1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Internet Control Message Protocol (ICMPv6)
4 * Linux INET6 implementation
5 *
6 * Authors:
7 * Pedro Roque <roque@di.fc.ul.pt>
8 *
9 * Based on net/ipv4/icmp.c
10 *
11 * RFC 1885
12 */
13
14 /*
15 * Changes:
16 *
17 * Andi Kleen : exception handling
18 * Andi Kleen add rate limits. never reply to a icmp.
19 * add more length checks and other fixes.
20 * yoshfuji : ensure to sent parameter problem for
21 * fragments.
22 * YOSHIFUJI Hideaki @USAGI: added sysctl for icmp rate limit.
23 * Randy Dunlap and
24 * YOSHIFUJI Hideaki @USAGI: Per-interface statistics support
25 * Kazunori MIYAZAWA @USAGI: change output process to use ip6_append_data
26 */
27
28 #define pr_fmt(fmt) "IPv6: " fmt
29
30 #include <linux/module.h>
31 #include <linux/errno.h>
32 #include <linux/types.h>
33 #include <linux/socket.h>
34 #include <linux/in.h>
35 #include <linux/kernel.h>
36 #include <linux/sockios.h>
37 #include <linux/net.h>
38 #include <linux/skbuff.h>
39 #include <linux/init.h>
40 #include <linux/netfilter.h>
41 #include <linux/slab.h>
42
43 #ifdef CONFIG_SYSCTL
44 #include <linux/sysctl.h>
45 #endif
46
47 #include <linux/inet.h>
48 #include <linux/netdevice.h>
49 #include <linux/icmpv6.h>
50
51 #include <net/ip.h>
52 #include <net/sock.h>
53
54 #include <net/ipv6.h>
55 #include <net/ip6_checksum.h>
56 #include <net/ping.h>
57 #include <net/protocol.h>
58 #include <net/raw.h>
59 #include <net/rawv6.h>
60 #include <net/transp_v6.h>
61 #include <net/ip6_route.h>
62 #include <net/addrconf.h>
63 #include <net/icmp.h>
64 #include <net/xfrm.h>
65 #include <net/inet_common.h>
66 #include <net/dsfield.h>
67 #include <net/l3mdev.h>
68
69 #include <linux/uaccess.h>
70
71 /*
72 * The ICMP socket(s). This is the most convenient way to flow control
73 * our ICMP output as well as maintain a clean interface throughout
74 * all layers. All Socketless IP sends will soon be gone.
75 *
76 * On SMP we have one ICMP socket per-cpu.
77 */
/* Return the per-CPU ICMPv6 control socket of @net for the current CPU. */
static struct sock *icmpv6_sk(struct net *net)
{
	return this_cpu_read(*net->ipv6.icmp_sk);
}
82
/* err_handler for the ICMPv6 protocol itself: propagate PMTU updates and
 * redirects derived from the error, and forward errors on outgoing echo
 * requests to the ping socket layer.
 */
static int icmpv6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
		      u8 type, u8 code, int offset, __be32 info)
{
	/* icmpv6_notify checks 8 bytes can be pulled, icmp6hdr is 8 bytes */
	struct icmp6hdr *icmp6 = (struct icmp6hdr *) (skb->data + offset);
	struct net *net = dev_net(skb->dev);

	if (type == ICMPV6_PKT_TOOBIG)
		ip6_update_pmtu(skb, net, info, skb->dev->ifindex, 0, sock_net_uid(net, NULL));
	else if (type == NDISC_REDIRECT)
		ip6_redirect(skb, net, skb->dev->ifindex, 0,
			     sock_net_uid(net, NULL));

	/* Only error (non-informational) messages are reported to ping
	 * sockets, and only when the embedded packet was an echo request.
	 */
	if (!(type & ICMPV6_INFOMSG_MASK))
		if (icmp6->icmp6_type == ICMPV6_ECHO_REQUEST)
			ping_err(skb, offset, ntohl(info));

	return 0;
}
102
static int icmpv6_rcv(struct sk_buff *skb);

/* Protocol handler registered for IPPROTO_ICMPV6 (see icmpv6_init()). */
static const struct inet6_protocol icmpv6_protocol = {
	.handler	=	icmpv6_rcv,
	.err_handler	=	icmpv6_err,
	.flags		=	INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL,
};
110
/* Called with BH disabled.
 *
 * Try to take this CPU's ICMPv6 socket lock; returns the locked socket
 * or NULL if the lock is already held (recursion from the output path).
 */
static __inline__ struct sock *icmpv6_xmit_lock(struct net *net)
{
	struct sock *sk;

	sk = icmpv6_sk(net);
	if (unlikely(!spin_trylock(&sk->sk_lock.slock))) {
		/* This can happen if the output path (f.e. SIT or
		 * ip6ip6 tunnel) signals dst_link_failure() for an
		 * outgoing ICMP6 packet.
		 */
		return NULL;
	}
	return sk;
}
126
/* Release the lock taken by icmpv6_xmit_lock(). */
static __inline__ void icmpv6_xmit_unlock(struct sock *sk)
{
	spin_unlock(&sk->sk_lock.slock);
}
131
/*
 *	Figure out, may we reply to this packet with icmp error.
 *
 *	We do not reply, if:
 *		- it was icmp error message.
 *		- it is truncated, so that it is known, that protocol is ICMPV6
 *		  (i.e. in the middle of some exthdr)
 *
 *	--ANK (980726)
 */

static bool is_ineligible(const struct sk_buff *skb)
{
	/* Offset of the first byte after the fixed IPv6 header. */
	int ptr = (u8 *)(ipv6_hdr(skb) + 1) - skb->data;
	int len = skb->len - ptr;
	__u8 nexthdr = ipv6_hdr(skb)->nexthdr;
	__be16 frag_off;

	if (len < 0)
		return true;

	ptr = ipv6_skip_exthdr(skb, ptr, &nexthdr, &frag_off);
	if (ptr < 0)
		return false;
	if (nexthdr == IPPROTO_ICMPV6) {
		u8 _type, *tp;
		tp = skb_header_pointer(skb,
			ptr+offsetof(struct icmp6hdr, icmp6_type),
			sizeof(_type), &_type);

