1 /*
2 * Internet Control Message Protocol (ICMPv6)
3 * Linux INET6 implementation
4 *
5 * Authors:
6 * Pedro Roque <roque@di.fc.ul.pt>
7 *
8 * Based on net/ipv4/icmp.c
9 *
10 * RFC 1885
11 *
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
16 */
17
18 /*
19 * Changes:
20 *
21 * Andi Kleen : exception handling
22 * Andi Kleen add rate limits. never reply to a icmp.
23 * add more length checks and other fixes.
24 * yoshfuji : ensure to sent parameter problem for
25 * fragments.
26 * YOSHIFUJI Hideaki @USAGI: added sysctl for icmp rate limit.
27 * Randy Dunlap and
28 * YOSHIFUJI Hideaki @USAGI: Per-interface statistics support
29 * Kazunori MIYAZAWA @USAGI: change output process to use ip6_append_data
30 */
31
32 #define pr_fmt(fmt) "IPv6: " fmt
33
34 #include <linux/module.h>
35 #include <linux/errno.h>
36 #include <linux/types.h>
37 #include <linux/socket.h>
38 #include <linux/in.h>
39 #include <linux/kernel.h>
40 #include <linux/sockios.h>
41 #include <linux/net.h>
42 #include <linux/skbuff.h>
43 #include <linux/init.h>
44 #include <linux/netfilter.h>
45 #include <linux/slab.h>
46
47 #ifdef CONFIG_SYSCTL
48 #include <linux/sysctl.h>
49 #endif
50
51 #include <linux/inet.h>
52 #include <linux/netdevice.h>
53 #include <linux/icmpv6.h>
54
55 #include <net/ip.h>
56 #include <net/sock.h>
57
58 #include <net/ipv6.h>
59 #include <net/ip6_checksum.h>
60 #include <net/ping.h>
61 #include <net/protocol.h>
62 #include <net/raw.h>
63 #include <net/rawv6.h>
64 #include <net/transp_v6.h>
65 #include <net/ip6_route.h>
66 #include <net/addrconf.h>
67 #include <net/icmp.h>
68 #include <net/xfrm.h>
69 #include <net/inet_common.h>
70 #include <net/dsfield.h>
71 #include <net/l3mdev.h>
72
73 #include <linux/uaccess.h>
74
75 /*
76 * The ICMP socket(s). This is the most convenient way to flow control
77 * our ICMP output as well as maintain a clean interface throughout
78 * all layers. All Socketless IP sends will soon be gone.
79 *
80 * On SMP we have one ICMP socket per-cpu.
81 */
icmpv6_sk(struct net * net)82 static inline struct sock *icmpv6_sk(struct net *net)
83 {
84 return net->ipv6.icmp_sk[smp_processor_id()];
85 }
86
icmpv6_err(struct sk_buff * skb,struct inet6_skb_parm * opt,u8 type,u8 code,int offset,__be32 info)87 static void icmpv6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
88 u8 type, u8 code, int offset, __be32 info)
89 {
90 /* icmpv6_notify checks 8 bytes can be pulled, icmp6hdr is 8 bytes */
91 struct icmp6hdr *icmp6 = (struct icmp6hdr *) (skb->data + offset);
92 struct net *net = dev_net(skb->dev);
93
94 if (type == ICMPV6_PKT_TOOBIG)
95 ip6_update_pmtu(skb, net, info, skb->dev->ifindex, 0, sock_net_uid(net, NULL));
96 else if (type == NDISC_REDIRECT)
97 ip6_redirect(skb, net, skb->dev->ifindex, 0,
98 sock_net_uid(net, NULL));
99
100 if (!(type & ICMPV6_INFOMSG_MASK))
101 if (icmp6->icmp6_type == ICMPV6_ECHO_REQUEST)
102 ping_err(skb, offset, ntohl(info));
103 }
104
105 static int icmpv6_rcv(struct sk_buff *skb);
106
107 static const struct inet6_protocol icmpv6_protocol = {
108 .handler = icmpv6_rcv,
109 .err_handler = icmpv6_err,
110 .flags = INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL,
111 };
112
113 /* Called with BH disabled */
icmpv6_xmit_lock(struct net * net)114 static __inline__ struct sock *icmpv6_xmit_lock(struct net *net)
115 {
116 struct sock *sk;
117
118 sk = icmpv6_sk(net);
119 if (unlikely(!spin_trylock(&sk->sk_lock.slock))) {
120 /* This can happen if the output path (f.e. SIT or
121 * ip6ip6 tunnel) signals dst_link_failure() for an
122 * outgoing ICMP6 packet.
123 */
124 return NULL;
125 }
126 return sk;
127 }
128
icmpv6_xmit_unlock(struct sock * sk)129 static __inline__ void icmpv6_xmit_unlock(struct sock *sk)
130 {
131 spin_unlock(&sk->sk_lock.slock);
132 }
133
134 /*
135 * Figure out, may we reply to this packet with icmp error.
136 *
137 * We do not reply, if:
138 * - it was icmp error message.
