[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/netinet6/ip6_input.c

Version: -  FREEBSD  -  FREEBSD10  -  FREEBSD9  -  FREEBSD92  -  FREEBSD91  -  FREEBSD90  -  FREEBSD8  -  FREEBSD82  -  FREEBSD81  -  FREEBSD80  -  FREEBSD7  -  FREEBSD74  -  FREEBSD73  -  FREEBSD72  -  FREEBSD71  -  FREEBSD70  -  FREEBSD6  -  FREEBSD64  -  FREEBSD63  -  FREEBSD62  -  FREEBSD61  -  FREEBSD60  -  FREEBSD5  -  FREEBSD55  -  FREEBSD54  -  FREEBSD53  -  FREEBSD52  -  FREEBSD51  -  FREEBSD50  -  FREEBSD4  -  FREEBSD3  -  FREEBSD22  -  cheribsd  -  linux-2.6  -  linux-2.4.22  -  MK83  -  MK84  -  PLAN9  -  DFBSD  -  NETBSD  -  NETBSD5  -  NETBSD4  -  NETBSD3  -  NETBSD20  -  OPENBSD  -  xnu-517  -  xnu-792  -  xnu-792.6.70  -  xnu-1228  -  xnu-1456.1.26  -  xnu-1699.24.8  -  xnu-2050.18.24  -  OPENSOLARIS  -  minix-3-1-1  -  FREEBSD-LIBC  -  FREEBSD8-LIBC  -  FREEBSD7-LIBC  -  FREEBSD6-LIBC  -  GLIBC27 
SearchContext: -  none  -  3  -  10 

    1 /*-
    2  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
    3  * All rights reserved.
    4  *
    5  * Redistribution and use in source and binary forms, with or without
    6  * modification, are permitted provided that the following conditions
    7  * are met:
    8  * 1. Redistributions of source code must retain the above copyright
    9  *    notice, this list of conditions and the following disclaimer.
   10  * 2. Redistributions in binary form must reproduce the above copyright
   11  *    notice, this list of conditions and the following disclaimer in the
   12  *    documentation and/or other materials provided with the distribution.
   13  * 3. Neither the name of the project nor the names of its contributors
   14  *    may be used to endorse or promote products derived from this software
   15  *    without specific prior written permission.
   16  *
   17  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
   18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   20  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
   21  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   25  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   26  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   27  * SUCH DAMAGE.
   28  *
   29  *      $KAME: ip6_input.c,v 1.259 2002/01/21 04:58:09 jinmei Exp $
   30  */
   31 
   32 /*-
   33  * Copyright (c) 1982, 1986, 1988, 1993
   34  *      The Regents of the University of California.  All rights reserved.
   35  *
   36  * Redistribution and use in source and binary forms, with or without
   37  * modification, are permitted provided that the following conditions
   38  * are met:
   39  * 1. Redistributions of source code must retain the above copyright
   40  *    notice, this list of conditions and the following disclaimer.
   41  * 2. Redistributions in binary form must reproduce the above copyright
   42  *    notice, this list of conditions and the following disclaimer in the
   43  *    documentation and/or other materials provided with the distribution.
   44  * 4. Neither the name of the University nor the names of its contributors
   45  *    may be used to endorse or promote products derived from this software
   46  *    without specific prior written permission.
   47  *
   48  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
   49  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   50  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   51  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
   52  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   53  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   54  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   55  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   56  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   57  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   58  * SUCH DAMAGE.
   59  *
   60  *      @(#)ip_input.c  8.2 (Berkeley) 1/4/94
   61  */
   62 
   63 #include <sys/cdefs.h>
   64 __FBSDID("$FreeBSD: head/sys/netinet6/ip6_input.c 261835 2014-02-13 14:10:44Z ae $");
   65 
   66 #include "opt_inet.h"
   67 #include "opt_inet6.h"
   68 #include "opt_ipfw.h"
   69 #include "opt_ipsec.h"
   70 #include "opt_route.h"
   71 
   72 #include <sys/param.h>
   73 #include <sys/systm.h>
   74 #include <sys/malloc.h>
   75 #include <sys/mbuf.h>
   76 #include <sys/proc.h>
   77 #include <sys/domain.h>
   78 #include <sys/protosw.h>
   79 #include <sys/sdt.h>
   80 #include <sys/socket.h>
   81 #include <sys/socketvar.h>
   82 #include <sys/errno.h>
   83 #include <sys/time.h>
   84 #include <sys/kernel.h>
   85 #include <sys/syslog.h>
   86 
   87 #include <net/if.h>
   88 #include <net/if_var.h>
   89 #include <net/if_types.h>
   90 #include <net/if_dl.h>
   91 #include <net/route.h>
   92 #include <net/netisr.h>
   93 #include <net/pfil.h>
   94 #include <net/vnet.h>
   95 
   96 #include <netinet/in.h>
   97 #include <netinet/in_kdtrace.h>
   98 #include <netinet/ip_var.h>
   99 #include <netinet/in_systm.h>
  100 #include <net/if_llatbl.h>
  101 #ifdef INET
  102 #include <netinet/ip.h>
  103 #include <netinet/ip_icmp.h>
  104 #endif /* INET */
  105 #include <netinet/ip6.h>
  106 #include <netinet6/in6_var.h>
  107 #include <netinet6/ip6_var.h>
  108 #include <netinet/in_pcb.h>
  109 #include <netinet/icmp6.h>
  110 #include <netinet6/scope6_var.h>
  111 #include <netinet6/in6_ifattach.h>
  112 #include <netinet6/nd6.h>
  113 
  114 #ifdef IPSEC
  115 #include <netipsec/ipsec.h>
  116 #include <netinet6/ip6_ipsec.h>
  117 #include <netipsec/ipsec6.h>
  118 #endif /* IPSEC */
  119 
  120 #include <netinet6/ip6protosw.h>
  121 
  122 extern struct domain inet6domain;
  123 
  124 u_char ip6_protox[IPPROTO_MAX];
  125 VNET_DEFINE(struct in6_ifaddrhead, in6_ifaddrhead);
  126 VNET_DEFINE(struct in6_ifaddrlisthead *, in6_ifaddrhashtbl);
  127 VNET_DEFINE(u_long, in6_ifaddrhmask);
  128 
  129 static struct netisr_handler ip6_nh = {
  130         .nh_name = "ip6",
  131         .nh_handler = ip6_input,
  132         .nh_proto = NETISR_IPV6,
  133         .nh_policy = NETISR_POLICY_FLOW,
  134 };
  135 
  136 VNET_DECLARE(struct callout, in6_tmpaddrtimer_ch);
  137 #define V_in6_tmpaddrtimer_ch           VNET(in6_tmpaddrtimer_ch)
  138 
  139 VNET_DEFINE(struct pfil_head, inet6_pfil_hook);
  140 
  141 VNET_PCPUSTAT_DEFINE(struct ip6stat, ip6stat);
  142 VNET_PCPUSTAT_SYSINIT(ip6stat);
  143 #ifdef VIMAGE
  144 VNET_PCPUSTAT_SYSUNINIT(ip6stat);
  145 #endif /* VIMAGE */
  146 
  147 struct rwlock in6_ifaddr_lock;
  148 RW_SYSINIT(in6_ifaddr_lock, &in6_ifaddr_lock, "in6_ifaddr_lock");
  149 
  150 static void ip6_init2(void *);
  151 static struct ip6aux *ip6_setdstifaddr(struct mbuf *, struct in6_ifaddr *);
  152 static struct ip6aux *ip6_addaux(struct mbuf *);
  153 static struct ip6aux *ip6_findaux(struct mbuf *m);
  154 static void ip6_delaux (struct mbuf *);
  155 static int ip6_hopopts_input(u_int32_t *, u_int32_t *, struct mbuf **, int *);
  156 #ifdef PULLDOWN_TEST
  157 static struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int);
  158 #endif
  159 
  160 /*
  161  * IP6 initialization: fill in IP6 protocol switch table.
  162  * All protocols not implemented in kernel go to raw IP6 protocol handler.
  163  */
  164 void
  165 ip6_init(void)
  166 {
  167         struct ip6protosw *pr;
  168         int i;
  169 
  170         TUNABLE_INT_FETCH("net.inet6.ip6.auto_linklocal",
  171             &V_ip6_auto_linklocal);
  172         TUNABLE_INT_FETCH("net.inet6.ip6.accept_rtadv", &V_ip6_accept_rtadv);
  173         TUNABLE_INT_FETCH("net.inet6.ip6.no_radr", &V_ip6_no_radr);
  174 
  175         TAILQ_INIT(&V_in6_ifaddrhead);
  176         V_in6_ifaddrhashtbl = hashinit(IN6ADDR_NHASH, M_IFADDR,
  177             &V_in6_ifaddrhmask);
  178 
  179         /* Initialize packet filter hooks. */
  180         V_inet6_pfil_hook.ph_type = PFIL_TYPE_AF;
  181         V_inet6_pfil_hook.ph_af = AF_INET6;
  182         if ((i = pfil_head_register(&V_inet6_pfil_hook)) != 0)
  183                 printf("%s: WARNING: unable to register pfil hook, "
  184                         "error %d\n", __func__, i);
  185 
  186         scope6_init();
  187         addrsel_policy_init();
  188         nd6_init();
  189         frag6_init();
  190 
  191         V_ip6_desync_factor = arc4random() % MAX_TEMP_DESYNC_FACTOR;
  192 
  193         /* Skip global initialization stuff for non-default instances. */
  194         if (!IS_DEFAULT_VNET(curvnet))
  195                 return;
  196 
  197 #ifdef DIAGNOSTIC
  198         if (sizeof(struct protosw) != sizeof(struct ip6protosw))
  199                 panic("sizeof(protosw) != sizeof(ip6protosw)");
  200 #endif
  201         pr = (struct ip6protosw *)pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW);
  202         if (pr == NULL)
  203                 panic("ip6_init");
  204 
  205         /* Initialize the entire ip6_protox[] array to IPPROTO_RAW. */
  206         for (i = 0; i < IPPROTO_MAX; i++)
  207                 ip6_protox[i] = pr - inet6sw;
  208         /*
  209          * Cycle through IP protocols and put them into the appropriate place
  210          * in ip6_protox[].
