_timeex_error(struct fq6_head *);
102
103 static void frag6_enq(struct ip6asfrag *, struct ip6asfrag *);
104 static void frag6_deq(struct ip6asfrag *);
105 static void frag6_insque(struct ip6q *, struct ip6q *);
106 static void frag6_remque(struct ip6q *);
107 static void frag6_freef(struct ip6q *, struct fq6_head *, struct fq6_head *);
108
109 static int frag6_timeout_run; /* frag6 timer is scheduled to run */
110 static void frag6_timeout(void *);
111 static void frag6_sched_timeout(void);
112
113 static struct ip6q *ip6q_alloc(int);
114 static void ip6q_free(struct ip6q *);
115 static void ip6q_updateparams(void);
116 static struct ip6asfrag *ip6af_alloc(int);
117 static void ip6af_free(struct ip6asfrag *);
118
119 decl_lck_mtx_data(static, ip6qlock);
120 static lck_attr_t *ip6qlock_attr;
121 static lck_grp_t *ip6qlock_grp;
122 static lck_grp_attr_t *ip6qlock_grp_attr;
123
124 /* IPv6 fragment reassembly queues (protected by ip6qlock) */
125 static struct ip6q ip6q; /* ip6 reassembly queues */
126 static int ip6_maxfragpackets; /* max packets in reass queues */
127 static u_int32_t frag6_nfragpackets; /* # of packets in reass queues */
128 static int ip6_maxfrags; /* max fragments in reass queues */
129 static u_int32_t frag6_nfrags; /* # of fragments in reass queues */
130 static u_int32_t ip6q_limit; /* ip6q allocation limit */
131 static u_int32_t ip6q_count; /* current # of allocated ip6q's */
132 static u_int32_t ip6af_limit; /* ip6asfrag allocation limit */
133 static u_int32_t ip6af_count; /* current # of allocated ip6asfrag's */
134
135 static int sysctl_maxfragpackets SYSCTL_HANDLER_ARGS;
136 static int sysctl_maxfrags SYSCTL_HANDLER_ARGS;
137
138 SYSCTL_DECL(_net_inet6_ip6);
139
140 SYSCTL_PROC(_net_inet6_ip6, IPV6CTL_MAXFRAGPACKETS, maxfragpackets,
141 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_maxfragpackets, 0,
142 sysctl_maxfragpackets, "I",
143 "Maximum number of IPv6 fragment reassembly queue entries");
144
145 SYSCTL_UINT(_net_inet6_ip6, OID_AUTO, fragpackets,
146 CTLFLAG_RD | CTLFLAG_LOCKED, &frag6_nfragpackets, 0,
147 "Current number of IPv6 fragment reassembly queue entries");
148
149 SYSCTL_PROC(_net_inet6_ip6, IPV6CTL_MAXFRAGS, maxfrags,
150 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_maxfrags, 0,
151 sysctl_maxfrags, "I", "Maximum number of IPv6 fragments allowed");
152
153 /*
154 * Initialise reassembly queue and fragment identifier.
155 */
156 void
157 frag6_init(void)
158 {
159 /* ip6q_alloc() uses mbufs for IPv6 fragment queue structures */
160 _CASSERT(sizeof (struct ip6q) <= _MLEN);
161 /* ip6af_alloc() uses mbufs for IPv6 fragment queue structures */
162 _CASSERT(sizeof (struct ip6asfrag) <= _MLEN);
163
164 /* IPv6 fragment reassembly queue lock */
165 ip6qlock_grp_attr = lck_grp_attr_alloc_init();
166 ip6qlock_grp = lck_grp_alloc_init("ip6qlock", ip6qlock_grp_attr);
167 ip6qlock_attr = lck_attr_alloc_init();
168 lck_mtx_init(&ip6qlock, ip6qlock_grp, ip6qlock_attr);
169
170 lck_mtx_lock(&ip6qlock);
171 /* Initialize IPv6 reassembly queue. */
172 ip6q.ip6q_next = ip6q.ip6q_prev = &ip6q;
173
174 /* same limits as IPv4 */
175 ip6_maxfragpackets = nmbclusters / 32;
176 ip6_maxfrags = ip6_maxfragpackets * 2;
177 ip6q_updateparams();
178 lck_mtx_unlock(&ip6qlock);
179 }
180
181 static void
182 frag6_save_context(struct mbuf *m, int val)
183 {
184 m->m_pkthdr.pkt_hdr = (void *)(uintptr_t)val;
185 }
186
187 static void
188 frag6_scrub_context(struct mbuf *m)
189 {
190 m->m_pkthdr.pkt_hdr = NULL;
191 }
192
193 static int
194 frag6_restore_context(struct mbuf *m)
195 {
196 return ((int)m->m_pkthdr.pkt_hdr);
197 }
198
199 /*
200 * Send any deferred ICMP param problem error messages; caller must not be
201 * holding ip6qlock and is expected to have saved the per-packet parameter
202 * value via frag6_save_context().
203 */
204 static void
205 frag6_icmp6_paramprob_error(struct fq6_head *diq6)
206 {
207 lck_mtx_assert(&ip6qlock, LCK_MTX_ASSERT_NOTOWNED);
208
209 if (!MBUFQ_EMPTY(diq6)) {
210 struct mbuf *merr, *merr_tmp;
211 int param;
212 MBUFQ_FOREACH_SAFE(merr, diq6, merr_tmp) {
213 MBUFQ_REMOVE(diq6, merr);
214 MBUFQ_NEXT(merr) = NULL;
215 param = frag6_restore_context(merr);
216 frag6_scrub_context(merr);
217 icmp6_error(merr, ICMP6_PARAM_PROB,
218 ICMP6_PARAMPROB_HEADER, param);
219 }
220 }
221 }
222
223 /*
224 * Send any deferred ICMP time exceeded error messages;
225 * caller must not be holding ip6qlock.
