Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

===================================================================
RCS file: /ftp/cvs/cvsroot/src/sys/netinet6/ip6_input.c,v
rcsdiff: /ftp/cvs/cvsroot/src/sys/netinet6/ip6_input.c,v: warning: Unknown phrases like `commitid ...;' are present.
retrieving revision 1.41
retrieving revision 1.41.2.3
diff -u -p -r1.41 -r1.41.2.3
--- src/sys/netinet6/ip6_input.c	2001/04/13 23:30:26	1.41
+++ src/sys/netinet6/ip6_input.c	2002/06/23 17:51:15	1.41.2.3
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_input.c,v 1.41 2001/04/13 23:30:26 thorpej Exp $	*/
+/*	$NetBSD: ip6_input.c,v 1.41.2.3 2002/06/23 17:51:15 jdolecek Exp $	*/
 /*	$KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $	*/
 
 /*
@@ -65,6 +65,9 @@
  *	@(#)ip_input.c	8.2 (Berkeley) 1/4/94
  */
 
+#include <sys/cdefs.h>
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.41.2.3 2002/06/23 17:51:15 jdolecek Exp $");
+
 #include "opt_inet.h"
 #include "opt_ipsec.h"
 #include "opt_pfil_hooks.h"
@@ -82,6 +85,7 @@
 #include <sys/kernel.h>
 #include <sys/syslog.h>
 #include <sys/proc.h>
+#include <sys/sysctl.h>
 
 #include <net/if.h>
 #include <net/if_types.h>
@@ -97,7 +101,7 @@
 #ifdef INET
 #include <netinet/ip.h>
 #include <netinet/ip_icmp.h>
-#endif /*INET*/
+#endif /* INET */
 #include <netinet/ip6.h>
 #include <netinet6/in6_var.h>
 #include <netinet6/ip6_var.h>
@@ -105,7 +109,6 @@
 #include <netinet/icmp6.h>
 #include <netinet6/in6_ifattach.h>
 #include <netinet6/nd6.h>
-#include <netinet6/in6_prefix.h>
 
 #ifdef IPSEC
 #include <netinet6/ipsec.h>
@@ -116,10 +119,13 @@
 /* we need it for NLOOP. */
 #include "loop.h"
 #include "faith.h"
-
 #include "gif.h"
 #include "bpfilter.h"
 
+#if NGIF > 0
+#include <netinet6/in6_gif.h>
+#endif
+
 #include <net/net_osdep.h>
 
 extern struct domain inet6domain;
@@ -153,7 +159,6 @@ ip6_init()
 {
 	struct ip6protosw *pr;
 	int i;
-	struct timeval tv;
 
 	pr = (struct ip6protosw *)pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW);
 	if (pr == 0)
@@ -168,12 +173,7 @@ ip6_init()
 	ip6intrq.ifq_maxlen = ip6qmaxlen;
 	nd6_init();
 	frag6_init();
-	/*
-	 * in many cases, random() here does NOT return random number
-	 * as initialization during bootstrap time occur in fixed order.
-	 */
-	microtime(&tv);
-	ip6_flow_seq = random() ^ tv.tv_usec;
+	ip6_flow_seq = arc4random();
 
 	ip6_init2((void *)0);
 
@@ -192,18 +192,10 @@ static void
 ip6_init2(dummy)
 	void *dummy;
 {
-	/*
-	 * to route local address of p2p link to loopback,
-	 * assign loopback address first.
-	 */
-	in6_ifattach(&loif[0], NULL);
 
 	/* nd6_timer_init */
 	callout_init(&nd6_timer_ch);
 	callout_reset(&nd6_timer_ch, hz, nd6_timer, NULL);
-	/* router renumbering prefix list maintenance */
-	callout_init(&in6_rr_timer_ch);
-	callout_reset(&in6_rr_timer_ch, hz, in6_rr_timer, NULL);
 }
 
