| 1 | /* $NetBSD: route6.c,v 1.23 2008/04/15 03:57:04 thorpej Exp $ */ |
| 2 | /* $KAME: route6.c,v 1.22 2000/12/03 00:54:00 itojun Exp $ */ |
| 3 | |
| 4 | /* |
| 5 | * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. |
| 6 | * All rights reserved. |
| 7 | * |
| 8 | * Redistribution and use in source and binary forms, with or without |
| 9 | * modification, are permitted provided that the following conditions |
| 10 | * are met: |
| 11 | * 1. Redistributions of source code must retain the above copyright |
| 12 | * notice, this list of conditions and the following disclaimer. |
| 13 | * 2. Redistributions in binary form must reproduce the above copyright |
| 14 | * notice, this list of conditions and the following disclaimer in the |
| 15 | * documentation and/or other materials provided with the distribution. |
| 16 | * 3. Neither the name of the project nor the names of its contributors |
| 17 | * may be used to endorse or promote products derived from this software |
| 18 | * without specific prior written permission. |
| 19 | * |
| 20 | * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND |
| 21 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| 23 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE |
| 24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| 25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
| 26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
| 28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
| 29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 30 | * SUCH DAMAGE. |
| 31 | */ |
| 32 | |
| 33 | #include <sys/cdefs.h> |
| 34 | __KERNEL_RCSID(0, "$NetBSD: route6.c,v 1.23 2008/04/15 03:57:04 thorpej Exp $" ); |
| 35 | |
| 36 | #include <sys/param.h> |
| 37 | #include <sys/mbuf.h> |
| 38 | #include <sys/socket.h> |
| 39 | #include <sys/systm.h> |
| 40 | #include <sys/queue.h> |
| 41 | |
| 42 | #include <net/if.h> |
| 43 | |
| 44 | #include <netinet/in.h> |
| 45 | #include <netinet6/in6_var.h> |
| 46 | #include <netinet/ip6.h> |
| 47 | #include <netinet6/ip6_var.h> |
| 48 | #include <netinet6/ip6_private.h> |
| 49 | #include <netinet6/scope6_var.h> |
| 50 | |
| 51 | #include <netinet/icmp6.h> |
| 52 | |
| 53 | #if 0 |
| 54 | static int ip6_rthdr0(struct mbuf *, struct ip6_hdr *, struct ip6_rthdr0 *); |
| 55 | #endif |
| 56 | |
| 57 | int |
| 58 | route6_input(struct mbuf **mp, int *offp, int proto) |
| 59 | { |
| 60 | struct ip6_hdr *ip6; |
| 61 | struct mbuf *m = *mp; |
| 62 | struct ip6_rthdr *rh; |
| 63 | int off = *offp, rhlen; |
| 64 | |
| 65 | ip6 = mtod(m, struct ip6_hdr *); |
| 66 | IP6_EXTHDR_GET(rh, struct ip6_rthdr *, m, off, sizeof(*rh)); |
| 67 | if (rh == NULL) { |
| 68 | IP6_STATINC(IP6_STAT_TOOSHORT); |
| 69 | return IPPROTO_DONE; |
| 70 | } |
| 71 | |
| 72 | switch (rh->ip6r_type) { |
| 73 | #if 0 |
| 74 | /* |
| 75 | * See http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf |
| 76 | * for why IPV6_RTHDR_TYPE_0 is banned here. |
| 77 | * |
| 78 | * We return ICMPv6 parameter problem so that innocent people |
| 79 | * (not an attacker) would notice about the use of IPV6_RTHDR_TYPE_0. |
| 80 | * Since there's no amplification, and ICMPv6 error will be rate- |
| 81 | * controlled, it shouldn't cause any problem. |
| 82 | * If you are concerned about this, you may want to use the following |
| 83 | * code fragment: |
| 84 | * |
| 85 | * case IPV6_RTHDR_TYPE_0: |
| 86 | * m_freem(m); |
| 87 | * return (IPPROTO_DONE); |
| 88 | */ |
| 89 | case IPV6_RTHDR_TYPE_0: |
| 90 | rhlen = (rh->ip6r_len + 1) << 3; |
| 91 | /* |
| 92 | * note on option length: |
| 93 | * maximum rhlen: 2048 |
| 94 | * max mbuf m_pulldown can handle: MCLBYTES == usually 2048 |
| 95 | * so, here we are assuming that m_pulldown can handle |
| 96 | * rhlen == 2048 case. this may not be a good thing to |
| 97 | * assume - we may want to avoid pulling it up altogether. |
| 98 | */ |
| 99 | IP6_EXTHDR_GET(rh, struct ip6_rthdr *, m, off, rhlen); |
| 100 | if (rh == NULL) { |
| 101 | IP6_STATINC(IP6_STAT_TOOSHORT); |
| 102 | return IPPROTO_DONE; |
| 103 | } |
| 104 | if (ip6_rthdr0(m, ip6, (struct ip6_rthdr0 *)rh)) |
