Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. =================================================================== RCS file: /ftp/cvs/cvsroot/src/sys/netinet6/ip6_input.c,v rcsdiff: /ftp/cvs/cvsroot/src/sys/netinet6/ip6_input.c,v: warning: Unknown phrases like `commitid ...;' are present. retrieving revision 1.178.2.6 retrieving revision 1.217 diff -u -p -r1.178.2.6 -r1.217 --- src/sys/netinet6/ip6_input.c 2018/02/26 13:32:01 1.178.2.6 +++ src/sys/netinet6/ip6_input.c 2020/06/19 16:08:06 1.217 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_input.c,v 1.178.2.6 2018/02/26 13:32:01 martin Exp $ */ +/* $NetBSD: ip6_input.c,v 1.217 2020/06/19 16:08:06 maxv Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* @@ -62,14 +62,13 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.178.2.6 2018/02/26 13:32:01 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.217 2020/06/19 16:08:06 maxv Exp $"); #ifdef _KERNEL_OPT #include "opt_gateway.h" #include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipsec.h" -#include "opt_compat_netbsd.h" #include "opt_net_mpsafe.h" #endif @@ -120,38 +119,32 @@ __KERNEL_RCSID(0, "$NetBSD: ip6_input.c, #include #endif /* IPSEC */ -#ifdef COMPAT_50 -#include -#include -#endif - #include #include "faith.h" -#include - extern struct domain inet6domain; u_char ip6_protox[IPPROTO_MAX]; pktqueue_t *ip6_pktq __read_mostly; -int ip6_forward_srcrt; /* XXX */ -int ip6_sourcecheck; /* XXX */ -int ip6_sourcecheck_interval; /* XXX */ - pfil_head_t *inet6_pfil_hook; percpu_t *ip6stat_percpu; percpu_t *ip6_forward_rt_percpu __cacheline_aligned; -static void ip6_init2(void); static void ip6intr(void *); +static void ip6_input(struct mbuf *, struct ifnet *); +static bool ip6_badaddr(struct ip6_hdr *); static struct m_tag *ip6_setdstifaddr(struct mbuf *, const struct in6_ifaddr *); +static struct m_tag *ip6_addaux(struct mbuf *); +static struct m_tag *ip6_findaux(struct mbuf *); +static void ip6_delaux(struct mbuf *); + static int ip6_process_hopopts(struct mbuf *, u_int8_t *, int, u_int32_t *, - u_int32_t *); + u_int32_t *); static struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int); static void sysctl_net_inet6_ip6_setup(struct sysctllog **); @@ -194,9 +187,7 @@ ip6_init(void) addrsel_policy_init(); nd6_init(); frag6_init(); - ip6_desync_factor = cprng_fast32() % MAX_TEMP_DESYNC_FACTOR; - ip6_init2(); #ifdef GATEWAY ip6flow_init(ip6_hashsize); #endif @@ -205,19 +196,7 @@ ip6_init(void) KASSERT(inet6_pfil_hook != NULL); ip6stat_percpu = percpu_alloc(sizeof(uint64_t) * IP6_NSTATS); - ip6_forward_rt_percpu = percpu_alloc(sizeof(struct route)); -} - -static void -ip6_init2(void) -{ - - /* timer for regeneranation of temporary addresses randomize ID */ - callout_init(&in6_tmpaddrtimer_ch, CALLOUT_MPSAFE); - callout_reset(&in6_tmpaddrtimer_ch, - (ip6_temp_preferred_lifetime - ip6_desync_factor - - ip6_temp_regen_advance) * hz, - in6_tmpaddrtimer, NULL); + ip6_forward_rt_percpu = rtcache_percpu_alloc(); } /* @@ -251,7 +230,7 @@ ip6intr(void *arg __unused) SOFTNET_KERNEL_UNLOCK_UNLESS_NET_MPSAFE(); } -void +static void ip6_input(struct mbuf *m, struct ifnet *rcvif) { struct ip6_hdr *ip6; @@ -268,6 +247,8 @@ ip6_input(struct mbuf *m, struct ifnet * } u; struct route *ro; + KASSERT(rcvif != NULL); + /* * make sure we don't have onion peering information into m_tag. */ @@ -306,7 +287,7 @@ ip6_input(struct mbuf *m, struct