 /*
@@ -243,14 +235,12 @@ ip6_input(m)
 	 * should the inner packet be considered authentic?
 	 * see comment in ah4_input().
 	 */
-	if (m) {
-		m->m_flags &= ~M_AUTHIPHDR;
-		m->m_flags &= ~M_AUTHIPDGM;
-	}
+	m->m_flags &= ~M_AUTHIPHDR;
+	m->m_flags &= ~M_AUTHIPDGM;
 #endif
 
 	/*
-	 * mbuf statistics by kazu
+	 * mbuf statistics
 	 */
 	if (m->m_flags & M_EXT) {
 		if (m->m_next)
@@ -261,7 +251,7 @@ ip6_input(m)
 #define M2MMAX	(sizeof(ip6stat.ip6s_m2m)/sizeof(ip6stat.ip6s_m2m[0]))
 		if (m->m_next) {
 			if (m->m_flags & M_LOOP) {
-				ip6stat.ip6s_m2m[loif[0].if_index]++;	/*XXX*/
+				ip6stat.ip6s_m2m[loif[0].if_index]++; /* XXX */
 			} else if (m->m_pkthdr.rcvif->if_index < M2MMAX)
 				ip6stat.ip6s_m2m[m->m_pkthdr.rcvif->if_index]++;
 			else
@@ -282,7 +272,7 @@ ip6_input(m)
 	if (m->m_len < sizeof(struct ip6_hdr)) {
 		struct ifnet *inifp;
 		inifp = m->m_pkthdr.rcvif;
-		if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == 0) {
+		if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
 			ip6stat.ip6s_toosmall++;
 			in6_ifstat_inc(inifp, ifs6_in_hdrerr);
 			return;
@@ -310,7 +300,7 @@ ip6_input(m)
 	 * not the decapsulated packet.
 	 */
 #ifdef IPSEC
-	if (!ipsec_gethist(m, NULL))
+	if (!ipsec_getnhist(m))
 #else
 	if (1)
 #endif
@@ -324,11 +314,9 @@ ip6_input(m)
 	}
 #endif /* PFIL_HOOKS */
 
-
 	ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
 
 #ifdef ALTQ
-	/* XXX Temporary until ALTQ is changed to use a pfil hook */
 	if (altq_input != NULL && (*altq_input)(m, AF_INET6) == 0) {
 		/* packet is dropped by traffic conditioner */
 		return;
@@ -336,25 +324,28 @@ ip6_input(m)
 #endif
 
