1 /*
2 * Internet Control Message Protocol (ICMPv6)
3 * Linux INET6 implementation
4 *
5 * Authors:
6 * Pedro Roque <roque@di.fc.ul.pt>
7 *
8 * Based on net/ipv4/icmp.c
9 *
10 * RFC 1885
11 *
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
16 */
17
18 /*
19 * Changes:
20 *
21 * Andi Kleen : exception handling
22 * Andi Kleen add rate limits. never reply to a icmp.
23 * add more length checks and other fixes.
24 * yoshfuji : ensure to sent parameter problem for
25 * fragments.
26 * YOSHIFUJI Hideaki @USAGI: added sysctl for icmp rate limit.
27 * Randy Dunlap and
28 * YOSHIFUJI Hideaki @USAGI: Per-interface statistics support
29 * Kazunori MIYAZAWA @USAGI: change output process to use ip6_append_data
30 */
31
32 #define pr_fmt(fmt) "IPv6: " fmt
33
34 #include <linux/module.h>
35 #include <linux/errno.h>
36 #include <linux/types.h>
37 #include <linux/socket.h>
38 #include <linux/in.h>
39 #include <linux/kernel.h>
40 #include <linux/sockios.h>
41 #include <linux/net.h>
42 #include <linux/skbuff.h>
43 #include <linux/init.h>
44 #include <linux/netfilter.h>
45 #include <linux/slab.h>
46
47 #ifdef CONFIG_SYSCTL
48 #include <linux/sysctl.h>
49 #endif
50
51 #include <linux/inet.h>
52 #include <linux/netdevice.h>
53 #include <linux/icmpv6.h>
54
55 #include <net/ip.h>
56 #include <net/sock.h>
57
58 #include <net/ipv6.h>
59 #include <net/ip6_checksum.h>
60 #include <net/ping.h>
61 #include <net/protocol.h>
62 #include <net/raw.h>
63 #include <net/rawv6.h>
64 #include <net/transp_v6.h>
65 #include <net/ip6_route.h>
66 #include <net/addrconf.h>
67 #include <net/icmp.h>
68 #include <net/xfrm.h>
69 #include <net/inet_common.h>
70 #include <net/dsfield.h>
71 #include <net/l3mdev.h>
72
73 #include <linux/uaccess.h>
74
75 /*
76 * The ICMP socket(s). This is the most convenient way to flow control
77 * our ICMP output as well as maintain a clean interface throughout
78 * all layers. All Socketless IP sends will soon be gone.
79 *
80 * On SMP we have one ICMP socket per-cpu.
81 */
icmpv6_sk(struct net * net)82 static inline struct sock *icmpv6_sk(struct net *net)
83 {
84 return net->ipv6.icmp_sk[smp_processor_id()];
85 }
86
/* err_handler for IPPROTO_ICMPV6: process an ICMPv6 error that quotes
 * one of our own ICMPv6 packets (PMTU update, redirect, or an error on
 * an outstanding echo request handed to the ping code).
 */
static void icmpv6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
		       u8 type, u8 code, int offset, __be32 info)
{
	/* icmpv6_notify checks 8 bytes can be pulled, icmp6hdr is 8 bytes */
	struct icmp6hdr *icmp6 = (struct icmp6hdr *) (skb->data + offset);
	struct net *net = dev_net(skb->dev);

	switch (type) {
	case ICMPV6_PKT_TOOBIG:
		ip6_update_pmtu(skb, net, info, 0, 0, sock_net_uid(net, NULL));
		break;
	case NDISC_REDIRECT:
		ip6_redirect(skb, net, skb->dev->ifindex, 0,
			     sock_net_uid(net, NULL));
		break;
	}

	/* Errors (not informational messages) about our own echo
	 * requests are delivered to the ping socket layer.
	 */
	if (!(type & ICMPV6_INFOMSG_MASK) &&
	    icmp6->icmp6_type == ICMPV6_ECHO_REQUEST)
		ping_err(skb, offset, ntohl(info));
}
104
static int icmpv6_rcv(struct sk_buff *skb);

/* ICMPv6 handlers hooked into the IPv6 protocol demux for
 * IPPROTO_ICMPV6 (registered in icmpv6_init()).
 */
static const struct inet6_protocol icmpv6_protocol = {
	.handler	=	icmpv6_rcv,
	.err_handler	=	icmpv6_err,
	.flags		=	INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL,
};
112
113 /* Called with BH disabled */
icmpv6_xmit_lock(struct net * net)114 static __inline__ struct sock *icmpv6_xmit_lock(struct net *net)
115 {
116 struct sock *sk;
117
118 sk = icmpv6_sk(net);
119 if (unlikely(!spin_trylock(&sk->sk_lock.slock))) {
120 /* This can happen if the output path (f.e. SIT or
121 * ip6ip6 tunnel) signals dst_link_failure() for an
122 * outgoing ICMP6 packet.
123 */
124 return NULL;
125 }
126 return sk;
127 }
128
/* Release the per-CPU control socket taken by icmpv6_xmit_lock(). */
static __inline__ void icmpv6_xmit_unlock(struct sock *sk)
{
	spin_unlock(&sk->sk_lock.slock);
}
133
/*
 *	Figure out, may we reply to this packet with icmp error.
 *
 *	We do not reply, if:
 *		- it was icmp error message.
 *		- it is truncated, so that it is known, that protocol is ICMPV6
 *		  (i.e. in the middle of some exthdr)
 *
 *	--ANK (980726)
 */

static bool is_ineligible(const struct sk_buff *skb)
{
	/* Offset of the first header after the base IPv6 header,
	 * relative to skb->data.
	 */
	int ptr = (u8 *)(ipv6_hdr(skb) + 1) - skb->data;
	int len = skb->len - ptr;
	__u8 nexthdr = ipv6_hdr(skb)->nexthdr;
	__be16 frag_off;