  211          */
  212         for (pr = (struct ip6protosw *)inet6domain.dom_protosw;
  213             pr < (struct ip6protosw *)inet6domain.dom_protoswNPROTOSW; pr++)
  214                 if (pr->pr_domain->dom_family == PF_INET6 &&
  215                     pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW) {
  216                         /* Be careful to only index valid IP protocols. */
  217                         if (pr->pr_protocol < IPPROTO_MAX)
  218                                 ip6_protox[pr->pr_protocol] = pr - inet6sw;
  219                 }
  220 
  221         netisr_register(&ip6_nh);
  222 }
  223 
  224 /*
  225  * The protocol to be inserted into ip6_protox[] must be already registered
  226  * in inet6sw[], either statically or through pf_proto_register().
  227  */
  228 int
  229 ip6proto_register(short ip6proto)
  230 {
  231         struct ip6protosw *pr;
  232 
  233         /* Sanity checks. */
  234         if (ip6proto <= 0 || ip6proto >= IPPROTO_MAX)
  235                 return (EPROTONOSUPPORT);
  236 
  237         /*
  238          * The protocol slot must not be occupied by another protocol
  239          * already.  An index pointing to IPPROTO_RAW is unused.
  240          */
  241         pr = (struct ip6protosw *)pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW);
  242         if (pr == NULL)
  243                 return (EPFNOSUPPORT);
  244         if (ip6_protox[ip6proto] != pr - inet6sw)       /* IPPROTO_RAW */
  245                 return (EEXIST);
  246 
  247         /*
  248          * Find the protocol position in inet6sw[] and set the index.
  249          */
  250         for (pr = (struct ip6protosw *)inet6domain.dom_protosw;
  251             pr < (struct ip6protosw *)inet6domain.dom_protoswNPROTOSW; pr++) {
  252                 if (pr->pr_domain->dom_family == PF_INET6 &&
  253                     pr->pr_protocol && pr->pr_protocol == ip6proto) {
  254                         ip6_protox[pr->pr_protocol] = pr - inet6sw;
  255                         return (0);
  256                 }
  257         }
  258         return (EPROTONOSUPPORT);
  259 }
  260 
  261 int
  262 ip6proto_unregister(short ip6proto)
  263 {
  264         struct ip6protosw *pr;
  265 
  266         /* Sanity checks. */
  267         if (ip6proto <= 0 || ip6proto >= IPPROTO_MAX)
  268                 return (EPROTONOSUPPORT);
  269 
  270         /* Check if the protocol was indeed registered. */
  271         pr = (struct ip6protosw *)pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW);
  272         if (pr == NULL)
  273                 return (EPFNOSUPPORT);
  274         if (ip6_protox[ip6proto] == pr - inet6sw)       /* IPPROTO_RAW */
  275                 return (ENOENT);
  276 
  277         /* Reset the protocol slot to IPPROTO_RAW. */
  278         ip6_protox[ip6proto] = pr - inet6sw;
  279         return (0);
  280 }
  281 
  282 #ifdef VIMAGE
  283 void
  284 ip6_destroy()
  285 {
  286         int i;
  287 
  288         if ((i = pfil_head_unregister(&V_inet6_pfil_hook)) != 0)
  289                 printf("%s: WARNING: unable to unregister pfil hook, "
  290                     "error %d\n", __func__, i);
  291         hashdestroy(V_in6_ifaddrhashtbl, M_IFADDR, V_in6_ifaddrhmask);
  292         nd6_destroy();
  293         callout_drain(&V_in6_tmpaddrtimer_ch);
  294 }
  295 #endif
  296 
  297 static int
  298 ip6_init2_vnet(const void *unused __unused)
  299 {
  300 
  301         /* nd6_timer_init */
  302         callout_init(&V_nd6_timer_ch, 0);
  303         callout_reset(&V_nd6_timer_ch, hz, nd6_timer, curvnet);
  304 
  305         /* timer for regeneranation of temporary addresses randomize ID */
  306         callout_init(&V_in6_tmpaddrtimer_ch, 0);
  307         callout_reset(&V_in6_tmpaddrtimer_ch,
  308                       (V_ip6_temp_preferred_lifetime - V_ip6_desync_factor -
  309                        V_ip6_temp_regen_advance) * hz,
  310                       in6_tmpaddrtimer, curvnet);
  311 
  312         return (0);
  313 }
  314 
  315 static void
  316 ip6_init2(void *dummy)
  317 {
  318 
  319         ip6_init2_vnet(NULL);
  320 }
  321 
  322 /* cheat */
  323 /* This must be after route_init(), which is now SI_ORDER_THIRD */
  324 SYSINIT(netinet6init2, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ip6_init2, NULL);
  325 
  326 static int
  327 ip6_input_hbh(struct mbuf *m, uint32_t *plen, uint32_t *rtalert, int *off,
  328     int *nxt, int *ours)
  329 {
  330         struct ip6_hdr *ip6;
  331         struct ip6_hbh *hbh;
  332 
  333         if (ip6_hopopts_input(plen, rtalert, &m, off)) {
  334 #if 0   /*touches NULL pointer*/
  335                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
  336 #endif
  337                 goto out;       /* m have already been freed */
  338         }
  339 
  340         /* adjust pointer */
  341         ip6 = mtod(m, struct ip6_hdr *);
  342 
  343         /*
  344          * if the payload length field is 0 and the next header field
  345          * indicates Hop-by-Hop Options header, then a Jumbo Payload
  346          * option MUST be included.
  347          */
  348         if (ip6->ip6_plen == 0 && *plen == 0) {
  349                 /*
  350                  * Note that if a valid jumbo payload option is
  351                  * contained, ip6_hopopts_input() must set a valid
  352                  * (non-zero) payload length to the variable plen.
  353                  */
  354                 IP6STAT_INC(ip6s_badoptions);
  355                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
  356                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
  357                 icmp6_error(m, ICMP6_PARAM_PROB,
  358                             ICMP6_PARAMPROB_HEADER,
  359                             (caddr_t)&ip6->ip6_plen - (caddr_t)ip6);
  360                 goto out;
  361         }
  362 #ifndef PULLDOWN_TEST
  363         /* ip6_hopopts_input() ensures that mbuf is contiguous */
  364         hbh = (struct ip6_hbh *)(ip6 + 1);
  365 #else
  366         IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr),
  367                 sizeof(struct ip6_hbh));
  368         if (hbh == NULL) {
  369                 IP6STAT_INC(ip6s_tooshort);
  370                 goto out;
  371         }
  372 #endif
  373         *nxt = hbh->ip6h_nxt;
  374 
  375         /*
  376          * If we are acting as a router and the packet contains a
  377          * router alert option, see if we know the option value.
  378          * Currently, we only support the option value for MLD, in which
  379          * case we should pass the packet to the multicast routing
  380          * daemon.
  381          */
  382         if (*rtalert != ~0) {
  383                 switch (*rtalert) {
  384                 case IP6OPT_RTALERT_MLD:
  385                         if (V_ip6_forwarding)
  386                                 *ours = 1;
  387                         break;
  388                 default:
  389                         /*
  390                          * RFC2711 requires unrecognized values must be
  391                          * silently ignored.
  392                          */
  393                         break;
  394                 }
  395         }
  396 
  397         return (0);
  398 
  399 out:
  400         return (1);
  401 }
  402 
  403 void
  404 ip6_input(struct mbuf *m)
  405 {
  406         struct ip6_hdr *ip6;
  407         int off = sizeof(struct ip6_hdr), nest;
  408         u_int32_t plen;
  409         u_int32_t rtalert = ~0;
  410         int nxt, ours = 0;
  411         struct ifnet *deliverifp = NULL, *ifp = NULL;
  412         struct in6_addr odst;
  413         struct route_in6 rin6;
  414         int srcrt = 0;
  415         struct llentry *lle = NULL;
  416         struct sockaddr_in6 dst6, *dst;
  417 
  418         bzero(&rin6, sizeof(struct route_in6));
  419 #ifdef IPSEC
  420         /*
  421          * should the inner packet be considered authentic?
  422          * see comment in ah4_input().
  423          * NB: m cannot be NULL when passed to the input routine
  424          */
  425 
  426         m->m_flags &= ~M_AUTHIPHDR;
  427         m->m_flags &= ~M_AUTHIPDGM;
  428 
  429 #endif /* IPSEC */
  430 
  431         /*
  432          * make sure we don't have onion peering information into m_tag.
  433          */
  434         ip6_delaux(m);
  435 
  436         if (m->m_flags & M_FASTFWD_OURS) {
  437                 /*
  438                  * Firewall changed destination to local.
