]> git.saurik.com Git - apple/xnu.git/blob - bsd/netinet6/ip6_input.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-1228.7.58.tar.gz
[apple/xnu.git] / bsd / netinet6 / ip6_input.c
1 /*
2 * Copyright (c) 2003-2007 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28 /* $FreeBSD: src/sys/netinet6/ip6_input.c,v 1.11.2.10 2001/07/24 19:10:18 brooks Exp $ */
29 /* $KAME: ip6_input.c,v 1.194 2001/05/27 13:28:35 itojun Exp $ */
30
31 /*
32 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
33 * All rights reserved.
34 *
35 * Redistribution and use in source and binary forms, with or without
36 * modification, are permitted provided that the following conditions
37 * are met:
38 * 1. Redistributions of source code must retain the above copyright
39 * notice, this list of conditions and the following disclaimer.
40 * 2. Redistributions in binary form must reproduce the above copyright
41 * notice, this list of conditions and the following disclaimer in the
42 * documentation and/or other materials provided with the distribution.
43 * 3. Neither the name of the project nor the names of its contributors
44 * may be used to endorse or promote products derived from this software
45 * without specific prior written permission.
46 *
47 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
48 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
49 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
50 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
51 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
52 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
53 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
54 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
55 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
56 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
57 * SUCH DAMAGE.
58 */
59
60 /*
61 * Copyright (c) 1982, 1986, 1988, 1993
62 * The Regents of the University of California. All rights reserved.
63 *
64 * Redistribution and use in source and binary forms, with or without
65 * modification, are permitted provided that the following conditions
66 * are met:
67 * 1. Redistributions of source code must retain the above copyright
68 * notice, this list of conditions and the following disclaimer.
69 * 2. Redistributions in binary form must reproduce the above copyright
70 * notice, this list of conditions and the following disclaimer in the
71 * documentation and/or other materials provided with the distribution.
72 * 3. All advertising materials mentioning features or use of this software
73 * must display the following acknowledgement:
74 * This product includes software developed by the University of
75 * California, Berkeley and its contributors.
76 * 4. Neither the name of the University nor the names of its contributors
77 * may be used to endorse or promote products derived from this software
78 * without specific prior written permission.
79 *
80 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
81 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
82 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
83 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
84 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
85 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
86 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
87 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
88 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
89 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
90 * SUCH DAMAGE.
91 *
92 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94
93 */
94
95
96 #include <sys/param.h>
97 #include <sys/systm.h>
98 #include <sys/malloc.h>
99 #include <sys/mbuf.h>
100 #include <sys/domain.h>
101 #include <sys/protosw.h>
102 #include <sys/socket.h>
103 #include <sys/socketvar.h>
104 #include <sys/errno.h>
105 #include <sys/time.h>
106 #include <sys/kernel.h>
107 #include <sys/syslog.h>
108 #include <sys/proc.h>
109 #include <sys/kauth.h>
110
111 #include <net/if.h>
112 #include <net/if_var.h>
113 #include <net/if_types.h>
114 #include <net/if_dl.h>
115 #include <net/route.h>
116 #include <net/kpi_protocol.h>
117
118 #include <netinet/in.h>
119 #include <netinet/in_systm.h>
120 #if INET
121 #include <netinet/ip.h>
122 #include <netinet/ip_icmp.h>
123 #endif /*INET*/
124 #include <netinet/ip6.h>
125 #include <netinet6/in6_var.h>
126 #include <netinet6/ip6_var.h>
127 #include <netinet/in_pcb.h>
128 #include <netinet/icmp6.h>
129 #include <netinet6/in6_ifattach.h>
130 #include <netinet6/nd6.h>
131 #include <netinet6/in6_prefix.h>
132
133 #if IPSEC
134 #include <netinet6/ipsec.h>
135 #if INET6
136 #include <netinet6/ipsec6.h>
137 #endif
138 extern int ipsec_bypass;
139 #endif
140
141 #include <netinet6/ip6_fw.h>
142
143 #include <netinet/kpi_ipfilter_var.h>
144
145 #include <netinet6/ip6protosw.h>
146
147 /* we need it for NLOOP. */
148 #include "loop.h"
149 #include "faith.h"
150
151 #include <net/net_osdep.h>
152
153 extern struct domain inet6domain;
154 extern struct ip6protosw inet6sw[];
155
156 struct ip6protosw * ip6_protox[IPPROTO_MAX];
157 static int ip6qmaxlen = IFQ_MAXLEN;
158 struct in6_ifaddr *in6_ifaddrs;
159
160 int ip6_forward_srcrt; /* XXX */
161 int ip6_sourcecheck; /* XXX */
162 int ip6_sourcecheck_interval; /* XXX */
163 const int int6intrq_present = 1;
164
165 int ip6_ours_check_algorithm;
166 int in6_init2done = 0;
167
168
169 /* firewall hooks */
170 ip6_fw_chk_t *ip6_fw_chk_ptr;
171 ip6_fw_ctl_t *ip6_fw_ctl_ptr;
172 int ip6_fw_enable = 1;
173
174 struct ip6stat ip6stat;
175
176 #ifdef __APPLE__
177 struct ifqueue ip6intrq;
178 lck_mtx_t *ip6_mutex;
179 lck_mtx_t *dad6_mutex;
180 lck_mtx_t *nd6_mutex;
181 lck_mtx_t *prefix6_mutex;
182 lck_attr_t *ip6_mutex_attr;
183 lck_grp_t *ip6_mutex_grp;
184 lck_grp_attr_t *ip6_mutex_grp_attr;
185 extern lck_mtx_t *inet6_domain_mutex;
186 #endif
187 extern int loopattach_done;
188
189 static void ip6_init2(void *);
190 static struct ip6aux *ip6_setdstifaddr(struct mbuf *, struct in6_ifaddr *);
191
192 static int ip6_hopopts_input(u_int32_t *, u_int32_t *, struct mbuf **, int *);
193 #if PULLDOWN_TEST
194 static struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int);
195 #endif
196
197 #ifdef __APPLE__
198 void gifattach(void);
199 void faithattach(void);
200 void stfattach(void);
201 #endif
202
203 extern lck_mtx_t *domain_proto_mtx;
204
205
206 static void
207 ip6_proto_input(
208 __unused protocol_family_t protocol,
209 mbuf_t packet)
210 {
211 ip6_input(packet);
212 }
213
214 /*
215 * IP6 initialization: fill in IP6 protocol switch table.
216 * All protocols not implemented in kernel go to raw IP6 protocol handler.
217 */
218 void
219 ip6_init()
220 {
221 struct ip6protosw *pr;
222 int i;
223 struct timeval tv;
224
225 #if DIAGNOSTIC
226 if (sizeof(struct protosw) != sizeof(struct ip6protosw))
227 panic("sizeof(protosw) != sizeof(ip6protosw)");
228 #endif
229 pr = (struct ip6protosw *)pffindproto_locked(PF_INET6, IPPROTO_RAW, SOCK_RAW);
230 if (pr == 0)
231 panic("ip6_init");
232 for (i = 0; i < IPPROTO_MAX; i++)
233 ip6_protox[i] = pr;
234 for (pr = (struct ip6protosw*)inet6domain.dom_protosw; pr; pr = pr->pr_next) {
235 if(!((unsigned int)pr->pr_domain)) continue; /* If uninitialized, skip */
236 if (pr->pr_domain->dom_family == PF_INET6 &&
237 pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW) {
238 ip6_protox[pr->pr_protocol] = pr;
239 }
240 }
241
242 ip6_mutex_grp_attr = lck_grp_attr_alloc_init();
243
244 ip6_mutex_grp = lck_grp_alloc_init("ip6", ip6_mutex_grp_attr);
245 ip6_mutex_attr = lck_attr_alloc_init();
246
247 if ((ip6_mutex = lck_mtx_alloc_init(ip6_mutex_grp, ip6_mutex_attr)) == NULL) {
248 printf("ip6_init: can't alloc ip6_mutex\n");
249 return;
250 }
251 if ((dad6_mutex = lck_mtx_alloc_init(ip6_mutex_grp, ip6_mutex_attr)) == NULL) {
252 printf("ip6_init: can't alloc dad6_mutex\n");
253 return;
254 }
255 if ((nd6_mutex = lck_mtx_alloc_init(ip6_mutex_grp, ip6_mutex_attr)) == NULL) {
256 printf("ip6_init: can't alloc nd6_mutex\n");
257 return;
258 }
259
260 if ((prefix6_mutex = lck_mtx_alloc_init(ip6_mutex_grp, ip6_mutex_attr)) == NULL) {
261 printf("ip6_init: can't alloc prefix6_mutex\n");
262 return;
263 }
264
265 inet6domain.dom_flags = DOM_REENTRANT;
266
267 ip6intrq.ifq_maxlen = ip6qmaxlen;
268 nd6_init();
269 frag6_init();
270 icmp6_init();
271 /*
272 * in many cases, random() here does NOT return random number
273 * as initialization during bootstrap time occur in fixed order.