139 * - it is truncated, so that it is known, that protocol is ICMPV6
140 * (i.e. in the middle of some exthdr)
141 *
142 * --ANK (980726)
143 */
144
is_ineligible(const struct sk_buff * skb)145 static bool is_ineligible(const struct sk_buff *skb)
146 {
147 int ptr = (u8 *)(ipv6_hdr(skb) + 1) - skb->data;
148 int len = skb->len - ptr;
149 __u8 nexthdr = ipv6_hdr(skb)->nexthdr;
150 __be16 frag_off;
151
152 if (len < 0)
153 return true;
154
155 ptr = ipv6_skip_exthdr(skb, ptr, &nexthdr, &frag_off);
156 if (ptr < 0)
157 return false;
158 if (nexthdr == IPPROTO_ICMPV6) {
159 u8 _type, *tp;
160 tp = skb_header_pointer(skb,
161 ptr+offsetof(struct icmp6hdr, icmp6_type),
162 sizeof(_type), &_type);
163 if (!tp || !(*tp & ICMPV6_INFOMSG_MASK))
164 return true;
165 }
166 return false;
167 }
168
icmpv6_mask_allow(int type)169 static bool icmpv6_mask_allow(int type)
170 {
171 /* Informational messages are not limited. */
172 if (type & ICMPV6_INFOMSG_MASK)
173 return true;
174
175 /* Do not limit pmtu discovery, it would break it. */
176 if (type == ICMPV6_PKT_TOOBIG)
177 return true;
178
179 return false;
180 }
181
icmpv6_global_allow(int type)182 static bool icmpv6_global_allow(int type)
183 {
184 if (icmpv6_mask_allow(type))
185 return true;
186
187 if (icmp_global_allow())
188 return true;
189
190 return false;
191 }
192
193 /*
194 * Check the ICMP output rate limit
195 */
icmpv6_xrlim_allow(struct sock * sk,u8 type,struct flowi6 * fl6)196 static bool icmpv6_xrlim_allow(struct sock *sk, u8 type,
197 struct flowi6 *fl6)
198 {
199 struct net *net = sock_net(sk);
200 struct dst_entry *dst;
201 bool res = false;
202
203 if (icmpv6_mask_allow(type))
204 return true;
205
206 /*
207 * Look up the output route.
208 * XXX: perhaps the expire for routing entries cloned by
209 * this lookup should be more aggressive (not longer than timeout).
210 */
211 dst = ip6_route_output(net, sk, fl6);
212 if (dst->error) {
213 IP6_INC_STATS(net, ip6_dst_idev(dst),
214 IPSTATS_MIB_OUTNOROUTES);
215 } else if (dst->dev && (dst->dev->flags&IFF_LOOPBACK)) {
216 res = true;
217 } else {
218 struct rt6_info *rt = (struct rt6_info *)dst;
219 int tmo = net->ipv6.sysctl.icmpv6_time;
220 struct inet_peer *peer;
221
222 /* Give more bandwidth to wider prefixes. */
223 if (rt->rt6i_dst.plen < 128)
224 tmo >>= ((128 - rt->rt6i_dst.plen)>>5);
225
226 peer = inet_getpeer_v6(net->ipv6.peers, &fl6->daddr, 1);
227 res = inet_peer_xrlim_allow(peer, tmo);
228 if (peer)
229 inet_putpeer(peer);
230 }
231 dst_release(dst);
232 return res;
233 }
234
235 /*
236 * an inline helper for the "simple" if statement below
237 * checks if parameter problem report is caused by an
238 * unrecognized IPv6 option that has the Option Type
239 * highest-order two bits set to 10
240 */
241
opt_unrec(struct sk_buff * skb,__u32 offset)242 static bool opt_unrec(struct sk_buff *skb, __u32 offset)
243 {
244 u8 _optval, *op;
245
246 offset += skb_network_offset(skb);
247 op = skb_header_pointer(skb, offset, sizeof(_optval), &_optval);
248 if (!op)
249 return true;
250 return (*op & 0xC0) == 0x80;
251 }
252
icmpv6_push_pending_frames(struct sock * sk,struct flowi6 * fl6,struct icmp6hdr * thdr,int len)253 void icmpv6_push_pending_frames(struct sock *sk, struct flowi6 *fl6,
254 struct icmp6hdr *thdr, int len)
255 {
256 struct sk_buff *skb;
257 struct icmp6hdr *icmp6h;
258
259 skb = skb_peek(&sk->sk_write_queue);
260 if (!skb)
261 return;
262
263 icmp6h = icmp6_hdr(skb);
264 memcpy(icmp6h, thdr, sizeof(struct icmp6hdr));
265 icmp6h->icmp6_cksum = 0;
266
267 if (skb_queue_len(&sk->sk_write_queue) == 1) {
268 skb->csum = csum_partial(icmp6h,
269 sizeof(struct icmp6hdr), skb->csum);
270 icmp6h->icmp6_cksum = csum_ipv6_magic(&fl6->saddr,
271 &fl6->daddr,
272 len, fl6->flowi6_proto,
273 skb->csum);
274 } else {
275 __wsum tmp_csum = 0;
276
277 skb_queue_walk(&sk->sk_write_queue, skb) {
278 tmp_csum = csum_add(tmp_csum, skb->csum);
279 }
280
281 tmp_csum = csum_partial(icmp6h,
282 sizeof(struct icmp6hdr), tmp_csum);
283 icmp6h->icmp6_cksum = csum_ipv6_magic(&fl6->saddr,
284 &fl6->daddr,
285 len, fl6->flowi6_proto,
286 tmp_csum);
287 }
288 ip6_push_pending_frames(sk);
289 }
290
291 struct icmpv6_msg {
292 struct sk_buff *skb;
293 int offset;
294 uint8_t type;
295 };
296
icmpv6_getfrag(void * from,char * to,int offset,int len,int odd,struct sk_buff * skb)297 static int icmpv6_getfrag(void *from, char *to, int offset, int len, int odd, struct sk_buff *skb)