		/* Based on RFC 8200, Section 4.5 Fragment Header, return
		 * false if this is a fragment packet with no icmp header info.
		 */
		if (!tp && frag_off != 0)
			return false;
		else if (!tp || !(*tp & ICMPV6_INFOMSG_MASK))
			return true;
	}
	return false;
}
172
icmpv6_mask_allow(struct net * net,int type)173 static bool icmpv6_mask_allow(struct net *net, int type)
174 {
175 if (type > ICMPV6_MSG_MAX)
176 return true;
177
178 /* Limit if icmp type is set in ratemask. */
179 if (!test_bit(type, net->ipv6.sysctl.icmpv6_ratemask))
180 return true;
181
182 return false;
183 }
184
icmpv6_global_allow(struct net * net,int type)185 static bool icmpv6_global_allow(struct net *net, int type)
186 {
187 if (icmpv6_mask_allow(net, type))
188 return true;
189
190 if (icmp_global_allow())
191 return true;
192
193 return false;
194 }
195
/*
 * Check the ICMP output rate limit
 */
static bool icmpv6_xrlim_allow(struct sock *sk, u8 type,
			       struct flowi6 *fl6)
{
	struct net *net = sock_net(sk);
	struct dst_entry *dst;
	bool res = false;

	/* Exempt types bypass the per-destination limiter entirely. */
	if (icmpv6_mask_allow(net, type))
		return true;

	/*
	 * Look up the output route.
	 * XXX: perhaps the expire for routing entries cloned by
	 * this lookup should be more aggressive (not longer than timeout).
	 */
	dst = ip6_route_output(net, sk, fl6);
	if (dst->error) {
		IP6_INC_STATS(net, ip6_dst_idev(dst),
			      IPSTATS_MIB_OUTNOROUTES);
	} else if (dst->dev && (dst->dev->flags&IFF_LOOPBACK)) {
		/* Loopback traffic is never rate limited. */
		res = true;
	} else {
		struct rt6_info *rt = (struct rt6_info *)dst;
		int tmo = net->ipv6.sysctl.icmpv6_time;
		struct inet_peer *peer;

		/* Give more bandwidth to wider prefixes. */
		if (rt->rt6i_dst.plen < 128)
			tmo >>= ((128 - rt->rt6i_dst.plen)>>5);

		/* Token-bucket decision is kept per destination peer. */
		peer = inet_getpeer_v6(net->ipv6.peers, &fl6->daddr, 1);
		res = inet_peer_xrlim_allow(peer, tmo);
		if (peer)
			inet_putpeer(peer);
	}
	dst_release(dst);
	return res;
}
237
238 /*
239 * an inline helper for the "simple" if statement below
240 * checks if parameter problem report is caused by an
241 * unrecognized IPv6 option that has the Option Type
242 * highest-order two bits set to 10
243 */
244
opt_unrec(struct sk_buff * skb,__u32 offset)245 static bool opt_unrec(struct sk_buff *skb, __u32 offset)
246 {
247 u8 _optval, *op;
248
249 offset += skb_network_offset(skb);
250 op = skb_header_pointer(skb, offset, sizeof(_optval), &_optval);
251 if (!op)
252 return true;
253 return (*op & 0xC0) == 0x80;
254 }
255
/* Finalize a queued ICMPv6 message: copy the header template @thdr into
 * the first queued skb, compute the ICMPv6 checksum over all queued
 * fragments plus the pseudo-header, and transmit via
 * ip6_push_pending_frames().
 */
void icmpv6_push_pending_frames(struct sock *sk, struct flowi6 *fl6,
				struct icmp6hdr *thdr, int len)
{
	struct sk_buff *skb;
	struct icmp6hdr *icmp6h;

	skb = skb_peek(&sk->sk_write_queue);
	if (!skb)
		return;

	icmp6h = icmp6_hdr(skb);
	memcpy(icmp6h, thdr, sizeof(struct icmp6hdr));
	icmp6h->icmp6_cksum = 0;

	if (skb_queue_len(&sk->sk_write_queue) == 1) {
		/* Single skb: fold the header into its partial checksum. */
		skb->csum = csum_partial(icmp6h,
					sizeof(struct icmp6hdr), skb->csum);
		icmp6h->icmp6_cksum = csum_ipv6_magic(&fl6->saddr,
						      &fl6->daddr,
						      len, fl6->flowi6_proto,
						      skb->csum);
	} else {
		__wsum tmp_csum = 0;

		/* Multiple fragments: accumulate their checksums first. */
		skb_queue_walk(&sk->sk_write_queue, skb) {
			tmp_csum = csum_add(tmp_csum, skb->csum);
		}

		tmp_csum = csum_partial(icmp6h,
					sizeof(struct icmp6hdr), tmp_csum);
		icmp6h->icmp6_cksum = csum_ipv6_magic(&fl6->saddr,
						      &fl6->daddr,
						      len, fl6->flowi6_proto,
						      tmp_csum);
	}
	ip6_push_pending_frames(sk);
}
293
/* Cursor state passed to icmpv6_getfrag() while copying the offending
 * packet into the outgoing ICMPv6 message.
 */
struct icmpv6_msg {
	struct sk_buff	*skb;	/* packet being quoted in the ICMP body */
	int		offset;	/* start offset of the quoted data in skb */
	uint8_t		type;	/* ICMPv6 type of the message being built */
};
299
/* getfrag callback for ip6_append_data(): copy @len bytes of the quoted
 * packet into the output buffer while accumulating the checksum.  For
 * error messages, also attach conntrack info from the original skb.
 */
static int icmpv6_getfrag(void *from, char *to, int offset, int len, int odd, struct sk_buff *skb)
{
	struct icmpv6_msg *msg = (struct icmpv6_msg *) from;
	struct sk_buff *org_skb = msg->skb;
	__wsum csum = 0;

