The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/netinet6/ip6_input.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*      $FreeBSD$       */
    2 /*      $KAME: ip6_input.c,v 1.259 2002/01/21 04:58:09 jinmei Exp $     */
    3 
    4 /*-
    5  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
    6  * All rights reserved.
    7  *
    8  * Redistribution and use in source and binary forms, with or without
    9  * modification, are permitted provided that the following conditions
   10  * are met:
   11  * 1. Redistributions of source code must retain the above copyright
   12  *    notice, this list of conditions and the following disclaimer.
   13  * 2. Redistributions in binary form must reproduce the above copyright
   14  *    notice, this list of conditions and the following disclaimer in the
   15  *    documentation and/or other materials provided with the distribution.
   16  * 3. Neither the name of the project nor the names of its contributors
   17  *    may be used to endorse or promote products derived from this software
   18  *    without specific prior written permission.
   19  *
   20  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
   21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
   24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   30  * SUCH DAMAGE.
   31  */
   32 
   33 /*-
   34  * Copyright (c) 1982, 1986, 1988, 1993
   35  *      The Regents of the University of California.  All rights reserved.
   36  *
   37  * Redistribution and use in source and binary forms, with or without
   38  * modification, are permitted provided that the following conditions
   39  * are met:
   40  * 1. Redistributions of source code must retain the above copyright
   41  *    notice, this list of conditions and the following disclaimer.
   42  * 2. Redistributions in binary form must reproduce the above copyright
   43  *    notice, this list of conditions and the following disclaimer in the
   44  *    documentation and/or other materials provided with the distribution.
   45  * 4. Neither the name of the University nor the names of its contributors
   46  *    may be used to endorse or promote products derived from this software
   47  *    without specific prior written permission.
   48  *
   49  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
   50  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   51  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   52  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
   53  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   54  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   55  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   56  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   57  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   58  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   59  * SUCH DAMAGE.
   60  *
   61  *      @(#)ip_input.c  8.2 (Berkeley) 1/4/94
   62  */
   63 
   64 #include "opt_inet.h"
   65 #include "opt_inet6.h"
   66 #include "opt_ipsec.h"
   67 
   68 #include <sys/param.h>
   69 #include <sys/systm.h>
   70 #include <sys/malloc.h>
   71 #include <sys/mbuf.h>
   72 #include <sys/proc.h>
   73 #include <sys/domain.h>
   74 #include <sys/protosw.h>
   75 #include <sys/socket.h>
   76 #include <sys/socketvar.h>
   77 #include <sys/errno.h>
   78 #include <sys/time.h>
   79 #include <sys/kernel.h>
   80 #include <sys/syslog.h>
   81 
   82 #include <net/if.h>
   83 #include <net/if_types.h>
   84 #include <net/if_dl.h>
   85 #include <net/route.h>
   86 #include <net/netisr.h>
   87 #include <net/pfil.h>
   88 
   89 #include <netinet/in.h>
   90 #include <netinet/in_systm.h>
   91 #ifdef INET
   92 #include <netinet/ip.h>
   93 #include <netinet/ip_icmp.h>
   94 #endif /* INET */
   95 #include <netinet/ip6.h>
   96 #include <netinet6/in6_var.h>
   97 #include <netinet6/ip6_var.h>
   98 #include <netinet/in_pcb.h>
   99 #include <netinet/icmp6.h>
  100 #include <netinet6/scope6_var.h>
  101 #include <netinet6/in6_ifattach.h>
  102 #include <netinet6/nd6.h>
  103 
  104 #ifdef IPSEC
  105 #include <netipsec/ipsec.h>
  106 #include <netinet6/ip6_ipsec.h>
  107 #include <netipsec/ipsec6.h>
  108 #endif /* IPSEC */
  109 
  110 #include <netinet6/ip6protosw.h>
  111 
  112 extern struct domain inet6domain;
  113 
  114 u_char ip6_protox[IPPROTO_MAX];
  115 static struct ifqueue ip6intrq;
  116 static int ip6qmaxlen = IFQ_MAXLEN;
  117 struct in6_ifaddr *in6_ifaddr;
  118 
  119 extern struct callout in6_tmpaddrtimer_ch;
  120 
  121 int ip6_forward_srcrt;                  /* XXX */
  122 int ip6_sourcecheck;                    /* XXX */
  123 int ip6_sourcecheck_interval;           /* XXX */
  124 
  125 int ip6_ours_check_algorithm;
  126 
  127 struct pfil_head inet6_pfil_hook;
  128 
  129 struct ip6stat ip6stat;
  130 
  131 static void ip6_init2 __P((void *));
  132 static struct ip6aux *ip6_setdstifaddr __P((struct mbuf *, struct in6_ifaddr *));
  133 static int ip6_hopopts_input __P((u_int32_t *, u_int32_t *, struct mbuf **, int *));
  134 #ifdef PULLDOWN_TEST
  135 static struct mbuf *ip6_pullexthdr __P((struct mbuf *, size_t, int));
  136 #endif
  137 
  138 /*
  139  * IP6 initialization: fill in IP6 protocol switch table.
  140  * All protocols not implemented in kernel go to raw IP6 protocol handler.
  141  */
  142 void
  143 ip6_init(void)
  144 {
  145         struct ip6protosw *pr;
  146         int i;
  147 
  148 #ifdef DIAGNOSTIC
  149         if (sizeof(struct protosw) != sizeof(struct ip6protosw))
  150                 panic("sizeof(protosw) != sizeof(ip6protosw)");
  151 #endif
  152         pr = (struct ip6protosw *)pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW);
  153         if (pr == 0)
  154                 panic("ip6_init");
  155 
  156         /* Initialize the entire ip_protox[] array to IPPROTO_RAW. */
  157         for (i = 0; i < IPPROTO_MAX; i++)
  158                 ip6_protox[i] = pr - inet6sw;
  159         /*
  160          * Cycle through IP protocols and put them into the appropriate place
  161          * in ip6_protox[].
  162          */
  163         for (pr = (struct ip6protosw *)inet6domain.dom_protosw;
  164             pr < (struct ip6protosw *)inet6domain.dom_protoswNPROTOSW; pr++)
  165                 if (pr->pr_domain->dom_family == PF_INET6 &&
  166                     pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW) {
  167                         /* Be careful to only index valid IP protocols. */
  168                         if (pr->pr_protocol < IPPROTO_MAX)
  169                                 ip6_protox[pr->pr_protocol] = pr - inet6sw;
  170                 }
  171 
  172         /* Initialize packet filter hooks. */
  173         inet6_pfil_hook.ph_type = PFIL_TYPE_AF;
  174         inet6_pfil_hook.ph_af = AF_INET6;
  175         if ((i = pfil_head_register(&inet6_pfil_hook)) != 0)
  176                 printf("%s: WARNING: unable to register pfil hook, "
  177                         "error %d\n", __func__, i);
  178 
  179         ip6intrq.ifq_maxlen = ip6qmaxlen;
  180         mtx_init(&ip6intrq.ifq_mtx, "ip6_inq", NULL, MTX_DEF);
  181         netisr_register(NETISR_IPV6, ip6_input, &ip6intrq, 0);
  182         scope6_init();
  183         addrsel_policy_init();
  184         nd6_init();
  185         frag6_init();
  186         ip6_desync_factor = arc4random() % MAX_TEMP_DESYNC_FACTOR;
  187 }
  188 
  189 static void
  190 ip6_init2(void *dummy)
  191 {
  192 
  193         /* nd6_timer_init */
  194         callout_init(&nd6_timer_ch, 0);
  195         callout_reset(&nd6_timer_ch, hz, nd6_timer, NULL);
  196 
  197         /* timer for regeneranation of temporary addresses randomize ID */
  198         callout_init(&in6_tmpaddrtimer_ch, 0);
  199         callout_reset(&in6_tmpaddrtimer_ch,
  200                       (ip6_temp_preferred_lifetime - ip6_desync_factor -
  201                        ip6_temp_regen_advance) * hz,
  202                       in6_tmpaddrtimer, NULL);
  203 }
  204 
  205 /* cheat */
  206 /* This must be after route_init(), which is now SI_ORDER_THIRD */
  207 SYSINIT(netinet6init2, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ip6_init2, NULL);
  208 
  209 extern struct   route_in6 ip6_forward_rt;
  210 
  211 void
  212 ip6_input(struct mbuf *m)
  213 {
  214         struct ip6_hdr *ip6;
  215         int off = sizeof(struct ip6_hdr), nest;
  216         u_int32_t plen;
  217         u_int32_t rtalert = ~0;
  218         int nxt, ours = 0;
  219         struct ifnet *deliverifp = NULL;
  220         struct in6_addr odst;
  221         int srcrt = 0;
  222 
  223         GIANT_REQUIRED;                 /* XXX for now */
  224 
  225 #ifdef IPSEC
  226         /*
  227          * should the inner packet be considered authentic?
