Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. =================================================================== RCS file: /ftp/cvs/cvsroot/src/sys/netinet6/ip6_input.c,v rcsdiff: /ftp/cvs/cvsroot/src/sys/netinet6/ip6_input.c,v: warning: Unknown phrases like `commitid ...;' are present. retrieving revision 1.164.2.4 retrieving revision 1.208.2.4 diff -u -p -r1.164.2.4 -r1.208.2.4 --- src/sys/netinet6/ip6_input.c 2017/03/20 06:57:51 1.164.2.4 +++ src/sys/netinet6/ip6_input.c 2019/11/16 17:01:45 1.208.2.4 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_input.c,v 1.164.2.4 2017/03/20 06:57:51 pgoyette Exp $ */ +/* $NetBSD: ip6_input.c,v 1.208.2.4 2019/11/16 17:01:45 martin Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* @@ -62,14 +62,13 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.164.2.4 2017/03/20 06:57:51 pgoyette Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.208.2.4 2019/11/16 17:01:45 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_gateway.h" #include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipsec.h" -#include "opt_compat_netbsd.h" #include "opt_net_mpsafe.h" #endif @@ -87,6 +86,7 @@ __KERNEL_RCSID(0, "$NetBSD: ip6_input.c, #include #include #include +#include #include #include @@ -119,36 +119,27 @@ __KERNEL_RCSID(0, "$NetBSD: ip6_input.c, #include #endif /* IPSEC */ -#ifdef COMPAT_50 -#include -#include -#endif - #include #include "faith.h" -#include - extern struct domain inet6domain; u_char ip6_protox[IPPROTO_MAX]; pktqueue_t *ip6_pktq __read_mostly; -int ip6_forward_srcrt; /* XXX */ -int ip6_sourcecheck; /* XXX */ -int ip6_sourcecheck_interval; /* XXX */ - pfil_head_t *inet6_pfil_hook; percpu_t *ip6stat_percpu; -static void ip6_init2(void); +percpu_t *ip6_forward_rt_percpu __cacheline_aligned; + static void ip6intr(void *); +static bool ip6_badaddr(struct ip6_hdr *); static struct m_tag *ip6_setdstifaddr(struct mbuf *, const struct in6_ifaddr *); static int ip6_process_hopopts(struct mbuf *, u_int8_t *, int, u_int32_t *, - u_int32_t *); + u_int32_t *); static struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int); static void sysctl_net_inet6_ip6_setup(struct sysctllog **); @@ -193,7 +184,7 @@ ip6_init(void) frag6_init(); ip6_desync_factor = cprng_fast32() % MAX_TEMP_DESYNC_FACTOR; - ip6_init2(); + in6_tmpaddrtimer_init(); #ifdef GATEWAY ip6flow_init(ip6_hashsize); #endif @@ -202,18 +193,7 @@ ip6_init(void) KASSERT(inet6_pfil_hook != NULL); ip6stat_percpu = percpu_alloc(sizeof(uint64_t) * IP6_NSTATS); -} - -static void -ip6_init2(void) -{ - - /* timer for regeneranation of temporary addresses randomize ID */ - callout_init(&in6_tmpaddrtimer_ch, CALLOUT_MPSAFE); - callout_reset(&in6_tmpaddrtimer_ch, - (ip6_temp_preferred_lifetime - ip6_desync_factor - - ip6_temp_regen_advance) * hz, - in6_tmpaddrtimer, NULL); + ip6_forward_rt_percpu = rtcache_percpu_alloc(); } /* @@ -224,9 +204,7 @@ ip6intr(void *arg __unused) { struct mbuf *m; -#ifndef NET_MPSAFE - mutex_enter(softnet_lock); -#endif + SOFTNET_KERNEL_LOCK_UNLESS_NET_MPSAFE(); while ((m = pktq_dequeue(ip6_pktq)) != NULL) { struct psref psref; struct ifnet *rcvif = m_get_rcvif_psref(m, &psref); @@ -246,13 +224,9 @@ ip6intr(void *arg __unused) ip6_input(m, rcvif); m_put_rcvif_psref(rcvif, &psref); } -#ifndef NET_MPSAFE - mutex_exit(softnet_lock); -#endif + SOFTNET_KERNEL_UNLOCK_UNLESS_NET_MPSAFE(); } -extern struct route ip6_forward_rt; - void ip6_input(struct mbuf *m, struct ifnet *rcvif) { @@ -260,7 +234,7 @@ ip6_input(struct mbuf *m, struct ifnet * int hit, off = sizeof(struct