298 {
299 struct icmpv6_msg *msg = (struct icmpv6_msg *) from;
300 struct sk_buff *org_skb = msg->skb;
301 __wsum csum = 0;
302
303 csum = skb_copy_and_csum_bits(org_skb, msg->offset + offset,
304 to, len, csum);
305 skb->csum = csum_block_add(skb->csum, csum, odd);
306 if (!(msg->type & ICMPV6_INFOMSG_MASK))
307 nf_ct_attach(skb, org_skb);
308 return 0;
309 }
310
311 #if IS_ENABLED(CONFIG_IPV6_MIP6)
mip6_addr_swap(struct sk_buff * skb)312 static void mip6_addr_swap(struct sk_buff *skb)
313 {
314 struct ipv6hdr *iph = ipv6_hdr(skb);
315 struct inet6_skb_parm *opt = IP6CB(skb);
316 struct ipv6_destopt_hao *hao;
317 struct in6_addr tmp;
318 int off;
319
320 if (opt->dsthao) {
321 off = ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO);
322 if (likely(off >= 0)) {
323 hao = (struct ipv6_destopt_hao *)
324 (skb_network_header(skb) + off);
325 tmp = iph->saddr;
326 iph->saddr = hao->addr;
327 hao->addr = tmp;
328 }
329 }
330 }
331 #else
mip6_addr_swap(struct sk_buff * skb)332 static inline void mip6_addr_swap(struct sk_buff *skb) {}
333 #endif
334
icmpv6_route_lookup(struct net * net,struct sk_buff * skb,struct sock * sk,struct flowi6 * fl6)335 static struct dst_entry *icmpv6_route_lookup(struct net *net,
336 struct sk_buff *skb,
337 struct sock *sk,
338 struct flowi6 *fl6)
339 {
340 struct dst_entry *dst, *dst2;
341 struct flowi6 fl2;
342 int err;
343
344 err = ip6_dst_lookup(net, sk, &dst, fl6);
345 if (err)
346 return ERR_PTR(err);
347
348 /*
349 * We won't send icmp if the destination is known
350 * anycast.
351 */
352 if (ipv6_anycast_destination(dst, &fl6->daddr)) {
353 net_dbg_ratelimited("icmp6_send: acast source\n");
354 dst_release(dst);
355 return ERR_PTR(-EINVAL);
356 }
357
358 /* No need to clone since we're just using its address. */
359 dst2 = dst;
360
361 dst = xfrm_lookup(net, dst, flowi6_to_flowi(fl6), sk, 0);
362 if (!IS_ERR(dst)) {
363 if (dst != dst2)
364 return dst;
365 } else {
366 if (PTR_ERR(dst) == -EPERM)
367 dst = NULL;
368 else
369 return dst;
370 }
371
372 err = xfrm_decode_session_reverse(skb, flowi6_to_flowi(&fl2), AF_INET6);
373 if (err)
374 goto relookup_failed;
375
376 err = ip6_dst_lookup(net, sk, &dst2, &fl2);
377 if (err)
378 goto relookup_failed;
379
380 dst2 = xfrm_lookup(net, dst2, flowi6_to_flowi(&fl2), sk, XFRM_LOOKUP_ICMP);
381 if (!IS_ERR(dst2)) {
382 dst_release(dst);
383 dst = dst2;
384 } else {
385 err = PTR_ERR(dst2);
386 if (err == -EPERM) {
387 dst_release(dst);
388 return dst2;
389 } else
390 goto relookup_failed;
391 }
392
393 relookup_failed:
394 if (dst)
395 return dst;
396 return ERR_PTR(err);
397 }
398
icmp6_iif(const struct sk_buff * skb)399 static int icmp6_iif(const struct sk_buff *skb)
400 {
401 int iif = skb->dev->ifindex;
402
403 /* for local traffic to local address, skb dev is the loopback
404 * device. Check if there is a dst attached to the skb and if so
405 * get the real device index. Same is needed for replies to a link
406 * local address on a device enslaved to an L3 master device
407 */
408 if (unlikely(iif == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev))) {
409 const struct rt6_info *rt6 = skb_rt6_info(skb);
410
411 if (rt6)
412 iif = rt6->rt6i_idev->dev->ifindex;
413 }
414
415 return iif;
416 }
417
418 /*
419 * Send an ICMP message in response to a packet in error
420 */
icmp6_send(struct sk_buff * skb,u8 type,u8 code,__u32 info,const struct in6_addr * force_saddr)421 static void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info,
422 const struct in6_addr *force_saddr)
423 {
424 struct inet6_dev *idev = NULL;
425 struct ipv6hdr *hdr = ipv6_hdr(skb);
426 struct sock *sk;
427 struct net *net;
428 struct ipv6_pinfo *np;
429 const struct in6_addr *saddr = NULL;
430 struct dst_entry *dst;
431 struct icmp6hdr tmp_hdr;
432 struct flowi6 fl6;
433 struct icmpv6_msg msg;
434 struct ipcm6_cookie ipc6;
435 int iif = 0;
436 int addr_type = 0;
437 int len;
438 u32 mark;
439
440 if ((u8 *)hdr < skb->head ||
441 (skb_network_header(skb) + sizeof(*hdr)) > skb_tail_pointer(skb))
442 return;
443
444 if (!skb->dev)
445 return;
446 net = dev_net(skb->dev);
447 mark = IP6_REPLY_MARK(net, skb->mark);
448 /*
449 * Make sure we respect the rules
450 * i.e. RFC 1885 2.4(e)
451 * Rule (e.1) is enforced by not using icmp6_send
452 * in any code that processes icmp errors.