  228          * see comment in ah4_input().
  229          * NB: m cannot be NULL when passed to the input routine
  230          */
  231 
  232         m->m_flags &= ~M_AUTHIPHDR;
  233         m->m_flags &= ~M_AUTHIPDGM;
  234 
  235 #endif /* IPSEC */
  236 
  237         /*
  238          * make sure we don't have onion peering information into m_tag.
  239          */
  240         ip6_delaux(m);
  241 
  242         /*
  243          * mbuf statistics
  244          */
  245         if (m->m_flags & M_EXT) {
  246                 if (m->m_next)
  247                         ip6stat.ip6s_mext2m++;
  248                 else
  249                         ip6stat.ip6s_mext1++;
  250         } else {
  251 #define M2MMAX  (sizeof(ip6stat.ip6s_m2m)/sizeof(ip6stat.ip6s_m2m[0]))
  252                 if (m->m_next) {
  253                         if (m->m_flags & M_LOOP) {
  254                                 ip6stat.ip6s_m2m[loif[0].if_index]++; /* XXX */
  255                         } else if (m->m_pkthdr.rcvif->if_index < M2MMAX)
  256                                 ip6stat.ip6s_m2m[m->m_pkthdr.rcvif->if_index]++;
  257                         else
  258                                 ip6stat.ip6s_m2m[0]++;
  259                 } else
  260                         ip6stat.ip6s_m1++;
  261 #undef M2MMAX
  262         }
  263 
  264         /* drop the packet if IPv6 operation is disabled on the IF */
  265         if ((ND_IFINFO(m->m_pkthdr.rcvif)->flags & ND6_IFF_IFDISABLED)) {
  266                 m_freem(m);
  267                 return;
  268         }
  269 
  270         in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_receive);
  271         ip6stat.ip6s_total++;
  272 
  273 #ifndef PULLDOWN_TEST
  274         /*
  275          * L2 bridge code and some other code can return mbuf chain
  276          * that does not conform to KAME requirement.  too bad.
  277          * XXX: fails to join if interface MTU > MCLBYTES.  jumbogram?
  278          */
  279         if (m && m->m_next != NULL && m->m_pkthdr.len < MCLBYTES) {
  280                 struct mbuf *n;
  281 
  282                 MGETHDR(n, M_DONTWAIT, MT_HEADER);
  283                 if (n)
  284                         M_MOVE_PKTHDR(n, m);
  285                 if (n && n->m_pkthdr.len > MHLEN) {
  286                         MCLGET(n, M_DONTWAIT);
  287                         if ((n->m_flags & M_EXT) == 0) {
  288                                 m_freem(n);
  289                                 n = NULL;
  290                         }
  291                 }
  292                 if (n == NULL) {
  293                         m_freem(m);
  294                         return; /* ENOBUFS */
  295                 }
  296 
  297                 m_copydata(m, 0, n->m_pkthdr.len, mtod(n, caddr_t));
  298                 n->m_len = n->m_pkthdr.len;
  299                 m_freem(m);
  300                 m = n;
  301         }
  302         IP6_EXTHDR_CHECK(m, 0, sizeof(struct ip6_hdr), /* nothing */);
  303 #endif
  304 
  305         if (m->m_len < sizeof(struct ip6_hdr)) {
  306                 struct ifnet *inifp;
  307                 inifp = m->m_pkthdr.rcvif;
  308                 if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
  309                         ip6stat.ip6s_toosmall++;
  310                         in6_ifstat_inc(inifp, ifs6_in_hdrerr);
  311                         return;
  312                 }
  313         }
  314 
  315         ip6 = mtod(m, struct ip6_hdr *);
  316 
  317         if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) {
  318                 ip6stat.ip6s_badvers++;
  319                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
  320                 goto bad;
  321         }
  322 
  323         ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
  324 
  325         /*
  326          * Check against address spoofing/corruption.
  327          */
  328         if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) ||
  329             IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) {
  330                 /*
  331                  * XXX: "badscope" is not very suitable for a multicast source.
  332                  */
  333                 ip6stat.ip6s_badscope++;
  334                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
  335                 goto bad;
  336         }
  337         if (IN6_IS_ADDR_MC_INTFACELOCAL(&ip6->ip6_dst) &&
  338             !(m->m_flags & M_LOOP)) {
  339                 /*
  340                  * In this case, the packet should come from the loopback
  341                  * interface.  However, we cannot just check the if_flags,
  342                  * because ip6_mloopback() passes the "actual" interface
  343                  * as the outgoing/incoming interface.
  344                  */
  345                 ip6stat.ip6s_badscope++;
  346                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
  347                 goto bad;
  348         }
  349 
  350 #ifdef ALTQ
  351         if (altq_input != NULL && (*altq_input)(m, AF_INET6) == 0) {
  352                 /* packet is dropped by traffic conditioner */
  353                 return;
  354         }
  355 #endif
  356         /*
  357          * The following check is not documented in specs.  A malicious
  358          * party may be able to use IPv4 mapped addr to confuse tcp/udp stack
  359          * and bypass security checks (act as if it was from 127.0.0.1 by using
  360          * IPv6 src ::ffff:127.0.0.1).  Be cautious.
  361          *
  362          * This check chokes if we are in an SIIT cloud.  As none of BSDs
  363          * support IPv4-less kernel compilation, we cannot support SIIT
  364          * environment at all.  So, it makes more sense for us to reject any
  365          * malicious packets for non-SIIT environment, than try to do a
  366          * partial support for SIIT environment.
  367          */
  368         if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
  369             IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
  370                 ip6stat.ip6s_badscope++;
  371                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
  372                 goto bad;
  373         }
  374 #if 0
  375         /*
  376          * Reject packets with IPv4 compatible addresses (auto tunnel).
  377          *
  378          * The code forbids auto tunnel relay case in RFC1933 (the check is
  379          * stronger than RFC1933).  We may want to re-enable it if mech-xx
  380          * is revised to forbid relaying case.
  381          */
  382         if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) ||
  383             IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) {
  384                 ip6stat.ip6s_badscope++;
  385                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
  386                 goto bad;
  387         }
  388 #endif
  389 
  390         /*
  391          * Run through list of hooks for input packets.
  392          *
  393          * NB: Beware of the destination address changing
  394          *     (e.g. by NAT rewriting).  When this happens,
  395          *     tell ip6_forward to do the right thing.
  396          */
  397         odst = ip6->ip6_dst;
  398 
  399         /* Jump over all PFIL processing if hooks are not active. */
  400         if (!PFIL_HOOKED(&inet6_pfil_hook))
  401                 goto passin;
  402 
  403         if (pfil_run_hooks(&inet6_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN, NULL))
  404                 return;
  405         if (m == NULL)                  /* consumed by filter */
  406                 return;
  407         ip6 = mtod(m, struct ip6_hdr *);
  408         srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst);
  409 
  410 passin:
  411         /*
  412          * Disambiguate address scope zones (if there is ambiguity).