226 */
227 static void
228 frag6_icmp6_timeex_error(struct fq6_head *diq6)
229 {
230 lck_mtx_assert(&ip6qlock, LCK_MTX_ASSERT_NOTOWNED);
231
232 if (!MBUFQ_EMPTY(diq6)) {
233 struct mbuf *m, *m_tmp;
234 MBUFQ_FOREACH_SAFE(m, diq6, m_tmp) {
235 MBUFQ_REMOVE(diq6, m);
236 MBUFQ_NEXT(m) = NULL;
237 icmp6_error_flag(m, ICMP6_TIME_EXCEEDED,
238 ICMP6_TIME_EXCEED_REASSEMBLY, 0, 0);
239 }
240 }
241 }
242
243 /*
244 * In RFC2460, fragment and reassembly rule do not agree with each other,
245 * in terms of next header field handling in fragment header.
246 * While the sender will use the same value for all of the fragmented packets,
247 * receiver is suggested not to check the consistency.
248 *
249 * fragment rule (p20):
250 * (2) A Fragment header containing:
251 * The Next Header value that identifies the first header of
252 * the Fragmentable Part of the original packet.
253 * -> next header field is same for all fragments
254 *
255 * reassembly rule (p21):
256 * The Next Header field of the last header of the Unfragmentable
257 * Part is obtained from the Next Header field of the first
258 * fragment's Fragment header.
259 * -> should grab it from the first fragment only
260 *
261 * The following note also contradicts with fragment rule - noone is going to
262 * send different fragment with different next header field.
263 *
264 * additional note (p22):
265 * The Next Header values in the Fragment headers of different
266 * fragments of the same original packet may differ. Only the value
267 * from the Offset zero fragment packet is used for reassembly.
268 * -> should grab it from the first fragment only
269 *
270 * There is no explicit reason given in the RFC. Historical reason maybe?
271 */
272 /*
273 * Fragment input
274 */
275 int
276 frag6_input(struct mbuf **mp, int *offp, int proto)
277 {
278 #pragma unused(proto)
279 struct mbuf *m = *mp, *t;
280 struct ip6_hdr *ip6;
281 struct ip6_frag *ip6f;
282 struct ip6q *q6;
283 struct ip6asfrag *af6, *ip6af, *af6dwn;
284 int offset = *offp, nxt, i, next;
285 int first_frag = 0;
286 int fragoff, frgpartlen; /* must be larger than u_int16_t */
287 struct ifnet *dstifp = NULL;
288 u_int8_t ecn, ecn0;
289 uint32_t csum, csum_flags;
290 struct fq6_head diq6;
291 int locked = 0;
292
293 VERIFY(m->m_flags & M_PKTHDR);
294
295 MBUFQ_INIT(&diq6); /* for deferred ICMP param problem errors */
296
297 /* Expect 32-bit aligned data pointer on strict-align platforms */
298 MBUF_STRICT_DATA_ALIGNMENT_CHECK_32(m);
299
300 ip6 = mtod(m, struct ip6_hdr *);
301 IP6_EXTHDR_CHECK(m, offset, sizeof(struct ip6_frag), goto done);
302 ip6f = (struct ip6_frag *)((caddr_t)ip6 + offset);
303
304 #ifdef IN6_IFSTAT_STRICT
305 /* find the destination interface of the packet. */
306 if (m->m_pkthdr.pkt_flags & PKTF_IFAINFO) {
307 uint32_t idx;
308
309 if (ip6_getdstifaddr_info(m, &idx, NULL) == 0) {
310 if (idx > 0 && idx <= if_index) {
311 ifnet_head_lock_shared();
312 dstifp = ifindex2ifnet[idx];
313 ifnet_head_done();
314 }
315 }
316 }
317 #endif /* IN6_IFSTAT_STRICT */
318
319 /* we are violating the spec, this may not be the dst interface */
320 if (dstifp == NULL)
321 dstifp = m->m_pkthdr.rcvif;
322
323 /* jumbo payload can't contain a fragment header */
324 if (ip6->ip6_plen == 0) {
325 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, offset);
326 in6_ifstat_inc(dstifp, ifs6_reass_fail);
327 m = NULL;
328 goto done;
329 }
330
331 /*
332 * check whether fragment packet's fragment length is
333 * multiple of 8 octets.
334 * sizeof(struct ip6_frag) == 8
335 * sizeof(struct ip6_hdr) = 40
336 */
337 if ((ip6f->ip6f_offlg & IP6F_MORE_FRAG) &&
338 (((ntohs(ip6->ip6_plen) - offset) & 0x7) != 0)) {
339 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER,
340 offsetof(struct ip6_hdr, ip6_plen));
341 in6_ifstat_inc(dstifp, ifs6_reass_fail);
342 m = NULL;
343 goto done;
344 }
345
346 /* If ip6_maxfragpackets or ip6_maxfrags is 0, never accept fragments */
347 if (ip6_maxfragpackets == 0 || ip6_maxfrags == 0) {
348 ip6stat.ip6s_fragments++;
349 ip6stat.ip6s_fragdropped++;
350 in6_ifstat_inc(dstifp, ifs6_reass_fail);
351 m_freem(m);
352 m = NULL;
353 goto done;
354 }
355
356 /* offset now points to data portion */
357 offset += sizeof(struct ip6_frag);
358
359 /*
360 * RFC 6946: Handle "atomic" fragments (offset and m bit set to 0)
361 * upfront, unrelated to any reassembly. Just skip the fragment header.