  439                  */
  440                 m->m_flags &= ~M_FASTFWD_OURS;
  441                 ours = 1;
  442                 deliverifp = m->m_pkthdr.rcvif;
  443                 ip6 = mtod(m, struct ip6_hdr *);
  444                 goto hbhcheck;
  445         }
  446 
  447         /*
  448          * mbuf statistics
  449          */
  450         if (m->m_flags & M_EXT) {
  451                 if (m->m_next)
  452                         IP6STAT_INC(ip6s_mext2m);
  453                 else
  454                         IP6STAT_INC(ip6s_mext1);
  455         } else {
  456                 if (m->m_next) {
  457                         if (m->m_flags & M_LOOP) {
  458                                 IP6STAT_INC(ip6s_m2m[V_loif->if_index]);
  459                         } else if (m->m_pkthdr.rcvif->if_index < IP6S_M2MMAX)
  460                                 IP6STAT_INC(
  461                                     ip6s_m2m[m->m_pkthdr.rcvif->if_index]);
  462                         else
  463                                 IP6STAT_INC(ip6s_m2m[0]);
  464                 } else
  465                         IP6STAT_INC(ip6s_m1);
  466         }
  467 
  468         /* drop the packet if IPv6 operation is disabled on the IF */
  469         if ((ND_IFINFO(m->m_pkthdr.rcvif)->flags & ND6_IFF_IFDISABLED)) {
  470                 m_freem(m);
  471                 return;
  472         }
  473 
  474         in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_receive);
  475         IP6STAT_INC(ip6s_total);
  476 
  477 #ifndef PULLDOWN_TEST
  478         /*
  479          * L2 bridge code and some other code can return mbuf chain
  480          * that does not conform to KAME requirement.  too bad.
  481          * XXX: fails to join if interface MTU > MCLBYTES.  jumbogram?
  482          */
  483         if (m && m->m_next != NULL && m->m_pkthdr.len < MCLBYTES) {
  484                 struct mbuf *n;
  485 
  486                 if (m->m_pkthdr.len > MHLEN)
  487                         n = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
  488                 else
  489                         n = m_gethdr(M_NOWAIT, MT_DATA);
  490                 if (n == NULL) {
  491                         m_freem(m);
  492                         return; /* ENOBUFS */
  493                 }
  494 
  495                 m_move_pkthdr(n, m);
  496                 m_copydata(m, 0, n->m_pkthdr.len, mtod(n, caddr_t));
  497                 n->m_len = n->m_pkthdr.len;
  498                 m_freem(m);
  499                 m = n;
  500         }
  501         IP6_EXTHDR_CHECK(m, 0, sizeof(struct ip6_hdr), /* nothing */);
  502 #endif
  503 
  504         if (m->m_len < sizeof(struct ip6_hdr)) {
  505                 struct ifnet *inifp;
  506                 inifp = m->m_pkthdr.rcvif;
  507                 if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
  508                         IP6STAT_INC(ip6s_toosmall);
  509                         in6_ifstat_inc(inifp, ifs6_in_hdrerr);
  510                         return;
  511                 }
  512         }
  513 
  514         ip6 = mtod(m, struct ip6_hdr *);
  515 
  516         if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) {
  517                 IP6STAT_INC(ip6s_badvers);
  518                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
  519                 goto bad;
  520         }
  521 
  522         IP6STAT_INC(ip6s_nxthist[ip6->ip6_nxt]);
  523 
  524         IP_PROBE(receive, NULL, NULL, ip6, m->m_pkthdr.rcvif, NULL, ip6);
  525 
  526         /*
  527          * Check against address spoofing/corruption.
  528          */
  529         if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) ||
  530             IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) {
  531                 /*
  532                  * XXX: "badscope" is not very suitable for a multicast source.
  533                  */
  534                 IP6STAT_INC(ip6s_badscope);
  535                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
  536                 goto bad;
  537         }
  538         if (IN6_IS_ADDR_MC_INTFACELOCAL(&ip6->ip6_dst) &&
  539             !(m->m_flags & M_LOOP)) {
  540                 /*
  541                  * In this case, the packet should come from the loopback
  542                  * interface.  However, we cannot just check the if_flags,
  543                  * because ip6_mloopback() passes the "actual" interface
  544                  * as the outgoing/incoming interface.
  545                  */
  546                 IP6STAT_INC(ip6s_badscope);
  547                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
  548                 goto bad;
  549         }
  550         if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) &&
  551             IPV6_ADDR_MC_SCOPE(&ip6->ip6_dst) == 0) {
  552                 /*
  553                  * RFC4291 2.7:
  554                  * Nodes must not originate a packet to a multicast address
  555                  * whose scop field contains the reserved value 0; if such
  556                  * a packet is received, it must be silently dropped.
  557                  */
  558                 IP6STAT_INC(ip6s_badscope);
  559                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
  560                 goto bad;
  561         }
  562 #ifdef ALTQ
  563         if (altq_input != NULL && (*altq_input)(m, AF_INET6) == 0) {
  564                 /* packet is dropped by traffic conditioner */
  565                 return;
  566         }
  567 #endif
  568         /*
  569          * The following check is not documented in specs.  A malicious
  570          * party may be able to use IPv4 mapped addr to confuse tcp/udp stack
  571          * and bypass security checks (act as if it was from 127.0.0.1 by using
  572          * IPv6 src ::ffff:127.0.0.1).  Be cautious.
  573          *
  574          * This check chokes if we are in an SIIT cloud.  As none of BSDs
  575          * support IPv4-less kernel compilation, we cannot support SIIT
  576          * environment at all.  So, it makes more sense for us to reject any
  577          * malicious packets for non-SIIT environment, than try to do a
  578          * partial support for SIIT environment.
  579          */
  580         if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
  581             IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
  582                 IP6STAT_INC(ip6s_badscope);
  583                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
  584                 goto bad;
  585         }
  586 #if 0
  587         /*
  588          * Reject packets with IPv4 compatible addresses (auto tunnel).
  589          *
  590          * The code forbids auto tunnel relay case in RFC1933 (the check is
  591          * stronger than RFC1933).  We may want to re-enable it if mech-xx
  592          * is revised to forbid relaying case.
  593          */
  594         if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) ||
  595             IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) {
  596                 IP6STAT_INC(ip6s_badscope);
  597                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
  598                 goto bad;
  599         }
  600 #endif
  601 #ifdef IPSEC
  602         /*
  603          * Bypass packet filtering for packets previously handled by IPsec.
  604          */
  605         if (ip6_ipsec_filtertunnel(m))
  606                 goto passin;
  607 #endif /* IPSEC */
  608 
  609         /*
  610          * Run through list of hooks for input packets.
  611          *
  612          * NB: Beware of the destination address changing
  613          *     (e.g. by NAT rewriting).  When this happens,
  614          *     tell ip6_forward to do the right thing.
  615          */
  616         odst = ip6->ip6_dst;
  617 
  618         /* Jump over all PFIL processing if hooks are not active. */
  619         if (!PFIL_HOOKED(&V_inet6_pfil_hook))
  620                 goto passin;
  621 
  622         if (pfil_run_hooks(&V_inet6_pfil_hook, &m,
  623             m->m_pkthdr.rcvif, PFIL_IN, NULL))
  624                 return;
  625         if (m == NULL)                  /* consumed by filter */
  626                 return;
  627         ip6 = mtod(m, struct ip6_hdr *);
  628         srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst);
  629 
  630         if (m->m_flags & M_FASTFWD_OURS) {
  631                 m->m_flags &= ~M_FASTFWD_OURS;
  632                 ours = 1;
  633                 deliverifp = m->m_pkthdr.rcvif;
  634                 goto hbhcheck;
  635         }
  636         if ((m->m_flags & M_IP6_NEXTHOP) &&
  637             m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) {
  638                 /*
  639                  * Directly ship the packet on.  This allows forwarding
  640                  * packets originally destined to us to some other directly
  641                  * connected host.
  642                  */
  643                 ip6_forward(m, 1);
  644                 goto out;
  645         }
  646 
  647 passin:
  648         /*
  649          * Disambiguate address scope zones (if there is ambiguity).
  650          * We first make sure that the original source or destination address
  651          * is not in our internal form for scoped addresses.  Such addresses
  652          * are not necessarily invalid spec-wise, but we cannot accept them due
  653          * to the usage conflict.
  654          * in6_setscope() then also checks and rejects the cases where src or
  655          * dst are the loopback address and the receiving interface
  656          * is not loopback.
  657          */
  658         if (in6_clearscope(&ip6->ip6_src) || in6_clearscope(&ip6->ip6_dst)) {
  659                 IP6STAT_INC(ip6s_badscope); /* XXX */
  660                 goto bad;
  661         }
  662         if (in6_setscope(&ip6->ip6_src, m->m_pkthdr.rcvif, NULL) ||
  663             in6_setscope(&ip6->ip6_dst, m->m_pkthdr.rcvif, NULL)) {
  664                 IP6STAT_INC(ip6s_badscope);
  665                 goto bad;
  666         }
  667 
  668         /*
  669          * Multicast check. Assume packet is for us to avoid
  670          * prematurely taking locks.
  671          */
  672         if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
  673                 ours = 1;
  674                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_mcast);
  675                 deliverifp = m->m_pkthdr.rcvif;
  676                 goto hbhcheck;
  677         }
  678 
  679         /*
  680          *  Unicast check
  681          */
  682 
  683         bzero(&dst6, sizeof(dst6));
  684         dst6.sin6_family = AF_INET6;
  685         dst6.sin6_len = sizeof(struct sockaddr_in6);
  686         dst6.sin6_addr = ip6->ip6_dst;
  687         ifp = m->m_pkthdr.rcvif;
  688         IF_AFDATA_RLOCK(ifp);
  689         lle = lla_lookup(LLTABLE6(ifp), 0,
  690              (struct sockaddr *)&dst6);
  691         IF_AFDATA_RUNLOCK(ifp);
  692         if ((lle != NULL) && (lle->la_flags & LLE_IFADDR)) {
  693                 struct ifaddr *ifa;
  694                 struct in6_ifaddr *ia6;
  695                 int bad;
  696 
  697                 bad = 1;
  698 #define sa_equal(a1, a2)                                                \
  699         (bcmp((a1), (a2), ((a1))->sin6_len) == 0)
  700                 IF_ADDR_RLOCK(ifp);
  701                 TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
  702                         if (ifa->ifa_addr->sa_family != dst6.sin6_family)
  703                                 continue;
  704                         if (sa_equal(&dst6, ifa->ifa_addr))
  705                                 break;
  706                 }
  707                 KASSERT(ifa != NULL, ("%s: ifa not found for lle %p",
  708                     __func__, lle));
  709 #undef sa_equal
  710 
  711                 ia6 = (struct in6_ifaddr *)ifa;
  712                 if (!(ia6->ia6_flags & IN6_IFF_NOTREADY)) {
  713                         /* Count the packet in the ip address stats */
  714                         counter_u64_add(ia6->ia_ifa.ifa_ipackets, 1);
  715                         counter_u64_add(ia6->ia_ifa.ifa_ibytes,
  716                             m->m_pkthdr.len);
  717 
  718                         /*
  719                          * record address information into m_tag.