  413          * We first make sure that the original source or destination address
  414          * is not in our internal form for scoped addresses.  Such addresses
  415          * are not necessarily invalid spec-wise, but we cannot accept them due
  416          * to the usage conflict.
  417          * in6_setscope() then also checks and rejects the cases where src or
  418          * dst are the loopback address and the receiving interface
  419          * is not loopback.
  420          */
  421         if (in6_clearscope(&ip6->ip6_src) || in6_clearscope(&ip6->ip6_dst)) {
  422                 ip6stat.ip6s_badscope++; /* XXX */
  423                 goto bad;
  424         }
  425         if (in6_setscope(&ip6->ip6_src, m->m_pkthdr.rcvif, NULL) ||
  426             in6_setscope(&ip6->ip6_dst, m->m_pkthdr.rcvif, NULL)) {
  427                 ip6stat.ip6s_badscope++;
  428                 goto bad;
  429         }
  430 
  431         /*
  432          * Multicast check
  433          */
  434         if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
  435                 struct in6_multi *in6m = 0;
  436 
  437                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_mcast);
  438                 /*
  439                  * See if we belong to the destination multicast group on the
  440                  * arrival interface.
  441                  */
  442                 IN6_LOOKUP_MULTI(ip6->ip6_dst, m->m_pkthdr.rcvif, in6m);
  443                 if (in6m)
  444                         ours = 1;
  445                 else if (!ip6_mrouter) {
  446                         ip6stat.ip6s_notmember++;
  447                         ip6stat.ip6s_cantforward++;
  448                         in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
  449                         goto bad;
  450                 }
  451                 deliverifp = m->m_pkthdr.rcvif;
  452                 goto hbhcheck;
  453         }
  454 
  455         /*
  456          *  Unicast check
  457          */
  458         if (ip6_forward_rt.ro_rt != NULL &&
  459             (ip6_forward_rt.ro_rt->rt_flags & RTF_UP) != 0 &&
  460             IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst,
  461             &((struct sockaddr_in6 *)(&ip6_forward_rt.ro_dst))->sin6_addr))
  462                 ip6stat.ip6s_forward_cachehit++;
  463         else {
  464                 struct sockaddr_in6 *dst6;
  465 
  466                 if (ip6_forward_rt.ro_rt) {
  467                         /* route is down or destination is different */
  468                         ip6stat.ip6s_forward_cachemiss++;
  469                         RTFREE(ip6_forward_rt.ro_rt);
  470                         ip6_forward_rt.ro_rt = 0;
  471                 }
  472 
  473                 bzero(&ip6_forward_rt.ro_dst, sizeof(struct sockaddr_in6));
  474                 dst6 = (struct sockaddr_in6 *)&ip6_forward_rt.ro_dst;
  475                 dst6->sin6_len = sizeof(struct sockaddr_in6);
  476                 dst6->sin6_family = AF_INET6;
  477                 dst6->sin6_addr = ip6->ip6_dst;
  478 
  479                 rtalloc((struct route *)&ip6_forward_rt);
  480         }
  481 
  482 #define rt6_key(r) ((struct sockaddr_in6 *)((r)->rt_nodes->rn_key))
  483 
  484         /*
  485          * Accept the packet if the forwarding interface to the destination
  486          * according to the routing table is the loopback interface,
  487          * unless the associated route has a gateway.
  488          * Note that this approach causes to accept a packet if there is a
  489          * route to the loopback interface for the destination of the packet.
  490          * But we think it's even useful in some situations, e.g. when using
  491          * a special daemon which wants to intercept the packet.
  492          *
  493          * XXX: some OSes automatically make a cloned route for the destination
  494          * of an outgoing packet.  If the outgoing interface of the packet
  495          * is a loopback one, the kernel would consider the packet to be
  496          * accepted, even if we have no such address assinged on the interface.
  497          * We check the cloned flag of the route entry to reject such cases,
  498          * assuming that route entries for our own addresses are not made by
  499          * cloning (it should be true because in6_addloop explicitly installs
  500          * the host route).  However, we might have to do an explicit check
  501          * while it would be less efficient.  Or, should we rather install a
  502          * reject route for such a case?
  503          */
  504         if (ip6_forward_rt.ro_rt &&
  505             (ip6_forward_rt.ro_rt->rt_flags &
  506              (RTF_HOST|RTF_GATEWAY)) == RTF_HOST &&
  507 #ifdef RTF_WASCLONED
  508             !(ip6_forward_rt.ro_rt->rt_flags & RTF_WASCLONED) &&
  509 #endif
  510 #ifdef RTF_CLONED
  511             !(ip6_forward_rt.ro_rt->rt_flags & RTF_CLONED) &&
  512 #endif
  513 #if 0
  514             /*
  515              * The check below is redundant since the comparison of
  516              * the destination and the key of the rtentry has
  517              * already done through looking up the routing table.
  518              */
  519             IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst,
  520             &rt6_key(ip6_forward_rt.ro_rt)->sin6_addr)
  521 #endif
  522             ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_LOOP) {
  523                 struct in6_ifaddr *ia6 =
  524                         (struct in6_ifaddr *)ip6_forward_rt.ro_rt->rt_ifa;
  525 
  526                 /*
  527                  * record address information into m_tag.
  528                  */
  529                 (void)ip6_setdstifaddr(m, ia6);
  530 
  531                 /*
  532                  * packets to a tentative, duplicated, or somehow invalid
  533                  * address must not be accepted.
  534                  */
  535                 if (!(ia6->ia6_flags & IN6_IFF_NOTREADY)) {
  536                         /* this address is ready */
  537                         ours = 1;
  538                         deliverifp = ia6->ia_ifp;       /* correct? */
  539                         /* Count the packet in the ip address stats */
  540                         ia6->ia_ifa.if_ipackets++;
  541                         ia6->ia_ifa.if_ibytes += m->m_pkthdr.len;
  542                         goto hbhcheck;
  543                 } else {
  544                         char ip6bufs[INET6_ADDRSTRLEN];
  545                         char ip6bufd[INET6_ADDRSTRLEN];
  546                         /* address is not ready, so discard the packet. */
  547                         nd6log((LOG_INFO,
  548                             "ip6_input: packet to an unready address %s->%s\n",
  549                             ip6_sprintf(ip6bufs, &ip6->ip6_src),
  550                             ip6_sprintf(ip6bufd, &ip6->ip6_dst)));
  551 
  552                         goto bad;
  553                 }
  554         }
  555 
  556         /*
  557          * FAITH (Firewall Aided Internet Translator)
  558          */
  559         if (ip6_keepfaith) {
  560                 if (ip6_forward_rt.ro_rt && ip6_forward_rt.ro_rt->rt_ifp
  561                  && ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_FAITH) {
  562                         /* XXX do we need more sanity checks? */
  563                         ours = 1;
  564                         deliverifp = ip6_forward_rt.ro_rt->rt_ifp; /* faith */
  565                         goto hbhcheck;
  566                 }
  567         }
  568 
  569         /*
  570          * Now there is no reason to process the packet if it's not our own
  571          * and we're not a router.
  572          */
  573         if (!ip6_forwarding) {
  574                 ip6stat.ip6s_cantforward++;
  575                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
  576                 goto bad;
  577         }
  578 
  579   hbhcheck:
  580         /*
  581          * record address information into m_tag, if we don't have one yet.
  582          * note that we are unable to record it, if the address is not listed
  583          * as our interface address (e.g. multicast addresses, addresses
  584          * within FAITH prefixes and such).