274 */
275 microtime(&tv);
276 ip6_flow_seq = random() ^ tv.tv_usec;
277 microtime(&tv);
278 ip6_desync_factor = (random() ^ tv.tv_usec) % MAX_TEMP_DESYNC_FACTOR;
279 timeout(ip6_init2, (caddr_t)0, 1 * hz);
280
281 lck_mtx_unlock(domain_proto_mtx);
282 proto_register_input(PF_INET6, ip6_proto_input, NULL, 0);
283 lck_mtx_lock(domain_proto_mtx);
284 }
285
286 static void
287 ip6_init2(
288 __unused void *dummy)
289 {
290 /*
291 * to route local address of p2p link to loopback,
292 * assign loopback address first.
293 */
294 if (loopattach_done == 0) {
295 timeout(ip6_init2, (caddr_t)0, 1 * hz);
296 return;
297 }
298 in6_ifattach(lo_ifp, NULL, NULL);
299
300 #ifdef __APPLE__
301 /* nd6_timer_init */
302 timeout(nd6_timer, (caddr_t)0, hz);
303
304 /* router renumbering prefix list maintenance */
305 timeout(in6_rr_timer, (caddr_t)0, hz);
306
307 /* timer for regeneranation of temporary addresses randomize ID */
308 timeout(in6_tmpaddrtimer, (caddr_t)0,
309 (ip6_temp_preferred_lifetime - ip6_desync_factor -
310 ip6_temp_regen_advance) * hz);
311
312 #if NGIF
313 gifattach();
314 #endif
315 #if NFAITH
316 faithattach();
317 #endif
318 #if NSTF
319 stfattach();
320 #endif
321 #else
322 /* nd6_timer_init */
323
324 callout_init(&nd6_timer_ch);
325 callout_reset(&nd6_timer_ch, hz, nd6_timer, NULL);
326
327 /* router renumbering prefix list maintenance */
328 callout_init(&in6_rr_timer_ch);
329 callout_reset(&in6_rr_timer_ch, hz, in6_rr_timer, NULL);
330
331 /* timer for regeneranation of temporary addresses randomize ID */
332 callout_reset(&in6_tmpaddrtimer_ch,
333 (ip6_temp_preferred_lifetime - ip6_desync_factor -
334 ip6_temp_regen_advance) * hz,
335 in6_tmpaddrtimer, NULL);
336 #endif
337
338 in6_init2done = 1;
339 }
340
341 #if __FreeBSD__
342 /* cheat */
343 /* This must be after route_init(), which is now SI_ORDER_THIRD */
344 SYSINIT(netinet6init2, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ip6_init2, NULL);
345 #endif
346
347 /*
348 * ip6_forward_rt contains the route entry that was recently used during
349 * the forwarding of an IPv6 packet and thus acts as a route cache. Access
350 * to this variable is protected by the global lock ip6_mutex.
351 */
352 static struct route_in6 ip6_forward_rt;
353
354 void
355 ip6_input(m)
356 struct mbuf *m;
357 {
358 struct ip6_hdr *ip6;
359 int off = sizeof(struct ip6_hdr), nest;
360 u_int32_t plen;
361 u_int32_t rtalert = ~0;
362 int nxt = 0, ours = 0;
363 struct ifnet *deliverifp = NULL;
364 ipfilter_t inject_ipfref = 0;
365 int seen;
366
367 /*
368 * No need to proccess packet twice if we've
369 * already seen it
370 */
371 inject_ipfref = ipf_get_inject_filter(m);
372 if (inject_ipfref != 0) {
373 ip6 = mtod(m, struct ip6_hdr *);
374 nxt = ip6->ip6_nxt;
375 seen = 0;
376 goto injectit;
377 } else
378 seen = 1;
379
380 #if IPSEC
381 /*
382 * should the inner packet be considered authentic?
383 * see comment in ah4_input().
384 */
385 if (m) {
386 m->m_flags &= ~M_AUTHIPHDR;
387 m->m_flags &= ~M_AUTHIPDGM;
388 }
389 #endif
390
391 /*
392 * make sure we don't have onion peering information into m_aux.
393 */
394 ip6_delaux(m);
395
396 lck_mtx_lock(ip6_mutex);
397 /*
398 * mbuf statistics
399 */
400 if (m->m_flags & M_EXT) {
401 if (m->m_next)
402 ip6stat.ip6s_mext2m++;
403 else
404 ip6stat.ip6s_mext1++;
405 } else {
406 #define M2MMAX (sizeof(ip6stat.ip6s_m2m)/sizeof(ip6stat.ip6s_m2m[0]))
407 if (m->m_next) {
408 if (m->m_flags & M_LOOP) {
409 ip6stat.ip6s_m2m[ifnet_index(lo_ifp)]++; /* XXX */
410 } else if (m->m_pkthdr.rcvif->if_index < M2MMAX)
411 ip6stat.ip6s_m2m[m->m_pkthdr.rcvif->if_index]++;
412 else
413 ip6stat.ip6s_m2m[0]++;
414 } else
415 ip6stat.ip6s_m1++;
416 #undef M2MMAX
417 }
418
419 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_receive);
420 ip6stat.ip6s_total++;
421
422 #ifndef PULLDOWN_TEST
423 /*
424 * L2 bridge code and some other code can return mbuf chain
425 * that does not conform to KAME requirement. too bad.
426 * XXX: fails to join if interface MTU > MCLBYTES. jumbogram?
427 */
428 if (m && m->m_next != NULL && m->m_pkthdr.len < MCLBYTES) {
429 struct mbuf *n;
430
431 MGETHDR(n, M_DONTWAIT, MT_HEADER); /* MAC-OK */
432 if (n)
433 M_COPY_PKTHDR(n, m);
434 if (n && m->m_pkthdr.len > MHLEN) {
435 MCLGET(n, M_DONTWAIT);
436 if ((n->m_flags & M_EXT) == 0) {
437 m_freem(n);
438 n = NULL;
439 }
440 }
441 if (n == NULL) {
442 m_freem(m);
443 lck_mtx_unlock(ip6_mutex);
444 return; /*ENOBUFS*/
445 }
446
447 m_copydata(m, 0, m->m_pkthdr.len, mtod(n, caddr_t));
448 n->m_len = m->m_pkthdr.len;
449 m_freem(m);
450 m = n;
451 }
452 IP6_EXTHDR_CHECK(m, 0, sizeof(struct ip6_hdr),
453 {lck_mtx_unlock(ip6_mutex); return;});
454 #endif
455
456 if (m->m_len < sizeof(struct ip6_hdr)) {
457 struct ifnet *inifp;
458 inifp = m->m_pkthdr.rcvif;
459 if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == 0) {
460 ip6stat.ip6s_toosmall++;
461 in6_ifstat_inc(inifp, ifs6_in_hdrerr);
462 lck_mtx_unlock(ip6_mutex);
463 return;
464 }
465 }
466
467 ip6 = mtod(m, struct ip6_hdr *);
468
469 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) {
470 ip6stat.ip6s_badvers++;
471 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
472 goto bad;
473 }
474
475 ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
476
477 /*
478 * Check with the firewall...