 	/*
-	 * Scope check
+	 * Check against address spoofing/corruption.
 	 */
 	if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) ||
 	    IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) {
+		/*
+		 * XXX: "badscope" is not very suitable for a multicast source.
+		 */
 		ip6stat.ip6s_badscope++;
 		in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
 		goto bad;
 	}
 	/*
-	 * The following check is not documented in the spec.  Malicious party
-	 * may be able to use IPv4 mapped addr to confuse tcp/udp stack and
-	 * bypass security checks (act as if it was from 127.0.0.1 by using
-	 * IPv6 src ::ffff:127.0.0.1).	Be cautious.
+	 * The following check is not documented in specs.  A malicious
+	 * party may be able to use IPv4 mapped addr to confuse tcp/udp stack
+	 * and bypass security checks (act as if it was from 127.0.0.1 by using
+	 * IPv6 src ::ffff:127.0.0.1).  Be cautious.
 	 *
-	 * This check chokes if we are in SIIT cloud.  As none of BSDs support
-	 * IPv4-less kernel compilation, we cannot support SIIT environment
-	 * at all.  So, it makes more sense for us to reject any malicious
-	 * packets for non-SIIT environment, than try to do a partical support
-	 * for SIIT environment.
+	 * This check chokes if we are in an SIIT cloud.  As none of BSDs
+	 * support IPv4-less kernel compilation, we cannot support SIIT
+	 * environment at all.  So, it makes more sense for us to reject any
+	 * malicious packets for non-SIIT environment, than try to do a
+	 * partial support for SIIT environment.
 	 */
 	if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
 	    IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
@@ -463,7 +454,7 @@ ip6_input(m)
 	 *  Unicast check
 	 */
 	if (ip6_forward_rt.ro_rt != NULL &&
-	    (ip6_forward_rt.ro_rt->rt_flags & RTF_UP) != 0 && 
+	    (ip6_forward_rt.ro_rt->rt_flags & RTF_UP) != 0 &&
 	    IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst,
 			       &((struct sockaddr_in6 *)(&ip6_forward_rt.ro_dst))->sin6_addr))
 		ip6stat.ip6s_forward_cachehit++;
@@ -500,6 +491,7 @@ ip6_input(m)
 	if (ip6_forward_rt.ro_rt &&
 	    (ip6_forward_rt.ro_rt->rt_flags &
 	     (RTF_HOST|RTF_GATEWAY)) == RTF_HOST &&
+	    !(ip6_forward_rt.ro_rt->rt_flags & RTF_CLONED) &&
 #if 0
 	    /*
 	     * The check below is redundant since the comparison of
@@ -507,7 +499,7 @@ ip6_input(m)
 	     * already done through looking up the routing table.
 	     */
 	    IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst,
-			       &rt6_key(ip6_forward_rt.ro_rt)->sin6_addr) &&
+	    &rt6_key(ip6_forward_rt.ro_rt)->sin6_addr) &&
 #endif
 	    ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_LOOP) {
 		struct in6_ifaddr *ia6 =
@@ -535,7 +527,7 @@ ip6_input(m)
 	}
 
 	/*
-	 * FAITH(Firewall Aided Internet Translator)
+	 * FAITH (Firewall Aided Internet Translator)
 	 */
 #if defined(NFAITH) && 0 < NFAITH
 	if (ip6_keepfaith) {
@@ -543,7 +535,7 @@ ip6_input(m)
 		 && ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_FAITH) {
 			/* XXX do we need more sanity checks? */
 			ours = 1;
-			deliverifp = ip6_forward_rt.ro_rt->rt_ifp; /*faith*/
+			deliverifp = ip6_forward_rt.ro_rt->rt_ifp; /* faith */
 			goto hbhcheck;
 		}
 	}
@@ -604,7 +596,7 @@ ip6_input(m)
 		ip6 = mtod(m, struct ip6_hdr *);
 
 		/*
-		 * if the payload length field is 0 and the next header field  
+		 * if the payload length field is 0 and the next header field
 		 * indicates Hop-by-Hop Options header, then a Jumbo Payload
 		 * option MUST be included.
 		 */
@@ -612,7 +604,7 @@ ip6_input(m)
 			/*
 			 * Note that if a valid jumbo payload option is
 			 * contained, ip6_hoptops_input() must set a valid
-			 * (non-zero) payload length to the variable plen. 
+			 * (non-zero) payload length to the variable plen.
 			 */
 			ip6stat.ip6s_badoptions++;
 			in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
@@ -687,7 +679,7 @@ ip6_input(m)
 	} else if (!ours) {
 		ip6_forward(m, 0);
 		return;
-	}	
+	}
 
 	ip6 = mtod(m, struct ip6_hdr *);
 
@@ -750,7 +742,7 @@ ip6_input(m)
 			goto bad;
 		}
 #endif
-		
+
 		nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);
 	}
 	return;
@@ -815,6 +807,10 @@ ip6_hopopts_input(plenp, rtalertp, mp, o
  * This function is separate from ip6_hopopts_input() in order to
  * handle a case where the sending node itself process its hop-by-hop
  * options header. In such a case, the function is called from ip6_output().
+ *
+ * The function assumes that hbh header is located right after the IPv6 header
+ * (RFC2460 p7), opthead is pointer into data content in m, and opthead to
+ * opthead + hbhlen is located in continuous memory region.
  */
 int
 ip6_process_hopopts(m, opthead, hbhlen, rtalertp, plenp)
@@ -829,6 +825,7 @@ ip6_process_hopopts(m, opthead, hbhlen, 
 	u_int8_t *opt = opthead;
 	u_int16_t rtalert_val;
 	u_int32_t jumboplen;
+	const int erroff = sizeof(struct ip6_hdr) + sizeof(struct ip6_hbh);
 