	/* Shorter than the base IPv6 header: definitely ineligible. */
	if (len < 0)
		return true;

	/* Walk the extension header chain to find the upper-layer
	 * protocol. A negative return means the chain could not be
	 * parsed; in that case the packet is treated as eligible.
	 */
	ptr = ipv6_skip_exthdr(skb, ptr, &nexthdr, &frag_off);
	if (ptr < 0)
		return false;
	if (nexthdr == IPPROTO_ICMPV6) {
		u8 _type, *tp;
		tp = skb_header_pointer(skb,
			ptr+offsetof(struct icmp6hdr, icmp6_type),
			sizeof(_type), &_type);
		/* Ineligible if the ICMPv6 type can't be read or it is
		 * an error message (INFOMSG bit clear) — never reply to
		 * an ICMP error with another error.
		 */
		if (!tp || !(*tp & ICMPV6_INFOMSG_MASK))
			return true;
	}
	return false;
}
168
icmpv6_mask_allow(int type)169 static bool icmpv6_mask_allow(int type)
170 {
171 /* Informational messages are not limited. */
172 if (type & ICMPV6_INFOMSG_MASK)
173 return true;
174
175 /* Do not limit pmtu discovery, it would break it. */
176 if (type == ICMPV6_PKT_TOOBIG)
177 return true;
178
179 return false;
180 }
181
icmpv6_global_allow(int type)182 static bool icmpv6_global_allow(int type)
183 {
184 if (icmpv6_mask_allow(type))
185 return true;
186
187 if (icmp_global_allow())
188 return true;
189
190 return false;
191 }
192
/*
 * Check the ICMP output rate limit
 */
static bool icmpv6_xrlim_allow(struct sock *sk, u8 type,
			       struct flowi6 *fl6)
{
	struct net *net = sock_net(sk);
	struct dst_entry *dst;
	bool res = false;

	/* Informational / PKT_TOOBIG messages are never rate limited. */
	if (icmpv6_mask_allow(type))
		return true;

	/*
	 * Look up the output route.
	 * XXX: perhaps the expire for routing entries cloned by
	 * this lookup should be more aggressive (not longer than timeout).
	 */
	dst = ip6_route_output(net, sk, fl6);
	if (dst->error) {
		IP6_INC_STATS(net, ip6_dst_idev(dst),
			      IPSTATS_MIB_OUTNOROUTES);
	} else if (dst->dev && (dst->dev->flags&IFF_LOOPBACK)) {
		/* Traffic to ourselves via loopback is not limited. */
		res = true;
	} else {
		struct rt6_info *rt = (struct rt6_info *)dst;
		int tmo = net->ipv6.sysctl.icmpv6_time;
		struct inet_peer *peer;

		/* Give more bandwidth to wider prefixes. */
		if (rt->rt6i_dst.plen < 128)
			tmo >>= ((128 - rt->rt6i_dst.plen)>>5);

		/* Per-destination token bucket kept in the inet_peer
		 * cache; inet_getpeer_v6(..., 1) creates the entry if
		 * needed, so a NULL peer means allocation failure.
		 */
		peer = inet_getpeer_v6(net->ipv6.peers, &fl6->daddr, 1);
		res = inet_peer_xrlim_allow(peer, tmo);
		if (peer)
			inet_putpeer(peer);
	}
	dst_release(dst);
	return res;
}
234
235 /*
236 * an inline helper for the "simple" if statement below
237 * checks if parameter problem report is caused by an
238 * unrecognized IPv6 option that has the Option Type
239 * highest-order two bits set to 10
240 */
241
opt_unrec(struct sk_buff * skb,__u32 offset)242 static bool opt_unrec(struct sk_buff *skb, __u32 offset)
243 {
244 u8 _optval, *op;
245
246 offset += skb_network_offset(skb);
247 op = skb_header_pointer(skb, offset, sizeof(_optval), &_optval);
248 if (!op)
249 return true;
250 return (*op & 0xC0) == 0x80;
251 }
252
/* Fill in the queued packet's ICMPv6 header from @thdr, compute the
 * ICMPv6 checksum (over one skb directly, or by folding the partial
 * checksums of every queued fragment), then transmit the pending
 * frames. @len is the ICMPv6 length used in the pseudo-header.
 * Always returns 0; the ip6_push_pending_frames() result is dropped.
 */
int icmpv6_push_pending_frames(struct sock *sk, struct flowi6 *fl6,
			       struct icmp6hdr *thdr, int len)
{
	struct sk_buff *skb;
	struct icmp6hdr *icmp6h;
	int err = 0;

	skb = skb_peek(&sk->sk_write_queue);
	if (!skb)
		goto out;

	icmp6h = icmp6_hdr(skb);
	memcpy(icmp6h, thdr, sizeof(struct icmp6hdr));
	icmp6h->icmp6_cksum = 0;

	if (skb_queue_len(&sk->sk_write_queue) == 1) {
		/* Single skb: extend its checksum over the header and
		 * fold in the IPv6 pseudo-header.
		 */
		skb->csum = csum_partial(icmp6h,
					sizeof(struct icmp6hdr), skb->csum);
		icmp6h->icmp6_cksum = csum_ipv6_magic(&fl6->saddr,
						      &fl6->daddr,
						      len, fl6->flowi6_proto,
						      skb->csum);
	} else {
		__wsum tmp_csum = 0;