479 */
480 if (ip6_fw_enable && ip6_fw_chk_ptr) {
481 u_short port = 0;
482 /* If ipfw says divert, we have to just drop packet */
483 /* use port as a dummy argument */
484 if ((*ip6_fw_chk_ptr)(&ip6, NULL, &port, &m)) {
485 m_freem(m);
486 m = NULL;
487 }
488 if (!m) {
489 lck_mtx_unlock(ip6_mutex);
490 return;
491 }
492 }
493
494 /*
495 * Check against address spoofing/corruption.
496 */
497 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) ||
498 IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) {
499 /*
500 * XXX: "badscope" is not very suitable for a multicast source.
501 */
502 ip6stat.ip6s_badscope++;
503 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
504 goto bad;
505 }
506 if ((IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) ||
507 IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) &&
508 (m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
509 ip6stat.ip6s_badscope++;
510 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
511 goto bad;
512 }
513
514 /*
515 * The following check is not documented in specs. A malicious
516 * party may be able to use IPv4 mapped addr to confuse tcp/udp stack
517 * and bypass security checks (act as if it was from 127.0.0.1 by using
518 * IPv6 src ::ffff:127.0.0.1). Be cautious.
519 *
520 * This check chokes if we are in an SIIT cloud. As none of BSDs
521 * support IPv4-less kernel compilation, we cannot support SIIT
522 * environment at all. So, it makes more sense for us to reject any
523 * malicious packets for non-SIIT environment, than try to do a
524 * partical support for SIIT environment.
525 */
526 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
527 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
528 ip6stat.ip6s_badscope++;
529 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
530 goto bad;
531 }
532 #if 0
533 /*
534 * Reject packets with IPv4 compatible addresses (auto tunnel).
535 *
536 * The code forbids auto tunnel relay case in RFC1933 (the check is
537 * stronger than RFC1933). We may want to re-enable it if mech-xx
538 * is revised to forbid relaying case.
539 */
540 if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) ||
541 IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) {
542 ip6stat.ip6s_badscope++;
543 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
544 goto bad;
545 }
546 #endif
547
548 /* drop packets if interface ID portion is already filled */
549 if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
550 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src) &&
551 ip6->ip6_src.s6_addr16[1]) {
552 ip6stat.ip6s_badscope++;
553 goto bad;
554 }
555 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst) &&
556 ip6->ip6_dst.s6_addr16[1]) {
557 ip6stat.ip6s_badscope++;
558 goto bad;
559 }
560 }
561
562 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src))
563 ip6->ip6_src.s6_addr16[1]
564 = htons(m->m_pkthdr.rcvif->if_index);
565 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))
566 ip6->ip6_dst.s6_addr16[1]
567 = htons(m->m_pkthdr.rcvif->if_index);
568
569 #if 0 /* this case seems to be unnecessary. (jinmei, 20010401) */
570 /*
571 * We use rt->rt_ifp to determine if the address is ours or not.
572 * If rt_ifp is lo0, the address is ours.
573 * The problem here is, rt->rt_ifp for fe80::%lo0/64 is set to lo0,
574 * so any address under fe80::%lo0/64 will be mistakenly considered
575 * local. The special case is supplied to handle the case properly
576 * by actually looking at interface addresses
577 * (using in6ifa_ifpwithaddr).
578 */
579 if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) != 0 &&
580 IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_dst)) {
581 struct in6_ifaddr *ia6;
582 if (!(ia6 = in6ifa_ifpwithaddr(m->m_pkthdr.rcvif, &ip6->ip6_dst))) {
583 lck_mtx_unlock(ip6_mutex);
584 icmp6_error(m, ICMP6_DST_UNREACH,
585 ICMP6_DST_UNREACH_ADDR, 0);
586 /* m is already freed */
587 return;
588 }
589 ifafree(&ia6->ia_ifa);
590
591 ours = 1;
592 deliverifp = m->m_pkthdr.rcvif;
593 goto hbhcheck;
594 }
595 #endif
596
597 /*
598 * Multicast check
599 */
600 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
601 struct in6_multi *in6m = 0;
602
603 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_mcast);
604 /*
605 * See if we belong to the destination multicast group on the
606 * arrival interface.
607 */
608 IN6_LOOKUP_MULTI(ip6->ip6_dst, m->m_pkthdr.rcvif, in6m);
609 if (in6m)
610 ours = 1;
611 else if (!ip6_mrouter) {
612 ip6stat.ip6s_notmember++;
613 ip6stat.ip6s_cantforward++;
614 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
615 goto bad;
616 }
617 deliverifp = m->m_pkthdr.rcvif;
618 goto hbhcheck;
619 }
620
621 /*
622 * Unicast check
623 */
624 if (ip6_forward_rt.ro_rt != NULL &&
625 (ip6_forward_rt.ro_rt->rt_flags & RTF_UP) != 0 &&
626 IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst,
627 &((struct sockaddr_in6 *)(&ip6_forward_rt.ro_dst))->sin6_addr))
628 ip6stat.ip6s_forward_cachehit++;
629 else {
630 struct sockaddr_in6 *dst6;
631
632 if (ip6_forward_rt.ro_rt) {
633 /* route is down or destination is different */
634 ip6stat.ip6s_forward_cachemiss++;
635 rtfree(ip6_forward_rt.ro_rt);
636 ip6_forward_rt.ro_rt = 0;
637 }
638
639 bzero(&ip6_forward_rt.ro_dst, sizeof(struct sockaddr_in6));
640 dst6 = (struct sockaddr_in6 *)&ip6_forward_rt.ro_dst;
641 dst6->sin6_len = sizeof(struct sockaddr_in6);
642 dst6->sin6_family = AF_INET6;
643 dst6->sin6_addr = ip6->ip6_dst;
644 #if SCOPEDROUTING
645 ip6_forward_rt.ro_dst.sin6_scope_id =
646 in6_addr2scopeid(m->m_pkthdr.rcvif, &ip6->ip6_dst);
647 #endif
648
649 rtalloc_ign((struct route *)&ip6_forward_rt, RTF_PRCLONING);
650 }
651
652 #define rt6_key(r) ((struct sockaddr_in6 *)((r)->rt_nodes->rn_key))
653
654 /*
655 * Accept the packet if the forwarding interface to the destination
656 * according to the routing table is the loopback interface,
657 * unless the associated route has a gateway.
658 * Note that this approach causes to accept a packet if there is a
659 * route to the loopback interface for the destination of the packet.
660 * But we think it's even useful in some situations, e.g. when using
661 * a special daemon which wants to intercept the packet.
662 *
663 * XXX: some OSes automatically make a cloned route for the destination
664 * of an outgoing packet. If the outgoing interface of the packet
665 * is a loopback one, the kernel would consider the packet to be
666 * accepted, even if we have no such address assinged on the interface.
667 * We check the cloned flag of the route entry to reject such cases,
668 * assuming that route entries for our own addresses are not made by
669 * cloning (it should be true because in6_addloop explicitly installs
670 * the host route). However, we might have to do an explicit check
671 * while it would be less efficient. Or, should we rather install a
672 * reject route for such a case?
673 */
674 if (ip6_forward_rt.ro_rt &&
675 (ip6_forward_rt.ro_rt->rt_flags &
676 (RTF_HOST|RTF_GATEWAY)) == RTF_HOST &&
677 #if RTF_WASCLONED
678 !(ip6_forward_rt.ro_rt->rt_flags & RTF_WASCLONED) &&
679 #endif
680 #if RTF_CLONED
681 !(ip6_forward_rt.ro_rt->rt_flags & RTF_CLONED) &&
682 #endif
683 #if 0
684 /*
685 * The check below is redundant since the comparison of
686 * the destination and the key of the rtentry has
687 * already done through looking up the routing table.