  585          */
  586         if (deliverifp && !ip6_getdstifaddr(m)) {
  587                 struct in6_ifaddr *ia6;
  588 
  589                 ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst);
  590                 if (ia6) {
  591                         if (!ip6_setdstifaddr(m, ia6)) {
  592                                 /*
  593                                  * XXX maybe we should drop the packet here,
  594                                  * as we could not provide enough information
  595                                  * to the upper layers.
  596                                  */
  597                         }
  598                 }
  599         }
  600 
  601         /*
  602          * Process Hop-by-Hop options header if it's contained.
  603          * m may be modified in ip6_hopopts_input().
  604          * If a JumboPayload option is included, plen will also be modified.
  605          */
  606         plen = (u_int32_t)ntohs(ip6->ip6_plen);
  607         if (ip6->ip6_nxt == IPPROTO_HOPOPTS) {
  608                 struct ip6_hbh *hbh;
  609 
  610                 if (ip6_hopopts_input(&plen, &rtalert, &m, &off)) {
  611 #if 0   /*touches NULL pointer*/
  612                         in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
  613 #endif
  614                         return; /* m have already been freed */
  615                 }
  616 
  617                 /* adjust pointer */
  618                 ip6 = mtod(m, struct ip6_hdr *);
  619 
  620                 /*
  621                  * if the payload length field is 0 and the next header field
  622                  * indicates Hop-by-Hop Options header, then a Jumbo Payload
  623                  * option MUST be included.
  624                  */
  625                 if (ip6->ip6_plen == 0 && plen == 0) {
  626                         /*
  627                          * Note that if a valid jumbo payload option is
  628                          * contained, ip6_hopopts_input() must set a valid
  629                          * (non-zero) payload length to the variable plen.
  630                          */
  631                         ip6stat.ip6s_badoptions++;
  632                         in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
  633                         in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
  634                         icmp6_error(m, ICMP6_PARAM_PROB,
  635                                     ICMP6_PARAMPROB_HEADER,
  636                                     (caddr_t)&ip6->ip6_plen - (caddr_t)ip6);
  637                         return;
  638                 }
  639 #ifndef PULLDOWN_TEST
  640                 /* ip6_hopopts_input() ensures that mbuf is contiguous */
  641                 hbh = (struct ip6_hbh *)(ip6 + 1);
  642 #else
  643                 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr),
  644                         sizeof(struct ip6_hbh));
  645                 if (hbh == NULL) {
  646                         ip6stat.ip6s_tooshort++;
  647                         return;
  648                 }
  649 #endif
  650                 nxt = hbh->ip6h_nxt;
  651 
  652                 /*
  653                  * If we are acting as a router and the packet contains a
  654                  * router alert option, see if we know the option value.
  655                  * Currently, we only support the option value for MLD, in which
  656                  * case we should pass the packet to the multicast routing
  657                  * daemon.
  658                  */
  659                 if (rtalert != ~0 && ip6_forwarding) {
  660                         switch (rtalert) {
  661                         case IP6OPT_RTALERT_MLD:
  662                                 ours = 1;
  663                                 break;
  664                         default:
  665                                 /*
  666                                  * RFC2711 requires unrecognized values must be
  667                                  * silently ignored.
  668                                  */
  669                                 break;
  670                         }
  671                 }
  672         } else
  673                 nxt = ip6->ip6_nxt;
  674 
  675         /*
  676          * Check that the amount of data in the buffers
  677          * is as at least much as the IPv6 header would have us expect.
  678          * Trim mbufs if longer than we expect.
  679          * Drop packet if shorter than we expect.
  680          */
  681         if (m->m_pkthdr.len - sizeof(struct ip6_hdr) < plen) {
  682                 ip6stat.ip6s_tooshort++;
  683                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
  684                 goto bad;
  685         }
  686         if (m->m_pkthdr.len > sizeof(struct ip6_hdr) + plen) {
  687                 if (m->m_len == m->m_pkthdr.len) {
  688                         m->m_len = sizeof(struct ip6_hdr) + plen;
  689                         m->m_pkthdr.len = sizeof(struct ip6_hdr) + plen;
  690                 } else
  691                         m_adj(m, sizeof(struct ip6_hdr) + plen - m->m_pkthdr.len);
  692         }
  693 
  694         /*
  695          * Forward if desirable.
  696          */
  697         if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
  698                 /*
  699                  * If we are acting as a multicast router, all
  700                  * incoming multicast packets are passed to the
  701                  * kernel-level multicast forwarding function.
  702                  * The packet is returned (relatively) intact; if
  703                  * ip6_mforward() returns a non-zero value, the packet
  704                  * must be discarded, else it may be accepted below.
  705                  */
  706                 if (ip6_mrouter && ip6_mforward &&
  707                     ip6_mforward(ip6, m->m_pkthdr.rcvif, m)) {
  708                         ip6stat.ip6s_cantforward++;
  709                         m_freem(m);
  710                         return;
  711                 }
  712                 if (!ours) {
  713                         m_freem(m);
  714                         return;
  715                 }
  716         } else if (!ours) {
  717                 ip6_forward(m, srcrt);
  718                 return;
  719         }
  720 
  721         ip6 = mtod(m, struct ip6_hdr *);
  722 
  723         /*
  724          * Malicious party may be able to use IPv4 mapped addr to confuse
  725          * tcp/udp stack and bypass security checks (act as if it was from
  726          * 127.0.0.1 by using IPv6 src ::ffff:127.0.0.1).  Be cautious.
  727          *
  728          * For SIIT end node behavior, you may want to disable the check.
  729          * However, you will  become vulnerable to attacks using IPv4 mapped
  730          * source.
  731          */
  732         if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
  733             IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
  734                 ip6stat.ip6s_badscope++;
  735                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
  736                 goto bad;
  737         }
  738 
  739         /*
  740          * Tell launch routine the next header
  741          */
  742         ip6stat.ip6s_delivered++;
  743         in6_ifstat_inc(deliverifp, ifs6_in_deliver);
  744         nest = 0;
  745 
  746         while (nxt != IPPROTO_DONE) {
  747                 if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) {
  748                         ip6stat.ip6s_toomanyhdr++;
  749                         goto bad;
  750                 }
  751 
  752                 /*
  753                  * protection against faulty packet - there should be
  754                  * more sanity checks in header chain processing.
  755                  */
  756                 if (m->m_pkthdr.len < off) {
  757                         ip6stat.ip6s_tooshort++;
  758                         in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
  759                         goto bad;
  760                 }
  761 
  762 #ifdef IPSEC
  763                 /*
  764                  * enforce IPsec policy checking if we are seeing last header.
  765                  * note that we do not visit this with protocols with pcb layer
  766                  * code - like udp/tcp/raw ip.
  767                  */
  768                 if (ip6_ipsec_input(m, nxt))
  769                         goto bad;
  770 #endif /* IPSEC */
  771                 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);
  772         }
  773         return;
  774  bad:
  775         m_freem(m);
  776 }
  777 
  778 /*
  779  * set/grab in6_ifaddr correspond to IPv6 destination address.
  780  * XXX backward compatibility wrapper
  781  */
  782 static struct ip6aux *
  783 ip6_setdstifaddr(struct mbuf *m, struct in6_ifaddr *ia6)
  784 {
  785         struct ip6aux *ip6a;
  786 
  787         ip6a = ip6_addaux(m);
  788         if (ip6a)
  789                 ip6a->ip6a_dstia6 = ia6;
  790         return ip6a;    /* NULL if failed to set */
  791 }
  792 
  793 struct in6_ifaddr *
  794 ip6_getdstifaddr(struct mbuf *m)
  795 {
  796         struct ip6aux *ip6a;
  797 
  798         ip6a = ip6_findaux(m);
  799         if (ip6a)
  800                 return ip6a->ip6a_dstia6;
  801         else
  802                 return NULL;
  803 }
  804 
  805 /*
  806  * Hop-by-Hop options header processing. If a valid jumbo payload option is
  807  * included, the real payload length will be stored in plenp.