| 105 | return (IPPROTO_DONE); |
| 106 | break; |
| 107 | #endif |
| 108 | default: |
| 109 | /* unknown routing type */ |
| 110 | if (rh->ip6r_segleft == 0) { |
| 111 | rhlen = (rh->ip6r_len + 1) << 3; |
| 112 | break; /* Final dst. Just ignore the header. */ |
| 113 | } |
| 114 | IP6_STATINC(IP6_STAT_BADOPTIONS); |
| 115 | icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, |
| 116 | (char *)&rh->ip6r_type - (char *)ip6); |
| 117 | return (IPPROTO_DONE); |
| 118 | } |
| 119 | |
| 120 | *offp += rhlen; |
| 121 | return (rh->ip6r_nxt); |
| 122 | } |
| 123 | |
| 124 | #if 0 |
| 125 | /* |
| 126 | * Type0 routing header processing |
| 127 | * |
| 128 | * RFC2292 backward compatibility warning: no support for strict/loose bitmap, |
| 129 | * as it was dropped between RFC1883 and RFC2460. |
| 130 | */ |
| 131 | static int |
| 132 | ip6_rthdr0(struct mbuf *m, struct ip6_hdr *ip6, |
| 133 | struct ip6_rthdr0 *rh0) |
| 134 | { |
| 135 | int addrs, index; |
| 136 | struct in6_addr *nextaddr, tmpaddr; |
| 137 | const struct ip6aux *ip6a; |
| 138 | |
| 139 | if (rh0->ip6r0_segleft == 0) |
| 140 | return (0); |
| 141 | |
| 142 | if (rh0->ip6r0_len % 2 |
| 143 | #ifdef COMPAT_RFC1883 |
| 144 | || rh0->ip6r0_len > 46 |
| 145 | #endif |
| 146 | ) { |
| 147 | /* |
| 148 | * Type 0 routing header can't contain more than 23 addresses. |
| 149 | * RFC 2462: this limitation was removed since strict/loose |
| 150 | * bitmap field was deleted. |
| 151 | */ |
| 152 | IP6_STATINC(IP6_STAT_BADOPTIONS); |
| 153 | icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, |
| 154 | (char *)&rh0->ip6r0_len - (char *)ip6); |
| 155 | return (-1); |
| 156 | } |
| 157 | |
| 158 | if ((addrs = rh0->ip6r0_len / 2) < rh0->ip6r0_segleft) { |
| 159 | IP6_STATINC(IP6_STAT_BADOPTIONS); |
| 160 | icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, |
| 161 | (char *)&rh0->ip6r0_segleft - (char *)ip6); |
| 162 | return (-1); |
| 163 | } |
| 164 | |
| 165 | index = addrs - rh0->ip6r0_segleft; |
| 166 | rh0->ip6r0_segleft--; |
| 167 | nextaddr = ((struct in6_addr *)(rh0 + 1)) + index; |
| 168 | |
| 169 | /* |
| 170 | * reject invalid addresses. be proactive about malicious use of |
| 171 | * IPv4 mapped/compat address. |
| 172 | * XXX need more checks? |
| 173 | */ |
| 174 | if (IN6_IS_ADDR_MULTICAST(nextaddr) || |
| 175 | IN6_IS_ADDR_UNSPECIFIED(nextaddr) || |
| 176 | IN6_IS_ADDR_V4MAPPED(nextaddr) || |
| 177 | IN6_IS_ADDR_V4COMPAT(nextaddr)) { |
| 178 | p6stat[IP6_STAT_BADOPTIONS]++; |
| 179 | goto bad; |
| 180 | } |
| 181 | if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) || |
| 182 | IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst) || |
| 183 | IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst) || |
| 184 | IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) { |
| 185 | IP6_STATINC(IP6_STAT_BADOPTIONS); |
| 186 | goto bad; |
| 187 | } |
| 188 | |
| 189 | /* |
| 190 | * Determine the scope zone of the next hop, based on the interface |
| 191 | * of the current hop. [RFC4007, Section 9] |
| 192 | * Then disambiguate the scope zone for the next hop (if necessary). |
| 193 | */ |
| 194 | if ((ip6a = ip6_getdstifaddr(m)) == NULL) |
| 195 | goto bad; |
| 196 | if (in6_setzoneid(nextaddr, ip6a->ip6a_scope_id) != 0) { |
| 197 | IP6_STATINC(IP6_STAT_BADSCOPE); |
| 198 | goto bad; |
| 199 | } |
| 200 | |
| 201 | /* |
| 202 | * Swap the IPv6 destination address and nextaddr. Forward the packet. |
| 203 | */ |
| 204 | tmpaddr = *nextaddr; |
| 205 | *nextaddr = ip6->ip6_dst; |
| 206 | in6_clearscope(nextaddr); /* XXX */ |
| 207 | ip6->ip6_dst = tmpaddr; |
| 208 | |
| 209 | #ifdef COMPAT_RFC1883 |
| 210 | if (rh0->ip6r0_slmap[index / 8] & (1 << (7 - (index % 8)))) |
| 211 | ip6_forward(m, IPV6_SRCRT_NEIGHBOR); |
| 212 | else |
| 213 | ip6_forward(m, IPV6_SRCRT_NOTNEIGHBOR); |
| 214 | #else |
| 215 | ip6_forward(m, 1); |
| 216 | #endif |
| 217 | |
| 218 | return (-1); /* m would be freed in ip6_forward() */ |
| 219 | |
| 220 | bad: |
| 221 | m_freem(m); |
| 222 | return (-1); |
| 223 | } |
| 224 | #endif |
| 225 | |