ip6_hdr), nest; u_int32_t plen; u_int32_t rtalert = ~0; - int nxt, ours = 0, rh_present = 0; + int nxt, ours = 0, rh_present = 0, frg_present; struct ifnet *deliverifp = NULL; int srcrt = 0; struct rtentry *rt = NULL; @@ -268,6 +242,9 @@ ip6_input(struct mbuf *m, struct ifnet * struct sockaddr dst; struct sockaddr_in6 dst6; } u; + struct route *ro; + + KASSERT(rcvif != NULL); /* * make sure we don't have onion peering information into m_tag. @@ -307,7 +284,7 @@ ip6_input(struct mbuf *m, struct ifnet * */ if (IP6_HDR_ALIGNED_P(mtod(m, void *)) == 0) { if ((m = m_copyup(m, sizeof(struct ip6_hdr), - (max_linkhdr + 3) & ~3)) == NULL) { + (max_linkhdr + 3) & ~3)) == NULL) { /* XXXJRT new stat, please */ IP6_STATINC(IP6_STAT_TOOSMALL); in6_ifstat_inc(rcvif, ifs6_in_hdrerr); @@ -329,6 +306,12 @@ ip6_input(struct mbuf *m, struct ifnet * goto bad; } + if (ip6_badaddr(ip6)) { + IP6_STATINC(IP6_STAT_BADSCOPE); + in6_ifstat_inc(rcvif, ifs6_in_addrerr); + goto bad; + } + /* * Assume that we can create a fast-forward IP flow entry * based on this packet. @@ -341,24 +324,32 @@ ip6_input(struct mbuf *m, struct ifnet * * not fast-forwarded, they must clear the M_CANFASTFWD flag. * Note that filters must _never_ set this flag, as another filter * in the list may have previously cleared it. - */ - /* - * let ipfilter look at packet on the wire, - * not the decapsulated packet. + * + * Don't call hooks if the packet has already been processed by + * IPsec (encapsulated, tunnel mode). */ #if defined(IPSEC) - if (!ipsec_used || !ipsec_indone(m)) + if (!ipsec_used || !ipsec_skip_pfil(m)) #else if (1) #endif { struct in6_addr odst; + int error; odst = ip6->ip6_dst; - if (pfil_run_hooks(inet6_pfil_hook, &m, rcvif, PFIL_IN) != 0) - return; - if (m == NULL) + error = pfil_run_hooks(inet6_pfil_hook, &m, rcvif, PFIL_IN); + if (error != 0 || m == NULL) { + IP6_STATINC(IP6_STAT_PFILDROP_IN); return; + } + if (m->m_len < sizeof(struct ip6_hdr)) { + if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { + IP6_STATINC(IP6_STAT_TOOSMALL); + in6_ifstat_inc(rcvif, ifs6_in_hdrerr); + return; + } + } ip6 = mtod(m, struct ip6_hdr *); srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst); } @@ -378,52 +369,6 @@ ip6_input(struct mbuf *m, struct ifnet * #endif /* - * Check against address spoofing/corruption. - */ - if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) || - IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) { - /* - * XXX: "badscope" is not very suitable for a multicast source. - */ - IP6_STATINC(IP6_STAT_BADSCOPE); - in6_ifstat_inc(rcvif, ifs6_in_addrerr); - goto bad; - } - /* - * The following check is not documented in specs. A malicious - * party may be able to use IPv4 mapped addr to confuse tcp/udp stack - * and bypass security checks (act as if it was from 127.0.0.1 by using - * IPv6 src ::ffff:127.0.0.1). Be cautious. - * - * This check chokes if we are in an SIIT cloud. As none of BSDs - * support IPv4-less kernel compilation, we cannot support SIIT - * environment at all. So, it makes more sense for us to reject any - * malicious packets for non-SIIT environment, than try to do a - * partial support for SIIT environment. - */ - if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || - IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { - IP6_STATINC(IP6_STAT_BADSCOPE); - in6_ifstat_inc(rcvif, ifs6_in_addrerr); - goto bad; - } -#if 0 - /* - * Reject packets with IPv4 compatible addresses (auto tunnel). - * - * The code forbids auto tunnel relay case in RFC1933 (the check is - * stronger than RFC1933). We