453 */
454 addr_type = ipv6_addr_type(&hdr->daddr);
455
456 if (ipv6_chk_addr(net, &hdr->daddr, skb->dev, 0) ||
457 ipv6_chk_acast_addr_src(net, skb->dev, &hdr->daddr))
458 saddr = &hdr->daddr;
459
460 /*
461 * Dest addr check
462 */
463
464 if (addr_type & IPV6_ADDR_MULTICAST || skb->pkt_type != PACKET_HOST) {
465 if (type != ICMPV6_PKT_TOOBIG &&
466 !(type == ICMPV6_PARAMPROB &&
467 code == ICMPV6_UNK_OPTION &&
468 (opt_unrec(skb, info))))
469 return;
470
471 saddr = NULL;
472 }
473
474 addr_type = ipv6_addr_type(&hdr->saddr);
475
476 /*
477 * Source addr check
478 */
479
480 if (__ipv6_addr_needs_scope_id(addr_type)) {
481 iif = icmp6_iif(skb);
482 } else {
483 dst = skb_dst(skb);
484 iif = l3mdev_master_ifindex(dst ? dst->dev : skb->dev);
485 }
486
487 /*
488 * Must not send error if the source does not uniquely
489 * identify a single node (RFC2463 Section 2.4).
490 * We check unspecified / multicast addresses here,
491 * and anycast addresses will be checked later.
492 */
493 if ((addr_type == IPV6_ADDR_ANY) || (addr_type & IPV6_ADDR_MULTICAST)) {
494 net_dbg_ratelimited("icmp6_send: addr_any/mcast source [%pI6c > %pI6c]\n",
495 &hdr->saddr, &hdr->daddr);
496 return;
497 }
498
499 /*
500 * Never answer to a ICMP packet.
501 */
502 if (is_ineligible(skb)) {
503 net_dbg_ratelimited("icmp6_send: no reply to icmp error [%pI6c > %pI6c]\n",
504 &hdr->saddr, &hdr->daddr);
505 return;
506 }
507
508 /* Needed by both icmp_global_allow and icmpv6_xmit_lock */
509 local_bh_disable();
510
511 /* Check global sysctl_icmp_msgs_per_sec ratelimit */
512 if (!(skb->dev->flags&IFF_LOOPBACK) && !icmpv6_global_allow(type))
513 goto out_bh_enable;
514
515 mip6_addr_swap(skb);
516
517 memset(&fl6, 0, sizeof(fl6));
518 fl6.flowi6_proto = IPPROTO_ICMPV6;
519 fl6.daddr = hdr->saddr;
520 if (force_saddr)
521 saddr = force_saddr;
522 if (saddr)
523 fl6.saddr = *saddr;
524 fl6.flowi6_mark = mark;
525 fl6.flowi6_oif = iif;
526 fl6.fl6_icmp_type = type;
527 fl6.fl6_icmp_code = code;
528 fl6.flowi6_uid = sock_net_uid(net, NULL);
529 fl6.mp_hash = rt6_multipath_hash(net, &fl6, skb, NULL);
530 security_skb_classify_flow(skb, flowi6_to_flowi(&fl6));
531
532 sk = icmpv6_xmit_lock(net);
533 if (!sk)
534 goto out_bh_enable;
535
536 sk->sk_mark = mark;
537 np = inet6_sk(sk);
538
539 if (!icmpv6_xrlim_allow(sk, type, &fl6))
540 goto out;
541
542 tmp_hdr.icmp6_type = type;
543 tmp_hdr.icmp6_code = code;
544 tmp_hdr.icmp6_cksum = 0;
545 tmp_hdr.icmp6_pointer = htonl(info);
546
547 if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr))
548 fl6.flowi6_oif = np->mcast_oif;
549 else if (!fl6.flowi6_oif)
550 fl6.flowi6_oif = np->ucast_oif;
551
552 ipcm6_init_sk(&ipc6, np);
553 fl6.flowlabel = ip6_make_flowinfo(ipc6.tclass, fl6.flowlabel);
554
555 dst = icmpv6_route_lookup(net, skb, sk, &fl6);
556 if (IS_ERR(dst))
557 goto out;
558
559 ipc6.hlimit = ip6_sk_dst_hoplimit(np, &fl6, dst);
560
561 msg.skb = skb;
562 msg.offset = skb_network_offset(skb);
563 msg.type = type;
564
565 len = skb->len - msg.offset;
566 len = min_t(unsigned int, len, IPV6_MIN_MTU - sizeof(struct ipv6hdr) - sizeof(struct icmp6hdr));
567 if (len < 0) {
568 net_dbg_ratelimited("icmp: len problem [%pI6c > %pI6c]\n",
569 &hdr->saddr, &hdr->daddr);
570 goto out_dst_release;
571 }
572
573 rcu_read_lock();
574 idev = __in6_dev_get(skb->dev);
575
576 if (ip6_append_data(sk, icmpv6_getfrag, &msg,
577 len + sizeof(struct icmp6hdr),
578 sizeof(struct icmp6hdr),
579 &ipc6, &fl6, (struct rt6_info *)dst,
580 MSG_DONTWAIT)) {
581 ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTERRORS);
582 ip6_flush_pending_frames(sk);
583 } else {
584 icmpv6_push_pending_frames(sk, &fl6, &tmp_hdr,
585 len + sizeof(struct icmp6hdr));
586 }
587 rcu_read_unlock();
588 out_dst_release:
589 dst_release(dst);
590 out:
591 icmpv6_xmit_unlock(sk);
592 out_bh_enable:
593 local_bh_enable();
594 }
595
596 /* Slightly more convenient version of icmp6_send.