		/* Multiple fragments queued: sum their per-skb partial
		 * checksums first.
		 */
		skb_queue_walk(&sk->sk_write_queue, skb) {
			tmp_csum = csum_add(tmp_csum, skb->csum);
		}

		tmp_csum = csum_partial(icmp6h,
					sizeof(struct icmp6hdr), tmp_csum);
		icmp6h->icmp6_cksum = csum_ipv6_magic(&fl6->saddr,
						      &fl6->daddr,
						      len, fl6->flowi6_proto,
						      tmp_csum);
	}
	ip6_push_pending_frames(sk);
out:
	return err;
}
293
/* Context handed to icmpv6_getfrag() through ip6_append_data(). */
struct icmpv6_msg {
	struct sk_buff	*skb;	/* packet being quoted / replied to */
	int		offset;	/* byte offset into skb to copy from */
	uint8_t		type;	/* ICMPv6 type being generated */
};
299
/* getfrag callback for ip6_append_data(): copy @len bytes of the
 * original packet into the outgoing skb while accumulating its
 * checksum. Always returns 0 (skb_copy_and_csum_bits copies from
 * data already held by msg->skb).
 */
static int icmpv6_getfrag(void *from, char *to, int offset, int len, int odd, struct sk_buff *skb)
{
	struct icmpv6_msg *msg = (struct icmpv6_msg *) from;
	struct sk_buff *org_skb = msg->skb;
	__wsum csum = 0;

	csum = skb_copy_and_csum_bits(org_skb, msg->offset + offset,
				      to, len, csum);
	skb->csum = csum_block_add(skb->csum, csum, odd);
	/* For error messages (not informational ones), associate the
	 * reply with the conntrack entry of the offending packet.
	 */
	if (!(msg->type & ICMPV6_INFOMSG_MASK))
		nf_ct_attach(skb, org_skb);
	return 0;
}
313
#if IS_ENABLED(CONFIG_IPV6_MIP6)
/* Mobile IPv6: if the offending packet carried a Home Address
 * destination option (HAO), swap the address stored in the option with
 * the IPv6 source address, so the ICMP error is generated against the
 * mobile node's home address rather than its care-of address.
 */
static void mip6_addr_swap(struct sk_buff *skb)
{
	struct ipv6hdr *iph = ipv6_hdr(skb);
	struct inet6_skb_parm *opt = IP6CB(skb);
	struct ipv6_destopt_hao *hao;
	struct in6_addr tmp;
	int off;

	/* opt->dsthao is the offset of the dest-options header that
	 * contained a HAO, recorded earlier during input processing.
	 */
	if (opt->dsthao) {
		off = ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO);
		if (likely(off >= 0)) {
			hao = (struct ipv6_destopt_hao *)
					(skb_network_header(skb) + off);
			tmp = iph->saddr;
			iph->saddr = hao->addr;
			hao->addr = tmp;
		}
	}
}
#else
static inline void mip6_addr_swap(struct sk_buff *skb) {}
#endif
337
/* Route an outgoing ICMPv6 error through IPsec policy. A plain lookup
 * plus forward XFRM check is tried first; if XFRM rejects the flow
 * with -EPERM, retry with a flow reverse-decoded from the offending
 * packet and an ICMP-aware (XFRM_LOOKUP_ICMP) lookup.
 * Returns a held dst_entry on success or an ERR_PTR() on failure.
 */
static struct dst_entry *icmpv6_route_lookup(struct net *net,
					     struct sk_buff *skb,
					     struct sock *sk,
					     struct flowi6 *fl6)
{
	struct dst_entry *dst, *dst2;
	struct flowi6 fl2;
	int err;

	err = ip6_dst_lookup(net, sk, &dst, fl6);
	if (err)
		return ERR_PTR(err);

	/*
	 * We won't send icmp if the destination is known
	 * anycast.
	 */
	if (ipv6_anycast_destination(dst, &fl6->daddr)) {
		net_dbg_ratelimited("icmp6_send: acast source\n");
		dst_release(dst);
		return ERR_PTR(-EINVAL);
	}

	/* No need to clone since we're just using its address. */
	dst2 = dst;

	dst = xfrm_lookup(net, dst, flowi6_to_flowi(fl6), sk, 0);
	if (!IS_ERR(dst)) {
		/* Unchanged dst means no transformation applied; fall
		 * through and try the reverse-decoded flow below.
		 */
		if (dst != dst2)
			return dst;
	} else {
		/* -EPERM: policy forbade the flow — retry with the
		 * ICMP-specific lookup. Any other error is final.
		 */
		if (PTR_ERR(dst) == -EPERM)
			dst = NULL;
		else
			return dst;
	}

	/* Build fl2 from the quoted (inner) packet, reversed. */
	err = xfrm_decode_session_reverse(skb, flowi6_to_flowi(&fl2), AF_INET6);
	if (err)
		goto relookup_failed;

	err = ip6_dst_lookup(net, sk, &dst2, &fl2);
	if (err)
		goto relookup_failed;

	dst2 = xfrm_lookup(net, dst2, flowi6_to_flowi(&fl2), sk, XFRM_LOOKUP_ICMP);
	if (!IS_ERR(dst2)) {
		dst_release(dst);
		dst = dst2;
	} else {
		err = PTR_ERR(dst2);
		if (err == -EPERM) {
			dst_release(dst);
			return dst2;
		} else
			goto relookup_failed;
	}