may want to re-enable it if mech-xx - * is revised to forbid relaying case. - */ - if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) || - IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) { - IP6_STATINC(IP6_STAT_BADSCOPE); - in6_ifstat_inc(rcvif, ifs6_in_addrerr); - goto bad; - } -#endif - - /* * Disambiguate address scope zones (if there is ambiguity). * We first make sure that the original source or destination address * is not in our internal form for scoped addresses. Such addresses @@ -431,7 +376,7 @@ ip6_input(struct mbuf *m, struct ifnet * * to the usage conflict. * in6_setscope() then also checks and rejects the cases where src or * dst are the loopback address and the receiving interface - * is not loopback. + * is not loopback. */ if (__predict_false( m_makewritable(&m, 0, sizeof(struct ip6_hdr), M_DONTWAIT))) @@ -447,7 +392,8 @@ ip6_input(struct mbuf *m, struct ifnet * goto bad; } - ro = percpu_getref(ip6_forward_rt_percpu); + ro = rtcache_percpu_getref(ip6_forward_rt_percpu); + /* * Multicast check */ @@ -460,9 +406,9 @@ ip6_input(struct mbuf *m, struct ifnet * * arrival interface. */ ingroup = in6_multi_group(&ip6->ip6_dst, rcvif); - if (ingroup) + if (ingroup) { ours = 1; - else if (!ip6_mrouter) { + } else if (!ip6_mrouter) { uint64_t *ip6s = IP6_STAT_GETREF(); ip6s[IP6_STAT_NOTMEMBER]++; ip6s[IP6_STAT_CANTFORWARD]++; @@ -477,7 +423,7 @@ ip6_input(struct mbuf *m, struct ifnet * sockaddr_in6_init(&u.dst6, &ip6->ip6_dst, 0, 0, 0); /* - * Unicast check + * Unicast check */ rt = rtcache_lookup2(ro, &u.dst, 1, &hit); if (hit) @@ -485,12 +431,15 @@ ip6_input(struct mbuf *m, struct ifnet * else IP6_STATINC(IP6_STAT_FORWARD_CACHEMISS); -#define rt6_getkey(__rt) satocsin6(rt_getkey(__rt)) - /* * Accept the packet if the forwarding interface to the destination - * according to the routing table is the loopback interface, + * (according to the routing table) is the loopback interface, * unless the associated route has a gateway. + * + * We don't explicitly match ip6_dst against an interface here. It + * is already done in rtcache_lookup2: rt->rt_ifp->if_type will be + * IFT_LOOP if the packet is for us. + * * Note that this approach causes to accept a packet if there is a * route to the loopback interface for the destination of the packet. * But we think it's even useful in some situations, e.g. when using @@ -498,23 +447,35 @@ ip6_input(struct mbuf *m, struct ifnet * */ if (rt != NULL && (rt->rt_flags & (RTF_HOST|RTF_GATEWAY)) == RTF_HOST && -#if 0 - /* - * The check below is redundant since the comparison of - * the destination and the key of the rtentry has - * already done through looking up the routing table. - */ - IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &rt6_getkey(rt)->sin6_addr) && -#endif rt->rt_ifp->if_type == IFT_LOOP) { struct in6_ifaddr *ia6 = (struct in6_ifaddr *)rt->rt_ifa; + int addrok; + if (ia6->ia6_flags & IN6_IFF_ANYCAST) m->m_flags |= M_ANYCAST6; /* * packets to a tentative, duplicated, or somehow invalid * address must not be accepted. */ - if (!