ifnet * */ if (IP6_HDR_ALIGNED_P(mtod(m, void *)) == 0) { if ((m = m_copyup(m, sizeof(struct ip6_hdr), - (max_linkhdr + 3) & ~3)) == NULL) { + (max_linkhdr + 3) & ~3)) == NULL) { /* XXXJRT new stat, please */ IP6_STATINC(IP6_STAT_TOOSMALL); in6_ifstat_inc(rcvif, ifs6_in_hdrerr); @@ -328,6 +309,12 @@ ip6_input(struct mbuf *m, struct ifnet * goto bad; } + if (ip6_badaddr(ip6)) { + IP6_STATINC(IP6_STAT_BADSCOPE); + in6_ifstat_inc(rcvif, ifs6_in_addrerr); + goto bad; + } + /* * Assume that we can create a fast-forward IP flow entry * based on this packet. @@ -340,24 +327,32 @@ ip6_input(struct mbuf *m, struct ifnet * * not fast-forwarded, they must clear the M_CANFASTFWD flag. * Note that filters must _never_ set this flag, as another filter * in the list may have previously cleared it. - */ - /* - * let ipfilter look at packet on the wire, - * not the decapsulated packet. + * + * Don't call hooks if the packet has already been processed by + * IPsec (encapsulated, tunnel mode). */ #if defined(IPSEC) - if (!ipsec_used || !ipsec_indone(m)) + if (!ipsec_used || !ipsec_skip_pfil(m)) #else if (1) #endif { struct in6_addr odst; + int error; odst = ip6->ip6_dst; - if (pfil_run_hooks(inet6_pfil_hook, &m, rcvif, PFIL_IN) != 0) - return; - if (m == NULL) + error = pfil_run_hooks(inet6_pfil_hook, &m, rcvif, PFIL_IN); + if (error != 0 || m == NULL) { + IP6_STATINC(IP6_STAT_PFILDROP_IN); return; + } + if (m->m_len < sizeof(struct ip6_hdr)) { + if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { + IP6_STATINC(IP6_STAT_TOOSMALL); + in6_ifstat_inc(rcvif, ifs6_in_hdrerr); + return; + } + } ip6 = mtod(m, struct ip6_hdr *); srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst); } @@ -377,52 +372,6 @@ ip6_input(struct mbuf *m, struct ifnet * #endif /* - * Check against address spoofing/corruption. - */ - if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) || - IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) { - /* - * XXX: "badscope" is not very suitable for a multicast source. - */ - IP6_STATINC(IP6_STAT_BADSCOPE); - in6_ifstat_inc(rcvif, ifs6_in_addrerr); - goto bad; - } - /* - * The following check is not documented in specs. A malicious - * party may be able to use IPv4 mapped addr to confuse tcp/udp stack - * and bypass security checks (act as if it was from 127.0.0.1 by using - * IPv6 src ::ffff:127.0.0.1). Be cautious. - * - * This check chokes if we are in an SIIT cloud. As none of BSDs - * support IPv4-less kernel compilation, we cannot support SIIT - * environment at all. So, it makes more sense for us to reject any - * malicious packets for non-SIIT environment, than try to do a - * partial support for SIIT environment. - */ - if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || - IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { - IP6_STATINC(IP6_STAT_BADSCOPE); - in6_ifstat_inc(rcvif, ifs6_in_addrerr); - goto bad; - } -#if 0 - /* - * Reject packets with IPv4 compatible addresses (auto tunnel). - * - * The code forbids auto tunnel relay case in RFC1933 (the check is - * stronger than RFC1933). We may want to re-enable it if mech-xx - * is revised to forbid relaying case. - */ - if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) || - IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) { - IP6_STATINC(IP6_STAT_BADSCOPE); - in6_ifstat_inc(rcvif, ifs6_in_addrerr); - goto bad; - } -#endif - - /* * Disambiguate address