 	for (; hbhlen > 0; hbhlen -= optlen, opt += optlen) {
 		switch (*opt) {
@@ -849,9 +846,11 @@ ip6_process_hopopts(m, opthead, hbhlen, 
 				goto bad;
 			}
 			if (*(opt + 1) != IP6OPT_RTALERT_LEN - 2) {
-				 /* XXX: should we discard the packet? */
-				log(LOG_ERR, "length of router alert opt is inconsitent(%d)",
-				    *(opt + 1));
+				/* XXX stat */
+				icmp6_error(m, ICMP6_PARAM_PROB,
+				    ICMP6_PARAMPROB_HEADER,
+				    erroff + opt + 1 - opthead);
+				return (-1);
 			}
 			optlen = IP6OPT_RTALERT_LEN;
 			bcopy((caddr_t)(opt + 2), (caddr_t)&rtalert_val, 2);
@@ -864,10 +863,11 @@ ip6_process_hopopts(m, opthead, hbhlen, 
 				goto bad;
 			}
 			if (*(opt + 1) != IP6OPT_JUMBO_LEN - 2) {
-				/* XXX: should we discard the packet? */
-				log(LOG_ERR, "length of jumbopayload opt "
-				    "is inconsistent(%d)\n",
-				    *(opt + 1));
+				/* XXX stat */
+				icmp6_error(m, ICMP6_PARAM_PROB,
+				    ICMP6_PARAMPROB_HEADER,
+				    erroff + opt + 1 - opthead);
+				return (-1);
 			}
 			optlen = IP6OPT_JUMBO_LEN;
 
@@ -879,11 +879,9 @@ ip6_process_hopopts(m, opthead, hbhlen, 
 			if (ip6->ip6_plen) {
 				ip6stat.ip6s_badoptions++;
 				icmp6_error(m, ICMP6_PARAM_PROB,
-					    ICMP6_PARAMPROB_HEADER,
-					    sizeof(struct ip6_hdr) +
-					    sizeof(struct ip6_hbh) +
-					    opt - opthead);
-				return(-1);
+				    ICMP6_PARAMPROB_HEADER,
+				    erroff + opt - opthead);
+				return (-1);
 			}
 
 			/*
@@ -905,11 +903,9 @@ ip6_process_hopopts(m, opthead, hbhlen, 
 			if (*plenp != 0) {
 				ip6stat.ip6s_badoptions++;
 				icmp6_error(m, ICMP6_PARAM_PROB,
-					    ICMP6_PARAMPROB_HEADER,
-					    sizeof(struct ip6_hdr) +
-					    sizeof(struct ip6_hbh) +
-					    opt + 2 - opthead);
-				return(-1);
+				    ICMP6_PARAMPROB_HEADER,
+				    erroff + opt + 2 - opthead);
+				return (-1);
 			}
 #endif
 
@@ -919,11 +915,9 @@ ip6_process_hopopts(m, opthead, hbhlen, 
 			if (jumboplen <= IPV6_MAXPACKET) {
 				ip6stat.ip6s_badoptions++;
 				icmp6_error(m, ICMP6_PARAM_PROB,
-					    ICMP6_PARAMPROB_HEADER,
-					    sizeof(struct ip6_hdr) +
-					    sizeof(struct ip6_hbh) +
-					    opt + 2 - opthead);
-				return(-1);
+				    ICMP6_PARAMPROB_HEADER,
+				    erroff + opt + 2 - opthead);
+				return (-1);
 			}
 			*plenp = jumboplen;
 