(ia6->ia6_flags & IN6_IFF_NOTREADY)) { + if (ia6->ia6_flags & IN6_IFF_NOTREADY) + addrok = 0; + else if (ia6->ia6_flags & IN6_IFF_DETACHED && + !IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) + { + /* Allow internal traffic to DETACHED addresses */ + struct sockaddr_in6 sin6; + int s; + + memset(&sin6, 0, sizeof(sin6)); + sin6.sin6_family = AF_INET6; + sin6.sin6_len = sizeof(sin6); + sin6.sin6_addr = ip6->ip6_src; + s = pserialize_read_enter(); + addrok = (ifa_ifwithaddr(sin6tosa(&sin6)) != NULL); + pserialize_read_exit(s); + } else + addrok = 1; + if (addrok) { /* this address is ready */ ours = 1; deliverifp = ia6->ia_ifp; /* correct? */ @@ -546,26 +507,6 @@ ip6_input(struct mbuf *m, struct ifnet * } #endif -#if 0 - { - /* - * Last resort: check in6_ifaddr for incoming interface. - * The code is here until I update the "goto ours hack" code above - * working right. - */ - struct ifaddr *ifa; - IFADDR_READER_FOREACH(ifa, rcvif) { - if (ifa->ifa_addr->sa_family != AF_INET6) - continue; - if (IN6_ARE_ADDR_EQUAL(IFA_IN6(ifa), &ip6->ip6_dst)) { - ours = 1; - deliverifp = ifa->ifa_ifp; - goto hbhcheck; - } - } - } -#endif - /* * Now there is no reason to process the packet if it's not our own * and we're not a router. @@ -576,10 +517,10 @@ ip6_input(struct mbuf *m, struct ifnet * goto bad_unref; } - hbhcheck: +hbhcheck: /* - * record address information into m_tag, if we don't have one yet. - * note that we are unable to record it, if the address is not listed + * Record address information into m_tag, if we don't have one yet. + * Note that we are unable to record it, if the address is not listed * as our interface address (e.g. multicast addresses, addresses * within FAITH prefixes and such). */ @@ -609,12 +550,11 @@ ip6_input(struct mbuf *m, struct ifnet * struct ip6_hbh *hbh; if (ip6_hopopts_input(&plen, &rtalert, &m, &off)) { -#if 0 /*touches NULL pointer*/ + /* m already freed */ in6_ifstat_inc(rcvif, ifs6_in_discard); -#endif rtcache_unref(rt, ro); - percpu_putref(ip6_forward_rt_percpu); - return; /* m have already been freed */ + rtcache_percpu_putref(ip6_forward_rt_percpu); + return; } /* adjust pointer */ @@ -638,7 +578,7 @@ ip6_input(struct mbuf *m, struct ifnet * ICMP6_PARAMPROB_HEADER, (char *)&ip6->ip6_plen - (char *)ip6); rtcache_unref(rt, ro); - percpu_putref(ip6_forward_rt_percpu); + rtcache_percpu_putref(ip6_forward_rt_percpu); return; } IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), @@ -646,7 +586,7 @@ ip6_input(struct mbuf *m, struct ifnet * if (hbh == NULL) { IP6_STATINC(IP6_STAT_TOOSHORT); rtcache_unref(rt, ro); - percpu_putref(ip6_forward_rt_percpu); + rtcache_percpu_putref(ip6_forward_rt_percpu); return; } KASSERT(IP6_HDR_ALIGNED_P(hbh)); @@ -662,10 +602,9 @@ ip6_input(struct mbuf *m, struct ifnet * nxt = ip6->ip6_nxt; /* - * Check that the amount of data in the buffers - * is as at least much as the IPv6 header would have us expect. - * Trim mbufs if longer than we expect. - * Drop packet if shorter than we expect. + * Check that the amount of data in the buffers is at least much as + * the IPv6 header would have us expect. Trim mbufs if longer than we + * expect. Drop packet if shorter than we expect. */ if (m->m_pkthdr.len - sizeof(struct ip6_hdr) < plen) { IP6_STATINC(IP6_STAT_TOOSHORT); @@ -701,7 +640,7 @@ ip6_input(struct mbuf *m, struct ifnet * if (error != 0) { rtcache_unref(rt, ro); - percpu_putref(ip6_forward_rt_percpu); + rtcache_percpu_putref(ip6_forward_rt_percpu); IP6_STATINC(IP6_STAT_CANTFORWARD); goto bad; } @@ -710,7 +649,7 @@ ip6_input(struct mbuf *m, struct ifnet * goto bad_unref; } else if (!ours) { rtcache_unref(rt, ro); - percpu_putref(ip6_forward_rt_percpu); + rtcache_percpu_putref(ip6_forward_rt_percpu); ip6_forward(m, srcrt); return; } @@ -733,9 +672,6 @@ ip6_input(struct mbuf *m, struct ifnet * goto bad_unref; } - /* - * Tell launch routine the next header - */ #ifdef IFA_STATS if (deliverifp != NULL) { struct in6_ifaddr *ia6; @@ -754,9 +690,10 @@ ip6_input(struct mbuf *m, struct ifnet * rtcache_unref(rt, ro); rt = NULL; } - percpu_putref(ip6_forward_rt_percpu); + rtcache_percpu_putref(ip6_forward_rt_percpu); rh_present = 0; + frg_present = 0; while (nxt != IPPROTO_DONE) { if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) { IP6_STATINC(IP6_STAT_TOOMANYHDR); @@ -764,6 +701,8 @@ ip6_input(struct mbuf *m, struct ifnet * goto bad; } + M_VERIFY_PACKET(m); + /* * protection against faulty packet - there should be * more sanity checks in header chain processing. @@ -780,42 +719,81 @@ ip6_input(struct mbuf *m, struct ifnet * IP6_STATINC(IP6_STAT_BADOPTIONS); goto bad; } + } else if (nxt == IPPROTO_FRAGMENT) { + if (frg_present++) { + in6_ifstat_inc(rcvif, ifs6_in_hdrerr); + IP6_STATINC(IP6_STAT_BADOPTIONS); + goto bad; + } } #ifdef IPSEC if (ipsec_used) { /* - * enforce IPsec policy checking if we are seeing last - * header. note that we do not visit this with + * Enforce IPsec policy checking if we are seeing last + * header. Note that we do not visit this with * protocols with pcb layer code - like udp/tcp/raw ip. */ - if ((inet6sw[ip_protox[nxt]].pr_flags + if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0) { int error; - SOFTNET_LOCK(); - error = ipsec6_input(m); - SOFTNET_UNLOCK(); + error = ipsec_ip_input(m, false); if (error) goto bad; } } -#endif /* IPSEC */ +#endif - SOFTNET_LOCK(); nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt); - SOFTNET_UNLOCK(); } return; - bad_unref: +bad_unref: rtcache_unref(rt, ro); - percpu_putref(ip6_forward_rt_percpu); - bad: + rtcache_percpu_putref(ip6_forward_rt_percpu); +bad: m_freem(m); return; } +static bool +ip6_badaddr(struct ip6_hdr *ip6) +{ + /* Check against address spoofing/corruption. */ + if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) || + IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) { + return true; + } + + /* + * The following check is not documented in specs. A malicious + * party may be able to use IPv4 mapped addr to confuse tcp/udp stack + * and bypass security checks (act as if it was from 127.0.0.1 by using + * IPv6 src ::ffff:127.0.0.1). Be cautious. + * + * This check chokes if we are in an SIIT cloud. As none of BSDs + * support IPv4-less kernel compilation, we cannot support SIIT + * environment at all. So, it makes more sense for us to reject any + * malicious packets for non-SIIT environment, than try to do a + * partial support for SIIT environment. + */ + if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || + IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { + return true; + } + + /* + * Reject packets with IPv4-compatible IPv6 addresses (RFC4291). + */ + if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) || + IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) { + return true; + } + + return false; +} + /* * set/grab in6_ifaddr correspond to IPv6 destination address. */ @@ -868,14 +846,14 @@ ip6_hopopts_input(u_int32_t *plenp, u_in /* validation of the length of the header */ IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, - sizeof(struct ip6_hdr), sizeof(struct ip6_hbh)); + sizeof(struct ip6_hdr), sizeof(struct ip6_hbh)); if (hbh == NULL) { IP6_STATINC(IP6_STAT_TOOSHORT); return -1; } hbhlen = (hbh->ip6h_len + 1) << 3; IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), - hbhlen); + hbhlen); if (hbh == NULL) { IP6_STATINC(IP6_STAT_TOOSHORT); return -1; @@ -885,12 +863,12 @@ ip6_hopopts_input(u_int32_t *plenp, u_in hbhlen -= sizeof(struct ip6_hbh); if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh), - hbhlen, rtalertp, plenp) < 0) - return (-1); + hbhlen, rtalertp, plenp) < 