  808  *
  809  * rtalertp - XXX: should be stored more smart way
  810  */
  811 static int
  812 ip6_hopopts_input(u_int32_t *plenp, u_int32_t *rtalertp,
  813     struct mbuf **mp, int *offp)
  814 {
  815         struct mbuf *m = *mp;
  816         int off = *offp, hbhlen;
  817         struct ip6_hbh *hbh;
  818         u_int8_t *opt;
  819 
  820         /* validation of the length of the header */
  821 #ifndef PULLDOWN_TEST
  822         IP6_EXTHDR_CHECK(m, off, sizeof(*hbh), -1);
  823         hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off);
  824         hbhlen = (hbh->ip6h_len + 1) << 3;
  825 
  826         IP6_EXTHDR_CHECK(m, off, hbhlen, -1);
  827         hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off);
  828 #else
  829         IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m,
  830                 sizeof(struct ip6_hdr), sizeof(struct ip6_hbh));
  831         if (hbh == NULL) {
  832                 ip6stat.ip6s_tooshort++;
  833                 return -1;
  834         }
  835         hbhlen = (hbh->ip6h_len + 1) << 3;
  836         IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr),
  837                 hbhlen);
  838         if (hbh == NULL) {
  839                 ip6stat.ip6s_tooshort++;
  840                 return -1;
  841         }
  842 #endif
  843         off += hbhlen;
  844         hbhlen -= sizeof(struct ip6_hbh);
  845         opt = (u_int8_t *)hbh + sizeof(struct ip6_hbh);
  846 
  847         if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh),
  848                                 hbhlen, rtalertp, plenp) < 0)
  849                 return (-1);
  850 
  851         *offp = off;
  852         *mp = m;
  853         return (0);
  854 }
  855 
  856 /*
  857  * Search header for all Hop-by-hop options and process each option.
  858  * This function is separate from ip6_hopopts_input() in order to
  859  * handle a case where the sending node itself process its hop-by-hop
  860  * options header. In such a case, the function is called from ip6_output().
  861  *
  862  * The function assumes that hbh header is located right after the IPv6 header
  863  * (RFC2460 p7), opthead is pointer into data content in m, and opthead to
  864  * opthead + hbhlen is located in continuous memory region.
  865  */
  866 int
  867 ip6_process_hopopts(struct mbuf *m, u_int8_t *opthead, int hbhlen,
  868     u_int32_t *rtalertp, u_int32_t *plenp)
  869 {
  870         struct ip6_hdr *ip6;
  871         int optlen = 0;
  872         u_int8_t *opt = opthead;
  873         u_int16_t rtalert_val;
  874         u_int32_t jumboplen;
  875         const int erroff = sizeof(struct ip6_hdr) + sizeof(struct ip6_hbh);
  876 
  877         for (; hbhlen > 0; hbhlen -= optlen, opt += optlen) {
  878                 switch (*opt) {
  879                 case IP6OPT_PAD1:
  880                         optlen = 1;
  881                         break;
  882                 case IP6OPT_PADN:
  883                         if (hbhlen < IP6OPT_MINLEN) {
  884                                 ip6stat.ip6s_toosmall++;
  885                                 goto bad;
  886                         }
  887                         optlen = *(opt + 1) + 2;
  888                         break;
  889                 case IP6OPT_ROUTER_ALERT:
  890                         /* XXX may need check for alignment */
  891                         if (hbhlen < IP6OPT_RTALERT_LEN) {
  892                                 ip6stat.ip6s_toosmall++;
  893                                 goto bad;
  894                         }
  895                         if (*(opt + 1) != IP6OPT_RTALERT_LEN - 2) {
  896                                 /* XXX stat */
  897                                 icmp6_error(m, ICMP6_PARAM_PROB,
  898                                     ICMP6_PARAMPROB_HEADER,
  899                                     erroff + opt + 1 - opthead);
  900                                 return (-1);
  901                         }
  902                         optlen = IP6OPT_RTALERT_LEN;
  903                         bcopy((caddr_t)(opt + 2), (caddr_t)&rtalert_val, 2);
  904                         *rtalertp = ntohs(rtalert_val);
  905                         break;
  906                 case IP6OPT_JUMBO:
  907                         /* XXX may need check for alignment */
  908                         if (hbhlen < IP6OPT_JUMBO_LEN) {
  909                                 ip6stat.ip6s_toosmall++;
  910                                 goto bad;
  911                         }
  912                         if (*(opt + 1) != IP6OPT_JUMBO_LEN - 2) {
  913                                 /* XXX stat */
  914                                 icmp6_error(m, ICMP6_PARAM_PROB,
  915                                     ICMP6_PARAMPROB_HEADER,
  916                                     erroff + opt + 1 - opthead);
  917                                 return (-1);
  918                         }
  919                         optlen = IP6OPT_JUMBO_LEN;
  920 
  921                         /*
  922                          * IPv6 packets that have non 0 payload length
  923                          * must not contain a jumbo payload option.
  924                          */
  925                         ip6 = mtod(m, struct ip6_hdr *);
  926                         if (ip6->ip6_plen) {
  927                                 ip6stat.ip6s_badoptions++;
  928                                 icmp6_error(m, ICMP6_PARAM_PROB,
  929                                     ICMP6_PARAMPROB_HEADER,
  930                                     erroff + opt - opthead);
  931                                 return (-1);
  932                         }
  933 
  934                         /*
  935                          * We may see jumbolen in unaligned location, so
  936                          * we'd need to perform bcopy().
  937                          */
  938                         bcopy(opt + 2, &jumboplen, sizeof(jumboplen));
  939                         jumboplen = (u_int32_t)htonl(jumboplen);
  940 
  941 #if 1
  942                         /*
  943                          * if there are multiple jumbo payload options,
  944                          * *plenp will be non-zero and the packet will be
  945                          * rejected.
  946                          * the behavior may need some debate in ipngwg -
  947                          * multiple options does not make sense, however,
  948                          * there's no explicit mention in specification.
  949                          */
  950                         if (*plenp != 0) {
  951                                 ip6stat.ip6s_badoptions++;
  952                                 icmp6_error(m, ICMP6_PARAM_PROB,
  953                                     ICMP6_PARAMPROB_HEADER,
  954                                     erroff + opt + 2 - opthead);
  955                                 return (-1);
  956                         }
  957 #endif
  958 
  959                         /*
  960                          * jumbo payload length must be larger than 65535.
  961                          */
  962                         if (jumboplen <= IPV6_MAXPACKET) {
  963                                 ip6stat.ip6s_badoptions++;
  964                                 icmp6_error(m, ICMP6_PARAM_PROB,
  965                                     ICMP6_PARAMPROB_HEADER,
  966                                     erroff + opt + 2 - opthead);
  967                                 return (-1);
  968                         }
  969                         *plenp = jumboplen;
  970 
  971                         break;
  972                 default:                /* unknown option */
  973                         if (hbhlen < IP6OPT_MINLEN) {
  974                                 ip6stat.ip6s_toosmall++;
  975                                 goto bad;
  976                         }
  977                         optlen = ip6_unknown_opt(opt, m,
  978                             erroff + opt - opthead);
  979                         if (optlen == -1)
  980                                 return (-1);
  981                         optlen += 2;
  982                         break;
  983                 }
  984         }
  985 
  986         return (0);
  987 
  988   bad:
  989         m_freem(m);
  990         return (-1);
  991 }
  992 
  993 /*
  994  * Unknown option processing.