688 */
689 IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst,
690 &rt6_key(ip6_forward_rt.ro_rt)->sin6_addr)
691 #endif
692 ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_LOOP) {
693 struct in6_ifaddr *ia6 =
694 (struct in6_ifaddr *)ip6_forward_rt.ro_rt->rt_ifa;
695
696 /*
697 * record address information into m_aux.
698 */
699 (void)ip6_setdstifaddr(m, ia6);
700
701 /*
702 * packets to a tentative, duplicated, or somehow invalid
703 * address must not be accepted.
704 */
705 if (!(ia6->ia6_flags & IN6_IFF_NOTREADY)) {
706 /* this address is ready */
707 ours = 1;
708 deliverifp = ia6->ia_ifp; /* correct? */
709 /* Count the packet in the ip address stats */
710 #ifndef __APPLE__
711
712 ia6->ia_ifa.if_ipackets++;
713 ia6->ia_ifa.if_ibytes += m->m_pkthdr.len;
714 #endif
715 goto hbhcheck;
716 } else {
717 /* address is not ready, so discard the packet. */
718 nd6log((LOG_INFO,
719 "ip6_input: packet to an unready address %s->%s\n",
720 ip6_sprintf(&ip6->ip6_src),
721 ip6_sprintf(&ip6->ip6_dst)));
722 goto bad;
723 }
724 }
725
726 /*
727 * FAITH(Firewall Aided Internet Translator)
728 */
729 #if defined(NFAITH) && 0 < NFAITH
730 if (ip6_keepfaith) {
731 if (ip6_forward_rt.ro_rt && ip6_forward_rt.ro_rt->rt_ifp
732 && ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_FAITH) {
733 /* XXX do we need more sanity checks? */
734 ours = 1;
735 deliverifp = ip6_forward_rt.ro_rt->rt_ifp; /* faith */
736 goto hbhcheck;
737 }
738 }
739 #endif
740
741 /*
742 * Now there is no reason to process the packet if it's not our own
743 * and we're not a router.
744 */
745 if (!ip6_forwarding) {
746 ip6stat.ip6s_cantforward++;
747 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
748 goto bad;
749 }
750
751 hbhcheck:
752 /*
753 * record address information into m_aux, if we don't have one yet.
754 * note that we are unable to record it, if the address is not listed
755 * as our interface address (e.g. multicast addresses, addresses
756 * within FAITH prefixes and such).
757 */
758 if (deliverifp && !ip6_getdstifaddr(m)) {
759 struct in6_ifaddr *ia6;
760
761 ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst);
762 if (ia6) {
763 if (!ip6_setdstifaddr(m, ia6)) {
764 /*
765 * XXX maybe we should drop the packet here,
766 * as we could not provide enough information
767 * to the upper layers.
768 */
769 }
770 }
771 }
772
773 /*
774 * Process Hop-by-Hop options header if it's contained.
775 * m may be modified in ip6_hopopts_input().
776 * If a JumboPayload option is included, plen will also be modified.
777 */
778 plen = (u_int32_t)ntohs(ip6->ip6_plen);
779 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) {
780 struct ip6_hbh *hbh;
781
782 if (ip6_hopopts_input(&plen, &rtalert, &m, &off)) {
783 #if 0 /*touches NULL pointer*/
784 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
785 #endif
786 lck_mtx_unlock(ip6_mutex);
787 return; /* m have already been freed */
788 }
789
790 /* adjust pointer */
791 ip6 = mtod(m, struct ip6_hdr *);
792
793 /*
794 * if the payload length field is 0 and the next header field
795 * indicates Hop-by-Hop Options header, then a Jumbo Payload
796 * option MUST be included.
797 */
798 if (ip6->ip6_plen == 0 && plen == 0) {
799 /*
800 * Note that if a valid jumbo payload option is
801 * contained, ip6_hoptops_input() must set a valid
802 * (non-zero) payload length to the variable plen.
803 */
804 ip6stat.ip6s_badoptions++;
805 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
806 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
807 lck_mtx_unlock(ip6_mutex);
808 icmp6_error(m, ICMP6_PARAM_PROB,
809 ICMP6_PARAMPROB_HEADER,
810 (caddr_t)&ip6->ip6_plen - (caddr_t)ip6);
811 return;
812 }
813 #ifndef PULLDOWN_TEST
814 /* ip6_hopopts_input() ensures that mbuf is contiguous */
815 hbh = (struct ip6_hbh *)(ip6 + 1);
816 #else
817 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr),
818 sizeof(struct ip6_hbh));
819 if (hbh == NULL) {
820 ip6stat.ip6s_tooshort++;
821 lck_mtx_unlock(ip6_mutex);
822 return;
823 }
824 #endif
825 nxt = hbh->ip6h_nxt;
826
827 /*
828 * accept the packet if a router alert option is included
829 * and we act as an IPv6 router.
830 */
831 if (rtalert != ~0 && ip6_forwarding)
832 ours = 1;
833 } else
834 nxt = ip6->ip6_nxt;
835
836 /*
837 * Check that the amount of data in the buffers
838 * is as at least much as the IPv6 header would have us expect.
839 * Trim mbufs if longer than we expect.
840 * Drop packet if shorter than we expect.
841 */
842 if (m->m_pkthdr.len - sizeof(struct ip6_hdr) < plen) {
843 ip6stat.ip6s_tooshort++;
844 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
845 goto bad;
846 }
847 if (m->m_pkthdr.len > sizeof(struct ip6_hdr) + plen) {
848 if (m->m_len == m->m_pkthdr.len) {
849 m->m_len = sizeof(struct ip6_hdr) + plen;
850 m->m_pkthdr.len = sizeof(struct ip6_hdr) + plen;
851 } else
852 m_adj(m, sizeof(struct ip6_hdr) + plen - m->m_pkthdr.len);
853 }
854
855 /*
856 * Forward if desirable.
857 */
858 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
859 /*
860 * If we are acting as a multicast router, all
861 * incoming multicast packets are passed to the
862 * kernel-level multicast forwarding function.
863 * The packet is returned (relatively) intact; if
864 * ip6_mforward() returns a non-zero value, the packet
865 * must be discarded, else it may be accepted below.
866 */
867 if (ip6_mrouter && ip6_mforward(ip6, m->m_pkthdr.rcvif, m)) {
868 ip6stat.ip6s_cantforward++;
869 m_freem(m);
870 lck_mtx_unlock(ip6_mutex);
871 return;
872 }
873 if (!ours) {
874 m_freem(m);
875 lck_mtx_unlock(ip6_mutex);
876 return;
877 }
878 } else if (!ours) {
879 ip6_forward(m, &ip6_forward_rt, 0, 1);
880 lck_mtx_unlock(ip6_mutex);
881 return;
882 }
883
884 ip6 = mtod(m, struct ip6_hdr *);
885
886 /*
887 * Malicious party may be able to use IPv4 mapped addr to confuse
888 * tcp/udp stack and bypass security checks (act as if it was from
889 * 127.0.0.1 by using IPv6 src ::ffff:127.0.0.1). Be cautious.
890 *
891 * For SIIT end node behavior, you may want to disable the check.
892 * However, you will become vulnerable to attacks using IPv4 mapped
893 * source.
894 */
895 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
896 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
897 ip6stat.ip6s_badscope++;
898 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
899 goto bad;
900 }
901
902 /*
903 * Tell launch routine the next header
904 */
905 ip6stat.ip6s_delivered++;
906 in6_ifstat_inc(deliverifp, ifs6_in_deliver);
907
908 lck_mtx_unlock(ip6_mutex);
909 injectit:
910 nest = 0;
911
912 while (nxt != IPPROTO_DONE) {
913 struct ipfilter *filter;
914
915 if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) {
916 ip6stat.ip6s_toomanyhdr++;
917 goto badunlocked;
918 }
919
920 /*
921 * protection against faulty packet - there should be
922 * more sanity checks in header chain processing.