	csum = skb_copy_and_csum_bits(org_skb, msg->offset + offset,
				      to, len, csum);
	skb->csum = csum_block_add(skb->csum, csum, odd);
	if (!(msg->type & ICMPV6_INFOMSG_MASK))
		nf_ct_attach(skb, org_skb);
	return 0;
}
313
#if IS_ENABLED(CONFIG_IPV6_MIP6)
/* Mobile IPv6: if the packet carries a Home Address Option, swap the
 * IPv6 source address with the home address so the ICMP error is
 * built against the mobile node's home address (RFC 6275 handling).
 */
static void mip6_addr_swap(struct sk_buff *skb, const struct inet6_skb_parm *opt)
{
	struct ipv6hdr *iph = ipv6_hdr(skb);
	struct ipv6_destopt_hao *hao;
	struct in6_addr tmp;
	int off;

	if (opt->dsthao) {
		off = ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO);
		if (likely(off >= 0)) {
			hao = (struct ipv6_destopt_hao *)
					(skb_network_header(skb) + off);
			tmp = iph->saddr;
			iph->saddr = hao->addr;
			hao->addr = tmp;
		}
	}
}
#else
/* No-op when Mobile IPv6 support is compiled out. */
static inline void mip6_addr_swap(struct sk_buff *skb, const struct inet6_skb_parm *opt) {}
#endif
336
/* Resolve the output route for an outgoing ICMPv6 error, including XFRM
 * policy lookup.  If the forward XFRM lookup is denied with -EPERM, retry
 * with a reverse-decoded flow (XFRM_LOOKUP_ICMP), per the ICMP handling
 * rules for IPsec.  Returns a held dst or an ERR_PTR().
 */
static struct dst_entry *icmpv6_route_lookup(struct net *net,
					     struct sk_buff *skb,
					     struct sock *sk,
					     struct flowi6 *fl6)
{
	struct dst_entry *dst, *dst2;
	struct flowi6 fl2;
	int err;

	err = ip6_dst_lookup(net, sk, &dst, fl6);
	if (err)
		return ERR_PTR(err);

	/*
	 * We won't send icmp if the destination is known
	 * anycast.
	 */
	if (ipv6_anycast_destination(dst, &fl6->daddr)) {
		net_dbg_ratelimited("icmp6_send: acast source\n");
		dst_release(dst);
		return ERR_PTR(-EINVAL);
	}

	/* No need to clone since we're just using its address. */
	dst2 = dst;

	dst = xfrm_lookup(net, dst, flowi6_to_flowi(fl6), sk, 0);
	if (!IS_ERR(dst)) {
		if (dst != dst2)
			return dst;
		/* dst unchanged by xfrm: fall through to the relookup. */
	} else {
		if (PTR_ERR(dst) == -EPERM)
			dst = NULL;	/* policy denied: try reverse flow */
		else
			return dst;
	}

	err = xfrm_decode_session_reverse(skb, flowi6_to_flowi(&fl2), AF_INET6);
	if (err)
		goto relookup_failed;

	err = ip6_dst_lookup(net, sk, &dst2, &fl2);
	if (err)
		goto relookup_failed;

	dst2 = xfrm_lookup(net, dst2, flowi6_to_flowi(&fl2), sk, XFRM_LOOKUP_ICMP);
	if (!IS_ERR(dst2)) {
		dst_release(dst);
		dst = dst2;
	} else {
		err = PTR_ERR(dst2);
		if (err == -EPERM) {
			dst_release(dst);
			return dst2;
		} else
			goto relookup_failed;
	}

relookup_failed:
	/* On relookup failure, fall back to the original dst if we have one. */
	if (dst)
		return dst;
	return ERR_PTR(err);
}
400
/* Return the device the ICMP reply should be attributed to, unwrapping
 * loopback / L3 master devices to the real underlying device when possible.
 */
static struct net_device *icmp6_dev(const struct sk_buff *skb)
{
	struct net_device *dev = skb->dev;

	/* for local traffic to local address, skb dev is the loopback
	 * device. Check if there is a dst attached to the skb and if so
	 * get the real device index. Same is needed for replies to a link
	 * local address on a device enslaved to an L3 master device
	 */
	if (unlikely(dev->ifindex == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev))) {
		const struct rt6_info *rt6 = skb_rt6_info(skb);

		/* The destination could be an external IP in Ext Hdr (SRv6, RPL, etc.),
		 * and ip6_null_entry could be set to skb if no route is found.
		 */
		if (rt6 && rt6->rt6i_idev)
			dev = rt6->rt6i_idev->dev;
	}

	return dev;
}
422
/* Interface index of the device resolved by icmp6_dev(). */
static int icmp6_iif(const struct sk_buff *skb)
{
	return icmp6_dev(skb)->ifindex;
}
427
/*
 *	Send an ICMP message in response to a packet in error
 *
 *	@skb: the packet that triggered the error
 *	@type/@code/@info: ICMPv6 type, code and type-specific info field
 *	@force_saddr: optional source address override (used by tunnels)
 *	@parm: IP6CB parameters of the offending packet (for MIP6 handling)
 *
 *	Enforces the RFC 4443 / RFC 1885 sending rules (no replies to
 *	multicast/anycast destinations except PTB and certain ParamProb,
 *	no replies to ICMP errors) and both global and per-destination
 *	rate limits before building and transmitting the message.
 */
void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info,
		const struct in6_addr *force_saddr,
		const struct inet6_skb_parm *parm)
{
	struct inet6_dev *idev = NULL;
	struct ipv6hdr *hdr = ipv6_hdr(skb);
	struct sock *sk;
	struct net *net;
	struct ipv6_pinfo *np;
	const struct in6_addr *saddr = NULL;
	struct dst_entry *dst;
	struct icmp6hdr tmp_hdr;
	struct flowi6 fl6;
	struct icmpv6_msg msg;
	struct ipcm6_cookie ipc6;
	int iif = 0;
	int addr_type = 0;
	int len;
	u32 mark;