relookup_failed:
	/* If the first lookup produced a usable dst, fall back to it. */
	if (dst)
		return dst;
	return ERR_PTR(err);
}
401
icmp6_iif(const struct sk_buff * skb)402 static int icmp6_iif(const struct sk_buff *skb)
403 {
404 int iif = skb->dev->ifindex;
405
406 /* for local traffic to local address, skb dev is the loopback
407 * device. Check if there is a dst attached to the skb and if so
408 * get the real device index. Same is needed for replies to a link
409 * local address on a device enslaved to an L3 master device
410 */
411 if (unlikely(iif == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev))) {
412 const struct rt6_info *rt6 = skb_rt6_info(skb);
413
414 if (rt6)
415 iif = rt6->rt6i_idev->dev->ifindex;
416 }
417
418 return iif;
419 }
420
421 /*
422 * Send an ICMP message in response to a packet in error
423 */
icmp6_send(struct sk_buff * skb,u8 type,u8 code,__u32 info,const struct in6_addr * force_saddr)424 static void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info,
425 const struct in6_addr *force_saddr)
426 {
427 struct net *net = dev_net(skb->dev);
428 struct inet6_dev *idev = NULL;
429 struct ipv6hdr *hdr = ipv6_hdr(skb);
430 struct sock *sk;
431 struct ipv6_pinfo *np;
432 const struct in6_addr *saddr = NULL;
433 struct dst_entry *dst;
434 struct icmp6hdr tmp_hdr;
435 struct flowi6 fl6;
436 struct icmpv6_msg msg;
437 struct sockcm_cookie sockc_unused = {0};
438 struct ipcm6_cookie ipc6;
439 int iif = 0;
440 int addr_type = 0;
441 int len;
442 int err = 0;
443 u32 mark = IP6_REPLY_MARK(net, skb->mark);
444
445 if ((u8 *)hdr < skb->head ||
446 (skb_network_header(skb) + sizeof(*hdr)) > skb_tail_pointer(skb))
447 return;
448
449 /*
450 * Make sure we respect the rules
451 * i.e. RFC 1885 2.4(e)
452 * Rule (e.1) is enforced by not using icmp6_send
453 * in any code that processes icmp errors.
454 */
455 addr_type = ipv6_addr_type(&hdr->daddr);
456
457 if (ipv6_chk_addr(net, &hdr->daddr, skb->dev, 0) ||
458 ipv6_chk_acast_addr_src(net, skb->dev, &hdr->daddr))
459 saddr = &hdr->daddr;
460
461 /*
462 * Dest addr check
463 */
464
465 if (addr_type & IPV6_ADDR_MULTICAST || skb->pkt_type != PACKET_HOST) {
466 if (type != ICMPV6_PKT_TOOBIG &&
467 !(type == ICMPV6_PARAMPROB &&
468 code == ICMPV6_UNK_OPTION &&
469 (opt_unrec(skb, info))))
470 return;
471
472 saddr = NULL;
473 }
474
475 addr_type = ipv6_addr_type(&hdr->saddr);
476
477 /*
478 * Source addr check
479 */
480
481 if (__ipv6_addr_needs_scope_id(addr_type)) {
482 iif = icmp6_iif(skb);
483 } else {
484 dst = skb_dst(skb);
485 iif = l3mdev_master_ifindex(dst ? dst->dev : skb->dev);
486 }
487
488 /*
489 * Must not send error if the source does not uniquely
490 * identify a single node (RFC2463 Section 2.4).
491 * We check unspecified / multicast addresses here,
492 * and anycast addresses will be checked later.
493 */
494 if ((addr_type == IPV6_ADDR_ANY) || (addr_type & IPV6_ADDR_MULTICAST)) {
495 net_dbg_ratelimited("icmp6_send: addr_any/mcast source [%pI6c > %pI6c]\n",
496 &hdr->saddr, &hdr->daddr);
497 return;
498 }
499
500 /*
501 * Never answer to a ICMP packet.
502 */
503 if (is_ineligible(skb)) {
504 net_dbg_ratelimited("icmp6_send: no reply to icmp error [%pI6c > %pI6c]\n",
505 &hdr->saddr, &hdr->daddr);
506 return;
507 }
508
509 /* Needed by both icmp_global_allow and icmpv6_xmit_lock */
510 local_bh_disable();
511
512 /* Check global sysctl_icmp_msgs_per_sec ratelimit */
513 if (!(skb->dev->flags&IFF_LOOPBACK) && !icmpv6_global_allow(type))
514 goto out_bh_enable;
515
516 mip6_addr_swap(skb);
517
518 memset(&fl6, 0, sizeof(fl6));
519 fl6.flowi6_proto = IPPROTO_ICMPV6;
520 fl6.daddr = hdr->saddr;
521 if (force_saddr)
522 saddr = force_saddr;
523 if (saddr)
524 fl6.saddr = *saddr;
525 fl6.flowi6_mark = mark;
526 fl6.flowi6_oif = iif;
527 fl6.fl6_icmp_type = type;
528 fl6.fl6_icmp_code = code;
529 fl6.flowi6_uid = sock_net_uid(net, NULL);
530 fl6.mp_hash = rt6_multipath_hash(&fl6, skb);
531 security_skb_classify_flow(skb, flowi6_to_flowi(&fl6));
532
533 sk = icmpv6_xmit_lock(net);
534 if (!sk)
535 goto out_bh_enable;
536
537 sk->sk_mark = mark;
538 np = inet6_sk(sk);
539
540 if (!icmpv6_xrlim_allow(sk, type, &fl6))
541 goto out;
542
543 tmp_hdr.icmp6_type = type;
544 tmp_hdr.icmp6_code = code;
545 tmp_hdr.icmp6_cksum = 0;
546 tmp_hdr.icmp6_pointer = htonl(info);
547
548 if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr))
549 fl6.flowi6_oif = np->mcast_oif;
550 else if (!fl6.flowi6_oif)
551 fl6.flowi6_oif = np->ucast_oif;
552
553 ipc6.tclass = np->tclass;
554 fl6.flowlabel = ip6_make_flowinfo(ipc6.tclass, fl6.flowlabel);
555
556 dst = icmpv6_route_lookup(net, skb, sk, &fl6);
557 if (IS_ERR(dst))
558 goto out;
559
560 ipc6.hlimit = ip6_sk_dst_hoplimit(np, &fl6, dst);
561 ipc6.dontfrag = np->dontfrag;
562 ipc6.opt = NULL;
563
564 msg.skb = skb;
565 msg.offset = skb_network_offset(skb);
566 msg.type = type;
567
568 len = skb->len - msg.offset;
569 len = min_t(unsigned int, len, IPV6_MIN_MTU - sizeof(struct ipv6hdr) - sizeof(struct icmp6hdr));
570 if (len < 0) {
571 net_dbg_ratelimited("icmp: len problem [%pI6c > %pI6c]\n",
572 &hdr->saddr, &hdr->daddr);
573 goto out_dst_release;
574 }
575
576 rcu_read_lock();
577 idev = __in6_dev_get(skb->dev);
578
579 err = ip6_append_data(sk, icmpv6_getfrag, &msg,
580 len + sizeof(struct icmp6hdr),
581 sizeof(struct icmp6hdr),
582 &ipc6, &fl6, (struct rt6_info *)dst,
583 MSG_DONTWAIT, &sockc_unused);
584 if (err) {
585 ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTERRORS);
586 ip6_flush_pending_frames(sk);
587 } else {
588 err = icmpv6_push_pending_frames(sk, &fl6, &tmp_hdr,
589 len + sizeof(struct icmp6hdr));
590 }
591 rcu_read_unlock();
592 out_dst_release:
593 dst_release(dst);
594 out:
595 icmpv6_xmit_unlock(sk);
596 out_bh_enable:
597 local_bh_enable();
598 }
599
/* Slightly more convenient version of icmp6_send.
 * Sends a Parameter Problem with @code pointing at byte offset @pos of
 * the offending packet, then consumes @skb (icmp6_send copies what it
 * needs before we free).
 */
void icmpv6_param_prob(struct sk_buff *skb, u8 code, int pos)
{
	icmp6_send(skb, ICMPV6_PARAMPROB, code, pos, NULL);
	kfree_skb(skb);
}
607
/* Generate icmpv6 with type/code ICMPV6_DEST_UNREACH/ICMPV6_ADDR_UNREACH
 * if sufficient data bytes are available
 * @nhs is the size of the tunnel header(s) :
 *  Either an IPv4 header for SIT encap
 *         an IPv4 header + GRE header for GRE encap
 * Returns 0 on success, 1 when the packet is too short or a copy/clone
 * allocation fails.
 */
int ip6_err_gen_icmpv6_unreach(struct sk_buff *skb, int nhs, int type,
			       unsigned int data_len)
{
	struct in6_addr temp_saddr;
	struct rt6_info *rt;
	struct sk_buff *skb2;
	u32 info = 0;