923 */
924 if (m->m_pkthdr.len < off) {
925 ip6stat.ip6s_tooshort++;
926 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
927 goto badunlocked;
928 }
929
930 #if 0
931 /*
932 * do we need to do it for every header? yeah, other
933 * functions can play with it (like re-allocate and copy).
934 */
935 mhist = ip6_addaux(m);
936 if (mhist && M_TRAILINGSPACE(mhist) >= sizeof(nxt)) {
937 hist = mtod(mhist, caddr_t) + mhist->m_len;
938 bcopy(&nxt, hist, sizeof(nxt));
939 mhist->m_len += sizeof(nxt);
940 } else {
941 ip6stat.ip6s_toomanyhdr++;
942 goto bad;
943 }
944 #endif
945
946 #if IPSEC
947 /*
948 * enforce IPsec policy checking if we are seeing last header.
949 * note that we do not visit this with protocols with pcb layer
950 * code - like udp/tcp/raw ip.
951 */
952 if ((ipsec_bypass == 0) && (ip6_protox[nxt]->pr_flags & PR_LASTHDR) != 0) {
953 if (ipsec6_in_reject(m, NULL)) {
954 IPSEC_STAT_INCREMENT(ipsec6stat.in_polvio);
955 goto badunlocked;
956 }
957 }
958 #endif
959
960 /*
961 * Call IP filter
962 */
963 if (!TAILQ_EMPTY(&ipv6_filters)) {
964 ipf_ref();
965 TAILQ_FOREACH(filter, &ipv6_filters, ipf_link) {
966 if (seen == 0) {
967 if ((struct ipfilter *)inject_ipfref == filter)
968 seen = 1;
969 } else if (filter->ipf_filter.ipf_input) {
970 errno_t result;
971
972 result = filter->ipf_filter.ipf_input(
973 filter->ipf_filter.cookie, (mbuf_t*)&m, off, nxt);
974 if (result == EJUSTRETURN) {
975 ipf_unref();
976 return;
977 }
978 if (result != 0) {
979 ipf_unref();
980 m_freem(m);
981 return;
982 }
983 }
984 }
985 ipf_unref();
986 }
987 if (!(ip6_protox[nxt]->pr_flags & PR_PROTOLOCK)) {
988 lck_mtx_lock(inet6_domain_mutex);
989 nxt = (*ip6_protox[nxt]->pr_input)(&m, &off);
990 lck_mtx_unlock(inet6_domain_mutex);
991 }
992 else
993 nxt = (*ip6_protox[nxt]->pr_input)(&m, &off);
994 }
995 return;
996 bad:
997 lck_mtx_unlock(ip6_mutex);
998 badunlocked:
999 m_freem(m);
1000 return;
1001 }
1002
1003 /*
1004 * set/grab in6_ifaddr correspond to IPv6 destination address.
1005 * XXX backward compatibility wrapper
1006 */
1007 static struct ip6aux *
1008 ip6_setdstifaddr(struct mbuf *m, struct in6_ifaddr *ia6)
1009 {
1010 struct ip6aux *n;
1011
1012 n = ip6_addaux(m);
1013 if (n)
1014 n->ip6a_dstia6 = ia6;
1015 return (struct ip6aux *)n; /* NULL if failed to set */
1016 }
1017
1018 struct in6_ifaddr *
1019 ip6_getdstifaddr(m)
1020 struct mbuf *m;
1021 {
1022 struct ip6aux *n;
1023
1024 n = ip6_findaux(m);
1025 if (n)
1026 return n->ip6a_dstia6;
1027 else
1028 return NULL;
1029 }
1030
1031 /*
1032 * Hop-by-Hop options header processing. If a valid jumbo payload option is
1033 * included, the real payload length will be stored in plenp.
1034 */
1035 static int
1036 ip6_hopopts_input(plenp, rtalertp, mp, offp)
1037 u_int32_t *plenp;
1038 u_int32_t *rtalertp; /* XXX: should be stored more smart way */
1039 struct mbuf **mp;
1040 int *offp;
1041 {
1042 struct mbuf *m = *mp;
1043 int off = *offp, hbhlen;
1044 struct ip6_hbh *hbh;
1045 u_int8_t *opt;
1046
1047 /* validation of the length of the header */
1048 #ifndef PULLDOWN_TEST
1049 IP6_EXTHDR_CHECK(m, off, sizeof(*hbh), return -1);
1050 hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off);
1051 hbhlen = (hbh->ip6h_len + 1) << 3;
1052
1053 IP6_EXTHDR_CHECK(m, off, hbhlen, return -1);
1054 hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off);
1055 #else
1056 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m,
1057 sizeof(struct ip6_hdr), sizeof(struct ip6_hbh));
1058 if (hbh == NULL) {
1059 ip6stat.ip6s_tooshort++;
1060 return -1;
1061 }
1062 hbhlen = (hbh->ip6h_len + 1) << 3;
1063 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr),
1064 hbhlen);
1065 if (hbh == NULL) {
1066 ip6stat.ip6s_tooshort++;
1067 return -1;
1068 }
1069 #endif
1070 off += hbhlen;
1071 hbhlen -= sizeof(struct ip6_hbh);
1072 opt = (u_int8_t *)hbh + sizeof(struct ip6_hbh);
1073
1074 if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh),
1075 hbhlen, rtalertp, plenp) < 0)
1076 return(-1);
1077
1078 *offp = off;
1079 *mp = m;
1080 return(0);
1081 }
1082
1083 /*
1084 * Search header for all Hop-by-hop options and process each option.
1085 * This function is separate from ip6_hopopts_input() in order to
1086 * handle a case where the sending node itself process its hop-by-hop
1087 * options header. In such a case, the function is called from ip6_output().
1088 *
1089 * The function assumes that hbh header is located right after the IPv6 header
1090 * (RFC2460 p7), opthead is pointer into data content in m, and opthead to
1091 * opthead + hbhlen is located in continuous memory region.
1092 */
1093 int
1094 ip6_process_hopopts(m, opthead, hbhlen, rtalertp, plenp)
1095 struct mbuf *m;
1096 u_int8_t *opthead;
1097 int hbhlen;
1098 u_int32_t *rtalertp;
1099 u_int32_t *plenp;
1100 {
1101 struct ip6_hdr *ip6;
1102 int optlen = 0;
1103 u_int8_t *opt = opthead;
1104 u_int16_t rtalert_val;
1105 u_int32_t jumboplen;
1106 const int erroff = sizeof(struct ip6_hdr) + sizeof(struct ip6_hbh);
1107
1108 for (; hbhlen > 0; hbhlen -= optlen, opt += optlen) {
1109 switch (*opt) {
1110 case IP6OPT_PAD1:
1111 optlen = 1;
1112 break;
1113 case IP6OPT_PADN:
1114 if (hbhlen < IP6OPT_MINLEN) {
1115 ip6stat.ip6s_toosmall++;
1116 goto bad;
1117 }
1118 optlen = *(opt + 1) + 2;
1119 break;
1120 case IP6OPT_RTALERT:
1121 /* XXX may need check for alignment */
1122 if (hbhlen < IP6OPT_RTALERT_LEN) {
1123 ip6stat.ip6s_toosmall++;
1124 goto bad;
1125 }
1126 if (*(opt + 1) != IP6OPT_RTALERT_LEN - 2) {
1127 /* XXX stat */
1128 lck_mtx_unlock(ip6_mutex);
1129 icmp6_error(m, ICMP6_PARAM_PROB,
1130 ICMP6_PARAMPROB_HEADER,
1131 erroff + opt + 1 - opthead);
1132 lck_mtx_lock(ip6_mutex);
1133 return(-1);
1134 }
1135 optlen = IP6OPT_RTALERT_LEN;
1136 bcopy((caddr_t)(opt + 2), (caddr_t)&rtalert_val, 2);
1137 *rtalertp = ntohs(rtalert_val);
1138 break;
1139 case IP6OPT_JUMBO:
1140 /* XXX may need check for alignment */
1141 if (hbhlen < IP6OPT_JUMBO_LEN) {
1142 ip6stat.ip6s_toosmall++;
1143 goto bad;
1144 }
1145 if (*(opt + 1) != IP6OPT_JUMBO_LEN - 2) {
1146 /* XXX stat */
1147 lck_mtx_unlock(ip6_mutex);
1148 icmp6_error(m, ICMP6_PARAM_PROB,
1149 ICMP6_PARAMPROB_HEADER,
1150 erroff + opt + 1 - opthead);
1151 lck_mtx_lock(ip6_mutex);
1152 return(-1);
1153 }
1154 optlen = IP6OPT_JUMBO_LEN;
1155
1156 /*
1157 * IPv6 packets that have non 0 payload length
1158 * must not contain a jumbo payload option.