	/* Sanity check: the IPv6 header must lie fully within the skb. */
	if ((u8 *)hdr < skb->head ||
	    (skb_network_header(skb) + sizeof(*hdr)) > skb_tail_pointer(skb))
		return;

	if (!skb->dev)
		return;
	net = dev_net(skb->dev);
	mark = IP6_REPLY_MARK(net, skb->mark);
	/*
	 *	Make sure we respect the rules
	 *	i.e. RFC 1885 2.4(e)
	 *	Rule (e.1) is enforced by not using icmp6_send
	 *	in any code that processes icmp errors.
	 */
	addr_type = ipv6_addr_type(&hdr->daddr);

	if (ipv6_chk_addr(net, &hdr->daddr, skb->dev, 0) ||
	    ipv6_chk_acast_addr_src(net, skb->dev, &hdr->daddr))
		saddr = &hdr->daddr;

	/*
	 *	Dest addr check
	 */

	if (addr_type & IPV6_ADDR_MULTICAST || skb->pkt_type != PACKET_HOST) {
		if (type != ICMPV6_PKT_TOOBIG &&
		    !(type == ICMPV6_PARAMPROB &&
		      code == ICMPV6_UNK_OPTION &&
		      (opt_unrec(skb, info))))
			return;

		saddr = NULL;
	}

	addr_type = ipv6_addr_type(&hdr->saddr);

	/*
	 *	Source addr check
	 */

	if (__ipv6_addr_needs_scope_id(addr_type)) {
		iif = icmp6_iif(skb);
	} else {
		dst = skb_dst(skb);
		iif = l3mdev_master_ifindex(dst ? dst->dev : skb->dev);
	}

	/*
	 *	Must not send error if the source does not uniquely
	 *	identify a single node (RFC2463 Section 2.4).
	 *	We check unspecified / multicast addresses here,
	 *	and anycast addresses will be checked later.
	 */
	if ((addr_type == IPV6_ADDR_ANY) || (addr_type & IPV6_ADDR_MULTICAST)) {
		net_dbg_ratelimited("icmp6_send: addr_any/mcast source [%pI6c > %pI6c]\n",
				    &hdr->saddr, &hdr->daddr);
		return;
	}

	/*
	 *	Never answer to a ICMP packet.
	 */
	if (is_ineligible(skb)) {
		net_dbg_ratelimited("icmp6_send: no reply to icmp error [%pI6c > %pI6c]\n",
				    &hdr->saddr, &hdr->daddr);
		return;
	}

	/* Needed by both icmp_global_allow and icmpv6_xmit_lock */
	local_bh_disable();

	/* Check global sysctl_icmp_msgs_per_sec ratelimit */
	if (!(skb->dev->flags & IFF_LOOPBACK) && !icmpv6_global_allow(net, type))
		goto out_bh_enable;

	mip6_addr_swap(skb, parm);

	memset(&fl6, 0, sizeof(fl6));
	fl6.flowi6_proto = IPPROTO_ICMPV6;
	fl6.daddr = hdr->saddr;
	if (force_saddr)
		saddr = force_saddr;
	if (saddr)
		fl6.saddr = *saddr;
	fl6.flowi6_mark = mark;
	fl6.flowi6_oif = iif;
	fl6.fl6_icmp_type = type;
	fl6.fl6_icmp_code = code;
	fl6.flowi6_uid = sock_net_uid(net, NULL);
	fl6.mp_hash = rt6_multipath_hash(net, &fl6, skb, NULL);
	security_skb_classify_flow(skb, flowi6_to_flowi(&fl6));

	sk = icmpv6_xmit_lock(net);
	if (!sk)
		goto out_bh_enable;

	np = inet6_sk(sk);

	/* Per-destination rate limit check. */
	if (!icmpv6_xrlim_allow(sk, type, &fl6))
		goto out;

	tmp_hdr.icmp6_type = type;
	tmp_hdr.icmp6_code = code;
	tmp_hdr.icmp6_cksum = 0;
	tmp_hdr.icmp6_pointer = htonl(info);

	if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr))
		fl6.flowi6_oif = np->mcast_oif;
	else if (!fl6.flowi6_oif)
		fl6.flowi6_oif = np->ucast_oif;

	ipcm6_init_sk(&ipc6, np);
	ipc6.sockc.mark = mark;
	fl6.flowlabel = ip6_make_flowinfo(ipc6.tclass, fl6.flowlabel);

	dst = icmpv6_route_lookup(net, skb, sk, &fl6);
	if (IS_ERR(dst))
		goto out;

	ipc6.hlimit = ip6_sk_dst_hoplimit(np, &fl6, dst);

	msg.skb = skb;
	msg.offset = skb_network_offset(skb);
	msg.type = type;

	/* Quote as much of the offending packet as fits in the minimum MTU. */
	len = skb->len - msg.offset;
	len = min_t(unsigned int, len, IPV6_MIN_MTU - sizeof(struct ipv6hdr) - sizeof(struct icmp6hdr));
	if (len < 0) {
		net_dbg_ratelimited("icmp: len problem [%pI6c > %pI6c]\n",
				    &hdr->saddr, &hdr->daddr);
		goto out_dst_release;
	}

	rcu_read_lock();
	idev = __in6_dev_get(skb->dev);