	/* Need the tunnel header, the inner IPv6 header and at least
	 * 8 bytes of inner payload.
	 */
	if (!pskb_may_pull(skb, nhs + sizeof(struct ipv6hdr) + 8))
		return 1;

	/* RFC 4884 (partial) support for ICMP extensions */
	if (data_len < 128 || (data_len & 7) || skb->len < data_len)
		data_len = 0;

	/* With extensions we modify the payload in place, so a full
	 * copy is needed; otherwise a clone suffices.
	 */
	skb2 = data_len ? skb_copy(skb, GFP_ATOMIC) : skb_clone(skb, GFP_ATOMIC);

	if (!skb2)
		return 1;

	/* Strip the tunnel header so the inner IPv6 packet is quoted. */
	skb_dst_drop(skb2);
	skb_pull(skb2, nhs);
	skb_reset_network_header(skb2);

	rt = rt6_lookup(dev_net(skb->dev), &ipv6_hdr(skb2)->saddr, NULL, 0, 0);

	if (rt && rt->dst.dev)
		skb2->dev = rt->dst.dev;

	/* Relay the error as coming from the (v4-mapped) tunnel endpoint. */
	ipv6_addr_set_v4mapped(ip_hdr(skb)->saddr, &temp_saddr);

	if (data_len) {
		/* RFC 4884 (partial) support :
		 * insert 0 padding at the end, before the extensions
		 */
		__skb_push(skb2, nhs);
		skb_reset_network_header(skb2);
		/* Shift the first data_len bytes left over the tunnel
		 * header and zero-fill the freed nhs bytes.
		 */
		memmove(skb2->data, skb2->data + nhs, data_len - nhs);
		memset(skb2->data + data_len - nhs, 0, nhs);
		/* RFC 4884 4.5 : Length is measured in 64-bit words,
		 * and stored in reserved[0]
		 */
		info = (data_len/8) << 24;
	}
	if (type == ICMP_TIME_EXCEEDED)
		icmp6_send(skb2, ICMPV6_TIME_EXCEED, ICMPV6_EXC_HOPLIMIT,
			   info, &temp_saddr);
	else
		icmp6_send(skb2, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH,
			   info, &temp_saddr);
	if (rt)
		ip6_rt_put(rt);

	kfree_skb(skb2);

	return 0;
}
EXPORT_SYMBOL(ip6_err_gen_icmpv6_unreach);
672
/* Build and transmit an Echo Reply for an incoming Echo Request @skb.
 * Does not consume @skb (the caller frees it); the reply reuses the
 * request payload via icmpv6_getfrag().
 */
static void icmpv6_echo_reply(struct sk_buff *skb)
{
	struct net *net = dev_net(skb->dev);
	struct sock *sk;
	struct inet6_dev *idev;
	struct ipv6_pinfo *np;
	const struct in6_addr *saddr = NULL;
	struct icmp6hdr *icmph = icmp6_hdr(skb);
	struct icmp6hdr tmp_hdr;
	struct flowi6 fl6;
	struct icmpv6_msg msg;
	struct dst_entry *dst;
	struct ipcm6_cookie ipc6;
	int err = 0;
	u32 mark = IP6_REPLY_MARK(net, skb->mark);
	struct sockcm_cookie sockc_unused = {0};

	saddr = &ipv6_hdr(skb)->daddr;