1159 */
1160 ip6 = mtod(m, struct ip6_hdr *);
1161 if (ip6->ip6_plen) {
1162 ip6stat.ip6s_badoptions++;
1163 lck_mtx_unlock(ip6_mutex);
1164 icmp6_error(m, ICMP6_PARAM_PROB,
1165 ICMP6_PARAMPROB_HEADER,
1166 erroff + opt - opthead);
1167 lck_mtx_lock(ip6_mutex);
1168 return(-1);
1169 }
1170
1171 /*
1172 * We may see jumbolen in unaligned location, so
1173 * we'd need to perform bcopy().
1174 */
1175 bcopy(opt + 2, &jumboplen, sizeof(jumboplen));
1176 jumboplen = (u_int32_t)htonl(jumboplen);
1177
1178 #if 1
1179 /*
1180 * if there are multiple jumbo payload options,
1181 * *plenp will be non-zero and the packet will be
1182 * rejected.
1183 * the behavior may need some debate in ipngwg -
1184 * multiple options does not make sense, however,
1185 * there's no explicit mention in specification.
1186 */
1187 if (*plenp != 0) {
1188 ip6stat.ip6s_badoptions++;
1189 lck_mtx_unlock(ip6_mutex);
1190 icmp6_error(m, ICMP6_PARAM_PROB,
1191 ICMP6_PARAMPROB_HEADER,
1192 erroff + opt + 2 - opthead);
1193 lck_mtx_lock(ip6_mutex);
1194 return(-1);
1195 }
1196 #endif
1197
1198 /*
1199 * jumbo payload length must be larger than 65535.
1200 */
1201 if (jumboplen <= IPV6_MAXPACKET) {
1202 ip6stat.ip6s_badoptions++;
1203 lck_mtx_unlock(ip6_mutex);
1204 icmp6_error(m, ICMP6_PARAM_PROB,
1205 ICMP6_PARAMPROB_HEADER,
1206 erroff + opt + 2 - opthead);
1207 lck_mtx_lock(ip6_mutex);
1208 return(-1);
1209 }
1210 *plenp = jumboplen;
1211
1212 break;
1213 default: /* unknown option */
1214 if (hbhlen < IP6OPT_MINLEN) {
1215 ip6stat.ip6s_toosmall++;
1216 goto bad;
1217 }
1218 optlen = ip6_unknown_opt(opt, m,
1219 erroff + opt - opthead, 1);
1220 if (optlen == -1) {
1221 /* ip6_unknown opt unlocked ip6_mutex */
1222 return(-1);
1223 }
1224 optlen += 2;
1225 break;
1226 }
1227 }
1228
1229 return(0);
1230
1231 bad:
1232 m_freem(m);
1233 return(-1);
1234 }
1235
1236 /*
1237 * Unknown option processing.
1238 * The third argument `off' is the offset from the IPv6 header to the option,
1239 * which is necessary if the IPv6 header the and option header and IPv6 header
1240 * is not continuous in order to return an ICMPv6 error.
1241 */
1242 int
1243 ip6_unknown_opt(optp, m, off, locked)
1244 u_int8_t *optp;
1245 struct mbuf *m;
1246 int off;
1247 int locked;
1248 {
1249 struct ip6_hdr *ip6;
1250
1251 switch (IP6OPT_TYPE(*optp)) {
1252 case IP6OPT_TYPE_SKIP: /* ignore the option */
1253 return((int)*(optp + 1));
1254 case IP6OPT_TYPE_DISCARD: /* silently discard */
1255 m_freem(m);
1256 return(-1);
1257 case IP6OPT_TYPE_FORCEICMP: /* send ICMP even if multicasted */
1258 ip6stat.ip6s_badoptions++;
1259 if (locked)
1260 lck_mtx_unlock(ip6_mutex);
1261 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_OPTION, off);
1262 if (locked)
1263 lck_mtx_lock(ip6_mutex);
1264 return(-1);
1265 case IP6OPT_TYPE_ICMP: /* send ICMP if not multicasted */
1266 ip6stat.ip6s_badoptions++;
1267 ip6 = mtod(m, struct ip6_hdr *);
1268 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
1269 (m->m_flags & (M_BCAST|M_MCAST)))
1270 m_freem(m);
1271 else {
1272 if (locked)
1273 lck_mtx_unlock(ip6_mutex);
1274 icmp6_error(m, ICMP6_PARAM_PROB,
1275 ICMP6_PARAMPROB_OPTION, off);
1276 if (locked)
1277 lck_mtx_lock(ip6_mutex);
1278 }
1279 return(-1);
1280 }
1281
1282 m_freem(m); /* XXX: NOTREACHED */
1283 return(-1);
1284 }
1285
1286 /*
1287 * Create the "control" list for this pcb.
1288 * The function will not modify mbuf chain at all.
1289 *
1290 * with KAME mbuf chain restriction:
1291 * The routine will be called from upper layer handlers like tcp6_input().
1292 * Thus the routine assumes that the caller (tcp6_input) have already
1293 * called IP6_EXTHDR_CHECK() and all the extension headers are located in the
1294 * very first mbuf on the mbuf chain.
1295 */
1296 void
1297 ip6_savecontrol(in6p, mp, ip6, m)
1298 struct inpcb *in6p;
1299 struct mbuf **mp;
1300 struct ip6_hdr *ip6;
1301 struct mbuf *m;
1302 {
1303 int rthdr_exist = 0;
1304
1305 #if SO_TIMESTAMP
1306 if ((in6p->in6p_socket->so_options & SO_TIMESTAMP) != 0) {
1307 struct timeval tv;
1308
1309 microtime(&tv);
1310 *mp = sbcreatecontrol((caddr_t) &tv, sizeof(tv),
1311 SCM_TIMESTAMP, SOL_SOCKET);
1312 if (*mp) {
1313 mp = &(*mp)->m_next;
1314 }
1315 }
1316 #endif
1317
1318 /* some OSes call this logic with IPv4 packet, for SO_TIMESTAMP */
1319 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION)
1320 return;
1321
1322 /* RFC 2292 sec. 5 */
1323 if ((in6p->in6p_flags & IN6P_PKTINFO) != 0) {
1324 struct in6_pktinfo pi6;
1325 bcopy(&ip6->ip6_dst, &pi6.ipi6_addr, sizeof(struct in6_addr));
1326 if (IN6_IS_SCOPE_LINKLOCAL(&pi6.ipi6_addr))
1327 pi6.ipi6_addr.s6_addr16[1] = 0;
1328 pi6.ipi6_ifindex = (m && m->m_pkthdr.rcvif)
1329 ? m->m_pkthdr.rcvif->if_index
1330 : 0;
1331 *mp = sbcreatecontrol((caddr_t) &pi6,
1332 sizeof(struct in6_pktinfo), IPV6_PKTINFO,
1333 IPPROTO_IPV6);
1334 if (*mp)
1335 mp = &(*mp)->m_next;
1336 }
1337
1338 if ((in6p->in6p_flags & IN6P_HOPLIMIT) != 0) {
1339 int hlim = ip6->ip6_hlim & 0xff;
1340 *mp = sbcreatecontrol((caddr_t) &hlim,
1341 sizeof(int), IPV6_HOPLIMIT, IPPROTO_IPV6);
1342 if (*mp)
1343 mp = &(*mp)->m_next;
1344 }
1345
1346 /*
1347 * IPV6_HOPOPTS socket option. Recall that we required super-user
1348 * privilege for the option (see ip6_ctloutput), but it might be too
1349 * strict, since there might be some hop-by-hop options which can be
1350 * returned to normal user.