	if (ip6_append_data(sk, icmpv6_getfrag, &msg,
			    len + sizeof(struct icmp6hdr),
			    sizeof(struct icmp6hdr),
			    &ipc6, &fl6, (struct rt6_info *)dst,
			    MSG_DONTWAIT)) {
		ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTERRORS);
		ip6_flush_pending_frames(sk);
	} else {
		icmpv6_push_pending_frames(sk, &fl6, &tmp_hdr,
					   len + sizeof(struct icmp6hdr));
	}
	rcu_read_unlock();
out_dst_release:
	dst_release(dst);
out:
	icmpv6_xmit_unlock(sk);
out_bh_enable:
	local_bh_enable();
}
EXPORT_SYMBOL(icmp6_send);
606 EXPORT_SYMBOL(icmp6_send);
607
/* Slightly more convenient version of icmp6_send.
 *
 * Sends an ICMPV6_PARAMPROB with pointer @pos and then consumes @skb.
 */
void icmpv6_param_prob(struct sk_buff *skb, u8 code, int pos)
{
	icmp6_send(skb, ICMPV6_PARAMPROB, code, pos, NULL, IP6CB(skb));
	kfree_skb(skb);
}
615
/* Generate icmpv6 with type/code ICMPV6_DEST_UNREACH/ICMPV6_ADDR_UNREACH
 * if sufficient data bytes are available
 * @nhs is the size of the tunnel header(s) :
 *  Either an IPv4 header for SIT encap
 *         an IPv4 header + GRE header for GRE encap
 *
 * Returns 0 on success, 1 if the packet was too short or could not be
 * cloned.
 */
int ip6_err_gen_icmpv6_unreach(struct sk_buff *skb, int nhs, int type,
			       unsigned int data_len)
{
	struct in6_addr temp_saddr;
	struct rt6_info *rt;
	struct sk_buff *skb2;
	u32 info = 0;

	if (!pskb_may_pull(skb, nhs + sizeof(struct ipv6hdr) + 8))
		return 1;

	/* RFC 4884 (partial) support for ICMP extensions */
	if (data_len < 128 || (data_len & 7) || skb->len < data_len)
		data_len = 0;

	/* A full copy is only needed when we must rewrite the payload
	 * for RFC 4884 padding below; otherwise a clone suffices.
	 */
	skb2 = data_len ? skb_copy(skb, GFP_ATOMIC) : skb_clone(skb, GFP_ATOMIC);

	if (!skb2)
		return 1;

	skb_dst_drop(skb2);
	skb_pull(skb2, nhs);
	skb_reset_network_header(skb2);

	rt = rt6_lookup(dev_net(skb->dev), &ipv6_hdr(skb2)->saddr, NULL, 0,
			skb, 0);

	if (rt && rt->dst.dev)
		skb2->dev = rt->dst.dev;

	/* Use the tunnel's IPv4 source as a v4-mapped IPv6 source. */
	ipv6_addr_set_v4mapped(ip_hdr(skb)->saddr, &temp_saddr);

	if (data_len) {
		/* RFC 4884 (partial) support :
		 * insert 0 padding at the end, before the extensions
		 */
		__skb_push(skb2, nhs);
		skb_reset_network_header(skb2);
		memmove(skb2->data, skb2->data + nhs, data_len - nhs);
		memset(skb2->data + data_len - nhs, 0, nhs);
		/* RFC 4884 4.5 : Length is measured in 64-bit words,
		 * and stored in reserved[0]
		 */
		info = (data_len/8) << 24;
	}
	if (type == ICMP_TIME_EXCEEDED)
		icmp6_send(skb2, ICMPV6_TIME_EXCEED, ICMPV6_EXC_HOPLIMIT,
			   info, &temp_saddr, IP6CB(skb2));
	else
		icmp6_send(skb2, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH,
			   info, &temp_saddr, IP6CB(skb2));
	if (rt)
		ip6_rt_put(rt);

	kfree_skb(skb2);

	return 0;
}
EXPORT_SYMBOL(ip6_err_gen_icmpv6_unreach);
681
/* Build and send an ICMPv6 Echo Reply for the Echo Request in @skb,
 * honoring the echo_ignore_multicast / echo_ignore_anycast /
 * anycast_src_echo_reply / flowlabel_reflect sysctls and both rate
 * limiters.
 */
static void icmpv6_echo_reply(struct sk_buff *skb)
{
	struct net *net = dev_net(skb->dev);
	struct sock *sk;
	struct inet6_dev *idev;
	struct ipv6_pinfo *np;
	const struct in6_addr *saddr = NULL;
	struct icmp6hdr *icmph = icmp6_hdr(skb);
	struct icmp6hdr tmp_hdr;
	struct flowi6 fl6;
	struct icmpv6_msg msg;
	struct dst_entry *dst;
	struct ipcm6_cookie ipc6;
	u32 mark = IP6_REPLY_MARK(net, skb->mark);
	bool acast;

	if (ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr) &&
	    net->ipv6.sysctl.icmpv6_echo_ignore_multicast)
		return;

	saddr = &ipv6_hdr(skb)->daddr;

	acast = ipv6_anycast_destination(skb_dst(skb), saddr);
	if (acast && net->ipv6.sysctl.icmpv6_echo_ignore_anycast)
		return;

	/* Do not use a multicast/anycast destination as our source unless
	 * anycast replies are explicitly enabled.
	 */
	if (!ipv6_unicast_destination(skb) &&
	    !(net->ipv6.sysctl.anycast_src_echo_reply && acast))
		saddr = NULL;

	/* Reply reuses the request header with the type flipped. */
	memcpy(&tmp_hdr, icmph, sizeof(tmp_hdr));
	tmp_hdr.icmp6_type = ICMPV6_ECHO_REPLY;

	memset(&fl6, 0, sizeof(fl6));
	if (net->ipv6.sysctl.flowlabel_reflect & FLOWLABEL_REFLECT_ICMPV6_ECHO_REPLIES)
		fl6.flowlabel = ip6_flowlabel(ipv6_hdr(skb));

	fl6.flowi6_proto = IPPROTO_ICMPV6;
	fl6.daddr = ipv6_hdr(skb)->saddr;
	if (saddr)
		fl6.saddr = *saddr;
	fl6.flowi6_oif = icmp6_iif(skb);
	fl6.fl6_icmp_type = ICMPV6_ECHO_REPLY;
	fl6.flowi6_mark = mark;
	fl6.flowi6_uid = sock_net_uid(net, NULL);
	security_skb_classify_flow(skb, flowi6_to_flowi(&fl6));

	local_bh_disable();
	sk = icmpv6_xmit_lock(net);
	if (!sk)
		goto out_bh_enable;
	np = inet6_sk(sk);

	if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr))
		fl6.flowi6_oif = np->mcast_oif;
	else if (!fl6.flowi6_oif)
		fl6.flowi6_oif = np->ucast_oif;

	if (ip6_dst_lookup(net, sk, &dst, &fl6))
		goto out;
	dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), sk, 0);
	if (IS_ERR(dst))
		goto out;