362 */
363 if ((ip6f->ip6f_offlg & ~IP6F_RESERVED_MASK) == 0) {
364 /*
365 * In ICMPv6 processing, we drop certain
366 * NDP messages that are not expected to
367 * have fragment header based on recommendations
368 * against security vulnerability as described in
369 * RFC 6980.
370 * We set PKTF_REASSEMBLED flag to let ICMPv6 NDP
371 * drop such packets.
372 * However there are already devices running software
373 * that are creating interface with MTU < IPv6 Min
374 * MTU. We should not have allowed that but they are
375 * out, and sending atomic NDP fragments.
376 * For that reason, we do not set the same flag here
377 * and relax the check.
378 */
379 ip6stat.ip6s_atmfrag_rcvd++;
380 in6_ifstat_inc(dstifp, ifs6_atmfrag_rcvd);
381 *offp = offset;
382 return (ip6f->ip6f_nxt);
383 }
384
385 /*
386 * Leverage partial checksum offload for simple UDP/IP fragments,
387 * as that is the most common case.
388 *
389 * Perform 1's complement adjustment of octets that got included/
390 * excluded in the hardware-calculated checksum value.
391 */
392 if (ip6f->ip6f_nxt == IPPROTO_UDP &&
393 offset == (sizeof (*ip6) + sizeof (*ip6f)) &&
394 (m->m_pkthdr.csum_flags &
395 (CSUM_DATA_VALID | CSUM_PARTIAL | CSUM_PSEUDO_HDR)) ==
396 (CSUM_DATA_VALID | CSUM_PARTIAL)) {
397 uint32_t start;
398
399 start = m->m_pkthdr.csum_rx_start;
400 csum = m->m_pkthdr.csum_rx_val;
401
402 if (start != offset) {
403 uint16_t s, d;
404
405 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_src)) {
406 s = ip6->ip6_src.s6_addr16[1];
407 ip6->ip6_src.s6_addr16[1] = 0 ;
408 }
409 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst)) {
410 d = ip6->ip6_dst.s6_addr16[1];
411 ip6->ip6_dst.s6_addr16[1] = 0;
412 }
413
414 /* callee folds in sum */
415 csum = m_adj_sum16(m, start, offset, csum);
416
417 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_src))
418 ip6->ip6_src.s6_addr16[1] = s;
419 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst))
420 ip6->ip6_dst.s6_addr16[1] = d;
421
422 }
423 csum_flags = m->m_pkthdr.csum_flags;
424 } else {
425 csum = 0;
426 csum_flags = 0;
427 }
428
429 /* Invalidate checksum */
430 m->m_pkthdr.csum_flags &= ~CSUM_DATA_VALID;
431
432 ip6stat.ip6s_fragments++;
433 in6_ifstat_inc(dstifp, ifs6_reass_reqd);
434
435 lck_mtx_lock(&ip6qlock);
436 locked = 1;
437
438 for (q6 = ip6q.ip6q_next; q6 != &ip6q; q6 = q6->ip6q_next)
439 if (ip6f->ip6f_ident == q6->ip6q_ident &&
440 IN6_ARE_ADDR_EQUAL(&ip6->ip6_src, &q6->ip6q_src) &&
441 IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &q6->ip6q_dst))
442 break;
443
444 if (q6 == &ip6q) {
445 /*
446 * the first fragment to arrive, create a reassembly queue.
447 */
448 first_frag = 1;
449
450 q6 = ip6q_alloc(M_DONTWAIT);
451 if (q6 == NULL)
452 goto dropfrag;
453
454 frag6_insque(q6, &ip6q);
455 frag6_nfragpackets++;
456
457 /* ip6q_nxt will be filled afterwards, from 1st fragment */
458 q6->ip6q_down = q6->ip6q_up = (struct ip6asfrag *)q6;
459 #ifdef notyet
460 q6->ip6q_nxtp = (u_char *)nxtp;
461 #endif
462 q6->ip6q_ident = ip6f->ip6f_ident;
463 q6->ip6q_ttl = IPV6_FRAGTTL;
464 q6->ip6q_src = ip6->ip6_src;
465 q6->ip6q_dst = ip6->ip6_dst;
466 q6->ip6q_ecn =
467 (ntohl(ip6->ip6_flow) >> 20) & IPTOS_ECN_MASK;
468 q6->ip6q_unfrglen = -1; /* The 1st fragment has not arrived. */
469
470 q6->ip6q_nfrag = 0;
471
472 /*
473 * If the first fragment has valid checksum offload
474 * info, the rest of fragments are eligible as well.
475 */
476 if (csum_flags != 0) {
477 q6->ip6q_csum = csum;
478 q6->ip6q_csum_flags = csum_flags;
479 }
480 }
481
482 /*
483 * If it's the 1st fragment, record the length of the
484 * unfragmentable part and the next header of the fragment header.