  995  * The third argument `off' is the offset from the IPv6 header to the option,
  996  * which is necessary if the IPv6 header the and option header and IPv6 header
  997  * is not continuous in order to return an ICMPv6 error.
  998  */
  999 int
 1000 ip6_unknown_opt(u_int8_t *optp, struct mbuf *m, int off)
 1001 {
 1002         struct ip6_hdr *ip6;
 1003 
 1004         switch (IP6OPT_TYPE(*optp)) {
 1005         case IP6OPT_TYPE_SKIP: /* ignore the option */
 1006                 return ((int)*(optp + 1));
 1007         case IP6OPT_TYPE_DISCARD:       /* silently discard */
 1008                 m_freem(m);
 1009                 return (-1);
 1010         case IP6OPT_TYPE_FORCEICMP: /* send ICMP even if multicasted */
 1011                 ip6stat.ip6s_badoptions++;
 1012                 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_OPTION, off);
 1013                 return (-1);
 1014         case IP6OPT_TYPE_ICMP: /* send ICMP if not multicasted */
 1015                 ip6stat.ip6s_badoptions++;
 1016                 ip6 = mtod(m, struct ip6_hdr *);
 1017                 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
 1018                     (m->m_flags & (M_BCAST|M_MCAST)))
 1019                         m_freem(m);
 1020                 else
 1021                         icmp6_error(m, ICMP6_PARAM_PROB,
 1022                                     ICMP6_PARAMPROB_OPTION, off);
 1023                 return (-1);
 1024         }
 1025 
 1026         m_freem(m);             /* XXX: NOTREACHED */
 1027         return (-1);
 1028 }
 1029 
 1030 /*
 1031  * Create the "control" list for this pcb.
 1032  * The function will not modify mbuf chain at all.
 1033  *
 1034  * with KAME mbuf chain restriction:
 1035  * The routine will be called from upper layer handlers like tcp6_input().
 1036  * Thus the routine assumes that the caller (tcp6_input) have already
 1037  * called IP6_EXTHDR_CHECK() and all the extension headers are located in the
 1038  * very first mbuf on the mbuf chain.
 1039  */
 1040 void
 1041 ip6_savecontrol(struct inpcb *in6p, struct mbuf *m, struct mbuf **mp)
 1042 {
 1043 #define IS2292(x, y)    ((in6p->in6p_flags & IN6P_RFC2292) ? (x) : (y))
 1044         struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
 1045 
 1046 #ifdef SO_TIMESTAMP
 1047         if ((in6p->in6p_socket->so_options & SO_TIMESTAMP) != 0) {
 1048                 struct timeval tv;
 1049 
 1050                 microtime(&tv);
 1051                 *mp = sbcreatecontrol((caddr_t) &tv, sizeof(tv),
 1052                     SCM_TIMESTAMP, SOL_SOCKET);
 1053                 if (*mp)
 1054                         mp = &(*mp)->m_next;
 1055         }
 1056 #endif
 1057 
 1058         if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION)
 1059                 return;
 1060 
 1061         /* RFC 2292 sec. 5 */
 1062         if ((in6p->in6p_flags & IN6P_PKTINFO) != 0) {
 1063                 struct in6_pktinfo pi6;
 1064 
 1065                 bcopy(&ip6->ip6_dst, &pi6.ipi6_addr, sizeof(struct in6_addr));
 1066                 in6_clearscope(&pi6.ipi6_addr); /* XXX */
 1067                 pi6.ipi6_ifindex =
 1068                     (m && m->m_pkthdr.rcvif) ? m->m_pkthdr.rcvif->if_index : 0;
 1069 
 1070                 *mp = sbcreatecontrol((caddr_t) &pi6,
 1071                     sizeof(struct in6_pktinfo),
 1072                     IS2292(IPV6_2292PKTINFO, IPV6_PKTINFO), IPPROTO_IPV6);
 1073                 if (*mp)
 1074                         mp = &(*mp)->m_next;
 1075         }
 1076 
 1077         if ((in6p->in6p_flags & IN6P_HOPLIMIT) != 0) {
 1078                 int hlim = ip6->ip6_hlim & 0xff;
 1079 
 1080                 *mp = sbcreatecontrol((caddr_t) &hlim, sizeof(int),
 1081                     IS2292(IPV6_2292HOPLIMIT, IPV6_HOPLIMIT), IPPROTO_IPV6);
 1082                 if (*mp)
 1083                         mp = &(*mp)->m_next;
 1084         }
 1085 
 1086         if ((in6p->in6p_flags & IN6P_TCLASS) != 0) {
 1087                 u_int32_t flowinfo;
 1088                 int tclass;
 1089 
 1090                 flowinfo = (u_int32_t)ntohl(ip6->ip6_flow & IPV6_FLOWINFO_MASK);
 1091                 flowinfo >>= 20;
 1092 
 1093                 tclass = flowinfo & 0xff;
 1094                 *mp = sbcreatecontrol((caddr_t) &tclass, sizeof(tclass),
 1095                     IPV6_TCLASS, IPPROTO_IPV6);
 1096                 if (*mp)
 1097                         mp = &(*mp)->m_next;
 1098         }
 1099 
 1100         /*
 1101          * IPV6_HOPOPTS socket option.  Recall that we required super-user
 1102          * privilege for the option (see ip6_ctloutput), but it might be too
 1103          * strict, since there might be some hop-by-hop options which can be
 1104          * returned to normal user.
 1105          * See also RFC 2292 section 6 (or RFC 3542 section 8).
 1106          */
 1107         if ((in6p->in6p_flags & IN6P_HOPOPTS) != 0) {
 1108                 /*
 1109                  * Check if a hop-by-hop options header is contatined in the
 1110                  * received packet, and if so, store the options as ancillary
 1111                  * data. Note that a hop-by-hop options header must be
 1112                  * just after the IPv6 header, which is assured through the
 1113                  * IPv6 input processing.
 1114                  */
 1115                 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) {
 1116                         struct ip6_hbh *hbh;
 1117                         int hbhlen = 0;
 1118 #ifdef PULLDOWN_TEST
 1119                         struct mbuf *ext;
 1120 #endif
 1121 
 1122 #ifndef PULLDOWN_TEST
 1123                         hbh = (struct ip6_hbh *)(ip6 + 1);
 1124                         hbhlen = (hbh->ip6h_len + 1) << 3;
 1125 #else
 1126                         ext = ip6_pullexthdr(m, sizeof(struct ip6_hdr),
 1127                             ip6->ip6_nxt);
 1128                         if (ext == NULL) {
 1129                                 ip6stat.ip6s_tooshort++;
 1130                                 return;
 1131                         }
 1132                         hbh = mtod(ext, struct ip6_hbh *);
 1133                         hbhlen = (hbh->ip6h_len + 1) << 3;
 1134                         if (hbhlen != ext->m_len) {
 1135                                 m_freem(ext);
 1136                                 ip6stat.ip6s_tooshort++;
 1137                                 return;
 1138                         }
 1139 #endif
 1140 
 1141                         /*
 1142                          * XXX: We copy the whole header even if a
 1143                          * jumbo payload option is included, the option which
 1144                          * is to be removed before returning according to
 1145                          * RFC2292.
 1146                          * Note: this constraint is removed in RFC3542
 1147                          */
 1148                         *mp = sbcreatecontrol((caddr_t)hbh, hbhlen,
 1149                             IS2292(IPV6_2292HOPOPTS, IPV6_HOPOPTS),
 1150                             IPPROTO_IPV6);
 1151                         if (*mp)
 1152                                 mp = &(*mp)->m_next;
 1153 #ifdef PULLDOWN_TEST
 1154                         m_freem(ext);
 1155 #endif
 1156                 }
 1157         }
 1158 
 1159         if ((in6p->in6p_flags & (IN6P_RTHDR | IN6P_DSTOPTS)) != 0) {
 1160                 int nxt = ip6->ip6_nxt, off = sizeof(struct ip6_hdr);
 1161 
 1162                 /*
 1163                  * Search for destination options headers or routing
 1164                  * header(s) through the header chain, and stores each
 1165                  * header as ancillary data.