597 */
icmpv6_param_prob(struct sk_buff * skb,u8 code,int pos)598 void icmpv6_param_prob(struct sk_buff *skb, u8 code, int pos)
599 {
600 icmp6_send(skb, ICMPV6_PARAMPROB, code, pos, NULL);
601 kfree_skb(skb);
602 }
603
604 /* Generate icmpv6 with type/code ICMPV6_DEST_UNREACH/ICMPV6_ADDR_UNREACH
605 * if sufficient data bytes are available
606 * @nhs is the size of the tunnel header(s) :
607 * Either an IPv4 header for SIT encap
608 * an IPv4 header + GRE header for GRE encap
609 */
ip6_err_gen_icmpv6_unreach(struct sk_buff * skb,int nhs,int type,unsigned int data_len)610 int ip6_err_gen_icmpv6_unreach(struct sk_buff *skb, int nhs, int type,
611 unsigned int data_len)
612 {
613 struct in6_addr temp_saddr;
614 struct rt6_info *rt;
615 struct sk_buff *skb2;
616 u32 info = 0;
617
618 if (!pskb_may_pull(skb, nhs + sizeof(struct ipv6hdr) + 8))
619 return 1;
620
621 /* RFC 4884 (partial) support for ICMP extensions */
622 if (data_len < 128 || (data_len & 7) || skb->len < data_len)
623 data_len = 0;
624
625 skb2 = data_len ? skb_copy(skb, GFP_ATOMIC) : skb_clone(skb, GFP_ATOMIC);
626
627 if (!skb2)
628 return 1;
629
630 skb_dst_drop(skb2);
631 skb_pull(skb2, nhs);
632 skb_reset_network_header(skb2);
633
634 rt = rt6_lookup(dev_net(skb->dev), &ipv6_hdr(skb2)->saddr, NULL, 0,
635 skb, 0);
636
637 if (rt && rt->dst.dev)
638 skb2->dev = rt->dst.dev;
639
640 ipv6_addr_set_v4mapped(ip_hdr(skb)->saddr, &temp_saddr);
641
642 if (data_len) {
643 /* RFC 4884 (partial) support :
644 * insert 0 padding at the end, before the extensions
645 */
646 __skb_push(skb2, nhs);
647 skb_reset_network_header(skb2);
648 memmove(skb2->data, skb2->data + nhs, data_len - nhs);
649 memset(skb2->data + data_len - nhs, 0, nhs);
650 /* RFC 4884 4.5 : Length is measured in 64-bit words,
651 * and stored in reserved[0]
652 */
653 info = (data_len/8) << 24;
654 }
655 if (type == ICMP_TIME_EXCEEDED)
656 icmp6_send(skb2, ICMPV6_TIME_EXCEED, ICMPV6_EXC_HOPLIMIT,
657 info, &temp_saddr);
658 else
659 icmp6_send(skb2, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH,
660 info, &temp_saddr);
661 if (rt)
662 ip6_rt_put(rt);
663
664 kfree_skb(skb2);
665
666 return 0;
667 }
668 EXPORT_SYMBOL(ip6_err_gen_icmpv6_unreach);
669
icmpv6_echo_reply(struct sk_buff * skb)670 static void icmpv6_echo_reply(struct sk_buff *skb)
671 {
672 struct net *net = dev_net(skb->dev);
673 struct sock *sk;
674 struct inet6_dev *idev;
675 struct ipv6_pinfo *np;
676 const struct in6_addr *saddr = NULL;
677 struct icmp6hdr *icmph = icmp6_hdr(skb);
678 struct icmp6hdr tmp_hdr;
679 struct flowi6 fl6;
680 struct icmpv6_msg msg;
681 struct dst_entry *dst;
682 struct ipcm6_cookie ipc6;
683 u32 mark = IP6_REPLY_MARK(net, skb->mark);
684
685 saddr = &ipv6_hdr(skb)->daddr;
686
687 if (!ipv6_unicast_destination(skb) &&
688 !(net->ipv6.sysctl.anycast_src_echo_reply &&
689 ipv6_anycast_destination(skb_dst(skb), saddr)))
690 saddr = NULL;
691
692 memcpy(&tmp_hdr, icmph, sizeof(tmp_hdr));
693 tmp_hdr.icmp6_type = ICMPV6_ECHO_REPLY;
694
695 memset(&fl6, 0, sizeof(fl6));
696 fl6.flowi6_proto = IPPROTO_ICMPV6;
697 fl6.daddr = ipv6_hdr(skb)->saddr;
698 if (saddr)
699 fl6.saddr = *saddr;
700 fl6.flowi6_oif = icmp6_iif(skb);
701 fl6.fl6_icmp_type = ICMPV6_ECHO_REPLY;
702 fl6.flowi6_mark = mark;
703 fl6.flowi6_uid = sock_net_uid(net, NULL);
704 security_skb_classify_flow(skb, flowi6_to_flowi(&fl6));
705
706 local_bh_disable();
707 sk = icmpv6_xmit_lock(net);
708 if (!sk)
709 goto out_bh_enable;
710 sk->sk_mark = mark;
711 np = inet6_sk(sk);
712
713 if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr))
714 fl6.flowi6_oif = np->mcast_oif;