1351 * See RFC 2292 section 6.
1352 */
1353 if ((in6p->in6p_flags & IN6P_HOPOPTS) != 0) {
1354 /*
1355 * Check if a hop-by-hop options header is contatined in the
1356 * received packet, and if so, store the options as ancillary
1357 * data. Note that a hop-by-hop options header must be
1358 * just after the IPv6 header, which fact is assured through
1359 * the IPv6 input processing.
1360 */
1361 ip6 = mtod(m, struct ip6_hdr *);
1362 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) {
1363 struct ip6_hbh *hbh;
1364 int hbhlen = 0;
1365 #if PULLDOWN_TEST
1366 struct mbuf *ext;
1367 #endif
1368
1369 #ifndef PULLDOWN_TEST
1370 hbh = (struct ip6_hbh *)(ip6 + 1);
1371 hbhlen = (hbh->ip6h_len + 1) << 3;
1372 #else
1373 ext = ip6_pullexthdr(m, sizeof(struct ip6_hdr),
1374 ip6->ip6_nxt);
1375 if (ext == NULL) {
1376 ip6stat.ip6s_tooshort++;
1377 return;
1378 }
1379 hbh = mtod(ext, struct ip6_hbh *);
1380 hbhlen = (hbh->ip6h_len + 1) << 3;
1381 if (hbhlen != ext->m_len) {
1382 m_freem(ext);
1383 ip6stat.ip6s_tooshort++;
1384 return;
1385 }
1386 #endif
1387
1388 /*
1389 * XXX: We copy whole the header even if a jumbo
1390 * payload option is included, which option is to
1391 * be removed before returning in the RFC 2292.
1392 * Note: this constraint is removed in 2292bis.
1393 */
1394 *mp = sbcreatecontrol((caddr_t)hbh, hbhlen,
1395 IPV6_HOPOPTS, IPPROTO_IPV6);
1396 if (*mp)
1397 mp = &(*mp)->m_next;
1398 #if PULLDOWN_TEST
1399 m_freem(ext);
1400 #endif
1401 }
1402 }
1403
1404 /* IPV6_DSTOPTS and IPV6_RTHDR socket options */
1405 if ((in6p->in6p_flags & (IN6P_DSTOPTS | IN6P_RTHDRDSTOPTS)) != 0) {
1406 int proto, off, nxt;
1407
1408 /*
1409 * go through the header chain to see if a routing header is
1410 * contained in the packet. We need this information to store
1411 * destination options headers (if any) properly.
1412 * XXX: performance issue. We should record this info when
1413 * processing extension headers in incoming routine.
1414 * (todo) use m_aux?
1415 */
1416 proto = IPPROTO_IPV6;
1417 off = 0;
1418 nxt = -1;
1419 while (1) {
1420 int newoff;
1421
1422 newoff = ip6_nexthdr(m, off, proto, &nxt);
1423 if (newoff < 0)
1424 break;
1425 if (newoff < off) /* invalid, check for safety */
1426 break;
1427 if ((proto = nxt) == IPPROTO_ROUTING) {
1428 rthdr_exist = 1;
1429 break;
1430 }
1431 off = newoff;
1432 }
1433 }
1434
1435 if ((in6p->in6p_flags &
1436 (IN6P_RTHDR | IN6P_DSTOPTS | IN6P_RTHDRDSTOPTS)) != 0) {
1437 ip6 = mtod(m, struct ip6_hdr *);
1438 int nxt = ip6->ip6_nxt, off = sizeof(struct ip6_hdr);
1439
1440 /*
1441 * Search for destination options headers or routing
1442 * header(s) through the header chain, and stores each
1443 * header as ancillary data.
1444 * Note that the order of the headers remains in
1445 * the chain of ancillary data.
1446 */
1447 while (1) { /* is explicit loop prevention necessary? */
1448 struct ip6_ext *ip6e = NULL;
1449 int elen;
1450 #if PULLDOWN_TEST
1451 struct mbuf *ext = NULL;
1452 #endif
1453
1454 /*
1455 * if it is not an extension header, don't try to
1456 * pull it from the chain.
1457 */
1458 switch (nxt) {
1459 case IPPROTO_DSTOPTS:
1460 case IPPROTO_ROUTING:
1461 case IPPROTO_HOPOPTS:
1462 case IPPROTO_AH: /* is it possible? */
1463 break;
1464 default:
1465 goto loopend;
1466 }
1467
1468 #ifndef PULLDOWN_TEST
1469 if (off + sizeof(*ip6e) > m->m_len)
1470 goto loopend;
1471 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + off);
1472 if (nxt == IPPROTO_AH)
1473 elen = (ip6e->ip6e_len + 2) << 2;
1474 else
1475 elen = (ip6e->ip6e_len + 1) << 3;
1476 if (off + elen > m->m_len)
1477 goto loopend;
1478 #else
1479 ext = ip6_pullexthdr(m, off, nxt);
1480 if (ext == NULL) {
1481 ip6stat.ip6s_tooshort++;
1482 return;
1483 }
1484 ip6e = mtod(ext, struct ip6_ext *);
1485 if (nxt == IPPROTO_AH)
1486 elen = (ip6e->ip6e_len + 2) << 2;
1487 else
1488 elen = (ip6e->ip6e_len + 1) << 3;
1489 if (elen != ext->m_len) {
1490 m_freem(ext);
1491 ip6stat.ip6s_tooshort++;
1492 return;
1493 }
1494 #endif
1495
1496 switch (nxt) {
1497 case IPPROTO_DSTOPTS:
1498 if ((in6p->in6p_flags & IN6P_DSTOPTS) == 0)
1499 break;
1500
1501 *mp = sbcreatecontrol((caddr_t)ip6e, elen,
1502 IPV6_DSTOPTS,
1503 IPPROTO_IPV6);
1504 if (*mp)
1505 mp = &(*mp)->m_next;
1506 break;
1507 case IPPROTO_ROUTING:
1508 if (!in6p->in6p_flags & IN6P_RTHDR)
1509 break;
1510
1511 *mp = sbcreatecontrol((caddr_t)ip6e, elen,
1512 IPV6_RTHDR,
1513 IPPROTO_IPV6);
1514 if (*mp)
1515 mp = &(*mp)->m_next;
1516 break;
1517 case IPPROTO_HOPOPTS:
1518 case IPPROTO_AH: /* is it possible? */
1519 break;
1520
1521 default:
1522 /*
1523 * other cases have been filtered in the above.
1524 * none will visit this case. here we supply
1525 * the code just in case (nxt overwritten or
1526 * other cases).
1527 */
1528 #if PULLDOWN_TEST
1529 m_freem(ext);
1530 #endif
1531 goto loopend;
1532
1533 }
1534
1535 /* proceed with the next header. */
1536 off += elen;
1537 nxt = ip6e->ip6e_nxt;
1538 ip6e = NULL;
1539 #if PULLDOWN_TEST
1540 m_freem(ext);
1541 ext = NULL;
1542 #endif
1543 }
1544 loopend:
1545 ;
1546 }
1547
1548 }
1549
1550 #if PULLDOWN_TEST
1551 /*
1552 * pull single extension header from mbuf chain. returns single mbuf that
1553 * contains the result, or NULL on error.