	/* Reply from the request's destination address, unless it was
	 * multicast/anycast (then let routing pick the source; anycast
	 * replies are allowed only with the anycast_src_echo_reply
	 * sysctl).
	 */
	if (!ipv6_unicast_destination(skb) &&
	    !(net->ipv6.sysctl.anycast_src_echo_reply &&
	      ipv6_anycast_destination(skb_dst(skb), saddr)))
		saddr = NULL;

	/* Echo the request header (id/sequence) with the type flipped. */
	memcpy(&tmp_hdr, icmph, sizeof(tmp_hdr));
	tmp_hdr.icmp6_type = ICMPV6_ECHO_REPLY;

	memset(&fl6, 0, sizeof(fl6));
	fl6.flowi6_proto = IPPROTO_ICMPV6;
	fl6.daddr = ipv6_hdr(skb)->saddr;
	if (saddr)
		fl6.saddr = *saddr;
	fl6.flowi6_oif = icmp6_iif(skb);
	fl6.fl6_icmp_type = ICMPV6_ECHO_REPLY;
	fl6.flowi6_mark = mark;
	fl6.flowi6_uid = sock_net_uid(net, NULL);
	security_skb_classify_flow(skb, flowi6_to_flowi(&fl6));

	local_bh_disable();
	sk = icmpv6_xmit_lock(net);
	if (!sk)
		goto out_bh_enable;
	sk->sk_mark = mark;
	np = inet6_sk(sk);

	if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr))
		fl6.flowi6_oif = np->mcast_oif;
	else if (!fl6.flowi6_oif)
		fl6.flowi6_oif = np->ucast_oif;

	err = ip6_dst_lookup(net, sk, &dst, &fl6);
	if (err)
		goto out;
	/* xfrm_lookup() consumes dst on error, so no release needed. */
	dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), sk, 0);
	if (IS_ERR(dst))
		goto out;

	idev = __in6_dev_get(skb->dev);

	msg.skb = skb;
	msg.offset = 0;
	msg.type = ICMPV6_ECHO_REPLY;

	ipc6.hlimit = ip6_sk_dst_hoplimit(np, &fl6, dst);
	/* Mirror the request's traffic class in the reply. */
	ipc6.tclass = ipv6_get_dsfield(ipv6_hdr(skb));
	ipc6.dontfrag = np->dontfrag;
	ipc6.opt = NULL;

	err = ip6_append_data(sk, icmpv6_getfrag, &msg, skb->len + sizeof(struct icmp6hdr),
			      sizeof(struct icmp6hdr), &ipc6, &fl6,
			      (struct rt6_info *)dst, MSG_DONTWAIT,
			      &sockc_unused);

	if (err) {
		__ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTERRORS);
		ip6_flush_pending_frames(sk);
	} else {
		err = icmpv6_push_pending_frames(sk, &fl6, &tmp_hdr,
						 skb->len + sizeof(struct icmp6hdr));
	}
	dst_release(dst);
out:
	icmpv6_xmit_unlock(sk);
out_bh_enable:
	local_bh_enable();
}
759
/* Deliver a received ICMPv6 error to the upper-layer protocol of the
 * quoted (inner) packet: skip the inner extension headers, then invoke
 * the protocol's err_handler and notify matching raw sockets.
 * NOTE(review): uses rcu_dereference on inet6_protos — presumably the
 * caller runs under rcu_read_lock (packet input path); confirm.
 */
void icmpv6_notify(struct sk_buff *skb, u8 type, u8 code, __be32 info)
{
	const struct inet6_protocol *ipprot;
	int inner_offset;
	__be16 frag_off;
	u8 nexthdr;
	struct net *net = dev_net(skb->dev);

	/* Need at least the quoted inner IPv6 header. */
	if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
		goto out;

	nexthdr = ((struct ipv6hdr *)skb->data)->nexthdr;
	if (ipv6_ext_hdr(nexthdr)) {
		/* now skip over extension headers */
		inner_offset = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr),
						&nexthdr, &frag_off);
		if (inner_offset < 0)
			goto out;
	} else {
		inner_offset = sizeof(struct ipv6hdr);
	}

	/* Checkin header including 8 bytes of inner protocol header. */
	if (!pskb_may_pull(skb, inner_offset+8))
		goto out;

	/* BUGGG_FUTURE: we should try to parse exthdrs in this packet.
	   Without this we will not able f.e. to make source routed
	   pmtu discovery.
	   Corresponding argument (opt) to notifiers is already added.
	   --ANK (980726)
	 */

	ipprot = rcu_dereference(inet6_protos[nexthdr]);
	if (ipprot && ipprot->err_handler)
		ipprot->err_handler(skb, NULL, type, code, inner_offset, info);

	raw6_icmp_error(skb, nexthdr, type, code, inner_offset, info);
	return;

out:
	__ICMP6_INC_STATS(net, __in6_dev_get(skb->dev), ICMP6_MIB_INERRORS);
}
803
/*
 *	Handle icmp messages
 */

/* Input handler for IPPROTO_ICMPV6: validate the checksum, account
 * statistics, and dispatch on the ICMPv6 type. Always consumes @skb
 * and returns 0.
 */
static int icmpv6_rcv(struct sk_buff *skb)
{
	struct net_device *dev = skb->dev;
	struct inet6_dev *idev = __in6_dev_get(dev);
	const struct in6_addr *saddr, *daddr;
	struct icmp6hdr *hdr;
	u8 type;
	bool success = false;

	if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
		struct sec_path *sp = skb_sec_path(skb);
		int nh;

		/* Only ICMP-flagged xfrm states may carry ICMPv6 past a
		 * failed policy check (checked against the inner packet).
		 */
		if (!(sp && sp->xvec[sp->len - 1]->props.flags &
				 XFRM_STATE_ICMP))
			goto drop_no_count;

		if (!pskb_may_pull(skb, sizeof(*hdr) + sizeof(struct ipv6hdr)))
			goto drop_no_count;