485 */
486 fragoff = ntohs(ip6f->ip6f_offlg & IP6F_OFF_MASK);
487 if (fragoff == 0) {
488 q6->ip6q_unfrglen = offset - sizeof(struct ip6_hdr) -
489 sizeof(struct ip6_frag);
490 q6->ip6q_nxt = ip6f->ip6f_nxt;
491 }
492
493 /*
494 * Check that the reassembled packet would not exceed 65535 bytes
495 * in size.
496 * If it would exceed, discard the fragment and return an ICMP error.
497 */
498 frgpartlen = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen) - offset;
499 if (q6->ip6q_unfrglen >= 0) {
500 /* The 1st fragment has already arrived. */
501 if (q6->ip6q_unfrglen + fragoff + frgpartlen > IPV6_MAXPACKET) {
502 lck_mtx_unlock(&ip6qlock);
503 locked = 0;
504 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER,
505 offset - sizeof(struct ip6_frag) +
506 offsetof(struct ip6_frag, ip6f_offlg));
507 m = NULL;
508 goto done;
509 }
510 } else if (fragoff + frgpartlen > IPV6_MAXPACKET) {
511 lck_mtx_unlock(&ip6qlock);
512 locked = 0;
513 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER,
514 offset - sizeof(struct ip6_frag) +
515 offsetof(struct ip6_frag, ip6f_offlg));
516 m = NULL;
517 goto done;
518 }
519 /*
520 * If it's the first fragment, do the above check for each
521 * fragment already stored in the reassembly queue.
522 */
523 if (fragoff == 0) {
524 for (af6 = q6->ip6q_down; af6 != (struct ip6asfrag *)q6;
525 af6 = af6dwn) {
526 af6dwn = af6->ip6af_down;
527
528 if (q6->ip6q_unfrglen + af6->ip6af_off + af6->ip6af_frglen >
529 IPV6_MAXPACKET) {
530 struct mbuf *merr = IP6_REASS_MBUF(af6);
531 struct ip6_hdr *ip6err;
532 int erroff = af6->ip6af_offset;
533
534 /* dequeue the fragment. */
535 frag6_deq(af6);
536 ip6af_free(af6);
537
538 /* adjust pointer. */
539 ip6err = mtod(merr, struct ip6_hdr *);
540
541 /*
542 * Restore source and destination addresses
543 * in the erroneous IPv6 header.
544 */
545 ip6err->ip6_src = q6->ip6q_src;
546 ip6err->ip6_dst = q6->ip6q_dst;
547
548 frag6_save_context(merr,
549 erroff - sizeof (struct ip6_frag) +
550 offsetof(struct ip6_frag, ip6f_offlg));
551
552 MBUFQ_ENQUEUE(&diq6, merr);
553 }
554 }
555 }
556
557 ip6af = ip6af_alloc(M_DONTWAIT);
558 if (ip6af == NULL)
559 goto dropfrag;
560
561 ip6af->ip6af_mff = ip6f->ip6f_offlg & IP6F_MORE_FRAG;
562 ip6af->ip6af_off = fragoff;
563 ip6af->ip6af_frglen = frgpartlen;
564 ip6af->ip6af_offset = offset;
565 IP6_REASS_MBUF(ip6af) = m;
566
567 if (first_frag) {
568 af6 = (struct ip6asfrag *)q6;
569 goto insert;
570 }
571
572 /*
573 * Handle ECN by comparing this segment with the first one;
574 * if CE is set, do not lose CE.
575 * drop if CE and not-ECT are mixed for the same packet.
576 */
577 ecn = (ntohl(ip6->ip6_flow) >> 20) & IPTOS_ECN_MASK;
578 ecn0 = q6->ip6q_ecn;
579 if (ecn == IPTOS_ECN_CE) {
580 if (ecn0 == IPTOS_ECN_NOTECT) {
581 ip6af_free(ip6af);
582 goto dropfrag;
583 }
584 if (ecn0 != IPTOS_ECN_CE)
585 q6->ip6q_ecn = IPTOS_ECN_CE;
586 }
587 if (ecn == IPTOS_ECN_NOTECT && ecn0 != IPTOS_ECN_NOTECT) {
588 ip6af_free(ip6af);
589 goto dropfrag;
590 }
591
592 /*
593 * Find a segment which begins after this one does.
594 */
595 for (af6 = q6->ip6q_down; af6 != (struct ip6asfrag *)q6;
596 af6 = af6->ip6af_down)
597 if (af6->ip6af_off > ip6af->ip6af_off)
598 break;
599
600 #if 0
601 /*
602 * If there is a preceding segment, it may provide some of
603 * our data already. If so, drop the data from the incoming
604 * segment. If it provides all of our data, drop us.
605 *
606 * If some of the data is dropped from the preceding
607 * segment, then it's checksum is invalidated.
608 */
609 if (af6->ip6af_up != (struct ip6asfrag *)q6) {
610 i = af6->ip6af_up->ip6af_off + af6->ip6af_up->ip6af_frglen
611 - ip6af->ip6af_off;
612 if (i > 0) {
613 if (i >= ip6af->ip6af_frglen)
614 goto dropfrag;
615 m_adj(IP6_REASS_MBUF(ip6af), i);
616 q6->ip6q_csum_flags = 0;
617 ip6af->ip6af_off += i;
618 ip6af->ip6af_frglen -= i;
619 }
620 }
621
622 /*
623 * While we overlap succeeding segments trim them or,
624 * if they are completely covered, dequeue them.