0) + return -1; *offp = off; *mp = m; - return (0); + return 0; } /* @@ -973,7 +951,7 @@ ip6_process_hopopts(struct mbuf *m, u_in /* * We may see jumbolen in unaligned location, so - * we'd need to perform bcopy(). + * we'd need to perform memcpy(). */ memcpy(&jumboplen, opt + 2, sizeof(jumboplen)); jumboplen = (u_int32_t)htonl(jumboplen); @@ -1067,48 +1045,21 @@ ip6_unknown_opt(u_int8_t *optp, struct m return (-1); } -/* - * Create the "control" list for this pcb. - * - * The routine will be called from upper layer handlers like tcp6_input(). - * Thus the routine assumes that the caller (tcp6_input) have already - * called IP6_EXTHDR_CHECK() and all the extension headers are located in the - * very first mbuf on the mbuf chain. - * We may want to add some infinite loop prevention or sanity checks for safety. - * (This applies only when you are using KAME mbuf chain restriction, i.e. - * you are using IP6_EXTHDR_CHECK() not m_pulldown()) - */ void ip6_savecontrol(struct in6pcb *in6p, struct mbuf **mp, struct ip6_hdr *ip6, struct mbuf *m) { + struct socket *so = in6p->in6p_socket; #ifdef RFC2292 #define IS2292(x, y) ((in6p->in6p_flags & IN6P_RFC2292) ? (x) : (y)) #else #define IS2292(x, y) (y) #endif - if (in6p->in6p_socket->so_options & SO_TIMESTAMP -#ifdef SO_OTIMESTAMP - || in6p->in6p_socket->so_options & SO_OTIMESTAMP -#endif - ) { - struct timeval tv; + KASSERT(m->m_flags & M_PKTHDR); - microtime(&tv); -#ifdef SO_OTIMESTAMP - if (in6p->in6p_socket->so_options & SO_OTIMESTAMP) { - struct timeval50 tv50; - timeval_to_timeval50(&tv, &tv50); - *mp = sbcreatecontrol((void *) &tv50, sizeof(tv50), - SCM_OTIMESTAMP, SOL_SOCKET); - } else -#endif - *mp = sbcreatecontrol((void *) &tv, sizeof(tv), - SCM_TIMESTAMP, SOL_SOCKET); - if (*mp) - mp = &(*mp)->m_next; - } + if (SOOPT_TIMESTAMP(so->so_options)) + mp = sbsavetimestamp(so->so_options, mp); /* some OSes call this logic with IPv4 packet, for SO_TIMESTAMP */ if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) @@ -1121,8 +1072,7 @@ ip6_savecontrol(struct in6pcb *in6p, str memcpy(&pi6.ipi6_addr, &ip6->ip6_dst, sizeof(struct in6_addr)); in6_clearscope(&pi6.ipi6_addr); /* XXX */ pi6.ipi6_ifindex = m->m_pkthdr.rcvif_index; - *mp = sbcreatecontrol((void *) &pi6, - sizeof(struct in6_pktinfo), + *mp = sbcreatecontrol(&pi6, sizeof(pi6), IS2292(IPV6_2292PKTINFO, IPV6_PKTINFO), IPPROTO_IPV6); if (*mp) mp = &(*mp)->m_next; @@ -1131,7 +1081,7 @@ ip6_savecontrol(struct in6pcb *in6p, str if (in6p->in6p_flags & IN6P_HOPLIMIT) { int hlim = ip6->ip6_hlim & 0xff; - *mp = sbcreatecontrol((void *) &hlim, sizeof(int), + *mp = sbcreatecontrol(&hlim, sizeof(hlim), IS2292(IPV6_2292HOPLIMIT, IPV6_HOPLIMIT), IPPROTO_IPV6); if (*mp) mp = &(*mp)->m_next; @@ -1145,7 +1095,7 @@ ip6_savecontrol(struct in6pcb *in6p, str flowinfo >>= 20; tclass = flowinfo & 0xff; - *mp = sbcreatecontrol((void *)&tclass, sizeof(tclass), + *mp = sbcreatecontrol(&tclass, sizeof(tclass), IPV6_TCLASS, IPPROTO_IPV6); if (*mp) @@ -1193,7 +1143,7 @@ ip6_savecontrol(struct in6pcb *in6p, str * be removed before returning in the RFC 2292. * Note: this constraint is removed in RFC3542. */ - *mp = sbcreatecontrol((void *)hbh, hbhlen, + *mp = sbcreatecontrol(hbh, hbhlen, IS2292(IPV6_2292HOPOPTS, IPV6_HOPOPTS), IPPROTO_IPV6); if (*mp) @@ -1255,7 +1205,7 @@ ip6_savecontrol(struct in6pcb *in6p, str if (!(in6p->in6p_flags & IN6P_DSTOPTS)) break; - *mp = sbcreatecontrol((void *)ip6e, elen, + *mp = sbcreatecontrol(ip6e, elen, IS2292(IPV6_2292DSTOPTS, IPV6_DSTOPTS), IPPROTO_IPV6); if (*mp) @@ -1266,7 +1216,7 @@ ip6_savecontrol(struct in6pcb *in6p, str if (!