 1166                  * Note that the order of the headers remains in
 1167                  * the chain of ancillary data.
 1168                  */
 1169                 while (1) {     /* is explicit loop prevention necessary? */
 1170                         struct ip6_ext *ip6e = NULL;
 1171                         int elen;
 1172 #ifdef PULLDOWN_TEST
 1173                         struct mbuf *ext = NULL;
 1174 #endif
 1175 
 1176                         /*
 1177                          * if it is not an extension header, don't try to
 1178                          * pull it from the chain.
 1179                          */
 1180                         switch (nxt) {
 1181                         case IPPROTO_DSTOPTS:
 1182                         case IPPROTO_ROUTING:
 1183                         case IPPROTO_HOPOPTS:
 1184                         case IPPROTO_AH: /* is it possible? */
 1185                                 break;
 1186                         default:
 1187                                 goto loopend;
 1188                         }
 1189 
 1190 #ifndef PULLDOWN_TEST
 1191                         if (off + sizeof(*ip6e) > m->m_len)
 1192                                 goto loopend;
 1193                         ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + off);
 1194                         if (nxt == IPPROTO_AH)
 1195                                 elen = (ip6e->ip6e_len + 2) << 2;
 1196                         else
 1197                                 elen = (ip6e->ip6e_len + 1) << 3;
 1198                         if (off + elen > m->m_len)
 1199                                 goto loopend;
 1200 #else
 1201                         ext = ip6_pullexthdr(m, off, nxt);
 1202                         if (ext == NULL) {
 1203                                 ip6stat.ip6s_tooshort++;
 1204                                 return;
 1205                         }
 1206                         ip6e = mtod(ext, struct ip6_ext *);
 1207                         if (nxt == IPPROTO_AH)
 1208                                 elen = (ip6e->ip6e_len + 2) << 2;
 1209                         else
 1210                                 elen = (ip6e->ip6e_len + 1) << 3;
 1211                         if (elen != ext->m_len) {
 1212                                 m_freem(ext);
 1213                                 ip6stat.ip6s_tooshort++;
 1214                                 return;
 1215                         }
 1216 #endif
 1217 
 1218                         switch (nxt) {
 1219                         case IPPROTO_DSTOPTS:
 1220                                 if (!(in6p->in6p_flags & IN6P_DSTOPTS))
 1221                                         break;
 1222 
 1223                                 *mp = sbcreatecontrol((caddr_t)ip6e, elen,
 1224                                     IS2292(IPV6_2292DSTOPTS, IPV6_DSTOPTS),
 1225                                     IPPROTO_IPV6);
 1226                                 if (*mp)
 1227                                         mp = &(*mp)->m_next;
 1228                                 break;
 1229                         case IPPROTO_ROUTING:
 1230                                 if (!in6p->in6p_flags & IN6P_RTHDR)
 1231                                         break;
 1232 
 1233                                 *mp = sbcreatecontrol((caddr_t)ip6e, elen,
 1234                                     IS2292(IPV6_2292RTHDR, IPV6_RTHDR),
 1235                                     IPPROTO_IPV6);
 1236                                 if (*mp)
 1237                                         mp = &(*mp)->m_next;
 1238                                 break;
 1239                         case IPPROTO_HOPOPTS:
 1240                         case IPPROTO_AH: /* is it possible? */
 1241                                 break;
 1242 
 1243                         default:
 1244                                 /*
 1245                                  * other cases have been filtered in the above.
 1246                                  * none will visit this case.  here we supply
 1247                                  * the code just in case (nxt overwritten or
 1248                                  * other cases).
 1249                                  */
 1250 #ifdef PULLDOWN_TEST
 1251                                 m_freem(ext);
 1252 #endif
 1253                                 goto loopend;
 1254 
 1255                         }
 1256 
 1257                         /* proceed with the next header. */
 1258                         off += elen;
 1259                         nxt = ip6e->ip6e_nxt;
 1260                         ip6e = NULL;
 1261 #ifdef PULLDOWN_TEST
 1262                         m_freem(ext);
 1263                         ext = NULL;
 1264 #endif
 1265                 }
 1266           loopend:
 1267                 ;
 1268         }
 1269 
 1270 #undef IS2292
 1271 }
 1272 
 1273 void
 1274 ip6_notify_pmtu(struct inpcb *in6p, struct sockaddr_in6 *dst, u_int32_t *mtu)
 1275 {
 1276         struct socket *so;
 1277         struct mbuf *m_mtu;
 1278         struct ip6_mtuinfo mtuctl;
 1279 
 1280         so =  in6p->inp_socket;
 1281 
 1282         if (mtu == NULL)
 1283                 return;
 1284 
 1285 #ifdef DIAGNOSTIC
 1286         if (so == NULL)         /* I believe this is impossible */
 1287                 panic("ip6_notify_pmtu: socket is NULL");
 1288 #endif
 1289 
 1290         bzero(&mtuctl, sizeof(mtuctl)); /* zero-clear for safety */
 1291         mtuctl.ip6m_mtu = *mtu;
 1292         mtuctl.ip6m_addr = *dst;
 1293         if (sa6_recoverscope(&mtuctl.ip6m_addr))
 1294                 return;
 1295 
 1296         if ((m_mtu = sbcreatecontrol((caddr_t)&mtuctl, sizeof(mtuctl),
 1297             IPV6_PATHMTU, IPPROTO_IPV6)) == NULL)
 1298                 return;
 1299 
 1300         if (sbappendaddr(&so->so_rcv, (struct sockaddr *)dst, NULL, m_mtu)
 1301             == 0) {
 1302                 m_freem(m_mtu);
 1303                 /* XXX: should count statistics */
 1304         } else
 1305                 sorwakeup(so);
 1306 
 1307         return;
 1308 }
 1309 
 1310 #ifdef PULLDOWN_TEST
 1311 /*
 1312  * pull single extension header from mbuf chain.  returns single mbuf that
 1313  * contains the result, or NULL on error.
 1314  */
 1315 static struct mbuf *
 1316 ip6_pullexthdr(struct mbuf *m, size_t off, int nxt)
 1317 {
 1318         struct ip6_ext ip6e;
 1319         size_t elen;
 1320         struct mbuf *n;
 1321 
 1322 #ifdef DIAGNOSTIC
 1323         switch (nxt) {
 1324         case IPPROTO_DSTOPTS:
 1325         case IPPROTO_ROUTING:
 1326         case IPPROTO_HOPOPTS:
 1327         case IPPROTO_AH: /* is it possible? */
 1328                 break;
 1329         default:
 1330                 printf("ip6_pullexthdr: invalid nxt=%d\n", nxt);
 1331         }
 1332 #endif
 1333 
 1334         m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
 1335         if (nxt == IPPROTO_AH)
 1336                 elen = (ip6e.ip6e_len + 2) << 2;
 1337         else
 1338                 elen = (ip6e.ip6e_len + 1) << 3;
 1339 
 1340         MGET(n, M_DONTWAIT, MT_DATA);
 1341         if (n && elen >= MLEN) {
 1342                 MCLGET(n, M_DONTWAIT);
 1343                 if ((n->m_flags & M_EXT) == 0) {
 1344                         m_free(n);
 1345                         n = NULL;
 1346                 }
 1347         }
 1348         if (!n)
 1349                 return NULL;
 1350 
 1351         n->m_len = 0;
 1352         if (elen >= M_TRAILINGSPACE(n)) {
 1353                 m_free(n);
 1354                 return NULL;
 1355         }
 1356 
 1357         m_copydata(m, off, elen, mtod(n, caddr_t));
 1358         n->m_len = elen;
 1359         return n;
 1360 }
 1361 #endif
 1362 
 1363 /*
 1364  * Get pointer to the previous header followed by the header
 1365  * currently processed.