625 */
626 while (af6 != (struct ip6asfrag *)q6 &&
627 ip6af->ip6af_off + ip6af->ip6af_frglen > af6->ip6af_off) {
628 i = (ip6af->ip6af_off + ip6af->ip6af_frglen) - af6->ip6af_off;
629 if (i < af6->ip6af_frglen) {
630 af6->ip6af_frglen -= i;
631 af6->ip6af_off += i;
632 m_adj(IP6_REASS_MBUF(af6), i);
633 q6->ip6q_csum_flags = 0;
634 break;
635 }
636 af6 = af6->ip6af_down;
637 m_freem(IP6_REASS_MBUF(af6->ip6af_up));
638 frag6_deq(af6->ip6af_up);
639 }
640 #else
641 /*
642 * If the incoming framgent overlaps some existing fragments in
643 * the reassembly queue, drop it, since it is dangerous to override
644 * existing fragments from a security point of view.
645 * We don't know which fragment is the bad guy - here we trust
646 * fragment that came in earlier, with no real reason.
647 *
648 * Note: due to changes after disabling this part, mbuf passed to
649 * m_adj() below now does not meet the requirement.
650 */
651 if (af6->ip6af_up != (struct ip6asfrag *)q6) {
652 i = af6->ip6af_up->ip6af_off + af6->ip6af_up->ip6af_frglen
653 - ip6af->ip6af_off;
654 if (i > 0) {
655 #if 0 /* suppress the noisy log */
656 log(LOG_ERR, "%d bytes of a fragment from %s "
657 "overlaps the previous fragment\n",
658 i, ip6_sprintf(&q6->ip6q_src));
659 #endif
660 ip6af_free(ip6af);
661 goto dropfrag;
662 }
663 }
664 if (af6 != (struct ip6asfrag *)q6) {
665 i = (ip6af->ip6af_off + ip6af->ip6af_frglen) - af6->ip6af_off;
666 if (i > 0) {
667 #if 0 /* suppress the noisy log */
668 log(LOG_ERR, "%d bytes of a fragment from %s "
669 "overlaps the succeeding fragment",
670 i, ip6_sprintf(&q6->ip6q_src));
671 #endif
672 ip6af_free(ip6af);
673 goto dropfrag;
674 }
675 }
676 #endif
677
678 /*
679 * If this fragment contains similar checksum offload info
680 * as that of the existing ones, accumulate checksum. Otherwise,
681 * invalidate checksum offload info for the entire datagram.
682 */
683 if (csum_flags != 0 && csum_flags == q6->ip6q_csum_flags)
684 q6->ip6q_csum += csum;
685 else if (q6->ip6q_csum_flags != 0)
686 q6->ip6q_csum_flags = 0;
687
688 insert:
689
690 /*
691 * Stick new segment in its place;
692 * check for complete reassembly.
693 * Move to front of packet queue, as we are
694 * the most recently active fragmented packet.
695 */
696 frag6_enq(ip6af, af6->ip6af_up);
697 frag6_nfrags++;
698 q6->ip6q_nfrag++;
699 #if 0 /* xxx */
700 if (q6 != ip6q.ip6q_next) {
701 frag6_remque(q6);
702 frag6_insque(q6, &ip6q);
703 }
704 #endif
705 next = 0;
706 for (af6 = q6->ip6q_down; af6 != (struct ip6asfrag *)q6;
707 af6 = af6->ip6af_down) {
708 if (af6->ip6af_off != next) {
709 lck_mtx_unlock(&ip6qlock);
710 locked = 0;
711 m = NULL;
712 goto done;
713 }
714 next += af6->ip6af_frglen;
715 }
716 if (af6->ip6af_up->ip6af_mff) {
717 lck_mtx_unlock(&ip6qlock);
718 locked = 0;
719 m = NULL;
720 goto done;
721 }
722
723 /*
724 * Reassembly is complete; concatenate fragments.
725 */
726 ip6af = q6->ip6q_down;
727 t = m = IP6_REASS_MBUF(ip6af);
728 af6 = ip6af->ip6af_down;
729 frag6_deq(ip6af);
730 while (af6 != (struct ip6asfrag *)q6) {
731 af6dwn = af6->ip6af_down;
732 frag6_deq(af6);
733 while (t->m_next)
734 t = t->m_next;
735 t->m_next = IP6_REASS_MBUF(af6);
736 m_adj(t->m_next, af6->ip6af_offset);
737 ip6af_free(af6);
738 af6 = af6dwn;
739 }
740
741 /*
742 * Store partial hardware checksum info from the fragment queue;
743 * the receive start offset is set to 40 bytes (see code at the
744 * top of this routine.)