@@ -933,21 +927,20 @@ ip6_process_hopopts(m, opthead, hbhlen, 
 				ip6stat.ip6s_toosmall++;
 				goto bad;
 			}
-			if ((optlen = ip6_unknown_opt(opt, m,
-						      sizeof(struct ip6_hdr) +
-						      sizeof(struct ip6_hbh) +
-						      opt - opthead)) == -1)
-				return(-1);
+			optlen = ip6_unknown_opt(opt, m,
+			    erroff + opt - opthead);
+			if (optlen == -1)
+				return (-1);
 			optlen += 2;
 			break;
 		}
 	}
 
-	return(0);
+	return (0);
 
   bad:
 	m_freem(m);
-	return(-1);
+	return (-1);
 }
 
 /*
@@ -1323,6 +1316,8 @@ ip6_nexthdr(m, off, proto, nxtp)
 		if (nxtp)
 			*nxtp = ip6e.ip6e_nxt;
 		off += (ip6e.ip6e_len + 2) << 2;
+		if (m->m_pkthdr.len < off)
+			return -1;
 		return off;
 
 	case IPPROTO_HOPOPTS:
@@ -1334,6 +1329,8 @@ ip6_nexthdr(m, off, proto, nxtp)
 		if (nxtp)
 			*nxtp = ip6e.ip6e_nxt;
 		off += (ip6e.ip6e_len + 1) << 3;
+		if (m->m_pkthdr.len < off)
+			return -1;
 		return off;
 
 	case IPPROTO_NONE:
@@ -1393,9 +1390,6 @@ u_char	inet6ctlerrmap[PRC_NCMDS] = {
 	ENOPROTOOPT
 };
 
-#include <uvm/uvm_extern.h>
-#include <sys/sysctl.h>
-
 int
 ip6_sysctl(name, namelen, oldp, oldlenp, newp, newlen)
 	int *name;
@@ -1443,9 +1437,11 @@ ip6_sysctl(name, namelen, oldp, oldlenp,
 	case IPV6CTL_DEFMCASTHLIM:
 		return sysctl_int(oldp, oldlenp, newp, newlen,
 				&ip6_defmcasthlim);
+#if NGIF > 0
 	case IPV6CTL_GIF_HLIM:
 		return sysctl_int(oldp, oldlenp, newp, newlen,
 				&ip6_gif_hlim);
+#endif
 	case IPV6CTL_KAME_VERSION:
 		return sysctl_rdstring(oldp, oldlenp, newp, __KAME_VERSION);
 	case IPV6CTL_USE_DEPRECATED:
@@ -1453,10 +1449,11 @@ ip6_sysctl(name, namelen, oldp, oldlenp,
 				&ip6_use_deprecated);
 	case IPV6CTL_RR_PRUNE:
 		return sysctl_int(oldp, oldlenp, newp, newlen, &ip6_rr_prune);
-#ifndef INET6_BINDV6ONLY
-	case IPV6CTL_BINDV6ONLY:
-		return sysctl_int(oldp, oldlenp, newp, newlen,
-				&ip6_bindv6only);
+	case IPV6CTL_V6ONLY:
+#ifdef INET6_BINDV6ONLY
+		return sysctl_rdint(oldp, oldlenp, newp, ip6_v6only);
+#else
+		return sysctl_int(oldp, oldlenp, newp, newlen, &ip6_v6only);
 #endif
 	case IPV6CTL_ANONPORTMIN:
 		old = ip6_anonportmin;
@@ -1510,6 +1507,8 @@ ip6_sysctl(name, namelen, oldp, oldlenp,
 		}
 		return (error);
 #endif
+	case IPV6CTL_MAXFRAGS:
+		return sysctl_int(oldp, oldlenp, newp, newlen, &ip6_maxfrags);
 	default:
 		return EOPNOTSUPP;
 	}