		/* Temporarily point the network header at the quoted
		 * inner packet for the reverse policy check.
		 */
		nh = skb_network_offset(skb);
		skb_set_network_header(skb, sizeof(*hdr));

		if (!xfrm6_policy_check_reverse(NULL, XFRM_POLICY_IN, skb))
			goto drop_no_count;

		skb_set_network_header(skb, nh);
	}

	__ICMP6_INC_STATS(dev_net(dev), idev, ICMP6_MIB_INMSGS);

	saddr = &ipv6_hdr(skb)->saddr;
	daddr = &ipv6_hdr(skb)->daddr;

	if (skb_checksum_validate(skb, IPPROTO_ICMPV6, ip6_compute_pseudo)) {
		net_dbg_ratelimited("ICMPv6 checksum failed [%pI6c > %pI6c]\n",
				    saddr, daddr);
		goto csum_error;
	}

	if (!pskb_pull(skb, sizeof(*hdr)))
		goto discard_it;

	hdr = icmp6_hdr(skb);

	type = hdr->icmp6_type;

	ICMP6MSGIN_INC_STATS(dev_net(dev), idev, type);

	switch (type) {
	case ICMPV6_ECHO_REQUEST:
		icmpv6_echo_reply(skb);
		break;

	case ICMPV6_ECHO_REPLY:
		success = ping_rcv(skb);
		break;

	case ICMPV6_PKT_TOOBIG:
		/* BUGGG_FUTURE: if packet contains rthdr, we cannot update
		   standard destination cache. Seems, only "advanced"
		   destination cache will allow to solve this problem
		   --ANK (980726)
		 */
		if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
			goto discard_it;
		/* pskb_may_pull may have reallocated the header. */
		hdr = icmp6_hdr(skb);

		/*
		 *	Drop through to notify
		 */
		/* fall through */

	case ICMPV6_DEST_UNREACH:
	case ICMPV6_TIME_EXCEED:
	case ICMPV6_PARAMPROB:
		icmpv6_notify(skb, type, hdr->icmp6_code, hdr->icmp6_mtu);
		break;

	case NDISC_ROUTER_SOLICITATION:
	case NDISC_ROUTER_ADVERTISEMENT:
	case NDISC_NEIGHBOUR_SOLICITATION:
	case NDISC_NEIGHBOUR_ADVERTISEMENT:
	case NDISC_REDIRECT:
		ndisc_rcv(skb);
		break;

	case ICMPV6_MGM_QUERY:
		igmp6_event_query(skb);
		break;

	case ICMPV6_MGM_REPORT:
		igmp6_event_report(skb);
		break;

	/* Known types we deliberately ignore. */
	case ICMPV6_MGM_REDUCTION:
	case ICMPV6_NI_QUERY:
	case ICMPV6_NI_REPLY:
	case ICMPV6_MLD2_REPORT:
	case ICMPV6_DHAAD_REQUEST:
	case ICMPV6_DHAAD_REPLY:
	case ICMPV6_MOBILE_PREFIX_SOL:
	case ICMPV6_MOBILE_PREFIX_ADV:
		break;

	default:
		/* informational */
		if (type & ICMPV6_INFOMSG_MASK)
			break;

		net_dbg_ratelimited("icmpv6: msg of unknown type [%pI6c > %pI6c]\n",
				    saddr, daddr);

		/*
		 * error of unknown type.
		 * must pass to upper level
		 */

		icmpv6_notify(skb, type, hdr->icmp6_code, hdr->icmp6_mtu);
	}

	/* until the v6 path can be better sorted assume failure and
	 * preserve the status quo behaviour for the rest of the paths to here
	 */
	if (success)
		consume_skb(skb);
	else
		kfree_skb(skb);

	return 0;

csum_error:
	__ICMP6_INC_STATS(dev_net(dev), idev, ICMP6_MIB_CSUMERRORS);
discard_it:
	__ICMP6_INC_STATS(dev_net(dev), idev, ICMP6_MIB_INERRORS);
drop_no_count:
	kfree_skb(skb);
	return 0;
}
946
/* Initialize @fl6 for sending an ICMPv6 message of @type from @saddr
 * to @daddr out of interface @oif, then run the LSM flow classifier.
 */
void icmpv6_flow_init(struct sock *sk, struct flowi6 *fl6,
		      u8 type,
		      const struct in6_addr *saddr,
		      const struct in6_addr *daddr,
		      int oif)
{
	memset(fl6, 0, sizeof(*fl6));
	fl6->flowi6_proto = IPPROTO_ICMPV6;
	fl6->flowi6_oif = oif;
	fl6->saddr = *saddr;
	fl6->daddr = *daddr;
	fl6->fl6_icmp_type = type;
	fl6->fl6_icmp_code = 0;
	security_sk_classify_flow(sk, flowi6_to_flowi(fl6));
}
962
icmpv6_sk_init(struct net * net)963 static int __net_init icmpv6_sk_init(struct net *net)
964 {
965 struct sock *sk;
966 int err, i, j;
967
968 net->ipv6.icmp_sk =
969 kzalloc(nr_cpu_ids * sizeof(struct sock *), GFP_KERNEL);
970 if (!net->ipv6.icmp_sk)
971 return -ENOMEM;
972
973 for_each_possible_cpu(i) {
974 err = inet_ctl_sock_create(&sk, PF_INET6,
975 SOCK_RAW, IPPROTO_ICMPV6, net);
976 if (err < 0) {
977 pr_err("Failed to initialize the ICMP6 control socket (err %d)\n",
978 err);
979 goto fail;
980 }
981
982 net->ipv6.icmp_sk[i] = sk;
983
984 /* Enough space for 2 64K ICMP packets, including
985 * sk_buff struct overhead.
986 */
987 sk->sk_sndbuf = 2 * SKB_TRUESIZE(64 * 1024);
988 }
989 return 0;
990
991 fail:
992 for (j = 0; j < i; j++)
993 inet_ctl_sock_destroy(net->ipv6.icmp_sk[j]);
994 kfree(net->ipv6.icmp_sk);
995 return err;
996 }
997
icmpv6_sk_exit(struct net * net)998 static void __net_exit icmpv6_sk_exit(struct net *net)
999 {
1000 int i;
1001
1002 for_each_possible_cpu(i) {
1003 inet_ctl_sock_destroy(net->ipv6.icmp_sk[i]);
1004 }
1005 kfree(net->ipv6.icmp_sk);
1006 }
1007
/* Per-network-namespace setup/teardown of the ICMPv6 control sockets. */
static struct pernet_operations icmpv6_sk_ops = {
	.init = icmpv6_sk_init,
	.exit = icmpv6_sk_exit,
};
1012
/* Module init: register the pernet control-socket ops, the protocol
 * handler for IPPROTO_ICMPV6 and the icmp6_send error-sender callback.
 * Unwinds in reverse order on failure.
 */
int __init icmpv6_init(void)
{
	int err;