(in6p->in6p_flags & IN6P_RTHDR)) break; - *mp = sbcreatecontrol((void *)ip6e, elen, + *mp = sbcreatecontrol(ip6e, elen, IS2292(IPV6_2292RTHDR, IPV6_RTHDR), IPPROTO_IPV6); if (*mp) @@ -1324,14 +1274,14 @@ ip6_notify_pmtu(struct in6pcb *in6p, con if (sa6_recoverscope(&mtuctl.ip6m_addr)) return; - if ((m_mtu = sbcreatecontrol((void *)&mtuctl, sizeof(mtuctl), + if ((m_mtu = sbcreatecontrol(&mtuctl, sizeof(mtuctl), IPV6_PATHMTU, IPPROTO_IPV6)) == NULL) return; if (sbappendaddr(&so->so_rcv, (const struct sockaddr *)dst, NULL, m_mtu) == 0) { + soroverflow(so); m_freem(m_mtu); - /* XXX: should count statistics */ } else sorwakeup(so); @@ -1349,17 +1299,8 @@ ip6_pullexthdr(struct mbuf *m, size_t of size_t elen; struct mbuf *n; -#ifdef DIAGNOSTIC - switch (nxt) { - case IPPROTO_DSTOPTS: - case IPPROTO_ROUTING: - case IPPROTO_HOPOPTS: - case IPPROTO_AH: /* is it possible? */ - break; - default: - printf("ip6_pullexthdr: invalid nxt=%d\n", nxt); - } -#endif + if (off + sizeof(ip6e) > m->m_pkthdr.len) + return NULL; m_copydata(m, off, sizeof(ip6e), (void *)&ip6e); if (nxt == IPPROTO_AH) @@ -1367,6 +1308,9 @@ ip6_pullexthdr(struct mbuf *m, size_t of else elen = (ip6e.ip6e_len + 1) << 3; + if (off + elen > m->m_pkthdr.len) + return NULL; + MGET(n, M_DONTWAIT, MT_DATA); if (n && elen >= MLEN) { MCLGET(n, M_DONTWAIT); @@ -1390,50 +1334,44 @@ ip6_pullexthdr(struct mbuf *m, size_t of } /* - * Get pointer to the previous header followed by the header + * Get offset to the previous header followed by the header * currently processed. - * XXX: This function supposes that - * M includes all headers, - * the next header field and the header length field of each header - * are valid, and - * the sum of each header length equals to OFF. - * Because of these assumptions, this function must be called very - * carefully. Moreover, it will not be used in the near future when - * we develop `neater' mechanism to process extension headers. */ -u_int8_t * +int ip6_get_prevhdr(struct mbuf *m, int off) { struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); - if (off == sizeof(struct ip6_hdr)) - return (&ip6->ip6_nxt); - else { - int len, nxt; - struct ip6_ext *ip6e = NULL; + if (off == sizeof(struct ip6_hdr)) { + return offsetof(struct ip6_hdr, ip6_nxt); + } else if (off < sizeof(struct ip6_hdr)) { + panic("%s: off < sizeof(struct ip6_hdr)", __func__); + } else { + int len, nlen, nxt; + struct ip6_ext ip6e; nxt = ip6->ip6_nxt; len = sizeof(struct ip6_hdr); + nlen = 0; while (len < off) { - ip6e = (struct ip6_ext *)(mtod(m, char *) + len); + m_copydata(m, len, sizeof(ip6e), &ip6e); switch (nxt) { case IPPROTO_FRAGMENT: - len += sizeof(struct ip6_frag); + nlen = sizeof(struct ip6_frag); break; case IPPROTO_AH: - len += (ip6e->ip6e_len + 2) << 2; + nlen = (ip6e.ip6e_len + 2) << 2; break; default: - len += (ip6e->ip6e_len + 1) << 3; + nlen = (ip6e.ip6e_len + 1) << 3; break; } - nxt = ip6e->ip6e_nxt; + len += nlen; + nxt = ip6e.ip6e_nxt; } - if (ip6e) - return (&ip6e->ip6e_nxt); - else - return NULL; + + return (len - nlen); } } @@ -1449,7 +1387,7 @@ ip6_nexthdr(struct mbuf *m, int off, int /* just in case */ if (m == NULL) - panic("ip6_nexthdr: m == NULL"); + panic("%s: m == NULL", __func__); if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off) return -1; @@ -1548,7 +1486,7 @@ ip6_addaux(struct mbuf *m) { struct m_tag *mtag; - mtag = m_tag_find(m, PACKET_TAG_INET6, NULL); + mtag = m_tag_find(m, PACKET_TAG_INET6); if (!mtag) { mtag = m_tag_get(PACKET_TAG_INET6, sizeof(struct ip6aux), M_NOWAIT); @@ -1565,7 +1503,7 @@ ip6_findaux(struct mbuf *m) { struct m_tag *mtag; - mtag = m_tag_find(m, PACKET_TAG_INET6, NULL); + mtag = m_tag_find(m, PACKET_TAG_INET6); return mtag; } @@ -1574,7 +1512,7 @@ ip6_delaux(struct mbuf *m) { struct m_tag *mtag; - mtag = m_tag_find(m, PACKET_TAG_INET6, NULL); + mtag = m_tag_find(m, PACKET_TAG_INET6); if (mtag) m_tag_delete(m, mtag); } @@ -1601,14 +1539,33 @@ sysctl_net_inet6_ip6_stats(SYSCTLFN_ARGS return (NETSTAT_SYSCTL(ip6stat_percpu, IP6_NSTATS)); } +static int +sysctl_net_inet6_ip6_temppltime(SYSCTLFN_ARGS) +{ + int error; + uint32_t pltime; + struct sysctlnode node; + + node = *rnode; + node.sysctl_data = &pltime; + pltime = ip6_temp_preferred_lifetime; + error = sysctl_lookup(SYSCTLFN_CALL(&node)); + if (error || newp == NULL) + return error; + + if (pltime <= (MAX_TEMP_DESYNC_FACTOR + TEMPADDR_REGEN_ADVANCE)) + return EINVAL; + + ip6_temp_preferred_lifetime = pltime; + + in6_tmpaddrtimer_schedule(); + + return 0; +} + static void sysctl_net_inet6_ip6_setup(struct sysctllog **clog) { -#ifdef RFC2292 -#define IS2292(x, y) ((in6p->in6p_flags & IN6P_RFC2292) ? (x) : (y)) -#else -#define IS2292(x, y) (y) -#endif sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT, @@ -1644,34 +1601,6 @@ sysctl_net_inet6_ip6_setup(struct sysctl NULL, 0, &ip6_defhlim, 0, CTL_NET, PF_INET6, IPPROTO_IPV6, IPV6CTL_DEFHLIM, CTL_EOL); -#ifdef notyet - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "mtu", NULL, - NULL, 0, &, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, - IPV6CTL_DEFMTU, CTL_EOL); -#endif -#ifdef __no_idea__ - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "forwsrcrt", NULL, - NULL, 0, &?, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, - IPV6CTL_FORWSRCRT, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_STRUCT, "mrtstats", NULL, - NULL, 0, &?, sizeof(?), - CTL_NET, PF_INET6, IPPROTO_IPV6, - IPV6CTL_MRTSTATS, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_?, "mrtproto", NULL, - NULL, 0, &?, sizeof(?), - CTL_NET, PF_INET6, IPPROTO_IPV6, - IPV6CTL_MRTPROTO, CTL_EOL); -#endif sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT|CTLFLAG_READWRITE, CTLTYPE_INT, "maxfragpackets", @@ -1680,20 +1609,6 @@ sysctl_net_inet6_ip6_setup(struct sysctl NULL, 0, &ip6_maxfragpackets, 0, CTL_NET, PF_INET6, IPPROTO_IPV6, IPV6CTL_MAXFRAGPACKETS, CTL_EOL); -#ifdef __no_idea__ - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "sourcecheck", NULL, - NULL, 0, &?, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, - IPV6CTL_SOURCECHECK, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "sourcecheck_logint", NULL, - NULL, 0, &?, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, - IPV6CTL_SOURCECHECK_LOGINT, CTL_EOL); -#endif sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT|CTLFLAG_READWRITE, CTLTYPE_INT, "accept_rtadv", @@ -1725,7 +1640,7 @@ sysctl_net_inet6_ip6_setup(struct sysctl sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT|CTLFLAG_READWRITE, CTLTYPE_INT, "log_interval", - SYSCTL_DESCR("Minumum interval between logging " + SYSCTL_DESCR("Minimum interval between logging " "unroutable packets"), NULL, 0, &ip6_log_interval, 0, CTL_NET, PF_INET6, IPPROTO_IPV6, @@ -1859,7 +1774,7 @@ sysctl_net_inet6_ip6_setup(struct sysctl CTLFLAG_PERMANENT|CTLFLAG_READWRITE, CTLTYPE_INT, "temppltime", SYSCTL_DESCR("preferred lifetime of a temporary address"), - NULL, 0, &ip6_temp_preferred_lifetime, 0, + sysctl_net_inet6_ip6_temppltime, 0, NULL, 0, CTL_NET, PF_INET6, IPPROTO_IPV6, CTL_CREATE, CTL_EOL); sysctl_createv(clog, 0, NULL, NULL,