scope zones (if there is ambiguity). * We first make sure that the original source or destination address * is not in our internal form for scoped addresses. Such addresses @@ -430,7 +379,7 @@ ip6_input(struct mbuf *m, struct ifnet * * to the usage conflict. * in6_setscope() then also checks and rejects the cases where src or * dst are the loopback address and the receiving interface - * is not loopback. + * is not loopback. */ if (__predict_false( m_makewritable(&m, 0, sizeof(struct ip6_hdr), M_DONTWAIT))) @@ -446,7 +395,8 @@ ip6_input(struct mbuf *m, struct ifnet * goto bad; } - ro = percpu_getref(ip6_forward_rt_percpu); + ro = rtcache_percpu_getref(ip6_forward_rt_percpu); + /* * Multicast check */ @@ -459,9 +409,9 @@ ip6_input(struct mbuf *m, struct ifnet * * arrival interface. */ ingroup = in6_multi_group(&ip6->ip6_dst, rcvif); - if (ingroup) + if (ingroup) { ours = 1; - else if (!ip6_mrouter) { + } else if (!ip6_mrouter) { uint64_t *ip6s = IP6_STAT_GETREF(); ip6s[IP6_STAT_NOTMEMBER]++; ip6s[IP6_STAT_CANTFORWARD]++; @@ -476,7 +426,7 @@ ip6_input(struct mbuf *m, struct ifnet * sockaddr_in6_init(&u.dst6, &ip6->ip6_dst, 0, 0, 0); /* - * Unicast check + * Unicast check */ rt = rtcache_lookup2(ro, &u.dst, 1, &hit); if (hit) @@ -484,12 +434,15 @@ ip6_input(struct mbuf *m, struct ifnet * else IP6_STATINC(IP6_STAT_FORWARD_CACHEMISS); -#define rt6_getkey(__rt) satocsin6(rt_getkey(__rt)) - /* * Accept the packet if the forwarding interface to the destination - * according to the routing table is the loopback interface, + * (according to the routing table) is the loopback interface, * unless the associated route has a gateway. + * + * We don't explicitly match ip6_dst against an interface here. It + * is already done in rtcache_lookup2: rt->rt_ifp->if_type will be + * IFT_LOOP if the packet is for us. + * * Note that this approach causes to accept a packet if there is a * route to the loopback interface for the destination of the packet. * But we think it's even useful in some situations, e.g. when using @@ -497,14 +450,6 @@ ip6_input(struct mbuf *m, struct ifnet * */ if (rt != NULL && (rt->rt_flags & (RTF_HOST|RTF_GATEWAY)) == RTF_HOST && -#if 0 - /* - * The check below is redundant since the comparison of - * the destination and the key of the rtentry has - * already done through looking up the routing table. - */ - IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &rt6_getkey(rt)->sin6_addr) && -#endif rt->rt_ifp->if_type == IFT_LOOP) { struct in6_ifaddr *ia6 = (struct in6_ifaddr *)rt->rt_ifa; int addrok; @@ -565,26 +510,6 @@ ip6_input(struct mbuf *m, struct ifnet * } #endif -#if 0 - { - /* - * Last resort: check in6_ifaddr for incoming interface. - * The code is here until I update the "goto ours hack" code above - * working right. - */ - struct ifaddr *ifa; - IFADDR_READER_FOREACH(ifa, rcvif) { - if (ifa->ifa_addr->sa_family != AF_INET6) - continue; - if (IN6_ARE_ADDR_EQUAL(IFA_IN6(ifa), &ip6->ip6_dst)) { - ours = 1; - deliverifp = ifa->ifa_ifp; - goto hbhcheck; - } - } - } -#endif - /* * Now there is no reason to process the packet if it's not our own * and we're not a router. @@ -595,10 +520,10 @@ ip6_input(struct mbuf *m, struct ifnet * goto bad_unref; } - hbhcheck: +hbhcheck: /* - * record address information into m_tag, if we don't have one yet. - * note that we are unable to record it, if the address is not listed + * Record address information