1554 */
1555 static struct mbuf *
1556 ip6_pullexthdr(m, off, nxt)
1557 struct mbuf *m;
1558 size_t off;
1559 int nxt;
1560 {
1561 struct ip6_ext ip6e;
1562 size_t elen;
1563 struct mbuf *n;
1564
1565 #if DIAGNOSTIC
1566 switch (nxt) {
1567 case IPPROTO_DSTOPTS:
1568 case IPPROTO_ROUTING:
1569 case IPPROTO_HOPOPTS:
1570 case IPPROTO_AH: /* is it possible? */
1571 break;
1572 default:
1573 printf("ip6_pullexthdr: invalid nxt=%d\n", nxt);
1574 }
1575 #endif
1576
1577 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
1578 if (nxt == IPPROTO_AH)
1579 elen = (ip6e.ip6e_len + 2) << 2;
1580 else
1581 elen = (ip6e.ip6e_len + 1) << 3;
1582
1583 MGET(n, M_DONTWAIT, MT_DATA);
1584 if (n && elen >= MLEN) {
1585 MCLGET(n, M_DONTWAIT);
1586 if ((n->m_flags & M_EXT) == 0) {
1587 m_free(n);
1588 n = NULL;
1589 }
1590 }
1591 if (!n)
1592 return NULL;
1593
1594 n->m_len = 0;
1595 if (elen >= M_TRAILINGSPACE(n)) {
1596 m_free(n);
1597 return NULL;
1598 }
1599
1600 m_copydata(m, off, elen, mtod(n, caddr_t));
1601 n->m_len = elen;
1602 return n;
1603 }
1604 #endif
1605
1606 /*
1607 * Get pointer to the previous header followed by the header
1608 * currently processed.
1609 * XXX: This function supposes that
1610 * M includes all headers,
1611 * the next header field and the header length field of each header
1612 * are valid, and
1613 * the sum of each header length equals to OFF.
1614 * Because of these assumptions, this function must be called very
1615 * carefully. Moreover, it will not be used in the near future when
1616 * we develop `neater' mechanism to process extension headers.
1617 */
1618 char *
1619 ip6_get_prevhdr(m, off)
1620 struct mbuf *m;
1621 int off;
1622 {
1623 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
1624
1625 if (off == sizeof(struct ip6_hdr))
1626 return((char *) &ip6->ip6_nxt);
1627 else {
1628 int len, nxt;
1629 struct ip6_ext *ip6e = NULL;
1630
1631 nxt = ip6->ip6_nxt;
1632 len = sizeof(struct ip6_hdr);
1633 while (len < off) {
1634 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + len);
1635
1636 switch (nxt) {
1637 case IPPROTO_FRAGMENT:
1638 len += sizeof(struct ip6_frag);
1639 break;
1640 case IPPROTO_AH:
1641 len += (ip6e->ip6e_len + 2) << 2;
1642 break;
1643 default:
1644 len += (ip6e->ip6e_len + 1) << 3;
1645 break;
1646 }
1647 nxt = ip6e->ip6e_nxt;
1648 }
1649 if (ip6e)
1650 return((char *) &ip6e->ip6e_nxt);
1651 else
1652 return NULL;
1653 }
1654 }
1655
1656 /*
1657 * get next header offset. m will be retained.
1658 */
1659 int
1660 ip6_nexthdr(m, off, proto, nxtp)
1661 struct mbuf *m;
1662 int off;
1663 int proto;
1664 int *nxtp;
1665 {
1666 struct ip6_hdr ip6;
1667 struct ip6_ext ip6e;
1668 struct ip6_frag fh;
1669
1670 /* just in case */
1671 if (m == NULL)
1672 panic("ip6_nexthdr: m == NULL");
1673 if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off)
1674 return -1;
1675
1676 switch (proto) {
1677 case IPPROTO_IPV6:
1678 if (m->m_pkthdr.len < off + sizeof(ip6))
1679 return -1;
1680 m_copydata(m, off, sizeof(ip6), (caddr_t)&ip6);
1681 if (nxtp)
1682 *nxtp = ip6.ip6_nxt;
1683 off += sizeof(ip6);
1684 return off;
1685
1686 case IPPROTO_FRAGMENT:
1687 /*
1688 * terminate parsing if it is not the first fragment,
1689 * it does not make sense to parse through it.
1690 */
1691 if (m->m_pkthdr.len < off + sizeof(fh))
1692 return -1;
1693 m_copydata(m, off, sizeof(fh), (caddr_t)&fh);
1694 /* IP6F_OFF_MASK = 0xfff8(BigEndian), 0xf8ff(LittleEndian) */
1695 if (fh.ip6f_offlg & IP6F_OFF_MASK)
1696 return -1;
1697 if (nxtp)
1698 *nxtp = fh.ip6f_nxt;
1699 off += sizeof(struct ip6_frag);
1700 return off;
1701
1702 case IPPROTO_AH:
1703 if (m->m_pkthdr.len < off + sizeof(ip6e))
1704 return -1;
1705 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
1706 if (nxtp)
1707 *nxtp = ip6e.ip6e_nxt;
1708 off += (ip6e.ip6e_len + 2) << 2;
1709 return off;
1710
1711 case IPPROTO_HOPOPTS:
1712 case IPPROTO_ROUTING:
1713 case IPPROTO_DSTOPTS:
1714 if (m->m_pkthdr.len < off + sizeof(ip6e))
1715 return -1;
1716 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
1717 if (nxtp)
1718 *nxtp = ip6e.ip6e_nxt;
1719 off += (ip6e.ip6e_len + 1) << 3;
1720 return off;
1721
1722 case IPPROTO_NONE:
1723 case IPPROTO_ESP:
1724 case IPPROTO_IPCOMP:
1725 /* give up */
1726 return -1;
1727
1728 default:
1729 return -1;
1730 }
1731
1732 return -1;
1733 }
1734
1735 /*
1736 * get offset for the last header in the chain. m will be kept untainted.
1737 */
1738 int
1739 ip6_lasthdr(m, off, proto, nxtp)
1740 struct mbuf *m;
1741 int off;
1742 int proto;
1743 int *nxtp;
1744 {
1745 int newoff;
1746 int nxt;
1747
1748 if (!nxtp) {
1749 nxt = -1;
1750 nxtp = &nxt;
1751 }
1752 while (1) {
1753 newoff = ip6_nexthdr(m, off, proto, nxtp);
1754 if (newoff < 0)
1755 return off;
1756 else if (newoff < off)
1757 return -1; /* invalid */
1758 else if (newoff == off)
1759 return newoff;
1760
1761 off = newoff;
1762 proto = *nxtp;
1763 }
1764 }
1765
1766 struct ip6aux *
1767 ip6_addaux(
1768 struct mbuf *m)
1769 {
1770 struct m_tag *tag;
1771
1772 /* Check if one is already allocated */
1773 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_INET6, NULL);
1774 if (tag == NULL) {
1775 /* Allocate a tag */
1776 tag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_INET6,
1777 sizeof(*tag), M_DONTWAIT);
1778
1779 /* Attach it to the mbuf */
1780 if (tag) {
1781 m_tag_prepend(m, tag);
1782 }
1783 }
1784
1785 return tag ? (struct ip6aux*)(tag + 1) : NULL;
1786 }
1787
1788 struct ip6aux *
1789 ip6_findaux(
1790 struct mbuf *m)
1791 {
1792 struct m_tag *tag;
1793
1794 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_ENCAP, NULL);
1795
1796 return tag ? (struct ip6aux*)(tag + 1) : NULL;
1797 }
1798
1799 void
1800 ip6_delaux(
1801 struct mbuf *m)
1802 {
1803 struct m_tag *tag;
1804
1805 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_ENCAP, NULL);
1806 if (tag) {
1807 m_tag_delete(m, tag);
1808 }
1809 }
1810
1811 /*
1812 * System control for IP6
1813 */
1814
1815 u_char inet6ctlerrmap[PRC_NCMDS] = {
1816 0, 0, 0, 0,
1817 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH,
1818 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED,
1819 EMSGSIZE, EHOSTUNREACH, 0, 0,
1820 0, 0, 0, 0,
1821 ENOPROTOOPT
1822 };
mirror of XNU