  720                          */
  721                         (void)ip6_setdstifaddr(m, ia6);
  722 
  723                         bad = 0;
  724                 } else {
  725                         char ip6bufs[INET6_ADDRSTRLEN];
  726                         char ip6bufd[INET6_ADDRSTRLEN];
  727                         /* address is not ready, so discard the packet. */
  728                         nd6log((LOG_INFO,
  729                             "ip6_input: packet to an unready address %s->%s\n",
  730                             ip6_sprintf(ip6bufs, &ip6->ip6_src),
  731                             ip6_sprintf(ip6bufd, &ip6->ip6_dst)));
  732                 }
  733                 IF_ADDR_RUNLOCK(ifp);
  734                 LLE_RUNLOCK(lle);
  735                 if (bad)
  736                         goto bad;
  737                 else {
  738                         ours = 1;
  739                         deliverifp = ifp;
  740                         goto hbhcheck;
  741                 }
  742         }
  743         if (lle != NULL)
  744                 LLE_RUNLOCK(lle);
  745 
  746         dst = &rin6.ro_dst;
  747         dst->sin6_len = sizeof(struct sockaddr_in6);
  748         dst->sin6_family = AF_INET6;
  749         dst->sin6_addr = ip6->ip6_dst;
  750         rin6.ro_rt = in6_rtalloc1((struct sockaddr *)dst, 0, 0, M_GETFIB(m));
  751         if (rin6.ro_rt)
  752                 RT_UNLOCK(rin6.ro_rt);
  753 
  754 #define rt6_key(r) ((struct sockaddr_in6 *)((r)->rt_nodes->rn_key))
  755 
  756         /*
  757          * Accept the packet if the forwarding interface to the destination
  758          * according to the routing table is the loopback interface,
  759          * unless the associated route has a gateway.
  760          * Note that this approach causes to accept a packet if there is a
  761          * route to the loopback interface for the destination of the packet.
  762          * But we think it's even useful in some situations, e.g. when using
  763          * a special daemon which wants to intercept the packet.
  764          *
  765          * XXX: some OSes automatically make a cloned route for the destination
  766          * of an outgoing packet.  If the outgoing interface of the packet
  767          * is a loopback one, the kernel would consider the packet to be
  768          * accepted, even if we have no such address assinged on the interface.
  769          * We check the cloned flag of the route entry to reject such cases,
  770          * assuming that route entries for our own addresses are not made by
  771          * cloning (it should be true because in6_addloop explicitly installs
  772          * the host route).  However, we might have to do an explicit check
  773          * while it would be less efficient.  Or, should we rather install a
  774          * reject route for such a case?
  775          */
  776         if (rin6.ro_rt &&
  777             (rin6.ro_rt->rt_flags &
  778              (RTF_HOST|RTF_GATEWAY)) == RTF_HOST &&
  779 #ifdef RTF_WASCLONED
  780             !(rin6.ro_rt->rt_flags & RTF_WASCLONED) &&
  781 #endif
  782 #ifdef RTF_CLONED
  783             !(rin6.ro_rt->rt_flags & RTF_CLONED) &&
  784 #endif
  785 #if 0
  786             /*
  787              * The check below is redundant since the comparison of
  788              * the destination and the key of the rtentry has
  789              * already done through looking up the routing table.
  790              */
  791             IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst,
  792             &rt6_key(rin6.ro_rt)->sin6_addr)
  793 #endif
  794             rin6.ro_rt->rt_ifp->if_type == IFT_LOOP) {
  795                 int free_ia6 = 0;
  796                 struct in6_ifaddr *ia6;
  797 
  798                 /*
  799                  * found the loopback route to the interface address
  800                  */
  801                 if (rin6.ro_rt->rt_gateway->sa_family == AF_LINK) {
  802                         struct sockaddr_in6 dest6;
  803 
  804                         bzero(&dest6, sizeof(dest6));
  805                         dest6.sin6_family = AF_INET6;
  806                         dest6.sin6_len = sizeof(dest6);
  807                         dest6.sin6_addr = ip6->ip6_dst;
  808                         ia6 = (struct in6_ifaddr *)
  809                             ifa_ifwithaddr((struct sockaddr *)&dest6);
  810                         if (ia6 == NULL)
  811                                 goto bad;
  812                         free_ia6 = 1;
  813                 }
  814                 else
  815                         ia6 = (struct in6_ifaddr *)rin6.ro_rt->rt_ifa;
  816 
  817                 /*
  818                  * record address information into m_tag.
  819                  */
  820                 (void)ip6_setdstifaddr(m, ia6);
  821 
  822                 /*
  823                  * packets to a tentative, duplicated, or somehow invalid
  824                  * address must not be accepted.
  825                  */
  826                 if (!(ia6->ia6_flags & IN6_IFF_NOTREADY)) {
  827                         /* this address is ready */
  828                         ours = 1;
  829                         deliverifp = ia6->ia_ifp;       /* correct? */
  830                         /* Count the packet in the ip address stats */
  831                         counter_u64_add(ia6->ia_ifa.ifa_ipackets, 1);
  832                         counter_u64_add(ia6->ia_ifa.ifa_ibytes,
  833                             m->m_pkthdr.len);
  834                         if (free_ia6)
  835                                 ifa_free(&ia6->ia_ifa);
  836                         goto hbhcheck;
  837                 } else {
  838                         char ip6bufs[INET6_ADDRSTRLEN];
  839                         char ip6bufd[INET6_ADDRSTRLEN];
  840                         /* address is not ready, so discard the packet. */
  841                         nd6log((LOG_INFO,
  842                             "ip6_input: packet to an unready address %s->%s\n",
  843                             ip6_sprintf(ip6bufs, &ip6->ip6_src),
  844                             ip6_sprintf(ip6bufd, &ip6->ip6_dst)));
  845 
  846                         if (free_ia6)
  847                                 ifa_free(&ia6->ia_ifa);
  848                         goto bad;
  849                 }
  850         }
  851 
  852         /*
  853          * FAITH (Firewall Aided Internet Translator)
  854          */
  855         if (V_ip6_keepfaith) {
  856                 if (rin6.ro_rt && rin6.ro_rt->rt_ifp &&
  857                     rin6.ro_rt->rt_ifp->if_type == IFT_FAITH) {
  858                         /* XXX do we need more sanity checks? */
  859                         ours = 1;
  860                         deliverifp = rin6.ro_rt->rt_ifp; /* faith */
  861                         goto hbhcheck;
  862                 }
  863         }
  864 
  865         /*
  866          * Now there is no reason to process the packet if it's not our own
  867          * and we're not a router.
  868          */
  869         if (!V_ip6_forwarding) {
  870                 IP6STAT_INC(ip6s_cantforward);
  871                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
  872                 goto bad;
  873         }
  874 
  875   hbhcheck:
  876         /*
  877          * record address information into m_tag, if we don't have one yet.
  878          * note that we are unable to record it, if the address is not listed
  879          * as our interface address (e.g. multicast addresses, addresses
  880          * within FAITH prefixes and such).
  881          */
  882         if (deliverifp) {
  883                 struct in6_ifaddr *ia6;
  884 
  885                 if ((ia6 = ip6_getdstifaddr(m)) != NULL) {
  886                         ifa_free(&ia6->ia_ifa);
  887                 } else {
  888                         ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst);
  889                         if (ia6) {
  890                                 if (!ip6_setdstifaddr(m, ia6)) {
  891                                         /*
  892                                          * XXX maybe we should drop the packet here,
  893                                          * as we could not provide enough information
  894                                          * to the upper layers.
  895                                          */
  896                                 }
  897                                 ifa_free(&ia6->ia_ifa);
  898                         }
  899                 }
  900         }
  901 
  902         /*
  903          * Process Hop-by-Hop options header if it's contained.
  904          * m may be modified in ip6_hopopts_input().
  905          * If a JumboPayload option is included, plen will also be modified.
  906          */
  907         plen = (u_int32_t)ntohs(ip6->ip6_plen);
  908         if (ip6->ip6_nxt == IPPROTO_HOPOPTS) {
  909                 int error;
  910 
  911                 error = ip6_input_hbh(m, &plen, &rtalert, &off, &nxt, &ours);
  912                 if (error != 0)
  913                         goto out;
  914         } else
  915                 nxt = ip6->ip6_nxt;
  916 
  917         /*
  918          * Check that the amount of data in the buffers
  919          * is as at least much as the IPv6 header would have us expect.
  920          * Trim mbufs if longer than we expect.
  921          * Drop packet if shorter than we expect.