	/* Check the ratelimit */
	if ((!(skb->dev->flags & IFF_LOOPBACK) && !icmpv6_global_allow(net, ICMPV6_ECHO_REPLY)) ||
	    !icmpv6_xrlim_allow(sk, ICMPV6_ECHO_REPLY, &fl6))
		goto out_dst_release;

	idev = __in6_dev_get(skb->dev);

	msg.skb = skb;
	msg.offset = 0;
	msg.type = ICMPV6_ECHO_REPLY;

	ipcm6_init_sk(&ipc6, np);
	ipc6.hlimit = ip6_sk_dst_hoplimit(np, &fl6, dst);
	ipc6.tclass = ipv6_get_dsfield(ipv6_hdr(skb));
	ipc6.sockc.mark = mark;

	if (ip6_append_data(sk, icmpv6_getfrag, &msg,
			    skb->len + sizeof(struct icmp6hdr),
			    sizeof(struct icmp6hdr), &ipc6, &fl6,
			    (struct rt6_info *)dst, MSG_DONTWAIT)) {
		__ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTERRORS);
		ip6_flush_pending_frames(sk);
	} else {
		icmpv6_push_pending_frames(sk, &fl6, &tmp_hdr,
					   skb->len + sizeof(struct icmp6hdr));
	}
out_dst_release:
	dst_release(dst);
out:
	icmpv6_xmit_unlock(sk);
out_bh_enable:
	local_bh_enable();
}
779
/* Deliver a received ICMPv6 error to the upper-layer protocol that the
 * embedded (offending) packet belongs to, and to any matching raw sockets.
 * @skb points at the packet quoted inside the ICMPv6 error.
 */
void icmpv6_notify(struct sk_buff *skb, u8 type, u8 code, __be32 info)
{
	const struct inet6_protocol *ipprot;
	int inner_offset;
	__be16 frag_off;
	u8 nexthdr;
	struct net *net = dev_net(skb->dev);

	if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
		goto out;

	nexthdr = ((struct ipv6hdr *)skb->data)->nexthdr;
	if (ipv6_ext_hdr(nexthdr)) {
		/* now skip over extension headers */
		inner_offset = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr),
						&nexthdr, &frag_off);
		if (inner_offset < 0)
			goto out;
	} else {
		inner_offset = sizeof(struct ipv6hdr);
	}

	/* Check header including 8 bytes of inner protocol header. */
	if (!pskb_may_pull(skb, inner_offset+8))
		goto out;

	/* BUGGG_FUTURE: we should try to parse exthdrs in this packet.
	   Without this we will not able f.e. to make source routed
	   pmtu discovery.
	   Corresponding argument (opt) to notifiers is already added.
	   --ANK (980726)
	 */

	ipprot = rcu_dereference(inet6_protos[nexthdr]);
	if (ipprot && ipprot->err_handler)
		ipprot->err_handler(skb, NULL, type, code, inner_offset, info);

	raw6_icmp_error(skb, nexthdr, type, code, inner_offset, info);
	return;

out:
	__ICMP6_INC_STATS(net, __in6_dev_get(skb->dev), ICMP6_MIB_INERRORS);
}
823
/*
 *	Handle icmp messages
 *
 *	Main receive entry point for IPPROTO_ICMPV6: validates XFRM policy
 *	and the ICMPv6 checksum, updates MIB counters, then dispatches by
 *	message type (echo, errors, NDISC, MLD, ...).
 */

static int icmpv6_rcv(struct sk_buff *skb)
{
	struct net *net = dev_net(skb->dev);
	struct net_device *dev = icmp6_dev(skb);
	struct inet6_dev *idev = __in6_dev_get(dev);
	const struct in6_addr *saddr, *daddr;
	struct icmp6hdr *hdr;
	u8 type;
	bool success = false;

	if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
		struct sec_path *sp = skb_sec_path(skb);
		int nh;

		/* Only ICMP-flagged XFRM states may carry ICMP past policy. */
		if (!(sp && sp->xvec[sp->len - 1]->props.flags &
				 XFRM_STATE_ICMP))
			goto drop_no_count;

		if (!pskb_may_pull(skb, sizeof(*hdr) + sizeof(struct ipv6hdr)))
			goto drop_no_count;

		/* Temporarily point the network header past the ICMP header
		 * so the reverse policy check sees the embedded packet.
		 */
		nh = skb_network_offset(skb);
		skb_set_network_header(skb, sizeof(*hdr));

		if (!xfrm6_policy_check_reverse(NULL, XFRM_POLICY_IN, skb))
			goto drop_no_count;

		skb_set_network_header(skb, nh);
	}

	__ICMP6_INC_STATS(dev_net(dev), idev, ICMP6_MIB_INMSGS);

	saddr = &ipv6_hdr(skb)->saddr;
	daddr = &ipv6_hdr(skb)->daddr;

	if (skb_checksum_validate(skb, IPPROTO_ICMPV6, ip6_compute_pseudo)) {
		net_dbg_ratelimited("ICMPv6 checksum failed [%pI6c > %pI6c]\n",
				    saddr, daddr);
		goto csum_error;
	}

	if (!pskb_pull(skb, sizeof(*hdr)))
		goto discard_it;

	hdr = icmp6_hdr(skb);

	type = hdr->icmp6_type;