715 else if (!fl6.flowi6_oif)
716 fl6.flowi6_oif = np->ucast_oif;
717
718 if (ip6_dst_lookup(net, sk, &dst, &fl6))
719 goto out;
720 dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), sk, 0);
721 if (IS_ERR(dst))
722 goto out;
723
724 idev = __in6_dev_get(skb->dev);
725
726 msg.skb = skb;
727 msg.offset = 0;
728 msg.type = ICMPV6_ECHO_REPLY;
729
730 ipcm6_init_sk(&ipc6, np);
731 ipc6.hlimit = ip6_sk_dst_hoplimit(np, &fl6, dst);
732 ipc6.tclass = ipv6_get_dsfield(ipv6_hdr(skb));
733
734 if (ip6_append_data(sk, icmpv6_getfrag, &msg,
735 skb->len + sizeof(struct icmp6hdr),
736 sizeof(struct icmp6hdr), &ipc6, &fl6,
737 (struct rt6_info *)dst, MSG_DONTWAIT)) {
738 __ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTERRORS);
739 ip6_flush_pending_frames(sk);
740 } else {
741 icmpv6_push_pending_frames(sk, &fl6, &tmp_hdr,
742 skb->len + sizeof(struct icmp6hdr));
743 }
744 dst_release(dst);
745 out:
746 icmpv6_xmit_unlock(sk);
747 out_bh_enable:
748 local_bh_enable();
749 }
750
icmpv6_notify(struct sk_buff * skb,u8 type,u8 code,__be32 info)751 void icmpv6_notify(struct sk_buff *skb, u8 type, u8 code, __be32 info)
752 {
753 const struct inet6_protocol *ipprot;
754 int inner_offset;
755 __be16 frag_off;
756 u8 nexthdr;
757 struct net *net = dev_net(skb->dev);
758
759 if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
760 goto out;
761
762 nexthdr = ((struct ipv6hdr *)skb->data)->nexthdr;
763 if (ipv6_ext_hdr(nexthdr)) {
764 /* now skip over extension headers */
765 inner_offset = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr),
766 &nexthdr, &frag_off);
767 if (inner_offset < 0)
768 goto out;
769 } else {
770 inner_offset = sizeof(struct ipv6hdr);
771 }
772
773 /* Checkin header including 8 bytes of inner protocol header. */
774 if (!pskb_may_pull(skb, inner_offset+8))
775 goto out;
776
777 /* BUGGG_FUTURE: we should try to parse exthdrs in this packet.
778 Without this we will not able f.e. to make source routed
779 pmtu discovery.
780 Corresponding argument (opt) to notifiers is already added.
781 --ANK (980726)
782 */
783
784 ipprot = rcu_dereference(inet6_protos[nexthdr]);
785 if (ipprot && ipprot->err_handler)
786 ipprot->err_handler(skb, NULL, type, code, inner_offset, info);
787
788 raw6_icmp_error(skb, nexthdr, type, code, inner_offset, info);
789 return;
790
791 out:
792 __ICMP6_INC_STATS(net, __in6_dev_get(skb->dev), ICMP6_MIB_INERRORS);
793 }
794
795 /*
796 * Handle icmp messages
797 */
798
icmpv6_rcv(struct sk_buff * skb)799 static int icmpv6_rcv(struct sk_buff *skb)
800 {
801 struct net *net = dev_net(skb->dev);
802 struct net_device *dev = skb->dev;
803 struct inet6_dev *idev = __in6_dev_get(dev);
804 const struct in6_addr *saddr, *daddr;
805 struct icmp6hdr *hdr;
806 u8 type;
807 bool success = false;
808
809 if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
810 struct sec_path *sp = skb_sec_path(skb);
811 int nh;
812
813 if (!(sp && sp->xvec[sp->len - 1]->props.flags &
814 XFRM_STATE_ICMP))
815 goto drop_no_count;
816
817 if (!pskb_may_pull(skb, sizeof(*hdr) + sizeof(struct ipv6hdr)))
818 goto drop_no_count;
819
820 nh = skb_network_offset(skb);
821 skb_set_network_header(skb, sizeof(*hdr));
822
823 if (!xfrm6_policy_check_reverse(NULL, XFRM_POLICY_IN, skb))
824 goto drop_no_count;
825
826 skb_set_network_header(skb, nh);
827 }
828
829 __ICMP6_INC_STATS(dev_net(dev), idev, ICMP6_MIB_INMSGS);
830
831 saddr = &ipv6_hdr(skb)->saddr;
832 daddr = &ipv6_hdr(skb)->daddr;
833
834 if (skb_checksum_validate(skb, IPPROTO_ICMPV6, ip6_compute_pseudo)) {
835 net_dbg_ratelimited("ICMPv6 checksum failed [%pI6c > %pI6c]\n",