	err = register_pernet_subsys(&icmpv6_sk_ops);
	if (err < 0)
		return err;

	/* inet6_add_protocol() reports collisions via -1; map to -EAGAIN. */
	err = -EAGAIN;
	if (inet6_add_protocol(&icmpv6_protocol, IPPROTO_ICMPV6) < 0)
		goto fail;

	err = inet6_register_icmp_sender(icmp6_send);
	if (err)
		goto sender_reg_err;
	return 0;

sender_reg_err:
	inet6_del_protocol(&icmpv6_protocol, IPPROTO_ICMPV6);
fail:
	pr_err("Failed to register ICMP6 protocol\n");
	unregister_pernet_subsys(&icmpv6_sk_ops);
	return err;
}
1037
/* Module exit: unregister the icmp6_send callback, the pernet ops and
 * the IPPROTO_ICMPV6 protocol handler registered in icmpv6_init().
 */
void icmpv6_cleanup(void)
{
	inet6_unregister_icmp_sender(icmp6_send);
	unregister_pernet_subsys(&icmpv6_sk_ops);
	inet6_del_protocol(&icmpv6_protocol, IPPROTO_ICMPV6);
}
1044
1045
/* Maps ICMPV6_DEST_UNREACH codes (array index) to the socket errno and
 * whether the error is fatal for the connection; consumed by
 * icmpv6_err_convert().
 */
static const struct icmp6_err {
	int err;	/* errno reported to the socket */
	int fatal;	/* non-zero: abort the connection */
} tab_unreach[] = {
	{	/* NOROUTE */
		.err	= ENETUNREACH,
		.fatal	= 0,
	},
	{	/* ADM_PROHIBITED */
		.err	= EACCES,
		.fatal	= 1,
	},
	{	/* Was NOT_NEIGHBOUR, now reserved */
		.err	= EHOSTUNREACH,
		.fatal	= 0,
	},
	{	/* ADDR_UNREACH	*/
		.err	= EHOSTUNREACH,
		.fatal	= 0,
	},
	{	/* PORT_UNREACH	*/
		.err	= ECONNREFUSED,
		.fatal	= 1,
	},
	{	/* POLICY_FAIL */
		.err	= EACCES,
		.fatal	= 1,
	},
	{	/* REJECT_ROUTE	*/
		.err	= EACCES,
		.fatal	= 1,
	},
};
1079
/* Translate a received ICMPv6 error (@type/@code) into a socket errno,
 * stored in *@err. Returns non-zero when the error is fatal for the
 * connection. Unknown types yield EPROTO / non-fatal.
 */
int icmpv6_err_convert(u8 type, u8 code, int *err)
{
	int fatal = 0;

	*err = EPROTO;

	switch (type) {
	case ICMPV6_DEST_UNREACH:
		if (code < ARRAY_SIZE(tab_unreach)) {
			*err = tab_unreach[code].err;
			fatal = tab_unreach[code].fatal;
		} else {
			/* Codes beyond the table are treated as fatal. */
			fatal = 1;
		}
		break;

	case ICMPV6_PKT_TOOBIG:
		*err = EMSGSIZE;
		break;

	case ICMPV6_TIME_EXCEED:
		*err = EHOSTUNREACH;
		break;

	case ICMPV6_PARAMPROB:
		*err = EPROTO;
		fatal = 1;
		break;
	}

	return fatal;
}
EXPORT_SYMBOL(icmpv6_err_convert);
1112
#ifdef CONFIG_SYSCTL
/* Template for the per-netns net.ipv6.icmp sysctl table; "ratelimit"
 * edits icmpv6_time (stored in jiffies, exposed in milliseconds via
 * proc_dointvec_ms_jiffies).
 */
static struct ctl_table ipv6_icmp_table_template[] = {
	{
		.procname	= "ratelimit",
		.data		= &init_net.ipv6.sysctl.icmpv6_time,
		.maxlen		= sizeof(int),
		.mode		= 0644,
		.proc_handler	= proc_dointvec_ms_jiffies,
	},
	{ },
};

/* Duplicate the template for @net, retargeting "ratelimit" at this
 * namespace's icmpv6_time. Returns NULL on allocation failure.
 */
struct ctl_table * __net_init ipv6_icmp_sysctl_init(struct net *net)
{
	struct ctl_table *table;

	table = kmemdup(ipv6_icmp_table_template,
			sizeof(ipv6_icmp_table_template),
			GFP_KERNEL);

	if (table)
		table[0].data = &net->ipv6.sysctl.icmpv6_time;

	return table;
}
#endif
1139