	ICMP6MSGIN_INC_STATS(dev_net(dev), idev, type);

	switch (type) {
	case ICMPV6_ECHO_REQUEST:
		if (!net->ipv6.sysctl.icmpv6_echo_ignore_all)
			icmpv6_echo_reply(skb);
		break;

	case ICMPV6_ECHO_REPLY:
		success = ping_rcv(skb);
		break;

	case ICMPV6_PKT_TOOBIG:
		/* BUGGG_FUTURE: if packet contains rthdr, we cannot update
		   standard destination cache. Seems, only "advanced"
		   destination cache will allow to solve this problem
		   --ANK (980726)
		 */
		if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
			goto discard_it;
		hdr = icmp6_hdr(skb);

		/* to notify */
		/* fall through */
	case ICMPV6_DEST_UNREACH:
	case ICMPV6_TIME_EXCEED:
	case ICMPV6_PARAMPROB:
		icmpv6_notify(skb, type, hdr->icmp6_code, hdr->icmp6_mtu);
		break;

	case NDISC_ROUTER_SOLICITATION:
	case NDISC_ROUTER_ADVERTISEMENT:
	case NDISC_NEIGHBOUR_SOLICITATION:
	case NDISC_NEIGHBOUR_ADVERTISEMENT:
	case NDISC_REDIRECT:
		ndisc_rcv(skb);
		break;

	case ICMPV6_MGM_QUERY:
		igmp6_event_query(skb);
		break;

	case ICMPV6_MGM_REPORT:
		igmp6_event_report(skb);
		break;

	/* Types we recognize but intentionally ignore. */
	case ICMPV6_MGM_REDUCTION:
	case ICMPV6_NI_QUERY:
	case ICMPV6_NI_REPLY:
	case ICMPV6_MLD2_REPORT:
	case ICMPV6_DHAAD_REQUEST:
	case ICMPV6_DHAAD_REPLY:
	case ICMPV6_MOBILE_PREFIX_SOL:
	case ICMPV6_MOBILE_PREFIX_ADV:
		break;

	default:
		/* informational */
		if (type & ICMPV6_INFOMSG_MASK)
			break;

		net_dbg_ratelimited("icmpv6: msg of unknown type [%pI6c > %pI6c]\n",
				    saddr, daddr);

		/*
		 * error of unknown type.
		 * must pass to upper level
		 */

		icmpv6_notify(skb, type, hdr->icmp6_code, hdr->icmp6_mtu);
	}

	/* until the v6 path can be better sorted assume failure and
	 * preserve the status quo behaviour for the rest of the paths to here
	 */
	if (success)
		consume_skb(skb);
	else
		kfree_skb(skb);

	return 0;

csum_error:
	__ICMP6_INC_STATS(dev_net(dev), idev, ICMP6_MIB_CSUMERRORS);
discard_it:
	__ICMP6_INC_STATS(dev_net(dev), idev, ICMP6_MIB_INERRORS);
drop_no_count:
	kfree_skb(skb);
	return 0;
}
966
/* Initialize @fl6 for an outgoing ICMPv6 message of @type from @saddr to
 * @daddr on interface @oif, and classify it for security modules.
 */
void icmpv6_flow_init(struct sock *sk, struct flowi6 *fl6,
		      u8 type,
		      const struct in6_addr *saddr,
		      const struct in6_addr *daddr,
		      int oif)
{
	memset(fl6, 0, sizeof(*fl6));
	fl6->saddr = *saddr;
	fl6->daddr = *daddr;
	fl6->flowi6_proto	= IPPROTO_ICMPV6;
	fl6->fl6_icmp_type	= type;
	fl6->fl6_icmp_code	= 0;
	fl6->flowi6_oif		= oif;
	security_sk_classify_flow(sk, flowi6_to_flowi(fl6));
}
982
/* Per-net teardown: destroy every per-CPU control socket and free the
 * percpu pointer array.
 */
static void __net_exit icmpv6_sk_exit(struct net *net)
{
	int i;

	for_each_possible_cpu(i)
		inet_ctl_sock_destroy(*per_cpu_ptr(net->ipv6.icmp_sk, i));
	free_percpu(net->ipv6.icmp_sk);
}
991
/* Per-net setup: create one raw ICMPv6 control socket per possible CPU.
 * Returns 0 or a negative errno; on failure all sockets created so far
 * are destroyed via icmpv6_sk_exit().
 */
static int __net_init icmpv6_sk_init(struct net *net)
{
	struct sock *sk;
	int err, i;

	net->ipv6.icmp_sk = alloc_percpu(struct sock *);
	if (!net->ipv6.icmp_sk)
		return -ENOMEM;

	for_each_possible_cpu(i) {
		err = inet_ctl_sock_create(&sk, PF_INET6,
					   SOCK_RAW, IPPROTO_ICMPV6, net);
		if (err < 0) {
			pr_err("Failed to initialize the ICMP6 control socket (err %d)\n",
			       err);
			goto fail;
		}

		*per_cpu_ptr(net->ipv6.icmp_sk, i) = sk;

		/* Enough space for 2 64K ICMP packets, including
		 * sk_buff struct overhead.
		 */
		sk->sk_sndbuf = 2 * SKB_TRUESIZE(64 * 1024);
	}
	return 0;

fail:
	icmpv6_sk_exit(net);
	return err;
}
1023
/* Registered by icmpv6_init() so each network namespace gets its own
 * set of control sockets.
 */
static struct pernet_operations icmpv6_sk_ops = {
	.init = icmpv6_sk_init,
	.exit = icmpv6_sk_exit,
};
1028
/* Module init: register per-net socket ops, the IPPROTO_ICMPV6 handler
 * and the ICMPv6 sender callback, unwinding in reverse order on failure.
 */
int __init icmpv6_init(void)
{
	int err;

	err = register_pernet_subsys(&icmpv6_sk_ops);
	if (err < 0)
		return err;