836 saddr, daddr);
837 goto csum_error;
838 }
839
840 if (!pskb_pull(skb, sizeof(*hdr)))
841 goto discard_it;
842
843 hdr = icmp6_hdr(skb);
844
845 type = hdr->icmp6_type;
846
847 ICMP6MSGIN_INC_STATS(dev_net(dev), idev, type);
848
849 switch (type) {
850 case ICMPV6_ECHO_REQUEST:
851 if (!net->ipv6.sysctl.icmpv6_echo_ignore_all)
852 icmpv6_echo_reply(skb);
853 break;
854
855 case ICMPV6_ECHO_REPLY:
856 success = ping_rcv(skb);
857 break;
858
859 case ICMPV6_PKT_TOOBIG:
860 /* BUGGG_FUTURE: if packet contains rthdr, we cannot update
861 standard destination cache. Seems, only "advanced"
862 destination cache will allow to solve this problem
863 --ANK (980726)
864 */
865 if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
866 goto discard_it;
867 hdr = icmp6_hdr(skb);
868
869 /* to notify */
870 /* fall through */
871 case ICMPV6_DEST_UNREACH:
872 case ICMPV6_TIME_EXCEED:
873 case ICMPV6_PARAMPROB:
874 icmpv6_notify(skb, type, hdr->icmp6_code, hdr->icmp6_mtu);
875 break;
876
877 case NDISC_ROUTER_SOLICITATION:
878 case NDISC_ROUTER_ADVERTISEMENT:
879 case NDISC_NEIGHBOUR_SOLICITATION:
880 case NDISC_NEIGHBOUR_ADVERTISEMENT:
881 case NDISC_REDIRECT:
882 ndisc_rcv(skb);
883 break;
884
885 case ICMPV6_MGM_QUERY:
886 igmp6_event_query(skb);
887 break;
888
889 case ICMPV6_MGM_REPORT:
890 igmp6_event_report(skb);
891 break;
892
893 case ICMPV6_MGM_REDUCTION:
894 case ICMPV6_NI_QUERY:
895 case ICMPV6_NI_REPLY:
896 case ICMPV6_MLD2_REPORT:
897 case ICMPV6_DHAAD_REQUEST:
898 case ICMPV6_DHAAD_REPLY:
899 case ICMPV6_MOBILE_PREFIX_SOL:
900 case ICMPV6_MOBILE_PREFIX_ADV:
901 break;
902
903 default:
904 /* informational */
905 if (type & ICMPV6_INFOMSG_MASK)
906 break;
907
908 net_dbg_ratelimited("icmpv6: msg of unknown type [%pI6c > %pI6c]\n",
909 saddr, daddr);
910
911 /*
912 * error of unknown type.
913 * must pass to upper level
914 */
915
916 icmpv6_notify(skb, type, hdr->icmp6_code, hdr->icmp6_mtu);
917 }
918
919 /* until the v6 path can be better sorted assume failure and
920 * preserve the status quo behaviour for the rest of the paths to here
921 */
922 if (success)
923 consume_skb(skb);
924 else
925 kfree_skb(skb);
926
927 return 0;
928
929 csum_error:
930 __ICMP6_INC_STATS(dev_net(dev), idev, ICMP6_MIB_CSUMERRORS);
931 discard_it:
932 __ICMP6_INC_STATS(dev_net(dev), idev, ICMP6_MIB_INERRORS);
933 drop_no_count:
934 kfree_skb(skb);
935 return 0;
936 }
937
icmpv6_flow_init(struct sock * sk,struct flowi6 * fl6,u8 type,const struct in6_addr * saddr,const struct in6_addr * daddr,int oif)938 void icmpv6_flow_init(struct sock *sk, struct flowi6 *fl6,
939 u8 type,
940 const struct in6_addr *saddr,
941 const struct in6_addr *daddr,
942 int oif)
943 {
944 memset(fl6, 0, sizeof(*fl6));
945 fl6->saddr = *saddr;
946 fl6->daddr = *daddr;
947 fl6->flowi6_proto = IPPROTO_ICMPV6;
948 fl6->fl6_icmp_type = type;
949 fl6->fl6_icmp_code = 0;
950 fl6->flowi6_oif = oif;
951 security_sk_classify_flow(sk, flowi6_to_flowi(fl6));
952 }
953
icmpv6_sk_init(struct net * net)954 static int __net_init icmpv6_sk_init(struct net *net)
955 {
956 struct sock *sk;
957 int err, i, j;
958
959 net->ipv6.icmp_sk =
960 kcalloc(nr_cpu_ids, sizeof(struct sock *), GFP_KERNEL);
961 if (!net->ipv6.icmp_sk)
962 return -ENOMEM;
963
964 for_each_possible_cpu(i) {
965 err = inet_ctl_sock_create(&sk, PF_INET6,
966 SOCK_RAW, IPPROTO_ICMPV6, net);
967 if (err < 0) {
968 pr_err("Failed to initialize the ICMP6 control socket (err %d)\n",
969 err);
970 goto fail;
971 }
972
973 net->ipv6.icmp_sk[i] = sk;
974
975 /* Enough space for 2 64K ICMP packets, including
976 * sk_buff struct overhead.