745 */
746 if (q6->ip6q_csum_flags != 0) {
747 csum = q6->ip6q_csum;
748
749 ADDCARRY(csum);
750
751 m->m_pkthdr.csum_rx_val = csum;
752 m->m_pkthdr.csum_rx_start = sizeof (struct ip6_hdr);
753 m->m_pkthdr.csum_flags = q6->ip6q_csum_flags;
754 } else if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) ||
755 (m->m_pkthdr.pkt_flags & PKTF_LOOP)) {
756 /* loopback checksums are always OK */
757 m->m_pkthdr.csum_data = 0xffff;
758 m->m_pkthdr.csum_flags &= ~CSUM_PARTIAL;
759 m->m_pkthdr.csum_flags = CSUM_DATA_VALID | CSUM_PSEUDO_HDR;
760 }
761
762 /* adjust offset to point where the original next header starts */
763 offset = ip6af->ip6af_offset - sizeof(struct ip6_frag);
764 ip6af_free(ip6af);
765 ip6 = mtod(m, struct ip6_hdr *);
766 ip6->ip6_plen = htons((u_short)next + offset - sizeof(struct ip6_hdr));
767 ip6->ip6_src = q6->ip6q_src;
768 ip6->ip6_dst = q6->ip6q_dst;
769 if (q6->ip6q_ecn == IPTOS_ECN_CE)
770 ip6->ip6_flow |= htonl(IPTOS_ECN_CE << 20);
771
772 nxt = q6->ip6q_nxt;
773 #ifdef notyet
774 *q6->ip6q_nxtp = (u_char)(nxt & 0xff);
775 #endif
776
777 /* Delete frag6 header */
778 if (m->m_len >= offset + sizeof(struct ip6_frag)) {
779 /* This is the only possible case with !PULLDOWN_TEST */
780 ovbcopy((caddr_t)ip6, (caddr_t)ip6 + sizeof(struct ip6_frag),
781 offset);
782 m->m_data += sizeof(struct ip6_frag);
783 m->m_len -= sizeof(struct ip6_frag);
784 } else {
785 /* this comes with no copy if the boundary is on cluster */
786 if ((t = m_split(m, offset, M_DONTWAIT)) == NULL) {
787 frag6_remque(q6);
788 frag6_nfragpackets--;
789 frag6_nfrags -= q6->ip6q_nfrag;
790 ip6q_free(q6);
791 goto dropfrag;
792 }
793 m_adj(t, sizeof(struct ip6_frag));
794 m_cat(m, t);
795 }
796
797 /*
798 * Store NXT to the original.
799 */
800 {
801 char *prvnxtp = ip6_get_prevhdr(m, offset); /* XXX */
802 *prvnxtp = nxt;
803 }
804
805 frag6_remque(q6);
806 frag6_nfragpackets--;
807 frag6_nfrags -= q6->ip6q_nfrag;
808 ip6q_free(q6);
809
810 if (m->m_flags & M_PKTHDR) { /* Isn't it always true? */
811 m_fixhdr(m);
812 /*
813 * Mark packet as reassembled
814 * In ICMPv6 processing, we drop certain
815 * NDP messages that are not expected to
816 * have fragment header based on recommendations
817 * against security vulnerability as described in
818 * RFC 6980.
819 */
820 m->m_pkthdr.pkt_flags |= PKTF_REASSEMBLED;
821 }
822 ip6stat.ip6s_reassembled++;
823
824 /*
825 * Tell launch routine the next header
826 */
827 *mp = m;
828 *offp = offset;
829
830 /* arm the purge timer if not already and if there's work to do */
831 frag6_sched_timeout();
832 lck_mtx_unlock(&ip6qlock);
833 in6_ifstat_inc(dstifp, ifs6_reass_ok);
834 frag6_icmp6_paramprob_error(&diq6);
835 VERIFY(MBUFQ_EMPTY(&diq6));
836 return (nxt);
837
838 done:
839 VERIFY(m == NULL);
840 if (!locked) {
841 if (frag6_nfragpackets == 0) {
842 frag6_icmp6_paramprob_error(&diq6);
843 VERIFY(MBUFQ_EMPTY(&diq6));
844 return (IPPROTO_DONE);
845 }
846 lck_mtx_lock(&ip6qlock);
847 }
848 /* arm the purge timer if not already and if there's work to do */
849 frag6_sched_timeout();
850 lck_mtx_unlock(&ip6qlock);
851 frag6_icmp6_paramprob_error(&diq6);
852 VERIFY(MBUFQ_EMPTY(&diq6));
853 return (IPPROTO_DONE);
854
855 dropfrag:
856 ip6stat.ip6s_fragdropped++;
857 /* arm the purge timer if not already and if there's work to do */
858 frag6_sched_timeout();
859 lck_mtx_unlock(&ip6qlock);
860 in6_ifstat_inc(dstifp, ifs6_reass_fail);
861 m_freem(m);
862 frag6_icmp6_paramprob_error(&diq6);
863 VERIFY(MBUFQ_EMPTY(&diq6));
864 return (IPPROTO_DONE);
865 }
866
867 /*
868 * Free a fragment reassembly header and all
869 * associated datagrams.
870 */
871 void
872 frag6_freef(struct ip6q *q6, struct fq6_head *dfq6, struct fq6_head *diq6)
873 {
874 struct ip6asfrag *af6, *down6;
875
876 lck_mtx_assert(&ip6qlock, LCK_MTX_ASSERT_OWNED);
877
878 for (af6 = q6->ip6q_down; af6 != (struct ip6asfrag *)q6;
879 af6 = down6) {
880 struct mbuf *m = IP6_REASS_MBUF(af6);
881
882 down6 = af6->ip6af_down;
883 frag6_deq(af6);
884
885 /*
886 * Return ICMP time exceeded error for the 1st fragment.
887 * Just free other fragments.
888 */
889 if (af6->ip6af_off == 0) {
890 struct ip6_hdr *ip6;
891
892 /* adjust pointer */
893 ip6 = mtod(m, struct ip6_hdr *);
894
895 /* restore source and destination addresses */
896 ip6->ip6_src = q6->ip6q_src;
897 ip6->ip6_dst = q6->ip6q_dst;
898
899 MBUFQ_ENQUEUE(diq6, m);
900 } else {
901 MBUFQ_ENQUEUE(dfq6, m);
902 }
903 ip6af_free(af6);
904
905 }
906 frag6_remque(q6);
907 frag6_nfragpackets--;
908 frag6_nfrags -= q6->ip6q_nfrag;
909 ip6q_free(q6);
910 }
911
912 /*
913 * Put an ip fragment on a reassembly chain.