 1366  * XXX: This function supposes that
 1367  *      M includes all headers,
 1368  *      the next header field and the header length field of each header
 1369  *      are valid, and
 1370  *      the sum of each header length equals to OFF.
 1371  * Because of these assumptions, this function must be called very
 1372  * carefully. Moreover, it will not be used in the near future when
 1373  * we develop `neater' mechanism to process extension headers.
 1374  */
 1375 char *
 1376 ip6_get_prevhdr(struct mbuf *m, int off)
 1377 {
 1378         struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
 1379 
 1380         if (off == sizeof(struct ip6_hdr))
 1381                 return (&ip6->ip6_nxt);
 1382         else {
 1383                 int len, nxt;
 1384                 struct ip6_ext *ip6e = NULL;
 1385 
 1386                 nxt = ip6->ip6_nxt;
 1387                 len = sizeof(struct ip6_hdr);
 1388                 while (len < off) {
 1389                         ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + len);
 1390 
 1391                         switch (nxt) {
 1392                         case IPPROTO_FRAGMENT:
 1393                                 len += sizeof(struct ip6_frag);
 1394                                 break;
 1395                         case IPPROTO_AH:
 1396                                 len += (ip6e->ip6e_len + 2) << 2;
 1397                                 break;
 1398                         default:
 1399                                 len += (ip6e->ip6e_len + 1) << 3;
 1400                                 break;
 1401                         }
 1402                         nxt = ip6e->ip6e_nxt;
 1403                 }
 1404                 if (ip6e)
 1405                         return (&ip6e->ip6e_nxt);
 1406                 else
 1407                         return NULL;
 1408         }
 1409 }
 1410 
 1411 /*
 1412  * get next header offset.  m will be retained.
 1413  */
 1414 int
 1415 ip6_nexthdr(struct mbuf *m, int off, int proto, int *nxtp)
 1416 {
 1417         struct ip6_hdr ip6;
 1418         struct ip6_ext ip6e;
 1419         struct ip6_frag fh;
 1420 
 1421         /* just in case */
 1422         if (m == NULL)
 1423                 panic("ip6_nexthdr: m == NULL");
 1424         if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off)
 1425                 return -1;
 1426 
 1427         switch (proto) {
 1428         case IPPROTO_IPV6:
 1429                 if (m->m_pkthdr.len < off + sizeof(ip6))
 1430                         return -1;
 1431                 m_copydata(m, off, sizeof(ip6), (caddr_t)&ip6);
 1432                 if (nxtp)
 1433                         *nxtp = ip6.ip6_nxt;
 1434                 off += sizeof(ip6);
 1435                 return off;
 1436 
 1437         case IPPROTO_FRAGMENT:
 1438                 /*
 1439                  * terminate parsing if it is not the first fragment,
 1440                  * it does not make sense to parse through it.
 1441                  */
 1442                 if (m->m_pkthdr.len < off + sizeof(fh))
 1443                         return -1;
 1444                 m_copydata(m, off, sizeof(fh), (caddr_t)&fh);
 1445                 /* IP6F_OFF_MASK = 0xfff8(BigEndian), 0xf8ff(LittleEndian) */
 1446                 if (fh.ip6f_offlg & IP6F_OFF_MASK)
 1447                         return -1;
 1448                 if (nxtp)
 1449                         *nxtp = fh.ip6f_nxt;
 1450                 off += sizeof(struct ip6_frag);
 1451                 return off;
 1452 
 1453         case IPPROTO_AH:
 1454                 if (m->m_pkthdr.len < off + sizeof(ip6e))
 1455                         return -1;
 1456                 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
 1457                 if (nxtp)
 1458                         *nxtp = ip6e.ip6e_nxt;
 1459                 off += (ip6e.ip6e_len + 2) << 2;
 1460                 return off;
 1461 
 1462         case IPPROTO_HOPOPTS:
 1463         case IPPROTO_ROUTING:
 1464         case IPPROTO_DSTOPTS:
 1465                 if (m->m_pkthdr.len < off + sizeof(ip6e))
 1466                         return -1;
 1467                 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
 1468                 if (nxtp)
 1469                         *nxtp = ip6e.ip6e_nxt;
 1470                 off += (ip6e.ip6e_len + 1) << 3;
 1471                 return off;
 1472 
 1473         case IPPROTO_NONE:
 1474         case IPPROTO_ESP:
 1475         case IPPROTO_IPCOMP:
 1476                 /* give up */
 1477                 return -1;
 1478 
 1479         default:
 1480                 return -1;
 1481         }
 1482 
 1483         return -1;
 1484 }
 1485 
 1486 /*
 1487  * get offset for the last header in the chain.  m will be kept untainted.
 1488  */
 1489 int
 1490 ip6_lasthdr(struct mbuf *m, int off, int proto, int *nxtp)
 1491 {
 1492         int newoff;
 1493         int nxt;
 1494 
 1495         if (!nxtp) {
 1496                 nxt = -1;
 1497                 nxtp = &nxt;
 1498         }
 1499         while (1) {
 1500                 newoff = ip6_nexthdr(m, off, proto, nxtp);
 1501                 if (newoff < 0)
 1502                         return off;
 1503                 else if (newoff < off)
 1504                         return -1;      /* invalid */
 1505                 else if (newoff == off)
 1506                         return newoff;
 1507 
 1508                 off = newoff;
 1509                 proto = *nxtp;
 1510         }
 1511 }
 1512 
 1513 struct ip6aux *
 1514 ip6_addaux(struct mbuf *m)
 1515 {
 1516         struct m_tag *mtag;
 1517 
 1518         mtag = m_tag_find(m, PACKET_TAG_IPV6_INPUT, NULL);
 1519         if (!mtag) {
 1520                 mtag = m_tag_get(PACKET_TAG_IPV6_INPUT, sizeof(struct ip6aux),
 1521                     M_NOWAIT);
 1522                 if (mtag) {
 1523                         m_tag_prepend(m, mtag);
 1524                         bzero(mtag + 1, sizeof(struct ip6aux));
 1525                 }
 1526         }
 1527         return mtag ? (struct ip6aux *)(mtag + 1) : NULL;
 1528 }
 1529 
 1530 struct ip6aux *
 1531 ip6_findaux(struct mbuf *m)
 1532 {
 1533         struct m_tag *mtag;
 1534 
 1535         mtag = m_tag_find(m, PACKET_TAG_IPV6_INPUT, NULL);
 1536         return mtag ? (struct ip6aux *)(mtag + 1) : NULL;
 1537 }
 1538 
 1539 void
 1540 ip6_delaux(struct mbuf *m)
 1541 {
 1542         struct m_tag *mtag;
 1543 
 1544         mtag = m_tag_find(m, PACKET_TAG_IPV6_INPUT, NULL);
 1545         if (mtag)
 1546                 m_tag_delete(m, mtag);
 1547 }
 1548 
 1549 /*
 1550  * System control for IP6
 1551  */
 1552 
 1553 u_char  inet6ctlerrmap[PRC_NCMDS] = {
 1554         0,              0,              0,              0,
 1555         0,              EMSGSIZE,       EHOSTDOWN,      EHOSTUNREACH,
 1556         EHOSTUNREACH,   EHOSTUNREACH,   ECONNREFUSED,   ECONNREFUSED,
 1557         EMSGSIZE,       EHOSTUNREACH,   0,              0,
 1558         0,              0,              0,              0,
 1559         ENOPROTOOPT
 1560 };

Cache object: 3ba33da8858efb0b337c34908ea4556b


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.