977 */
978 sk->sk_sndbuf = 2 * SKB_TRUESIZE(64 * 1024);
979 }
980 return 0;
981
982 fail:
983 for (j = 0; j < i; j++)
984 inet_ctl_sock_destroy(net->ipv6.icmp_sk[j]);
985 kfree(net->ipv6.icmp_sk);
986 return err;
987 }
988
icmpv6_sk_exit(struct net * net)989 static void __net_exit icmpv6_sk_exit(struct net *net)
990 {
991 int i;
992
993 for_each_possible_cpu(i) {
994 inet_ctl_sock_destroy(net->ipv6.icmp_sk[i]);
995 }
996 kfree(net->ipv6.icmp_sk);
997 }
998
999 static struct pernet_operations icmpv6_sk_ops = {
1000 .init = icmpv6_sk_init,
1001 .exit = icmpv6_sk_exit,
1002 };
1003
icmpv6_init(void)1004 int __init icmpv6_init(void)
1005 {
1006 int err;
1007
1008 err = register_pernet_subsys(&icmpv6_sk_ops);
1009 if (err < 0)
1010 return err;
1011
1012 err = -EAGAIN;
1013 if (inet6_add_protocol(&icmpv6_protocol, IPPROTO_ICMPV6) < 0)
1014 goto fail;
1015
1016 err = inet6_register_icmp_sender(icmp6_send);
1017 if (err)
1018 goto sender_reg_err;
1019 return 0;
1020
1021 sender_reg_err:
1022 inet6_del_protocol(&icmpv6_protocol, IPPROTO_ICMPV6);
1023 fail:
1024 pr_err("Failed to register ICMP6 protocol\n");
1025 unregister_pernet_subsys(&icmpv6_sk_ops);
1026 return err;
1027 }
1028
icmpv6_cleanup(void)1029 void icmpv6_cleanup(void)
1030 {
1031 inet6_unregister_icmp_sender(icmp6_send);
1032 unregister_pernet_subsys(&icmpv6_sk_ops);
1033 inet6_del_protocol(&icmpv6_protocol, IPPROTO_ICMPV6);
1034 }
1035
1036
1037 static const struct icmp6_err {
1038 int err;
1039 int fatal;
1040 } tab_unreach[] = {
1041 { /* NOROUTE */
1042 .err = ENETUNREACH,
1043 .fatal = 0,
1044 },
1045 { /* ADM_PROHIBITED */
1046 .err = EACCES,
1047 .fatal = 1,
1048 },
1049 { /* Was NOT_NEIGHBOUR, now reserved */
1050 .err = EHOSTUNREACH,
1051 .fatal = 0,
1052 },
1053 { /* ADDR_UNREACH */
1054 .err = EHOSTUNREACH,
1055 .fatal = 0,
1056 },
1057 { /* PORT_UNREACH */
1058 .err = ECONNREFUSED,
1059 .fatal = 1,
1060 },
1061 { /* POLICY_FAIL */
1062 .err = EACCES,
1063 .fatal = 1,
1064 },
1065 { /* REJECT_ROUTE */
1066 .err = EACCES,
1067 .fatal = 1,
1068 },
1069 };
1070
icmpv6_err_convert(u8 type,u8 code,int * err)1071 int icmpv6_err_convert(u8 type, u8 code, int *err)
1072 {
1073 int fatal = 0;
1074
1075 *err = EPROTO;
1076
1077 switch (type) {
1078 case ICMPV6_DEST_UNREACH:
1079 fatal = 1;
1080 if (code < ARRAY_SIZE(tab_unreach)) {
1081 *err = tab_unreach[code].err;
1082 fatal = tab_unreach[code].fatal;
1083 }
1084 break;
1085
1086 case ICMPV6_PKT_TOOBIG:
1087 *err = EMSGSIZE;
1088 break;
1089
1090 case ICMPV6_PARAMPROB:
1091 *err = EPROTO;
1092 fatal = 1;
1093 break;
1094
1095 case ICMPV6_TIME_EXCEED:
1096 *err = EHOSTUNREACH;
1097 break;
1098 }
1099
1100 return fatal;
1101 }
1102 EXPORT_SYMBOL(icmpv6_err_convert);
1103
1104 #ifdef CONFIG_SYSCTL
1105 static struct ctl_table ipv6_icmp_table_template[] = {
1106 {
1107 .procname = "ratelimit",
1108 .data = &init_net.ipv6.sysctl.icmpv6_time,
1109 .maxlen = sizeof(int),
1110 .mode = 0644,
1111 .proc_handler = proc_dointvec_ms_jiffies,
1112 },
1113 {
1114 .procname = "echo_ignore_all",
1115 .data = &init_net.ipv6.sysctl.icmpv6_echo_ignore_all,
1116 .maxlen = sizeof(int),
1117 .mode = 0644,
1118 .proc_handler = proc_dointvec,
1119 },
1120 { },
1121 };
1122
ipv6_icmp_sysctl_init(struct net * net)1123 struct ctl_table * __net_init ipv6_icmp_sysctl_init(struct net *net)
1124 {
1125 struct ctl_table *table;
1126
1127 table = kmemdup(ipv6_icmp_table_template,
1128 sizeof(ipv6_icmp_table_template),
1129 GFP_KERNEL);
1130
1131 if (table) {
1132 table[0].data = &net->ipv6.sysctl.icmpv6_time;
1133 table[1].data = &net->ipv6.sysctl.icmpv6_echo_ignore_all;
1134 }
1135 return table;
1136 }
1137 #endif
1138