into m_tag, if we don't have one yet. + * Note that we are unable to record it, if the address is not listed * as our interface address (e.g. multicast addresses, addresses * within FAITH prefixes and such). */ @@ -628,12 +553,11 @@ ip6_input(struct mbuf *m, struct ifnet * struct ip6_hbh *hbh; if (ip6_hopopts_input(&plen, &rtalert, &m, &off)) { -#if 0 /*touches NULL pointer*/ + /* m already freed */ in6_ifstat_inc(rcvif, ifs6_in_discard); -#endif rtcache_unref(rt, ro); - percpu_putref(ip6_forward_rt_percpu); - return; /* m have already been freed */ + rtcache_percpu_putref(ip6_forward_rt_percpu); + return; } /* adjust pointer */ @@ -657,7 +581,7 @@ ip6_input(struct mbuf *m, struct ifnet * ICMP6_PARAMPROB_HEADER, (char *)&ip6->ip6_plen - (char *)ip6); rtcache_unref(rt, ro); - percpu_putref(ip6_forward_rt_percpu); + rtcache_percpu_putref(ip6_forward_rt_percpu); return; } IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), @@ -665,7 +589,7 @@ ip6_input(struct mbuf *m, struct ifnet * if (hbh == NULL) { IP6_STATINC(IP6_STAT_TOOSHORT); rtcache_unref(rt, ro); - percpu_putref(ip6_forward_rt_percpu); + rtcache_percpu_putref(ip6_forward_rt_percpu); return; } KASSERT(IP6_HDR_ALIGNED_P(hbh)); @@ -681,10 +605,9 @@ ip6_input(struct mbuf *m, struct ifnet * nxt = ip6->ip6_nxt; /* - * Check that the amount of data in the buffers - * is as at least much as the IPv6 header would have us expect. - * Trim mbufs if longer than we expect. - * Drop packet if shorter than we expect. + * Check that the amount of data in the buffers is at least much as + * the IPv6 header would have us expect. Trim mbufs if longer than we + * expect. Drop packet if shorter than we expect. */ if (m->m_pkthdr.len - sizeof(struct ip6_hdr) < plen) { IP6_STATINC(IP6_STAT_TOOSHORT); @@ -720,7 +643,7 @@ ip6_input(struct mbuf *m, struct ifnet * if (error != 0) { rtcache_unref(rt, ro); - percpu_putref(ip6_forward_rt_percpu); + rtcache_percpu_putref(ip6_forward_rt_percpu); IP6_STATINC(IP6_STAT_CANTFORWARD); goto bad; } @@ -729,7 +652,7 @@ ip6_input(struct mbuf *m, struct ifnet * goto bad_unref; } else if (!ours) { rtcache_unref(rt, ro); - percpu_putref(ip6_forward_rt_percpu); + rtcache_percpu_putref(ip6_forward_rt_percpu); ip6_forward(m, srcrt); return; } @@ -752,9 +675,6 @@ ip6_input(struct mbuf *m, struct ifnet * goto bad_unref; } - /* - * Tell launch routine the next header - */ #ifdef IFA_STATS if (deliverifp != NULL) { struct in6_ifaddr *ia6; @@ -773,7 +693,7 @@ ip6_input(struct mbuf *m, struct ifnet * rtcache_unref(rt, ro); rt = NULL; } - percpu_putref(ip6_forward_rt_percpu); + rtcache_percpu_putref(ip6_forward_rt_percpu); rh_present = 0; frg_present = 0; @@ -784,6 +704,8 @@ ip6_input(struct mbuf *m, struct ifnet * goto bad; } + M_VERIFY_PACKET(m); + /* * protection against faulty packet - there should be * more sanity checks in header chain processing. @@ -811,33 +733,70 @@ ip6_input(struct mbuf *m, struct ifnet * #ifdef IPSEC if (ipsec_used) { /* - * enforce IPsec policy checking if we are seeing last - * header. note that we do not visit this with + * Enforce IPsec policy checking if we are seeing last + * header. Note that we do not visit this with * protocols with pcb layer code - like udp/tcp/raw ip. */ - if ((inet6sw[ip_protox[nxt]].pr_flags + if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0) { int error; - error = ipsec6_input(m); + error = ipsec_ip_input(m, false); if (error) goto bad; } } -#endif /* IPSEC */ +#endif nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt); } return; - bad_unref: +bad_unref: rtcache_unref(rt, ro); - percpu_putref(ip6_forward_rt_percpu); - bad: + rtcache_percpu_putref(ip6_forward_rt_percpu); +bad: m_freem(m); return; } +static bool +ip6_badaddr(struct ip6_hdr *ip6) +{ + /* Check against address spoofing/corruption. */ + if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) || + IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) { + return true; + } + + /* + * The following check is not documented in specs. A malicious + * party may be able to use IPv4 mapped addr to confuse tcp/udp stack + * and bypass security checks (act as if it was from 127.0.0.1 by using + * IPv6 src ::ffff:127.0.0.1). Be cautious. + * + * This check chokes if we are in an SIIT cloud. As none of BSDs + * support IPv4-less kernel compilation, we cannot support SIIT + * environment at all. So, it makes more sense for us to reject any + * malicious packets for non-SIIT environment, than try to do a + * partial support for SIIT environment. + */ + if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || + IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { + return true; + } + + /* + * Reject packets with IPv4-compatible IPv6 addresses (RFC4291). + */ + if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) || + IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) { + return true; + } + + return false; +} + /* * set/grab in6_ifaddr correspond to IPv6 destination address. */ @@ -890,14 +849,14 @@ ip6_hopopts_input(u_int32_t *plenp, u_in /* validation of the length of the header */ IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, - sizeof(struct ip6_hdr), sizeof(struct ip6_hbh)); + sizeof(struct ip6_hdr), sizeof(struct ip6_hbh)); if (hbh == NULL) { IP6_STATINC(IP6_STAT_TOOSHORT); return -1; } hbhlen = (hbh->ip6h_len + 1) << 3; IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), - hbhlen); + hbhlen); if (hbh == NULL) { IP6_STATINC(IP6_STAT_TOOSHORT); return -1; @@ -907,12 +866,12 @@ ip6_hopopts_input(u_int32_t *plenp, u_in hbhlen -= sizeof(struct ip6_hbh); if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh), - hbhlen, rtalertp, plenp) < 0) - return (-1); + hbhlen, rtalertp, plenp) < 0) + return -1; *offp = off; *mp = m; - return (0); + return 0; } /* @@ -995,7 +954,7 @@ ip6_process_hopopts(struct mbuf *m, u_in /* * We may see jumbolen in unaligned location, so - * we'd need to perform bcopy(). + * we'd need to perform memcpy(). */ memcpy(&jumboplen, opt + 2, sizeof(jumboplen)); jumboplen = (u_int32_t)htonl(jumboplen); @@ -1089,48 +1048,21 @@ ip6_unknown_opt(u_int8_t *optp, struct m return (-1); } -/* - * Create the "control" list for this pcb. - * - * The routine will be called from upper layer handlers like tcp6_input(). - * Thus the routine assumes that the caller (tcp6_input) have already - * called IP6_EXTHDR_CHECK() and all the extension headers are located in the - * very first mbuf on the mbuf chain. - * We may want to add some infinite loop prevention or sanity checks for safety. - * (This applies only when you are using KAME mbuf chain restriction, i.e. - * you are using IP6_EXTHDR_CHECK() not m_pulldown()) - */ void ip6_savecontrol(struct in6pcb *in6p, struct mbuf **mp, struct ip6_hdr *ip6, struct mbuf *m) { + struct socket *so = in6p->in6p_socket; #ifdef RFC2292 #define