  922          */
  923         if (m->m_pkthdr.len - sizeof(struct ip6_hdr) < plen) {
  924                 IP6STAT_INC(ip6s_tooshort);
  925                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
  926                 goto bad;
  927         }
  928         if (m->m_pkthdr.len > sizeof(struct ip6_hdr) + plen) {
  929                 if (m->m_len == m->m_pkthdr.len) {
  930                         m->m_len = sizeof(struct ip6_hdr) + plen;
  931                         m->m_pkthdr.len = sizeof(struct ip6_hdr) + plen;
  932                 } else
  933                         m_adj(m, sizeof(struct ip6_hdr) + plen - m->m_pkthdr.len);
  934         }
  935 
  936         /*
  937          * Forward if desirable.
  938          */
  939         if (V_ip6_mrouter &&
  940             IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
  941                 /*
  942                  * If we are acting as a multicast router, all
  943                  * incoming multicast packets are passed to the
  944                  * kernel-level multicast forwarding function.
  945                  * The packet is returned (relatively) intact; if
  946                  * ip6_mforward() returns a non-zero value, the packet
  947                  * must be discarded, else it may be accepted below.
  948                  *
  949                  * XXX TODO: Check hlim and multicast scope here to avoid
  950                  * unnecessarily calling into ip6_mforward().
  951                  */
  952                 if (ip6_mforward &&
  953                     ip6_mforward(ip6, m->m_pkthdr.rcvif, m)) {
  954                         IP6STAT_INC(ip6s_cantforward);
  955                         in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
  956                         goto bad;
  957                 }
  958         } else if (!ours) {
  959                 ip6_forward(m, srcrt);
  960                 goto out;
  961         }
  962 
  963         ip6 = mtod(m, struct ip6_hdr *);
  964 
  965         /*
  966          * Malicious party may be able to use IPv4 mapped addr to confuse
  967          * tcp/udp stack and bypass security checks (act as if it was from
  968          * 127.0.0.1 by using IPv6 src ::ffff:127.0.0.1).  Be cautious.
  969          *
  970          * For SIIT end node behavior, you may want to disable the check.
  971          * However, you will  become vulnerable to attacks using IPv4 mapped
  972          * source.
  973          */
  974         if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
  975             IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
  976                 IP6STAT_INC(ip6s_badscope);
  977                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
  978                 goto bad;
  979         }
  980 
  981         /*
  982          * Tell launch routine the next header
  983          */
  984         IP6STAT_INC(ip6s_delivered);
  985         in6_ifstat_inc(deliverifp, ifs6_in_deliver);
  986         nest = 0;
  987 
  988         while (nxt != IPPROTO_DONE) {
  989                 if (V_ip6_hdrnestlimit && (++nest > V_ip6_hdrnestlimit)) {
  990                         IP6STAT_INC(ip6s_toomanyhdr);
  991                         goto bad;
  992                 }
  993 
  994                 /*
  995                  * protection against faulty packet - there should be
  996                  * more sanity checks in header chain processing.
  997                  */
  998                 if (m->m_pkthdr.len < off) {
  999                         IP6STAT_INC(ip6s_tooshort);
 1000                         in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
 1001                         goto bad;
 1002                 }
 1003 
 1004 #ifdef IPSEC
 1005                 /*
 1006                  * enforce IPsec policy checking if we are seeing last header.
 1007                  * note that we do not visit this with protocols with pcb layer
 1008                  * code - like udp/tcp/raw ip.
 1009                  */
 1010                 if (ip6_ipsec_input(m, nxt))
 1011                         goto bad;
 1012 #endif /* IPSEC */
 1013 
 1014                 /*
 1015                  * Use mbuf flags to propagate Router Alert option to
 1016                  * ICMPv6 layer, as hop-by-hop options have been stripped.
 1017                  */
 1018                 if (nxt == IPPROTO_ICMPV6 && rtalert != ~0)
 1019                         m->m_flags |= M_RTALERT_MLD;
 1020 
 1021                 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);
 1022         }
 1023         goto out;
 1024 bad:
 1025         m_freem(m);
 1026 out:
 1027         if (rin6.ro_rt)
 1028                 RTFREE(rin6.ro_rt);
 1029 }
 1030 
 1031 /*
 1032  * set/grab in6_ifaddr correspond to IPv6 destination address.
 1033  * XXX backward compatibility wrapper
 1034  *
 1035  * XXXRW: We should bump the refcount on ia6 before sticking it in the m_tag,
 1036  * and then bump it when the tag is copied, and release it when the tag is
 1037  * freed.  Unfortunately, m_tags don't support deep copies (yet), so instead
 1038  * we just bump the ia refcount when we receive it.  This should be fixed.
 1039  */
 1040 static struct ip6aux *
 1041 ip6_setdstifaddr(struct mbuf *m, struct in6_ifaddr *ia6)
 1042 {
 1043         struct ip6aux *ip6a;
 1044 
 1045         ip6a = ip6_addaux(m);
 1046         if (ip6a)
 1047                 ip6a->ip6a_dstia6 = ia6;
 1048         return ip6a;    /* NULL if failed to set */
 1049 }
 1050 
 1051 struct in6_ifaddr *
 1052 ip6_getdstifaddr(struct mbuf *m)
 1053 {
 1054         struct ip6aux *ip6a;
 1055         struct in6_ifaddr *ia;
 1056 
 1057         ip6a = ip6_findaux(m);
 1058         if (ip6a) {
 1059                 ia = ip6a->ip6a_dstia6;
 1060                 ifa_ref(&ia->ia_ifa);
 1061                 return ia;
 1062         } else
 1063                 return NULL;
 1064 }
 1065 
 1066 /*
 1067  * Hop-by-Hop options header processing. If a valid jumbo payload option is
 1068  * included, the real payload length will be stored in plenp.
 1069  *
 1070  * rtalertp - XXX: should be stored more smart way
 1071  */
 1072 static int
 1073 ip6_hopopts_input(u_int32_t *plenp, u_int32_t *rtalertp,
 1074     struct mbuf **mp, int *offp)
 1075 {
 1076         struct mbuf *m = *mp;
 1077         int off = *offp, hbhlen;
 1078         struct ip6_hbh *hbh;
 1079         u_int8_t *opt;
 1080 
 1081         /* validation of the length of the header */
 1082 #ifndef PULLDOWN_TEST
 1083         IP6_EXTHDR_CHECK(m, off, sizeof(*hbh), -1);
 1084         hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off);
 1085         hbhlen = (hbh->ip6h_len + 1) << 3;
 1086 
 1087         IP6_EXTHDR_CHECK(m, off, hbhlen, -1);
 1088         hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off);
 1089 #else
 1090         IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m,
 1091                 sizeof(struct ip6_hdr), sizeof(struct ip6_hbh));
 1092         if (hbh == NULL) {
 1093                 IP6STAT_INC(ip6s_tooshort);
 1094                 return -1;
 1095         }
 1096         hbhlen = (hbh->ip6h_len + 1) << 3;
 1097         IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr),
 1098                 hbhlen);
 1099         if (hbh == NULL) {
 1100                 IP6STAT_INC(ip6s_tooshort);
 1101                 return -1;
 1102         }
 1103 #endif
 1104         off += hbhlen;
 1105         hbhlen -= sizeof(struct ip6_hbh);
 1106         opt = (u_int8_t *)hbh + sizeof(struct ip6_hbh);
 1107 
 1108         if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh),
 1109                                 hbhlen, rtalertp, plenp) < 0)
 1110                 return (-1);
 1111 
 1112         *offp = off;
 1113         *mp = m;
 1114         return (0);
 1115 }
 1116 
 1117 /*
 1118  * Search header for all Hop-by-hop options and process each option.
 1119  * This function is separate from ip6_hopopts_input() in order to
 1120  * handle a case where the sending node itself process its hop-by-hop
 1121  * options header. In such a case, the function is called from ip6_output().
 1122  *
 1123  * The function assumes that hbh header is located right after the IPv6 header
 1124  * (RFC2460 p7), opthead is pointer into data content in m, and opthead to
 1125  * opthead + hbhlen is located in contiguous memory region.
 1126  */
 1127 int
 1128 ip6_process_hopopts(struct mbuf *m, u_int8_t *opthead, int hbhlen,
 1129     u_int32_t *rtalertp, u_int32_t *plenp)
 1130 {
 1131         struct ip6_hdr *ip6;
 1132         int optlen = 0;
 1133         u_int8_t *opt = opthead;
 1134         u_int16_t rtalert_val;
 1135         u_int32_t jumboplen;
 1136         const int erroff = sizeof(struct ip6_hdr) + sizeof(struct ip6_hbh);
 1137 
 1138         for (; hbhlen > 0; hbhlen -= optlen, opt += optlen) {
 1139                 switch (*opt) {
 1140                 case IP6OPT_PAD1:
 1141                         optlen = 1;
 1142                         break;
 1143                 case IP6OPT_PADN:
 1144                         if (hbhlen < IP6OPT_MINLEN) {
 1145                                 IP6STAT_INC(ip6s_toosmall);
 1146                                 goto bad;
 1147                         }
 1148                         optlen = *(opt + 1) + 2;
 1149                         break;
 1150                 case IP6OPT_ROUTER_ALERT:
 1151                         /* XXX may need check for alignment */
 1152                         if (hbhlen < IP6OPT_RTALERT_LEN) {
 1153                                 IP6STAT_INC(ip6s_toosmall);
 1154                                 goto bad;
 1155                         }
 1156                         if (*(opt + 1) != IP6OPT_RTALERT_LEN - 2) {
 1157                                 /* XXX stat */
 1158                                 icmp6_error(m, ICMP6_PARAM_PROB,
 1159                                     ICMP6_PARAMPROB_HEADER,
 1160                                     erroff + opt + 1 - opthead);
 1161                                 return (-1);
 1162                         }
 1163                         optlen = IP6OPT_RTALERT_LEN;
 1164                         bcopy((caddr_t)(opt + 2), (caddr_t)&rtalert_val, 2);
 1165                         *rtalertp = ntohs(rtalert_val);
 1166                         break;
 1167                 case IP6OPT_JUMBO:
 1168                         /* XXX may need check for alignment */
 1169                         if (hbhlen < IP6OPT_JUMBO_LEN) {
 1170                                 IP6STAT_INC(ip6s_toosmall);
 1171                                 goto bad;
 1172                         }
 1173                         if (*(opt + 1) != IP6OPT_JUMBO_LEN - 2) {
 1174                                 /* XXX stat */
 1175                                 icmp6_error(m, ICMP6_PARAM_PROB,
 1176                                     ICMP6_PARAMPROB_HEADER,
 1177                                     erroff + opt + 1 - opthead);
 1178                                 return (-1);
 1179                         }
 1180                         optlen = IP6OPT_JUMBO_LEN;
 1181 
 1182                         /*
 1183                          * IPv6 packets that have non 0 payload length
 1184                          * must not contain a jumbo payload option.