914 * Like insque, but pointers in middle of structure.
915 */
916 void
917 frag6_enq(struct ip6asfrag *af6, struct ip6asfrag *up6)
918 {
919 lck_mtx_assert(&ip6qlock, LCK_MTX_ASSERT_OWNED);
920
921 af6->ip6af_up = up6;
922 af6->ip6af_down = up6->ip6af_down;
923 up6->ip6af_down->ip6af_up = af6;
924 up6->ip6af_down = af6;
925 }
926
927 /*
928 * To frag6_enq as remque is to insque.
929 */
930 void
931 frag6_deq(struct ip6asfrag *af6)
932 {
933 lck_mtx_assert(&ip6qlock, LCK_MTX_ASSERT_OWNED);
934
935 af6->ip6af_up->ip6af_down = af6->ip6af_down;
936 af6->ip6af_down->ip6af_up = af6->ip6af_up;
937 }
938
939 void
940 frag6_insque(struct ip6q *new, struct ip6q *old)
941 {
942 lck_mtx_assert(&ip6qlock, LCK_MTX_ASSERT_OWNED);
943
944 new->ip6q_prev = old;
945 new->ip6q_next = old->ip6q_next;
946 old->ip6q_next->ip6q_prev= new;
947 old->ip6q_next = new;
948 }
949
950 void
951 frag6_remque(struct ip6q *p6)
952 {
953 lck_mtx_assert(&ip6qlock, LCK_MTX_ASSERT_OWNED);
954
955 p6->ip6q_prev->ip6q_next = p6->ip6q_next;
956 p6->ip6q_next->ip6q_prev = p6->ip6q_prev;
957 }
958
959 /*
960 * IPv6 reassembling timer processing;
961 * if a timer expires on a reassembly
962 * queue, discard it.
963 */
964 static void
965 frag6_timeout(void *arg)
966 {
967 #pragma unused(arg)
968 struct fq6_head dfq6, diq6;
969 struct ip6q *q6;
970
971 MBUFQ_INIT(&dfq6); /* for deferred frees */
972 MBUFQ_INIT(&diq6); /* for deferred ICMP time exceeded errors */
973
974 /*
975 * Update coarse-grained networking timestamp (in sec.); the idea
976 * is to piggy-back on the timeout callout to update the counter
977 * returnable via net_uptime().
978 */
979 net_update_uptime();
980
981 lck_mtx_lock(&ip6qlock);
982 q6 = ip6q.ip6q_next;
983 if (q6)
984 while (q6 != &ip6q) {
985 --q6->ip6q_ttl;
986 q6 = q6->ip6q_next;
987 if (q6->ip6q_prev->ip6q_ttl == 0) {
988 ip6stat.ip6s_fragtimeout++;
989 /* XXX in6_ifstat_inc(ifp, ifs6_reass_fail) */
990 frag6_freef(q6->ip6q_prev, &dfq6, &diq6);
991 }
992 }
993 /*
994 * If we are over the maximum number of fragments
995 * (due to the limit being lowered), drain off
996 * enough to get down to the new limit.
997 */
998 if (ip6_maxfragpackets >= 0) {
999 while (frag6_nfragpackets > (unsigned)ip6_maxfragpackets &&
1000 ip6q.ip6q_prev) {
1001 ip6stat.ip6s_fragoverflow++;
1002 /* XXX in6_ifstat_inc(ifp, ifs6_reass_fail) */
1003 frag6_freef(ip6q.ip6q_prev, &dfq6, &diq6);
1004 }
1005 }
1006 /* re-arm the purge timer if there's work to do */
1007 frag6_timeout_run = 0;
1008 frag6_sched_timeout();
1009 lck_mtx_unlock(&ip6qlock);
1010
1011 /* free fragments that need to be freed */
1012 if (!MBUFQ_EMPTY(&dfq6))
1013 MBUFQ_DRAIN(&dfq6);
1014
1015 frag6_icmp6_timeex_error(&diq6);
1016
1017 VERIFY(MBUFQ_EMPTY(&dfq6));
1018 VERIFY(MBUFQ_EMPTY(&diq6));
1019 }
1020
1021 static void
1022 frag6_sched_timeout(void)
1023 {
1024 lck_mtx_assert(&ip6qlock, LCK_MTX_ASSERT_OWNED);
1025
1026 if (!frag6_timeout_run && frag6_nfragpackets > 0) {
1027 frag6_timeout_run = 1;
1028 timeout(frag6_timeout, NULL, hz);
1029 }
1030 }
1031
1032 /*
1033 * Drain off all datagram fragments.