IS2292(x, y) ((in6p->in6p_flags & IN6P_RFC2292) ? (x) : (y)) #else #define IS2292(x, y) (y) #endif - if (in6p->in6p_socket->so_options & SO_TIMESTAMP -#ifdef SO_OTIMESTAMP - || in6p->in6p_socket->so_options & SO_OTIMESTAMP -#endif - ) { - struct timeval tv; + KASSERT(m->m_flags & M_PKTHDR); - microtime(&tv); -#ifdef SO_OTIMESTAMP - if (in6p->in6p_socket->so_options & SO_OTIMESTAMP) { - struct timeval50 tv50; - timeval_to_timeval50(&tv, &tv50); - *mp = sbcreatecontrol((void *) &tv50, sizeof(tv50), - SCM_OTIMESTAMP, SOL_SOCKET); - } else -#endif - *mp = sbcreatecontrol((void *) &tv, sizeof(tv), - SCM_TIMESTAMP, SOL_SOCKET); - if (*mp) - mp = &(*mp)->m_next; - } + if (SOOPT_TIMESTAMP(so->so_options)) + mp = sbsavetimestamp(so->so_options, mp); /* some OSes call this logic with IPv4 packet, for SO_TIMESTAMP */ if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) @@ -1143,8 +1075,7 @@ ip6_savecontrol(struct in6pcb *in6p, str memcpy(&pi6.ipi6_addr, &ip6->ip6_dst, sizeof(struct in6_addr)); in6_clearscope(&pi6.ipi6_addr); /* XXX */ pi6.ipi6_ifindex = m->m_pkthdr.rcvif_index; - *mp = sbcreatecontrol((void *) &pi6, - sizeof(struct in6_pktinfo), + *mp = sbcreatecontrol(&pi6, sizeof(pi6), IS2292(IPV6_2292PKTINFO, IPV6_PKTINFO), IPPROTO_IPV6); if (*mp) mp = &(*mp)->m_next; @@ -1153,7 +1084,7 @@ ip6_savecontrol(struct in6pcb *in6p, str if (in6p->in6p_flags & IN6P_HOPLIMIT) { int hlim = ip6->ip6_hlim & 0xff; - *mp = sbcreatecontrol((void *) &hlim, sizeof(int), + *mp = sbcreatecontrol(&hlim, sizeof(hlim), IS2292(IPV6_2292HOPLIMIT, IPV6_HOPLIMIT), IPPROTO_IPV6); if (*mp) mp = &(*mp)->m_next; @@ -1167,7 +1098,7 @@ ip6_savecontrol(struct in6pcb *in6p, str flowinfo >>= 20; tclass = flowinfo & 0xff; - *mp = sbcreatecontrol((void *)&tclass, sizeof(tclass), + *mp = sbcreatecontrol(&tclass, sizeof(tclass), IPV6_TCLASS, IPPROTO_IPV6); if (*mp) @@ -1215,7 +1146,7 @@ ip6_savecontrol(struct in6pcb *in6p, str * be removed before returning in the RFC 2292. * Note: this constraint is removed in RFC3542. */ - *mp = sbcreatecontrol((void *)hbh, hbhlen, + *mp = sbcreatecontrol(hbh, hbhlen, IS2292(IPV6_2292HOPOPTS, IPV6_HOPOPTS), IPPROTO_IPV6); if (*mp) @@ -1277,7 +1208,7 @@ ip6_savecontrol(struct in6pcb *in6p, str if (!(in6p->in6p_flags & IN6P_DSTOPTS)) break; - *mp = sbcreatecontrol((void *)ip6e, elen, + *mp = sbcreatecontrol(ip6e, elen, IS2292(IPV6_2292DSTOPTS, IPV6_DSTOPTS), IPPROTO_IPV6); if (*mp) @@ -1288,7 +1219,7 @@ ip6_savecontrol(struct in6pcb *in6p, str if (!(in6p->in6p_flags & IN6P_RTHDR)) break; - *mp = sbcreatecontrol((void *)ip6e, elen, + *mp = sbcreatecontrol(ip6e, elen, IS2292(IPV6_2292RTHDR, IPV6_RTHDR), IPPROTO_IPV6); if (*mp) @@ -1346,14 +1277,14 @@ ip6_notify_pmtu(struct in6pcb *in6p, con if (sa6_recoverscope(&mtuctl.ip6m_addr)) return; - if ((m_mtu = sbcreatecontrol((void *)&mtuctl, sizeof(mtuctl), + if ((m_mtu = sbcreatecontrol(&mtuctl, sizeof(mtuctl), IPV6_PATHMTU, IPPROTO_IPV6)) == NULL) return; if (sbappendaddr(&so->so_rcv, (const struct sockaddr *)dst, NULL, m_mtu) == 0) { + soroverflow(so); m_freem(m_mtu); - /* XXX: should count statistics */ } else sorwakeup(so); @@ -1371,17 +1302,8 @@ ip6_pullexthdr(struct mbuf *m, size_t of size_t elen; struct mbuf *n; -#ifdef DIAGNOSTIC - switch (nxt) { - case IPPROTO_DSTOPTS: - case IPPROTO_ROUTING: - case IPPROTO_HOPOPTS: - case IPPROTO_AH: /* is it possible? */ - break; - default: - printf("ip6_pullexthdr: invalid nxt=%d\n", nxt); - } -#endif + if (off + sizeof(ip6e) > m->m_pkthdr.len) + return NULL; m_copydata(m, off, sizeof(ip6e), (void *)&ip6e); if (nxt == IPPROTO_AH) @@ -1389,6 +1311,9 @@ ip6_pullexthdr(struct mbuf *m, size_t of else elen = (ip6e.ip6e_len + 1) << 3; + if (off + elen > m->m_pkthdr.len) + return NULL; + MGET(n, M_DONTWAIT, MT_DATA); if (n && elen >= MLEN) { MCLGET(n, M_DONTWAIT); @@ -1465,7 +1390,7 @@ ip6_nexthdr(struct mbuf *m, int off, int /* just in case */ if (m == NULL) - panic("ip6_nexthdr: m == NULL"); + panic("%s: m == NULL", __func__); if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off) return -1; @@ -1559,12 +1484,12 @@ ip6_lasthdr(struct mbuf *m, int off, int } } -struct m_tag * +static struct m_tag * ip6_addaux(struct mbuf *m) { struct m_tag *mtag; - mtag = m_tag_find(m, PACKET_TAG_INET6, NULL); + mtag = m_tag_find(m, PACKET_TAG_INET6); if (!mtag) { mtag = m_tag_get(PACKET_TAG_INET6, sizeof(struct ip6aux), M_NOWAIT); @@ -1576,21 +1501,21 @@ ip6_addaux(struct mbuf *m) return mtag; } -struct m_tag * +static struct m_tag * ip6_findaux(struct mbuf *m) { struct m_tag *mtag; - mtag = m_tag_find(m, PACKET_TAG_INET6, NULL); + mtag = m_tag_find(m, PACKET_TAG_INET6); return mtag; } -void +static void ip6_delaux(struct mbuf *m) { struct m_tag *mtag; - mtag = m_tag_find(m, PACKET_TAG_INET6, NULL); + mtag = m_tag_find(m, PACKET_TAG_INET6); if (mtag) m_tag_delete(m, mtag); } @@ -1620,11 +1545,6 @@ sysctl_net_inet6_ip6_stats(SYSCTLFN_ARGS static void sysctl_net_inet6_ip6_setup(struct sysctllog **clog) { -#ifdef RFC2292 -#define IS2292(x, y) ((in6p->in6p_flags & IN6P_RFC2292) ? (x) : (y)) -#else -#define IS2292(x, y) (y) -#endif sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT, @@ -1660,34 +1580,6 @@ sysctl_net_inet6_ip6_setup(struct sysctl NULL, 0, &ip6_defhlim, 0, CTL_NET, PF_INET6, IPPROTO_IPV6, IPV6CTL_DEFHLIM, CTL_EOL); -#ifdef notyet - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "mtu", NULL, - NULL, 0, &, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, - IPV6CTL_DEFMTU, CTL_EOL); -#endif -#ifdef __no_idea__ - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "forwsrcrt", NULL, - NULL, 0, &?, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, - IPV6CTL_FORWSRCRT, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_STRUCT, "mrtstats", NULL, - NULL, 0, &?, sizeof(?), - CTL_NET, PF_INET6, IPPROTO_IPV6, - IPV6CTL_MRTSTATS, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_?, "mrtproto", NULL, - NULL, 0, &?, sizeof(?), - CTL_NET, PF_INET6, IPPROTO_IPV6, - IPV6CTL_MRTPROTO, CTL_EOL); -#endif sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT|CTLFLAG_READWRITE, CTLTYPE_INT, "maxfragpackets", @@ -1696,41 +1588,6 @@ sysctl_net_inet6_ip6_setup(struct sysctl NULL, 0, &ip6_maxfragpackets, 0, CTL_NET, PF_INET6, IPPROTO_IPV6, IPV6CTL_MAXFRAGPACKETS, CTL_EOL); -#ifdef __no_idea__ - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "sourcecheck", NULL, - NULL, 0, &?, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, - IPV6CTL_SOURCECHECK, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "sourcecheck_logint", NULL, - NULL, 0, &?, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, - IPV6CTL_SOURCECHECK_LOGINT, CTL_EOL); -#endif - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "accept_rtadv", - SYSCTL_DESCR("Accept router advertisements"), - NULL, 