 1185                          */
 1186                         ip6 = mtod(m, struct ip6_hdr *);
 1187                         if (ip6->ip6_plen) {
 1188                                 IP6STAT_INC(ip6s_badoptions);
 1189                                 icmp6_error(m, ICMP6_PARAM_PROB,
 1190                                     ICMP6_PARAMPROB_HEADER,
 1191                                     erroff + opt - opthead);
 1192                                 return (-1);
 1193                         }
 1194 
 1195                         /*
 1196                          * We may see jumbolen in unaligned location, so
 1197                          * we'd need to perform bcopy().
 1198                          */
 1199                         bcopy(opt + 2, &jumboplen, sizeof(jumboplen));
 1200                         jumboplen = (u_int32_t)htonl(jumboplen);
 1201 
 1202 #if 1
 1203                         /*
 1204                          * if there are multiple jumbo payload options,
 1205                          * *plenp will be non-zero and the packet will be
 1206                          * rejected.
 1207                          * the behavior may need some debate in ipngwg -
 1208                          * multiple options does not make sense, however,
 1209                          * there's no explicit mention in specification.
 1210                          */
 1211                         if (*plenp != 0) {
 1212                                 IP6STAT_INC(ip6s_badoptions);
 1213                                 icmp6_error(m, ICMP6_PARAM_PROB,
 1214                                     ICMP6_PARAMPROB_HEADER,
 1215                                     erroff + opt + 2 - opthead);
 1216                                 return (-1);
 1217                         }
 1218 #endif
 1219 
 1220                         /*
 1221                          * jumbo payload length must be larger than 65535.
 1222                          */
 1223                         if (jumboplen <= IPV6_MAXPACKET) {
 1224                                 IP6STAT_INC(ip6s_badoptions);
 1225                                 icmp6_error(m, ICMP6_PARAM_PROB,
 1226                                     ICMP6_PARAMPROB_HEADER,
 1227                                     erroff + opt + 2 - opthead);
 1228                                 return (-1);
 1229                         }
 1230                         *plenp = jumboplen;
 1231 
 1232                         break;
 1233                 default:                /* unknown option */
 1234                         if (hbhlen < IP6OPT_MINLEN) {
 1235                                 IP6STAT_INC(ip6s_toosmall);
 1236                                 goto bad;
 1237                         }
 1238                         optlen = ip6_unknown_opt(opt, m,
 1239                             erroff + opt - opthead);
 1240                         if (optlen == -1)
 1241                                 return (-1);
 1242                         optlen += 2;
 1243                         break;
 1244                 }
 1245         }
 1246 
 1247         return (0);
 1248 
 1249   bad:
 1250         m_freem(m);
 1251         return (-1);
 1252 }
 1253 
 1254 /*
 1255  * Unknown option processing.
 1256  * The third argument `off' is the offset from the IPv6 header to the option,
 1257  * which is necessary if the IPv6 header the and option header and IPv6 header
 1258  * is not contiguous in order to return an ICMPv6 error.
 1259  */
 1260 int
 1261 ip6_unknown_opt(u_int8_t *optp, struct mbuf *m, int off)
 1262 {
 1263         struct ip6_hdr *ip6;
 1264 
 1265         switch (IP6OPT_TYPE(*optp)) {
 1266         case IP6OPT_TYPE_SKIP: /* ignore the option */
 1267                 return ((int)*(optp + 1));
 1268         case IP6OPT_TYPE_DISCARD:       /* silently discard */
 1269                 m_freem(m);
 1270                 return (-1);
 1271         case IP6OPT_TYPE_FORCEICMP: /* send ICMP even if multicasted */
 1272                 IP6STAT_INC(ip6s_badoptions);
 1273                 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_OPTION, off);
 1274                 return (-1);
 1275         case IP6OPT_TYPE_ICMP: /* send ICMP if not multicasted */
 1276                 IP6STAT_INC(ip6s_badoptions);
 1277                 ip6 = mtod(m, struct ip6_hdr *);
 1278                 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
 1279                     (m->m_flags & (M_BCAST|M_MCAST)))
 1280                         m_freem(m);
 1281                 else
 1282                         icmp6_error(m, ICMP6_PARAM_PROB,
 1283                                     ICMP6_PARAMPROB_OPTION, off);
 1284                 return (-1);
 1285         }
 1286 
 1287         m_freem(m);             /* XXX: NOTREACHED */
 1288         return (-1);
 1289 }
 1290 
 1291 /*
 1292  * Create the "control" list for this pcb.
 1293  * These functions will not modify mbuf chain at all.
 1294  *
 1295  * With KAME mbuf chain restriction:
 1296  * The routine will be called from upper layer handlers like tcp6_input().
 1297  * Thus the routine assumes that the caller (tcp6_input) have already
 1298  * called IP6_EXTHDR_CHECK() and all the extension headers are located in the
 1299  * very first mbuf on the mbuf chain.
 1300  *
 1301  * ip6_savecontrol_v4 will handle those options that are possible to be
 1302  * set on a v4-mapped socket.
 1303  * ip6_savecontrol will directly call ip6_savecontrol_v4 to handle those
 1304  * options and handle the v6-only ones itself.
 1305  */
 1306 struct mbuf **
 1307 ip6_savecontrol_v4(struct inpcb *inp, struct mbuf *m, struct mbuf **mp,
 1308     int *v4only)
 1309 {
 1310         struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
 1311 
 1312 #ifdef SO_TIMESTAMP
 1313         if ((inp->inp_socket->so_options & SO_TIMESTAMP) != 0) {
 1314                 struct timeval tv;
 1315 
 1316                 microtime(&tv);
 1317                 *mp = sbcreatecontrol((caddr_t) &tv, sizeof(tv),
 1318                     SCM_TIMESTAMP, SOL_SOCKET);
 1319                 if (*mp)
 1320                         mp = &(*mp)->m_next;
 1321         }
 1322 #endif
 1323 
 1324 #define IS2292(inp, x, y)       (((inp)->inp_flags & IN6P_RFC2292) ? (x) : (y))
 1325         /* RFC 2292 sec. 5 */
 1326         if ((inp->inp_flags & IN6P_PKTINFO) != 0) {
 1327                 struct in6_pktinfo pi6;
 1328 
 1329                 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) {
 1330 #ifdef INET
 1331                         struct ip *ip;
 1332 
 1333                         ip = mtod(m, struct ip *);
 1334                         pi6.ipi6_addr.s6_addr32[0] = 0;
 1335                         pi6.ipi6_addr.s6_addr32[1] = 0;
 1336                         pi6.ipi6_addr.s6_addr32[2] = IPV6_ADDR_INT32_SMP;
 1337                         pi6.ipi6_addr.s6_addr32[3] = ip->ip_dst.s_addr;
 1338 #else
 1339                         /* We won't hit this code */
 1340                         bzero(&pi6.ipi6_addr, sizeof(struct in6_addr));
 1341 #endif
 1342                 } else {        
 1343                         bcopy(&ip6->ip6_dst, &pi6.ipi6_addr, sizeof(struct in6_addr));
 1344                         in6_clearscope(&pi6.ipi6_addr); /* XXX */
 1345                 }
 1346                 pi6.ipi6_ifindex =
 1347                     (m && m->m_pkthdr.rcvif) ? m->m_pkthdr.rcvif->if_index : 0;
 1348 
 1349                 *mp = sbcreatecontrol((caddr_t) &pi6,
 1350                     sizeof(struct in6_pktinfo),
 1351                     IS2292(inp, IPV6_2292PKTINFO, IPV6_PKTINFO), IPPROTO_IPV6);
 1352                 if (*mp)
 1353                         mp = &(*mp)->m_next;
 1354         }
 1355 
 1356         if ((inp->inp_flags & IN6P_HOPLIMIT) != 0) {
 1357                 int hlim;
 1358 
 1359                 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) {
 1360 #ifdef INET
 1361                         struct ip *ip;
 1362 
 1363                         ip = mtod(m, struct ip *);
 1364                         hlim = ip->ip_ttl;
 1365 #else
 1366                         /* We won't hit this code */
 1367                         hlim = 0;
 1368 #endif
 1369                 } else {
 1370                         hlim = ip6->ip6_hlim & 0xff;
 1371                 }
 1372                 *mp = sbcreatecontrol((caddr_t) &hlim, sizeof(int),
 1373                     IS2292(inp, IPV6_2292HOPLIMIT, IPV6_HOPLIMIT),
 1374                     IPPROTO_IPV6);
 1375                 if (*mp)
 1376                         mp = &(*mp)->m_next;
 1377         }
 1378 
 1379         if ((inp->inp_flags & IN6P_TCLASS) != 0) {
 1380                 int tclass;
 1381 
 1382                 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) {
 1383 #ifdef INET
 1384                         struct ip *ip;
 1385 
 1386                         ip = mtod(m, struct ip *);
 1387                         tclass = ip->ip_tos;
 1388 #else
 1389                         /* We won't hit this code */
 1390                         tclass = 0;
 1391 #endif
 1392                 } else {
 1393                         u_int32_t flowinfo;
 1394 
 1395                         flowinfo = (u_int32_t)ntohl(ip6->ip6_flow & IPV6_FLOWINFO_MASK);
 1396                         flowinfo >>= 20;
 1397                         tclass = flowinfo & 0xff;
 1398                 }
 1399                 *mp = sbcreatecontrol((caddr_t) &tclass, sizeof(int),
 1400                     IPV6_TCLASS, IPPROTO_IPV6);
 1401                 if (*mp)
 1402                         mp = &(*mp)->m_next;
 1403         }
 1404 
 1405         if (v4only != NULL) {
 1406                 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) {
 1407                         *v4only = 1;
 1408                 } else {
 1409                         *v4only = 0;
 1410                 }
 1411         }
 1412 
 1413         return (mp);
 1414 }
 1415 
 1416 void
 1417 ip6_savecontrol(struct inpcb *in6p, struct mbuf *m, struct mbuf **mp)
 1418 {
 1419         struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
 1420         int v4only = 0;
 1421 
 1422         mp = ip6_savecontrol_v4(in6p, m, mp, &v4only);
 1423         if (v4only)
 1424                 return;
 1425 
 1426         /*
 1427          * IPV6_HOPOPTS socket option.  Recall that we required super-user
 1428          * privilege for the option (see ip6_ctloutput), but it might be too
 1429          * strict, since there might be some hop-by-hop options which can be
 1430          * returned to normal user.