	/* inet6_add_protocol() only reports generic failure. */
	err = -EAGAIN;
	if (inet6_add_protocol(&icmpv6_protocol, IPPROTO_ICMPV6) < 0)
		goto fail;

	err = inet6_register_icmp_sender(icmp6_send);
	if (err)
		goto sender_reg_err;
	return 0;

sender_reg_err:
	inet6_del_protocol(&icmpv6_protocol, IPPROTO_ICMPV6);
fail:
	pr_err("Failed to register ICMP6 protocol\n");
	unregister_pernet_subsys(&icmpv6_sk_ops);
	return err;
}
1053
/* Module teardown: unregister everything icmpv6_init() registered. */
void icmpv6_cleanup(void)
{
	inet6_unregister_icmp_sender(icmp6_send);
	unregister_pernet_subsys(&icmpv6_sk_ops);
	inet6_del_protocol(&icmpv6_protocol, IPPROTO_ICMPV6);
}
1060
1061
/* Mapping of ICMPV6_DEST_UNREACH codes (indexed by code value) to the
 * errno reported to sockets and whether the error is fatal to the
 * connection.  Used by icmpv6_err_convert().
 */
static const struct icmp6_err {
	int err;
	int fatal;
} tab_unreach[] = {
	{	/* NOROUTE */
		.err	= ENETUNREACH,
		.fatal	= 0,
	},
	{	/* ADM_PROHIBITED */
		.err	= EACCES,
		.fatal	= 1,
	},
	{	/* Was NOT_NEIGHBOUR, now reserved */
		.err	= EHOSTUNREACH,
		.fatal	= 0,
	},
	{	/* ADDR_UNREACH	*/
		.err	= EHOSTUNREACH,
		.fatal	= 0,
	},
	{	/* PORT_UNREACH	*/
		.err	= ECONNREFUSED,
		.fatal	= 1,
	},
	{	/* POLICY_FAIL */
		.err	= EACCES,
		.fatal	= 1,
	},
	{	/* REJECT_ROUTE	*/
		.err	= EACCES,
		.fatal	= 1,
	},
};
1095
/* Translate an ICMPv6 error (@type/@code) into an errno stored in *@err.
 * Returns 1 when the error is fatal to the connection, 0 otherwise.
 * Unknown types yield EPROTO / non-fatal.
 */
int icmpv6_err_convert(u8 type, u8 code, int *err)
{
	switch (type) {
	case ICMPV6_DEST_UNREACH:
		/* Known codes come from the lookup table; out-of-range
		 * codes fall back to a fatal EPROTO.
		 */
		if (code < ARRAY_SIZE(tab_unreach)) {
			*err = tab_unreach[code].err;
			return tab_unreach[code].fatal;
		}
		*err = EPROTO;
		return 1;

	case ICMPV6_PKT_TOOBIG:
		*err = EMSGSIZE;
		return 0;

	case ICMPV6_PARAMPROB:
		*err = EPROTO;
		return 1;

	case ICMPV6_TIME_EXCEED:
		*err = EHOSTUNREACH;
		return 0;

	default:
		*err = EPROTO;
		return 0;
	}
}
EXPORT_SYMBOL(icmpv6_err_convert);
1128
#ifdef CONFIG_SYSCTL
/* Template for the per-net net.ipv6.icmp sysctl table; the .data
 * pointers are rewritten per namespace in ipv6_icmp_sysctl_init().
 * NOTE: ipv6_icmp_sysctl_init() patches entries by index, so the order
 * here must match the assignments there.
 */
static struct ctl_table ipv6_icmp_table_template[] = {
	{
		.procname	= "ratelimit",
		.data		= &init_net.ipv6.sysctl.icmpv6_time,
		.maxlen		= sizeof(int),
		.mode		= 0644,
		.proc_handler	= proc_dointvec_ms_jiffies,
	},
	{
		.procname	= "echo_ignore_all",
		.data		= &init_net.ipv6.sysctl.icmpv6_echo_ignore_all,
		.maxlen		= sizeof(int),
		.mode		= 0644,
		.proc_handler = proc_dointvec,
	},
	{
		.procname	= "echo_ignore_multicast",
		.data		= &init_net.ipv6.sysctl.icmpv6_echo_ignore_multicast,
		.maxlen		= sizeof(int),
		.mode		= 0644,
		.proc_handler = proc_dointvec,
	},
	{
		.procname	= "echo_ignore_anycast",
		.data		= &init_net.ipv6.sysctl.icmpv6_echo_ignore_anycast,
		.maxlen		= sizeof(int),
		.mode		= 0644,
		.proc_handler = proc_dointvec,
	},
	{
		.procname	= "ratemask",
		.data		= &init_net.ipv6.sysctl.icmpv6_ratemask_ptr,
		.maxlen		= ICMPV6_MSG_MAX + 1,
		.mode		= 0644,
		.proc_handler = proc_do_large_bitmap,
	},
	{ },
};
1168
/* Duplicate the sysctl template for @net and point each entry's .data at
 * this namespace's fields.  Indices must stay in sync with the template.
 * Returns NULL on allocation failure; the caller frees the table.
 */
struct ctl_table * __net_init ipv6_icmp_sysctl_init(struct net *net)
{
	struct ctl_table *table;

	table = kmemdup(ipv6_icmp_table_template,
			sizeof(ipv6_icmp_table_template),
			GFP_KERNEL);

	if (table) {
		table[0].data = &net->ipv6.sysctl.icmpv6_time;
		table[1].data = &net->ipv6.sysctl.icmpv6_echo_ignore_all;
		table[2].data = &net->ipv6.sysctl.icmpv6_echo_ignore_multicast;
		table[3].data = &net->ipv6.sysctl.icmpv6_echo_ignore_anycast;
		table[4].data = &net->ipv6.sysctl.icmpv6_ratemask_ptr;
	}
	return table;
}
#endif
1187