0, &ip6_accept_rtadv, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, - IPV6CTL_ACCEPT_RTADV, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "rtadv_maxroutes", - SYSCTL_DESCR("Maximum number of routes accepted via router advertisements"), - NULL, 0, &ip6_rtadv_maxroutes, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, - IPV6CTL_RTADV_MAXROUTES, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT, - CTLTYPE_INT, "rtadv_numroutes", - SYSCTL_DESCR("Current number of routes accepted via router advertisements"), - NULL, 0, &nd6_numroutes, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, - IPV6CTL_RTADV_NUMROUTES, CTL_EOL); sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT|CTLFLAG_READWRITE, CTLTYPE_INT, "keepfaith", @@ -1741,7 +1598,7 @@ sysctl_net_inet6_ip6_setup(struct sysctl sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT|CTLFLAG_READWRITE, CTLTYPE_INT, "log_interval", - SYSCTL_DESCR("Minumum interval between logging " + SYSCTL_DESCR("Minimum interval between logging " "unroutable packets"), NULL, 0, &ip6_log_interval, 0, CTL_NET, PF_INET6, IPPROTO_IPV6, @@ -1791,12 +1648,6 @@ sysctl_net_inet6_ip6_setup(struct sysctl CTL_NET, PF_INET6, IPPROTO_IPV6, IPV6CTL_USE_DEPRECATED, CTL_EOL); sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "rr_prune", NULL, - NULL, 0, &ip6_rr_prune, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, - IPV6CTL_RR_PRUNE, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT #ifndef INET6_BINDV6ONLY |CTLFLAG_READWRITE, @@ -1858,13 +1709,6 @@ sysctl_net_inet6_ip6_setup(struct sysctl IPV6CTL_ADDRCTLPOLICY, CTL_EOL); sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "use_tempaddr", - SYSCTL_DESCR("Use temporary address"), - NULL, 0, &ip6_use_tempaddr, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, - CTL_CREATE, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, CTLTYPE_INT, "prefer_tempaddr", SYSCTL_DESCR("Prefer temporary address as source " "address"), @@ -1873,20 +1717,6 @@ sysctl_net_inet6_ip6_setup(struct sysctl CTL_CREATE, CTL_EOL); sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "temppltime", - SYSCTL_DESCR("preferred lifetime of a temporary address"), - NULL, 0, &ip6_temp_preferred_lifetime, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, - CTL_CREATE, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "tempvltime", - SYSCTL_DESCR("valid lifetime of a temporary address"), - NULL, 0, &ip6_temp_valid_lifetime, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, - CTL_CREATE, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, CTLTYPE_INT, "maxfrags", SYSCTL_DESCR("Maximum fragments in reassembly queue"), NULL, 0, &ip6_maxfrags, 0, @@ -1949,22 +1779,6 @@ sysctl_net_inet6_ip6_setup(struct sysctl CTL_CREATE, CTL_EOL); sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "maxifprefixes", - SYSCTL_DESCR("Maximum number of prefixes created by" - " route advertisement per interface"), - NULL, 1, &ip6_maxifprefixes, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, - CTL_CREATE, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "maxifdefrouters", - SYSCTL_DESCR("Maximum number of default routers created" - " by route advertisement per interface"), - NULL, 1, &ip6_maxifdefrouters, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, - CTL_CREATE, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, CTLTYPE_INT, "maxdynroutes", SYSCTL_DESCR("Maximum number of routes created via" " redirect"),