 1431          * See also RFC 2292 section 6 (or RFC 3542 section 8).
 1432          */
 1433         if ((in6p->inp_flags & IN6P_HOPOPTS) != 0) {
 1434                 /*
 1435                  * Check if a hop-by-hop options header is contatined in the
 1436                  * received packet, and if so, store the options as ancillary
 1437                  * data. Note that a hop-by-hop options header must be
 1438                  * just after the IPv6 header, which is assured through the
 1439                  * IPv6 input processing.
 1440                  */
 1441                 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) {
 1442                         struct ip6_hbh *hbh;
 1443                         int hbhlen = 0;
 1444 #ifdef PULLDOWN_TEST
 1445                         struct mbuf *ext;
 1446 #endif
 1447 
 1448 #ifndef PULLDOWN_TEST
 1449                         hbh = (struct ip6_hbh *)(ip6 + 1);
 1450                         hbhlen = (hbh->ip6h_len + 1) << 3;
 1451 #else
 1452                         ext = ip6_pullexthdr(m, sizeof(struct ip6_hdr),
 1453                             ip6->ip6_nxt);
 1454                         if (ext == NULL) {
 1455                                 IP6STAT_INC(ip6s_tooshort);
 1456                                 return;
 1457                         }
 1458                         hbh = mtod(ext, struct ip6_hbh *);
 1459                         hbhlen = (hbh->ip6h_len + 1) << 3;
 1460                         if (hbhlen != ext->m_len) {
 1461                                 m_freem(ext);
 1462                                 IP6STAT_INC(ip6s_tooshort);
 1463                                 return;
 1464                         }
 1465 #endif
 1466 
 1467                         /*
 1468                          * XXX: We copy the whole header even if a
 1469                          * jumbo payload option is included, the option which
 1470                          * is to be removed before returning according to
 1471                          * RFC2292.
 1472                          * Note: this constraint is removed in RFC3542
 1473                          */
 1474                         *mp = sbcreatecontrol((caddr_t)hbh, hbhlen,
 1475                             IS2292(in6p, IPV6_2292HOPOPTS, IPV6_HOPOPTS),
 1476                             IPPROTO_IPV6);
 1477                         if (*mp)
 1478                                 mp = &(*mp)->m_next;
 1479 #ifdef PULLDOWN_TEST
 1480                         m_freem(ext);
 1481 #endif
 1482                 }
 1483         }
 1484 
 1485         if ((in6p->inp_flags & (IN6P_RTHDR | IN6P_DSTOPTS)) != 0) {
 1486                 int nxt = ip6->ip6_nxt, off = sizeof(struct ip6_hdr);
 1487 
 1488                 /*
 1489                  * Search for destination options headers or routing
 1490                  * header(s) through the header chain, and stores each
 1491                  * header as ancillary data.
 1492                  * Note that the order of the headers remains in
 1493                  * the chain of ancillary data.
 1494                  */
 1495                 while (1) {     /* is explicit loop prevention necessary? */
 1496                         struct ip6_ext *ip6e = NULL;
 1497                         int elen;
 1498 #ifdef PULLDOWN_TEST
 1499                         struct mbuf *ext = NULL;
 1500 #endif
 1501 
 1502                         /*
 1503                          * if it is not an extension header, don't try to
 1504                          * pull it from the chain.
 1505                          */
 1506                         switch (nxt) {
 1507                         case IPPROTO_DSTOPTS:
 1508                         case IPPROTO_ROUTING:
 1509                         case IPPROTO_HOPOPTS:
 1510                         case IPPROTO_AH: /* is it possible? */
 1511                                 break;
 1512                         default:
 1513                                 goto loopend;
 1514                         }
 1515 
 1516 #ifndef PULLDOWN_TEST
 1517                         if (off + sizeof(*ip6e) > m->m_len)
 1518                                 goto loopend;
 1519                         ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + off);
 1520                         if (nxt == IPPROTO_AH)
 1521                                 elen = (ip6e->ip6e_len + 2) << 2;
 1522                         else
 1523                                 elen = (ip6e->ip6e_len + 1) << 3;
 1524                         if (off + elen > m->m_len)
 1525                                 goto loopend;
 1526 #else
 1527                         ext = ip6_pullexthdr(m, off, nxt);
 1528                         if (ext == NULL) {
 1529                                 IP6STAT_INC(ip6s_tooshort);
 1530                                 return;
 1531                         }
 1532                         ip6e = mtod(ext, struct ip6_ext *);
 1533                         if (nxt == IPPROTO_AH)
 1534                                 elen = (ip6e->ip6e_len + 2) << 2;
 1535                         else
 1536                                 elen = (ip6e->ip6e_len + 1) << 3;
 1537                         if (elen != ext->m_len) {
 1538                                 m_freem(ext);
 1539                                 IP6STAT_INC(ip6s_tooshort);
 1540                                 return;
 1541                         }
 1542 #endif
 1543 
 1544                         switch (nxt) {
 1545                         case IPPROTO_DSTOPTS:
 1546                                 if (!(in6p->inp_flags & IN6P_DSTOPTS))
 1547                                         break;
 1548 
 1549                                 *mp = sbcreatecontrol((caddr_t)ip6e, elen,
 1550                                     IS2292(in6p,
 1551                                         IPV6_2292DSTOPTS, IPV6_DSTOPTS),
 1552                                     IPPROTO_IPV6);
 1553                                 if (*mp)
 1554                                         mp = &(*mp)->m_next;
 1555                                 break;
 1556                         case IPPROTO_ROUTING:
 1557                                 if (!(in6p->inp_flags & IN6P_RTHDR))
 1558                                         break;
 1559 
 1560                                 *mp = sbcreatecontrol((caddr_t)ip6e, elen,
 1561                                     IS2292(in6p, IPV6_2292RTHDR, IPV6_RTHDR),
 1562                                     IPPROTO_IPV6);
 1563                                 if (*mp)
 1564                                         mp = &(*mp)->m_next;
 1565                                 break;
 1566                         case IPPROTO_HOPOPTS:
 1567                         case IPPROTO_AH: /* is it possible? */
 1568                                 break;
 1569 
 1570                         default:
 1571                                 /*
 1572                                  * other cases have been filtered in the above.
 1573                                  * none will visit this case.  here we supply
 1574                                  * the code just in case (nxt overwritten or
 1575                                  * other cases).
 1576                                  */
 1577 #ifdef PULLDOWN_TEST
 1578                                 m_freem(ext);
 1579 #endif
 1580                                 goto loopend;
 1581 
 1582                         }
 1583 
 1584                         /* proceed with the next header. */
 1585                         off += elen;
 1586                         nxt = ip6e->ip6e_nxt;
 1587                         ip6e = NULL;
 1588 #ifdef PULLDOWN_TEST
 1589                         m_freem(ext);
 1590                         ext = NULL;
 1591 #endif
 1592                 }
 1593           loopend:
 1594                 ;
 1595         }
 1596 }
 1597 #undef IS2292
 1598 
 1599 void
 1600 ip6_notify_pmtu(struct inpcb *in6p, struct sockaddr_in6 *dst, u_int32_t *mtu)
 1601 {
 1602         struct socket *so;
 1603         struct mbuf *m_mtu;
 1604         struct ip6_mtuinfo mtuctl;
 1605 
 1606         so =  in6p->inp_socket;
 1607 
 1608         if (mtu == NULL)
 1609                 return;
 1610 
 1611 #ifdef DIAGNOSTIC
 1612         if (so == NULL)         /* I believe this is impossible */
 1613                 panic("ip6_notify_pmtu: socket is NULL");
 1614 #endif
 1615 
 1616         bzero(&mtuctl, sizeof(mtuctl)); /* zero-clear for safety */
 1617         mtuctl.ip6m_mtu = *mtu;
 1618         mtuctl.ip6m_addr = *dst;
 1619         if (sa6_recoverscope(&mtuctl.ip6m_addr))
 1620                 return;
 1621 
 1622         if ((m_mtu = sbcreatecontrol((caddr_t)&mtuctl, sizeof(mtuctl),
 1623             IPV6_PATHMTU, IPPROTO_IPV6)) == NULL)
 1624                 return;
 1625 
 1626         if (sbappendaddr(&so->so_rcv, (struct sockaddr *)dst, NULL, m_mtu)
 1627             == 0) {
 1628                 m_freem(m_mtu);
 1629                 /* XXX: should count statistics */
 1630         } else
 1631                 sorwakeup(so);
 1632 
 1633         return;
 1634 }
 1635 
 1636 #ifdef PULLDOWN_TEST
 1637 /*
 1638  * pull single extension header from mbuf chain.  returns single mbuf that
 1639  * contains the result, or NULL on error.