1034 */
1035 void
1036 frag6_drain(void)
1037 {
1038 struct fq6_head dfq6, diq6;
1039
1040 MBUFQ_INIT(&dfq6); /* for deferred frees */
1041 MBUFQ_INIT(&diq6); /* for deferred ICMP time exceeded errors */
1042
1043 lck_mtx_lock(&ip6qlock);
1044 while (ip6q.ip6q_next != &ip6q) {
1045 ip6stat.ip6s_fragdropped++;
1046 /* XXX in6_ifstat_inc(ifp, ifs6_reass_fail) */
1047 frag6_freef(ip6q.ip6q_next, &dfq6, &diq6);
1048 }
1049 lck_mtx_unlock(&ip6qlock);
1050
1051 /* free fragments that need to be freed */
1052 if (!MBUFQ_EMPTY(&dfq6))
1053 MBUFQ_DRAIN(&dfq6);
1054
1055 frag6_icmp6_timeex_error(&diq6);
1056
1057 VERIFY(MBUFQ_EMPTY(&dfq6));
1058 VERIFY(MBUFQ_EMPTY(&diq6));
1059 }
1060
1061 static struct ip6q *
1062 ip6q_alloc(int how)
1063 {
1064 struct mbuf *t;
1065 struct ip6q *q6;
1066
1067 /*
1068 * See comments in ip6q_updateparams(). Keep the count separate
1069 * from frag6_nfragpackets since the latter represents the elements
1070 * already in the reassembly queues.
1071 */
1072 if (ip6q_limit > 0 && ip6q_count > ip6q_limit)
1073 return (NULL);
1074
1075 t = m_get(how, MT_FTABLE);
1076 if (t != NULL) {
1077 atomic_add_32(&ip6q_count, 1);
1078 q6 = mtod(t, struct ip6q *);
1079 bzero(q6, sizeof (*q6));
1080 } else {
1081 q6 = NULL;
1082 }
1083 return (q6);
1084 }
1085
1086 static void
1087 ip6q_free(struct ip6q *q6)
1088 {
1089 (void) m_free(dtom(q6));
1090 atomic_add_32(&ip6q_count, -1);
1091 }
1092
1093 static struct ip6asfrag *
1094 ip6af_alloc(int how)
1095 {
1096 struct mbuf *t;
1097 struct ip6asfrag *af6;
1098
1099 /*
1100 * See comments in ip6q_updateparams(). Keep the count separate
1101 * from frag6_nfrags since the latter represents the elements
1102 * already in the reassembly queues.
1103 */
1104 if (ip6af_limit > 0 && ip6af_count > ip6af_limit)
1105 return (NULL);
1106
1107 t = m_get(how, MT_FTABLE);
1108 if (t != NULL) {
1109 atomic_add_32(&ip6af_count, 1);
1110 af6 = mtod(t, struct ip6asfrag *);
1111 bzero(af6, sizeof (*af6));
1112 } else {
1113 af6 = NULL;
1114 }
1115 return (af6);
1116 }
1117
1118 static void
1119 ip6af_free(struct ip6asfrag *af6)
1120 {
1121 (void) m_free(dtom(af6));
1122 atomic_add_32(&ip6af_count, -1);
1123 }
1124
1125 static void
1126 ip6q_updateparams(void)
1127 {
1128 lck_mtx_assert(&ip6qlock, LCK_MTX_ASSERT_OWNED);
1129 /*
1130 * -1 for unlimited allocation.
1131 */
1132 if (ip6_maxfragpackets < 0)
1133 ip6q_limit = 0;
1134 if (ip6_maxfrags < 0)
1135 ip6af_limit = 0;
1136 /*
1137 * Positive number for specific bound.
1138 */
1139 if (ip6_maxfragpackets > 0)
1140 ip6q_limit = ip6_maxfragpackets;
1141 if (ip6_maxfrags > 0)
1142 ip6af_limit = ip6_maxfrags;
1143 /*
1144 * Zero specifies no further fragment queue allocation -- set the
1145 * bound very low, but rely on implementation elsewhere to actually
1146 * prevent allocation and reclaim current queues.
1147 */
1148 if (ip6_maxfragpackets == 0)
1149 ip6q_limit = 1;
1150 if (ip6_maxfrags == 0)
1151 ip6af_limit = 1;
1152 /*
1153 * Arm the purge timer if not already and if there's work to do
1154 */
1155 frag6_sched_timeout();
1156 }
1157
1158 static int
1159 sysctl_maxfragpackets SYSCTL_HANDLER_ARGS
1160 {
1161 #pragma unused(arg1, arg2)
1162 int error, i;
1163
1164 lck_mtx_lock(&ip6qlock);
1165 i = ip6_maxfragpackets;
1166 error = sysctl_handle_int(oidp, &i, 0, req);
1167 if (error || req->newptr == USER_ADDR_NULL)
1168 goto done;
1169 /* impose bounds */
1170 if (i < -1 || i > (nmbclusters / 4)) {
1171 error = EINVAL;
1172 goto done;
1173 }
1174 ip6_maxfragpackets = i;
1175 ip6q_updateparams();
1176 done:
1177 lck_mtx_unlock(&ip6qlock);
1178 return (error);
1179 }
1180
1181 static int
1182 sysctl_maxfrags SYSCTL_HANDLER_ARGS
1183 {
1184 #pragma unused(arg1, arg2)
1185 int error, i;
1186
1187 lck_mtx_lock(&ip6qlock);
1188 i = ip6_maxfrags;
1189 error = sysctl_handle_int(oidp, &i, 0, req);
1190 if (error || req->newptr == USER_ADDR_NULL)
1191 goto done;
1192 /* impose bounds */
1193 if (i < -1 || i > (nmbclusters / 4)) {
1194 error = EINVAL;
1195 goto done;
1196 }
1197 ip6_maxfrags= i;
1198 ip6q_updateparams(); /* see if we need to arm timer */
1199 done:
1200 lck_mtx_unlock(&ip6qlock);
1201 return (error);
1202 }
mirror of XNU