 1640  */
 1641 static struct mbuf *
 1642 ip6_pullexthdr(struct mbuf *m, size_t off, int nxt)
 1643 {
 1644         struct ip6_ext ip6e;
 1645         size_t elen;
 1646         struct mbuf *n;
 1647 
 1648 #ifdef DIAGNOSTIC
 1649         switch (nxt) {
 1650         case IPPROTO_DSTOPTS:
 1651         case IPPROTO_ROUTING:
 1652         case IPPROTO_HOPOPTS:
 1653         case IPPROTO_AH: /* is it possible? */
 1654                 break;
 1655         default:
 1656                 printf("ip6_pullexthdr: invalid nxt=%d\n", nxt);
 1657         }
 1658 #endif
 1659 
 1660         m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
 1661         if (nxt == IPPROTO_AH)
 1662                 elen = (ip6e.ip6e_len + 2) << 2;
 1663         else
 1664                 elen = (ip6e.ip6e_len + 1) << 3;
 1665 
 1666         if (elen > MLEN)
 1667                 n = m_getcl(M_NOWAIT, MT_DATA, 0);
 1668         else
 1669                 n = m_get(M_NOWAIT, MT_DATA);
 1670         if (n == NULL)
 1671                 return NULL;
 1672 
 1673         m_copydata(m, off, elen, mtod(n, caddr_t));
 1674         n->m_len = elen;
 1675         return n;
 1676 }
 1677 #endif
 1678 
 1679 /*
 1680  * Get pointer to the previous header followed by the header
 1681  * currently processed.
 1682  * XXX: This function supposes that
 1683  *      M includes all headers,
 1684  *      the next header field and the header length field of each header
 1685  *      are valid, and
 1686  *      the sum of each header length equals to OFF.
 1687  * Because of these assumptions, this function must be called very
 1688  * carefully. Moreover, it will not be used in the near future when
 1689  * we develop `neater' mechanism to process extension headers.
 1690  */
 1691 char *
 1692 ip6_get_prevhdr(struct mbuf *m, int off)
 1693 {
 1694         struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
 1695 
 1696         if (off == sizeof(struct ip6_hdr))
 1697                 return (&ip6->ip6_nxt);
 1698         else {
 1699                 int len, nxt;
 1700                 struct ip6_ext *ip6e = NULL;
 1701 
 1702                 nxt = ip6->ip6_nxt;
 1703                 len = sizeof(struct ip6_hdr);
 1704                 while (len < off) {
 1705                         ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + len);
 1706 
 1707                         switch (nxt) {
 1708                         case IPPROTO_FRAGMENT:
 1709                                 len += sizeof(struct ip6_frag);
 1710                                 break;
 1711                         case IPPROTO_AH:
 1712                                 len += (ip6e->ip6e_len + 2) << 2;
 1713                                 break;
 1714                         default:
 1715                                 len += (ip6e->ip6e_len + 1) << 3;
 1716                                 break;
 1717                         }
 1718                         nxt = ip6e->ip6e_nxt;
 1719                 }
 1720                 if (ip6e)
 1721                         return (&ip6e->ip6e_nxt);
 1722                 else
 1723                         return NULL;
 1724         }
 1725 }
 1726 
 1727 /*
 1728  * get next header offset.  m will be retained.
 1729  */
 1730 int
 1731 ip6_nexthdr(struct mbuf *m, int off, int proto, int *nxtp)
 1732 {
 1733         struct ip6_hdr ip6;
 1734         struct ip6_ext ip6e;
 1735         struct ip6_frag fh;
 1736 
 1737         /* just in case */
 1738         if (m == NULL)
 1739                 panic("ip6_nexthdr: m == NULL");
 1740         if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off)
 1741                 return -1;
 1742 
 1743         switch (proto) {
 1744         case IPPROTO_IPV6:
 1745                 if (m->m_pkthdr.len < off + sizeof(ip6))
 1746                         return -1;
 1747                 m_copydata(m, off, sizeof(ip6), (caddr_t)&ip6);
 1748                 if (nxtp)
 1749                         *nxtp = ip6.ip6_nxt;
 1750                 off += sizeof(ip6);
 1751                 return off;
 1752 
 1753         case IPPROTO_FRAGMENT:
 1754                 /*
 1755                  * terminate parsing if it is not the first fragment,
 1756                  * it does not make sense to parse through it.
 1757                  */
 1758                 if (m->m_pkthdr.len < off + sizeof(fh))
 1759                         return -1;
 1760                 m_copydata(m, off, sizeof(fh), (caddr_t)&fh);
 1761                 /* IP6F_OFF_MASK = 0xfff8(BigEndian), 0xf8ff(LittleEndian) */
 1762                 if (fh.ip6f_offlg & IP6F_OFF_MASK)
 1763                         return -1;
 1764                 if (nxtp)
 1765                         *nxtp = fh.ip6f_nxt;
 1766                 off += sizeof(struct ip6_frag);
 1767                 return off;
 1768 
 1769         case IPPROTO_AH:
 1770                 if (m->m_pkthdr.len < off + sizeof(ip6e))
 1771                         return -1;
 1772                 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
 1773                 if (nxtp)
 1774                         *nxtp = ip6e.ip6e_nxt;
 1775                 off += (ip6e.ip6e_len + 2) << 2;
 1776                 return off;
 1777 
 1778         case IPPROTO_HOPOPTS:
 1779         case IPPROTO_ROUTING:
 1780         case IPPROTO_DSTOPTS:
 1781                 if (m->m_pkthdr.len < off + sizeof(ip6e))
 1782                         return -1;
 1783                 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
 1784                 if (nxtp)
 1785                         *nxtp = ip6e.ip6e_nxt;
 1786                 off += (ip6e.ip6e_len + 1) << 3;
 1787                 return off;
 1788 
 1789         case IPPROTO_NONE:
 1790         case IPPROTO_ESP:
 1791         case IPPROTO_IPCOMP:
 1792                 /* give up */
 1793                 return -1;
 1794 
 1795         default:
 1796                 return -1;
 1797         }
 1798 
 1799         return -1;
 1800 }
 1801 
 1802 /*
 1803  * get offset for the last header in the chain.  m will be kept untainted.
 1804  */
 1805 int
 1806 ip6_lasthdr(struct mbuf *m, int off, int proto, int *nxtp)
 1807 {
 1808         int newoff;
 1809         int nxt;
 1810 
 1811         if (!nxtp) {
 1812                 nxt = -1;
 1813                 nxtp = &nxt;
 1814         }
 1815         while (1) {
 1816                 newoff = ip6_nexthdr(m, off, proto, nxtp);
 1817                 if (newoff < 0)
 1818                         return off;
 1819                 else if (newoff < off)
 1820                         return -1;      /* invalid */
 1821                 else if (newoff == off)
 1822                         return newoff;
 1823 
 1824                 off = newoff;
 1825                 proto = *nxtp;
 1826         }
 1827 }
 1828 
 1829 static struct ip6aux *
 1830 ip6_addaux(struct mbuf *m)
 1831 {
 1832         struct m_tag *mtag;
 1833 
 1834         mtag = m_tag_find(m, PACKET_TAG_IPV6_INPUT, NULL);
 1835         if (!mtag) {
 1836                 mtag = m_tag_get(PACKET_TAG_IPV6_INPUT, sizeof(struct ip6aux),
 1837                     M_NOWAIT);
 1838                 if (mtag) {
 1839                         m_tag_prepend(m, mtag);
 1840                         bzero(mtag + 1, sizeof(struct ip6aux));
 1841                 }
 1842         }
 1843         return mtag ? (struct ip6aux *)(mtag + 1) : NULL;
 1844 }
 1845 
 1846 static struct ip6aux *
 1847 ip6_findaux(struct mbuf *m)
 1848 {
 1849         struct m_tag *mtag;
 1850 
 1851         mtag = m_tag_find(m, PACKET_TAG_IPV6_INPUT, NULL);
 1852         return mtag ? (struct ip6aux *)(mtag + 1) : NULL;
 1853 }
 1854 
 1855 static void
 1856 ip6_delaux(struct mbuf *m)
 1857 {
 1858         struct m_tag *mtag;
 1859 
 1860         mtag = m_tag_find(m, PACKET_TAG_IPV6_INPUT, NULL);
 1861         if (mtag)
 1862                 m_tag_delete(m, mtag);
 1863 }
 1864 
 1865 /*
 1866  * System control for IP6
 1867  */
 1868 
 1869 u_char  inet6ctlerrmap[PRC_NCMDS] = {
 1870         0,              0,              0,              0,
 1871         0,              EMSGSIZE,       EHOSTDOWN,      EHOSTUNREACH,
 1872         EHOSTUNREACH,   EHOSTUNREACH,   ECONNREFUSED,   ECONNREFUSED,
 1873         EMSGSIZE,       EHOSTUNREACH,   0,              0,
 1874         0,              0,              0,              0,
 1875         ENOPROTOOPT
 1876 };

Cache object: fd0060379d1b2431af56cae698e29187


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.