linux/net/ipv6/icmp.c
   1// SPDX-License-Identifier: GPL-2.0-or-later
   2/*
   3 *      Internet Control Message Protocol (ICMPv6)
   4 *      Linux INET6 implementation
   5 *
   6 *      Authors:
   7 *      Pedro Roque             <roque@di.fc.ul.pt>
   8 *
   9 *      Based on net/ipv4/icmp.c
  10 *
  11 *      RFC 1885
  12 */
  13
  14/*
  15 *      Changes:
  16 *
  17 *      Andi Kleen              :       exception handling
   18 *      Andi Kleen                      add rate limits. never reply to an icmp.
  19 *                                      add more length checks and other fixes.
   20 *      yoshfuji                :       ensure to send parameter problem for
  21 *                                      fragments.
  22 *      YOSHIFUJI Hideaki @USAGI:       added sysctl for icmp rate limit.
  23 *      Randy Dunlap and
  24 *      YOSHIFUJI Hideaki @USAGI:       Per-interface statistics support
  25 *      Kazunori MIYAZAWA @USAGI:       change output process to use ip6_append_data
  26 */
  27
  28#define pr_fmt(fmt) "IPv6: " fmt
  29
  30#include <linux/module.h>
  31#include <linux/errno.h>
  32#include <linux/types.h>
  33#include <linux/socket.h>
  34#include <linux/in.h>
  35#include <linux/kernel.h>
  36#include <linux/sockios.h>
  37#include <linux/net.h>
  38#include <linux/skbuff.h>
  39#include <linux/init.h>
  40#include <linux/netfilter.h>
  41#include <linux/slab.h>
  42
  43#ifdef CONFIG_SYSCTL
  44#include <linux/sysctl.h>
  45#endif
  46
  47#include <linux/inet.h>
  48#include <linux/netdevice.h>
  49#include <linux/icmpv6.h>
  50
  51#include <net/ip.h>
  52#include <net/sock.h>
  53
  54#include <net/ipv6.h>
  55#include <net/ip6_checksum.h>
  56#include <net/ping.h>
  57#include <net/protocol.h>
  58#include <net/raw.h>
  59#include <net/rawv6.h>
  60#include <net/transp_v6.h>
  61#include <net/ip6_route.h>
  62#include <net/addrconf.h>
  63#include <net/icmp.h>
  64#include <net/xfrm.h>
  65#include <net/inet_common.h>
  66#include <net/dsfield.h>
  67#include <net/l3mdev.h>
  68
  69#include <linux/uaccess.h>
  70
  71/*
  72 *      The ICMP socket(s). This is the most convenient way to flow control
  73 *      our ICMP output as well as maintain a clean interface throughout
  74 *      all layers. All Socketless IP sends will soon be gone.
  75 *
  76 *      On SMP we have one ICMP socket per-cpu.
  77 */
  78static struct sock *icmpv6_sk(struct net *net)
  79{
  80        return this_cpu_read(*net->ipv6.icmp_sk);
  81}
  82
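/* Protocol error handler registered via icmpv6_protocol below; called from
 * icmpv6_notify() when an ICMPv6 error arrives whose quoted packet was itself
 * ICMPv6 (e.g. an echo request we sent): update the path MTU on PKT_TOOBIG,
 * follow NDISC redirects, and pass errors for echo requests to the ping
 * socket layer.
 */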
  83static int icmpv6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
  84                       u8 type, u8 code, int offset, __be32 info)
  85{
  86        /* icmpv6_notify checks 8 bytes can be pulled, icmp6hdr is 8 bytes */
  87        struct icmp6hdr *icmp6 = (struct icmp6hdr *) (skb->data + offset);
  88        struct net *net = dev_net(skb->dev);
  89
  90        if (type == ICMPV6_PKT_TOOBIG)
  91                ip6_update_pmtu(skb, net, info, skb->dev->ifindex, 0, sock_net_uid(net, NULL));
  92        else if (type == NDISC_REDIRECT)
  93                ip6_redirect(skb, net, skb->dev->ifindex, 0,
  94                             sock_net_uid(net, NULL));
  95
  96        if (!(type & ICMPV6_INFOMSG_MASK))
  97                if (icmp6->icmp6_type == ICMPV6_ECHO_REQUEST)
  98                        ping_err(skb, offset, ntohl(info));
  99
 100        return 0;
 101}
 102
 103static int icmpv6_rcv(struct sk_buff *skb);
 104
 105static const struct inet6_protocol icmpv6_protocol = {
 106        .handler        =       icmpv6_rcv,
 107        .err_handler    =       icmpv6_err,
 108        .flags          =       INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL,
 109};
 110
 111/* Called with BH disabled */
 112static __inline__ struct sock *icmpv6_xmit_lock(struct net *net)
 113{
 114        struct sock *sk;
 115
 116        sk = icmpv6_sk(net);
 117        if (unlikely(!spin_trylock(&sk->sk_lock.slock))) {
  118                /* This can happen if the output path (e.g. SIT or
 119                 * ip6ip6 tunnel) signals dst_link_failure() for an
 120                 * outgoing ICMP6 packet.
 121                 */
 122                return NULL;
 123        }
 124        return sk;
 125}
 126
 127static __inline__ void icmpv6_xmit_unlock(struct sock *sk)
 128{
 129        spin_unlock(&sk->sk_lock.slock);
 130}
 131
 132/*
  133 * Figure out whether we may reply to this packet with an icmp error.
  134 *
  135 * We do not reply if:
  136 *      - it was an icmp error message.
  137 *      - it is truncated so that it is known that the protocol is ICMPV6
  138 *        (i.e. truncated in the middle of some exthdr)
 139 *
 140 *      --ANK (980726)
 141 */
 142
 143static bool is_ineligible(const struct sk_buff *skb)
 144{
 145        int ptr = (u8 *)(ipv6_hdr(skb) + 1) - skb->data;
 146        int len = skb->len - ptr;
 147        __u8 nexthdr = ipv6_hdr(skb)->nexthdr;
 148        __be16 frag_off;
 149
 150        if (len < 0)
 151                return true;
 152
 153        ptr = ipv6_skip_exthdr(skb, ptr, &nexthdr, &frag_off);
 154        if (ptr < 0)
 155                return false;
 156        if (nexthdr == IPPROTO_ICMPV6) {
 157                u8 _type, *tp;
 158                tp = skb_header_pointer(skb,
 159                        ptr+offsetof(struct icmp6hdr, icmp6_type),
 160                        sizeof(_type), &_type);
 161
 162                /* Based on RFC 8200, Section 4.5 Fragment Header, return
 163                 * false if this is a fragment packet with no icmp header info.
 164                 */
 165                if (!tp && frag_off != 0)
 166                        return false;
 167                else if (!tp || !(*tp & ICMPV6_INFOMSG_MASK))
 168                        return true;
 169        }
 170        return false;
 171}
 172
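/* Rate-limit bypass check: returning true means the message type is exempt
 * from rate limiting, either because it lies outside the ratemask bitmap
 * (type > ICMPV6_MSG_MAX) or because its bit is not set in the
 * icmpv6_ratemask sysctl.
 */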
 173static bool icmpv6_mask_allow(struct net *net, int type)
 174{
 175        if (type > ICMPV6_MSG_MAX)
 176                return true;
 177
 178        /* Limit if icmp type is set in ratemask. */
 179        if (!test_bit(type, net->ipv6.sysctl.icmpv6_ratemask))
 180                return true;
 181
 182        return false;
 183}
 184
 185static bool icmpv6_global_allow(struct net *net, int type)
 186{
 187        if (icmpv6_mask_allow(net, type))
 188                return true;
 189
 190        if (icmp_global_allow())
 191                return true;
 192
 193        return false;
 194}
 195
 196/*
 197 * Check the ICMP output rate limit
 198 */
 199static bool icmpv6_xrlim_allow(struct sock *sk, u8 type,
 200                               struct flowi6 *fl6)
 201{
 202        struct net *net = sock_net(sk);
 203        struct dst_entry *dst;
 204        bool res = false;
 205
 206        if (icmpv6_mask_allow(net, type))
 207                return true;
 208
 209        /*
 210         * Look up the output route.
 211         * XXX: perhaps the expire for routing entries cloned by
 212         * this lookup should be more aggressive (not longer than timeout).
 213         */
 214        dst = ip6_route_output(net, sk, fl6);
 215        if (dst->error) {
 216                IP6_INC_STATS(net, ip6_dst_idev(dst),
 217                              IPSTATS_MIB_OUTNOROUTES);
 218        } else if (dst->dev && (dst->dev->flags&IFF_LOOPBACK)) {
 219                res = true;
 220        } else {
 221                struct rt6_info *rt = (struct rt6_info *)dst;
 222                int tmo = net->ipv6.sysctl.icmpv6_time;
 223                struct inet_peer *peer;
 224
 225                /* Give more bandwidth to wider prefixes. */
 226                if (rt->rt6i_dst.plen < 128)
 227                        tmo >>= ((128 - rt->rt6i_dst.plen)>>5);
 228
 229                peer = inet_getpeer_v6(net->ipv6.peers, &fl6->daddr, 1);
 230                res = inet_peer_xrlim_allow(peer, tmo);
 231                if (peer)
 232                        inet_putpeer(peer);
 233        }
 234        dst_release(dst);
 235        return res;
 236}
 237
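/* Returns true if the route towards fl6->daddr has a preferred source
 * address configured.  icmp6_send() uses this to decide whether it can rely
 * on normal source address selection or should instead pick a source
 * address from the incoming interface.
 */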
 238static bool icmpv6_rt_has_prefsrc(struct sock *sk, u8 type,
 239                                  struct flowi6 *fl6)
 240{
 241        struct net *net = sock_net(sk);
 242        struct dst_entry *dst;
 243        bool res = false;
 244
 245        dst = ip6_route_output(net, sk, fl6);
 246        if (!dst->error) {
 247                struct rt6_info *rt = (struct rt6_info *)dst;
 248                struct in6_addr prefsrc;
 249
 250                rt6_get_prefsrc(rt, &prefsrc);
 251                res = !ipv6_addr_any(&prefsrc);
 252        }
 253        dst_release(dst);
 254        return res;
 255}
 256
 257/*
  258 *      An inline helper for the "simple" if statement below:
  259 *      checks whether a parameter problem report is caused by an
  260 *      unrecognized IPv6 option whose Option Type has its
  261 *      highest-order two bits set to 10.
 262 */
 263
 264static bool opt_unrec(struct sk_buff *skb, __u32 offset)
 265{
 266        u8 _optval, *op;
 267
 268        offset += skb_network_offset(skb);
 269        op = skb_header_pointer(skb, offset, sizeof(_optval), &_optval);
 270        if (!op)
 271                return true;
 272        return (*op & 0xC0) == 0x80;
 273}
 274
 275void icmpv6_push_pending_frames(struct sock *sk, struct flowi6 *fl6,
 276                                struct icmp6hdr *thdr, int len)
 277{
 278        struct sk_buff *skb;
 279        struct icmp6hdr *icmp6h;
 280
 281        skb = skb_peek(&sk->sk_write_queue);
 282        if (!skb)
 283                return;
 284
 285        icmp6h = icmp6_hdr(skb);
 286        memcpy(icmp6h, thdr, sizeof(struct icmp6hdr));
 287        icmp6h->icmp6_cksum = 0;
 288
 289        if (skb_queue_len(&sk->sk_write_queue) == 1) {
 290                skb->csum = csum_partial(icmp6h,
 291                                        sizeof(struct icmp6hdr), skb->csum);
 292                icmp6h->icmp6_cksum = csum_ipv6_magic(&fl6->saddr,
 293                                                      &fl6->daddr,
 294                                                      len, fl6->flowi6_proto,
 295                                                      skb->csum);
 296        } else {
 297                __wsum tmp_csum = 0;
 298
 299                skb_queue_walk(&sk->sk_write_queue, skb) {
 300                        tmp_csum = csum_add(tmp_csum, skb->csum);
 301                }
 302
 303                tmp_csum = csum_partial(icmp6h,
 304                                        sizeof(struct icmp6hdr), tmp_csum);
 305                icmp6h->icmp6_cksum = csum_ipv6_magic(&fl6->saddr,
 306                                                      &fl6->daddr,
 307                                                      len, fl6->flowi6_proto,
 308                                                      tmp_csum);
 309        }
 310        ip6_push_pending_frames(sk);
 311}
 312
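/* Context handed to ip6_append_data(): icmpv6_getfrag() copies the quoted
 * payload out of the offending skb chunk by chunk, folding the partial
 * checksums into the new skb as it goes, and attaches the original packet's
 * conntrack entry when building an error message.
 */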
 313struct icmpv6_msg {
 314        struct sk_buff  *skb;
 315        int             offset;
 316        uint8_t         type;
 317};
 318
 319static int icmpv6_getfrag(void *from, char *to, int offset, int len, int odd, struct sk_buff *skb)
 320{
 321        struct icmpv6_msg *msg = (struct icmpv6_msg *) from;
 322        struct sk_buff *org_skb = msg->skb;
 323        __wsum csum;
 324
 325        csum = skb_copy_and_csum_bits(org_skb, msg->offset + offset,
 326                                      to, len);
 327        skb->csum = csum_block_add(skb->csum, csum, odd);
 328        if (!(msg->type & ICMPV6_INFOMSG_MASK))
 329                nf_ct_attach(skb, org_skb);
 330        return 0;
 331}
 332
 333#if IS_ENABLED(CONFIG_IPV6_MIP6)
 334static void mip6_addr_swap(struct sk_buff *skb, const struct inet6_skb_parm *opt)
 335{
 336        struct ipv6hdr *iph = ipv6_hdr(skb);
 337        struct ipv6_destopt_hao *hao;
 338        struct in6_addr tmp;
 339        int off;
 340
 341        if (opt->dsthao) {
 342                off = ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO);
 343                if (likely(off >= 0)) {
 344                        hao = (struct ipv6_destopt_hao *)
 345                                        (skb_network_header(skb) + off);
 346                        tmp = iph->saddr;
 347                        iph->saddr = hao->addr;
 348                        hao->addr = tmp;
 349                }
 350        }
 351}
 352#else
 353static inline void mip6_addr_swap(struct sk_buff *skb, const struct inet6_skb_parm *opt) {}
 354#endif
 355
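/* Route and XFRM policy lookup for an outgoing ICMPv6 error.  Refuses to
 * send when the destination is a known anycast address.  If the plain
 * xfrm_lookup() is rejected by policy (-EPERM), retry with the
 * reverse-decoded flow of the offending packet and XFRM_LOOKUP_ICMP, since
 * IPsec may only permit the error along the reverse of the original flow.
 */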
 356static struct dst_entry *icmpv6_route_lookup(struct net *net,
 357                                             struct sk_buff *skb,
 358                                             struct sock *sk,
 359                                             struct flowi6 *fl6)
 360{
 361        struct dst_entry *dst, *dst2;
 362        struct flowi6 fl2;
 363        int err;
 364
 365        err = ip6_dst_lookup(net, sk, &dst, fl6);
 366        if (err)
 367                return ERR_PTR(err);
 368
 369        /*
 370         * We won't send icmp if the destination is known
 371         * anycast.
 372         */
 373        if (ipv6_anycast_destination(dst, &fl6->daddr)) {
 374                net_dbg_ratelimited("icmp6_send: acast source\n");
 375                dst_release(dst);
 376                return ERR_PTR(-EINVAL);
 377        }
 378
 379        /* No need to clone since we're just using its address. */
 380        dst2 = dst;
 381
 382        dst = xfrm_lookup(net, dst, flowi6_to_flowi(fl6), sk, 0);
 383        if (!IS_ERR(dst)) {
 384                if (dst != dst2)
 385                        return dst;
 386        } else {
 387                if (PTR_ERR(dst) == -EPERM)
 388                        dst = NULL;
 389                else
 390                        return dst;
 391        }
 392
 393        err = xfrm_decode_session_reverse(skb, flowi6_to_flowi(&fl2), AF_INET6);
 394        if (err)
 395                goto relookup_failed;
 396
 397        err = ip6_dst_lookup(net, sk, &dst2, &fl2);
 398        if (err)
 399                goto relookup_failed;
 400
 401        dst2 = xfrm_lookup(net, dst2, flowi6_to_flowi(&fl2), sk, XFRM_LOOKUP_ICMP);
 402        if (!IS_ERR(dst2)) {
 403                dst_release(dst);
 404                dst = dst2;
 405        } else {
 406                err = PTR_ERR(dst2);
 407                if (err == -EPERM) {
 408                        dst_release(dst);
 409                        return dst2;
 410                } else
 411                        goto relookup_failed;
 412        }
 413
 414relookup_failed:
 415        if (dst)
 416                return dst;
 417        return ERR_PTR(err);
 418}
 419
 420static struct net_device *icmp6_dev(const struct sk_buff *skb)
 421{
 422        struct net_device *dev = skb->dev;
 423
 424        /* for local traffic to local address, skb dev is the loopback
 425         * device. Check if there is a dst attached to the skb and if so
 426         * get the real device index. Same is needed for replies to a link
 427         * local address on a device enslaved to an L3 master device
 428         */
 429        if (unlikely(dev->ifindex == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev))) {
 430                const struct rt6_info *rt6 = skb_rt6_info(skb);
 431
 432                if (rt6)
 433                        dev = rt6->rt6i_idev->dev;
 434        }
 435
 436        return dev;
 437}
 438
 439static int icmp6_iif(const struct sk_buff *skb)
 440{
 441        return icmp6_dev(skb)->ifindex;
 442}
 443
 444/*
 445 *      Send an ICMP message in response to a packet in error
 446 */
 447void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info,
 448                const struct in6_addr *force_saddr,
 449                const struct inet6_skb_parm *parm)
 450{
 451        struct inet6_dev *idev = NULL;
 452        struct ipv6hdr *hdr = ipv6_hdr(skb);
 453        struct sock *sk;
 454        struct net *net;
 455        struct ipv6_pinfo *np;
 456        const struct in6_addr *saddr = NULL;
 457        struct dst_entry *dst;
 458        struct icmp6hdr tmp_hdr;
 459        struct flowi6 fl6;
 460        struct icmpv6_msg msg;
 461        struct ipcm6_cookie ipc6;
 462        int iif = 0;
 463        int addr_type = 0;
 464        int len;
 465        u32 mark;
 466
 467        if ((u8 *)hdr < skb->head ||
 468            (skb_network_header(skb) + sizeof(*hdr)) > skb_tail_pointer(skb))
 469                return;
 470
 471        if (!skb->dev)
 472                return;
 473        net = dev_net(skb->dev);
 474        mark = IP6_REPLY_MARK(net, skb->mark);
 475        /*
 476         *      Make sure we respect the rules
 477         *      i.e. RFC 1885 2.4(e)
 478         *      Rule (e.1) is enforced by not using icmp6_send
 479         *      in any code that processes icmp errors.
 480         */
 481        addr_type = ipv6_addr_type(&hdr->daddr);
 482
 483        if (ipv6_chk_addr(net, &hdr->daddr, skb->dev, 0) ||
 484            ipv6_chk_acast_addr_src(net, skb->dev, &hdr->daddr))
 485                saddr = &hdr->daddr;
 486
 487        /*
 488         *      Dest addr check
 489         */
 490
 491        if (addr_type & IPV6_ADDR_MULTICAST || skb->pkt_type != PACKET_HOST) {
 492                if (type != ICMPV6_PKT_TOOBIG &&
 493                    !(type == ICMPV6_PARAMPROB &&
 494                      code == ICMPV6_UNK_OPTION &&
 495                      (opt_unrec(skb, info))))
 496                        return;
 497
 498                saddr = NULL;
 499        }
 500
 501        addr_type = ipv6_addr_type(&hdr->saddr);
 502
 503        /*
 504         *      Source addr check
 505         */
 506
 507        if (__ipv6_addr_needs_scope_id(addr_type)) {
 508                iif = icmp6_iif(skb);
 509        } else {
 510                /*
 511                 * The source device is used for looking up which routing table
 512                 * to use for sending an ICMP error.
 513                 */
 514                iif = l3mdev_master_ifindex(skb->dev);
 515        }
 516
 517        /*
 518         *      Must not send error if the source does not uniquely
 519         *      identify a single node (RFC2463 Section 2.4).
 520         *      We check unspecified / multicast addresses here,
 521         *      and anycast addresses will be checked later.
 522         */
 523        if ((addr_type == IPV6_ADDR_ANY) || (addr_type & IPV6_ADDR_MULTICAST)) {
 524                net_dbg_ratelimited("icmp6_send: addr_any/mcast source [%pI6c > %pI6c]\n",
 525                                    &hdr->saddr, &hdr->daddr);
 526                return;
 527        }
 528
 529        /*
  530         *      Never answer to an ICMP packet.
 531         */
 532        if (is_ineligible(skb)) {
 533                net_dbg_ratelimited("icmp6_send: no reply to icmp error [%pI6c > %pI6c]\n",
 534                                    &hdr->saddr, &hdr->daddr);
 535                return;
 536        }
 537
 538        /* Needed by both icmp_global_allow and icmpv6_xmit_lock */
 539        local_bh_disable();
 540
 541        /* Check global sysctl_icmp_msgs_per_sec ratelimit */
 542        if (!(skb->dev->flags & IFF_LOOPBACK) && !icmpv6_global_allow(net, type))
 543                goto out_bh_enable;
 544
 545        mip6_addr_swap(skb, parm);
 546
 547        sk = icmpv6_xmit_lock(net);
 548        if (!sk)
 549                goto out_bh_enable;
 550
 551        memset(&fl6, 0, sizeof(fl6));
 552        fl6.flowi6_proto = IPPROTO_ICMPV6;
 553        fl6.daddr = hdr->saddr;
 554        if (force_saddr)
 555                saddr = force_saddr;
 556        if (saddr) {
 557                fl6.saddr = *saddr;
 558        } else if (!icmpv6_rt_has_prefsrc(sk, type, &fl6)) {
  559                /* select a more meaningful saddr from the input interface */
 560                struct net_device *in_netdev;
 561
 562                in_netdev = dev_get_by_index(net, parm->iif);
 563                if (in_netdev) {
 564                        ipv6_dev_get_saddr(net, in_netdev, &fl6.daddr,
 565                                           inet6_sk(sk)->srcprefs,
 566                                           &fl6.saddr);
 567                        dev_put(in_netdev);
 568                }
 569        }
 570        fl6.flowi6_mark = mark;
 571        fl6.flowi6_oif = iif;
 572        fl6.fl6_icmp_type = type;
 573        fl6.fl6_icmp_code = code;
 574        fl6.flowi6_uid = sock_net_uid(net, NULL);
 575        fl6.mp_hash = rt6_multipath_hash(net, &fl6, skb, NULL);
 576        security_skb_classify_flow(skb, flowi6_to_flowi_common(&fl6));
 577
 578        np = inet6_sk(sk);
 579
 580        if (!icmpv6_xrlim_allow(sk, type, &fl6))
 581                goto out;
 582
 583        tmp_hdr.icmp6_type = type;
 584        tmp_hdr.icmp6_code = code;
 585        tmp_hdr.icmp6_cksum = 0;
 586        tmp_hdr.icmp6_pointer = htonl(info);
 587
 588        if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr))
 589                fl6.flowi6_oif = np->mcast_oif;
 590        else if (!fl6.flowi6_oif)
 591                fl6.flowi6_oif = np->ucast_oif;
 592
 593        ipcm6_init_sk(&ipc6, np);
 594        ipc6.sockc.mark = mark;
 595        fl6.flowlabel = ip6_make_flowinfo(ipc6.tclass, fl6.flowlabel);
 596
 597        dst = icmpv6_route_lookup(net, skb, sk, &fl6);
 598        if (IS_ERR(dst))
 599                goto out;
 600
 601        ipc6.hlimit = ip6_sk_dst_hoplimit(np, &fl6, dst);
 602
 603        msg.skb = skb;
 604        msg.offset = skb_network_offset(skb);
 605        msg.type = type;
 606
 607        len = skb->len - msg.offset;
 608        len = min_t(unsigned int, len, IPV6_MIN_MTU - sizeof(struct ipv6hdr) - sizeof(struct icmp6hdr));
 609        if (len < 0) {
 610                net_dbg_ratelimited("icmp: len problem [%pI6c > %pI6c]\n",
 611                                    &hdr->saddr, &hdr->daddr);
 612                goto out_dst_release;
 613        }
 614
 615        rcu_read_lock();
 616        idev = __in6_dev_get(skb->dev);
 617
 618        if (ip6_append_data(sk, icmpv6_getfrag, &msg,
 619                            len + sizeof(struct icmp6hdr),
 620                            sizeof(struct icmp6hdr),
 621                            &ipc6, &fl6, (struct rt6_info *)dst,
 622                            MSG_DONTWAIT)) {
 623                ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTERRORS);
 624                ip6_flush_pending_frames(sk);
 625        } else {
 626                icmpv6_push_pending_frames(sk, &fl6, &tmp_hdr,
 627                                           len + sizeof(struct icmp6hdr));
 628        }
 629        rcu_read_unlock();
 630out_dst_release:
 631        dst_release(dst);
 632out:
 633        icmpv6_xmit_unlock(sk);
 634out_bh_enable:
 635        local_bh_enable();
 636}
 637EXPORT_SYMBOL(icmp6_send);
 638
 639/* Slightly more convenient version of icmp6_send.
 640 */
 641void icmpv6_param_prob(struct sk_buff *skb, u8 code, int pos)
 642{
 643        icmp6_send(skb, ICMPV6_PARAMPROB, code, pos, NULL, IP6CB(skb));
 644        kfree_skb(skb);
 645}
 646
  647/* Generate an icmpv6 error (ICMPV6_TIME_EXCEED/ICMPV6_EXC_HOPLIMIT when @type
  648 * is ICMP_TIME_EXCEEDED, else ICMPV6_DEST_UNREACH/ICMPV6_ADDR_UNREACH)
  649 * if sufficient data bytes are available.
  650 * @nhs is the size of the tunnel header(s): either an IPv4 header for
  651 *  SIT encap, or an IPv4 header + GRE header for GRE encap.
  652 */
 653int ip6_err_gen_icmpv6_unreach(struct sk_buff *skb, int nhs, int type,
 654                               unsigned int data_len)
 655{
 656        struct in6_addr temp_saddr;
 657        struct rt6_info *rt;
 658        struct sk_buff *skb2;
 659        u32 info = 0;
 660
 661        if (!pskb_may_pull(skb, nhs + sizeof(struct ipv6hdr) + 8))
 662                return 1;
 663
 664        /* RFC 4884 (partial) support for ICMP extensions */
 665        if (data_len < 128 || (data_len & 7) || skb->len < data_len)
 666                data_len = 0;
 667
 668        skb2 = data_len ? skb_copy(skb, GFP_ATOMIC) : skb_clone(skb, GFP_ATOMIC);
 669
 670        if (!skb2)
 671                return 1;
 672
 673        skb_dst_drop(skb2);
 674        skb_pull(skb2, nhs);
 675        skb_reset_network_header(skb2);
 676
 677        rt = rt6_lookup(dev_net(skb->dev), &ipv6_hdr(skb2)->saddr, NULL, 0,
 678                        skb, 0);
 679
 680        if (rt && rt->dst.dev)
 681                skb2->dev = rt->dst.dev;
 682
 683        ipv6_addr_set_v4mapped(ip_hdr(skb)->saddr, &temp_saddr);
 684
 685        if (data_len) {
 686                /* RFC 4884 (partial) support :
 687                 * insert 0 padding at the end, before the extensions
 688                 */
 689                __skb_push(skb2, nhs);
 690                skb_reset_network_header(skb2);
 691                memmove(skb2->data, skb2->data + nhs, data_len - nhs);
 692                memset(skb2->data + data_len - nhs, 0, nhs);
 693                /* RFC 4884 4.5 : Length is measured in 64-bit words,
 694                 * and stored in reserved[0]
 695                 */
 696                info = (data_len/8) << 24;
 697        }
 698        if (type == ICMP_TIME_EXCEEDED)
 699                icmp6_send(skb2, ICMPV6_TIME_EXCEED, ICMPV6_EXC_HOPLIMIT,
 700                           info, &temp_saddr, IP6CB(skb2));
 701        else
 702                icmp6_send(skb2, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH,
 703                           info, &temp_saddr, IP6CB(skb2));
 704        if (rt)
 705                ip6_rt_put(rt);
 706
 707        kfree_skb(skb2);
 708
 709        return 0;
 710}
 711EXPORT_SYMBOL(ip6_err_gen_icmpv6_unreach);
 712
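/* Build and send an Echo Reply (or an Extended Echo Reply, RFC 8335) back to
 * the sender of the request, honouring the echo_ignore_* sysctls and the
 * usual ICMPv6 rate limits.  Called from icmpv6_rcv() for ECHO_REQUEST and
 * EXT_ECHO_REQUEST messages.
 */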
 713static void icmpv6_echo_reply(struct sk_buff *skb)
 714{
 715        struct net *net = dev_net(skb->dev);
 716        struct sock *sk;
 717        struct inet6_dev *idev;
 718        struct ipv6_pinfo *np;
 719        const struct in6_addr *saddr = NULL;
 720        struct icmp6hdr *icmph = icmp6_hdr(skb);
 721        struct icmp6hdr tmp_hdr;
 722        struct flowi6 fl6;
 723        struct icmpv6_msg msg;
 724        struct dst_entry *dst;
 725        struct ipcm6_cookie ipc6;
 726        u32 mark = IP6_REPLY_MARK(net, skb->mark);
 727        bool acast;
 728        u8 type;
 729
 730        if (ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr) &&
 731            net->ipv6.sysctl.icmpv6_echo_ignore_multicast)
 732                return;
 733
 734        saddr = &ipv6_hdr(skb)->daddr;
 735
 736        acast = ipv6_anycast_destination(skb_dst(skb), saddr);
 737        if (acast && net->ipv6.sysctl.icmpv6_echo_ignore_anycast)
 738                return;
 739
 740        if (!ipv6_unicast_destination(skb) &&
 741            !(net->ipv6.sysctl.anycast_src_echo_reply && acast))
 742                saddr = NULL;
 743
 744        if (icmph->icmp6_type == ICMPV6_EXT_ECHO_REQUEST)
 745                type = ICMPV6_EXT_ECHO_REPLY;
 746        else
 747                type = ICMPV6_ECHO_REPLY;
 748
 749        memcpy(&tmp_hdr, icmph, sizeof(tmp_hdr));
 750        tmp_hdr.icmp6_type = type;
 751
 752        memset(&fl6, 0, sizeof(fl6));
 753        if (net->ipv6.sysctl.flowlabel_reflect & FLOWLABEL_REFLECT_ICMPV6_ECHO_REPLIES)
 754                fl6.flowlabel = ip6_flowlabel(ipv6_hdr(skb));
 755
 756        fl6.flowi6_proto = IPPROTO_ICMPV6;
 757        fl6.daddr = ipv6_hdr(skb)->saddr;
 758        if (saddr)
 759                fl6.saddr = *saddr;
 760        fl6.flowi6_oif = icmp6_iif(skb);
 761        fl6.fl6_icmp_type = type;
 762        fl6.flowi6_mark = mark;
 763        fl6.flowi6_uid = sock_net_uid(net, NULL);
 764        security_skb_classify_flow(skb, flowi6_to_flowi_common(&fl6));
 765
 766        local_bh_disable();
 767        sk = icmpv6_xmit_lock(net);
 768        if (!sk)
 769                goto out_bh_enable;
 770        np = inet6_sk(sk);
 771
 772        if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr))
 773                fl6.flowi6_oif = np->mcast_oif;
 774        else if (!fl6.flowi6_oif)
 775                fl6.flowi6_oif = np->ucast_oif;
 776
 777        if (ip6_dst_lookup(net, sk, &dst, &fl6))
 778                goto out;
 779        dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), sk, 0);
 780        if (IS_ERR(dst))
 781                goto out;
 782
 783        /* Check the ratelimit */
 784        if ((!(skb->dev->flags & IFF_LOOPBACK) && !icmpv6_global_allow(net, ICMPV6_ECHO_REPLY)) ||
 785            !icmpv6_xrlim_allow(sk, ICMPV6_ECHO_REPLY, &fl6))
 786                goto out_dst_release;
 787
 788        idev = __in6_dev_get(skb->dev);
 789
 790        msg.skb = skb;
 791        msg.offset = 0;
 792        msg.type = type;
 793
 794        ipcm6_init_sk(&ipc6, np);
 795        ipc6.hlimit = ip6_sk_dst_hoplimit(np, &fl6, dst);
 796        ipc6.tclass = ipv6_get_dsfield(ipv6_hdr(skb));
 797        ipc6.sockc.mark = mark;
 798
 799        if (icmph->icmp6_type == ICMPV6_EXT_ECHO_REQUEST)
 800                if (!icmp_build_probe(skb, (struct icmphdr *)&tmp_hdr))
 801                        goto out_dst_release;
 802
 803        if (ip6_append_data(sk, icmpv6_getfrag, &msg,
 804                            skb->len + sizeof(struct icmp6hdr),
 805                            sizeof(struct icmp6hdr), &ipc6, &fl6,
 806                            (struct rt6_info *)dst, MSG_DONTWAIT)) {
 807                __ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTERRORS);
 808                ip6_flush_pending_frames(sk);
 809        } else {
 810                icmpv6_push_pending_frames(sk, &fl6, &tmp_hdr,
 811                                           skb->len + sizeof(struct icmp6hdr));
 812        }
 813out_dst_release:
 814        dst_release(dst);
 815out:
 816        icmpv6_xmit_unlock(sk);
 817out_bh_enable:
 818        local_bh_enable();
 819}
 820
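/* Deliver a received ICMPv6 error to the affected upper layer: skip any
 * extension headers in the quoted packet to find the inner protocol, then
 * invoke that protocol's err_handler and report the error to matching raw
 * sockets.
 */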
 821void icmpv6_notify(struct sk_buff *skb, u8 type, u8 code, __be32 info)
 822{
 823        const struct inet6_protocol *ipprot;
 824        int inner_offset;
 825        __be16 frag_off;
 826        u8 nexthdr;
 827        struct net *net = dev_net(skb->dev);
 828
 829        if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
 830                goto out;
 831
 832        nexthdr = ((struct ipv6hdr *)skb->data)->nexthdr;
 833        if (ipv6_ext_hdr(nexthdr)) {
 834                /* now skip over extension headers */
 835                inner_offset = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr),
 836                                                &nexthdr, &frag_off);
 837                if (inner_offset < 0)
 838                        goto out;
 839        } else {
 840                inner_offset = sizeof(struct ipv6hdr);
 841        }
 842
  843        /* Check the header, including 8 bytes of the inner protocol header. */
 844        if (!pskb_may_pull(skb, inner_offset+8))
 845                goto out;
 846
 847        /* BUGGG_FUTURE: we should try to parse exthdrs in this packet.
  848           Without this we will not be able, e.g., to do source routed
  849           pmtu discovery.
 850           Corresponding argument (opt) to notifiers is already added.
 851           --ANK (980726)
 852         */
 853
 854        ipprot = rcu_dereference(inet6_protos[nexthdr]);
 855        if (ipprot && ipprot->err_handler)
 856                ipprot->err_handler(skb, NULL, type, code, inner_offset, info);
 857
 858        raw6_icmp_error(skb, nexthdr, type, code, inner_offset, info);
 859        return;
 860
 861out:
 862        __ICMP6_INC_STATS(net, __in6_dev_get(skb->dev), ICMP6_MIB_INERRORS);
 863}
 864
 865/*
 866 *      Handle icmp messages
 867 */
 868
 869static int icmpv6_rcv(struct sk_buff *skb)
 870{
 871        struct net *net = dev_net(skb->dev);
 872        struct net_device *dev = icmp6_dev(skb);
 873        struct inet6_dev *idev = __in6_dev_get(dev);
 874        const struct in6_addr *saddr, *daddr;
 875        struct icmp6hdr *hdr;
 876        u8 type;
 877        bool success = false;
 878
 879        if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
 880                struct sec_path *sp = skb_sec_path(skb);
 881                int nh;
 882
 883                if (!(sp && sp->xvec[sp->len - 1]->props.flags &
 884                                 XFRM_STATE_ICMP))
 885                        goto drop_no_count;
 886
 887                if (!pskb_may_pull(skb, sizeof(*hdr) + sizeof(struct ipv6hdr)))
 888                        goto drop_no_count;
 889
 890                nh = skb_network_offset(skb);
 891                skb_set_network_header(skb, sizeof(*hdr));
 892
 893                if (!xfrm6_policy_check_reverse(NULL, XFRM_POLICY_IN, skb))
 894                        goto drop_no_count;
 895
 896                skb_set_network_header(skb, nh);
 897        }
 898
 899        __ICMP6_INC_STATS(dev_net(dev), idev, ICMP6_MIB_INMSGS);
 900
 901        saddr = &ipv6_hdr(skb)->saddr;
 902        daddr = &ipv6_hdr(skb)->daddr;
 903
 904        if (skb_checksum_validate(skb, IPPROTO_ICMPV6, ip6_compute_pseudo)) {
 905                net_dbg_ratelimited("ICMPv6 checksum failed [%pI6c > %pI6c]\n",
 906                                    saddr, daddr);
 907                goto csum_error;
 908        }
 909
 910        if (!pskb_pull(skb, sizeof(*hdr)))
 911                goto discard_it;
 912
 913        hdr = icmp6_hdr(skb);
 914
 915        type = hdr->icmp6_type;
 916
 917        ICMP6MSGIN_INC_STATS(dev_net(dev), idev, type);
 918
 919        switch (type) {
 920        case ICMPV6_ECHO_REQUEST:
 921                if (!net->ipv6.sysctl.icmpv6_echo_ignore_all)
 922                        icmpv6_echo_reply(skb);
 923                break;
 924        case ICMPV6_EXT_ECHO_REQUEST:
 925                if (!net->ipv6.sysctl.icmpv6_echo_ignore_all &&
 926                    net->ipv4.sysctl_icmp_echo_enable_probe)
 927                        icmpv6_echo_reply(skb);
 928                break;
 929
 930        case ICMPV6_ECHO_REPLY:
 931                success = ping_rcv(skb);
 932                break;
 933
 934        case ICMPV6_EXT_ECHO_REPLY:
 935                success = ping_rcv(skb);
 936                break;
 937
 938        case ICMPV6_PKT_TOOBIG:
 939                /* BUGGG_FUTURE: if packet contains rthdr, we cannot update
  940                   standard destination cache. It seems only an "advanced"
  941                   destination cache would allow us to solve this problem.
 942                   --ANK (980726)
 943                 */
 944                if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
 945                        goto discard_it;
 946                hdr = icmp6_hdr(skb);
 947
 948                /* to notify */
 949                fallthrough;
 950        case ICMPV6_DEST_UNREACH:
 951        case ICMPV6_TIME_EXCEED:
 952        case ICMPV6_PARAMPROB:
 953                icmpv6_notify(skb, type, hdr->icmp6_code, hdr->icmp6_mtu);
 954                break;
 955
 956        case NDISC_ROUTER_SOLICITATION:
 957        case NDISC_ROUTER_ADVERTISEMENT:
 958        case NDISC_NEIGHBOUR_SOLICITATION:
 959        case NDISC_NEIGHBOUR_ADVERTISEMENT:
 960        case NDISC_REDIRECT:
 961                ndisc_rcv(skb);
 962                break;
 963
 964        case ICMPV6_MGM_QUERY:
 965                igmp6_event_query(skb);
 966                return 0;
 967
 968        case ICMPV6_MGM_REPORT:
 969                igmp6_event_report(skb);
 970                return 0;
 971
 972        case ICMPV6_MGM_REDUCTION:
 973        case ICMPV6_NI_QUERY:
 974        case ICMPV6_NI_REPLY:
 975        case ICMPV6_MLD2_REPORT:
 976        case ICMPV6_DHAAD_REQUEST:
 977        case ICMPV6_DHAAD_REPLY:
 978        case ICMPV6_MOBILE_PREFIX_SOL:
 979        case ICMPV6_MOBILE_PREFIX_ADV:
 980                break;
 981
 982        default:
 983                /* informational */
 984                if (type & ICMPV6_INFOMSG_MASK)
 985                        break;
 986
 987                net_dbg_ratelimited("icmpv6: msg of unknown type [%pI6c > %pI6c]\n",
 988                                    saddr, daddr);
 989
 990                /*
 991                 * error of unknown type.
 992                 * must pass to upper level
 993                 */
 994
 995                icmpv6_notify(skb, type, hdr->icmp6_code, hdr->icmp6_mtu);
 996        }
 997
 998        /* until the v6 path can be better sorted assume failure and
 999         * preserve the status quo behaviour for the rest of the paths to here
1000         */
1001        if (success)
1002                consume_skb(skb);
1003        else
1004                kfree_skb(skb);
1005
1006        return 0;
1007
1008csum_error:
1009        __ICMP6_INC_STATS(dev_net(dev), idev, ICMP6_MIB_CSUMERRORS);
1010discard_it:
1011        __ICMP6_INC_STATS(dev_net(dev), idev, ICMP6_MIB_INERRORS);
1012drop_no_count:
1013        kfree_skb(skb);
1014        return 0;
1015}
1016
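/* Fill in a flowi6 for an ICMPv6 transmission with the given type, addresses
 * and outgoing interface, and classify it for security modules; used by
 * callers such as ndisc that build their own ICMPv6 packets.
 */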
1017void icmpv6_flow_init(struct sock *sk, struct flowi6 *fl6,
1018                      u8 type,
1019                      const struct in6_addr *saddr,
1020                      const struct in6_addr *daddr,
1021                      int oif)
1022{
1023        memset(fl6, 0, sizeof(*fl6));
1024        fl6->saddr = *saddr;
1025        fl6->daddr = *daddr;
1026        fl6->flowi6_proto       = IPPROTO_ICMPV6;
1027        fl6->fl6_icmp_type      = type;
1028        fl6->fl6_icmp_code      = 0;
1029        fl6->flowi6_oif         = oif;
1030        security_sk_classify_flow(sk, flowi6_to_flowi_common(fl6));
1031}
1032
1033static void __net_exit icmpv6_sk_exit(struct net *net)
1034{
1035        int i;
1036
1037        for_each_possible_cpu(i)
1038                inet_ctl_sock_destroy(*per_cpu_ptr(net->ipv6.icmp_sk, i));
1039        free_percpu(net->ipv6.icmp_sk);
1040}
1041
1042static int __net_init icmpv6_sk_init(struct net *net)
1043{
1044        struct sock *sk;
1045        int err, i;
1046
1047        net->ipv6.icmp_sk = alloc_percpu(struct sock *);
1048        if (!net->ipv6.icmp_sk)
1049                return -ENOMEM;
1050
1051        for_each_possible_cpu(i) {
1052                err = inet_ctl_sock_create(&sk, PF_INET6,
1053                                           SOCK_RAW, IPPROTO_ICMPV6, net);
1054                if (err < 0) {
1055                        pr_err("Failed to initialize the ICMP6 control socket (err %d)\n",
1056                               err);
1057                        goto fail;
1058                }
1059
1060                *per_cpu_ptr(net->ipv6.icmp_sk, i) = sk;
1061
1062                /* Enough space for 2 64K ICMP packets, including
1063                 * sk_buff struct overhead.
1064                 */
1065                sk->sk_sndbuf = 2 * SKB_TRUESIZE(64 * 1024);
1066        }
1067        return 0;
1068
1069 fail:
1070        icmpv6_sk_exit(net);
1071        return err;
1072}
1073
1074static struct pernet_operations icmpv6_sk_ops = {
1075        .init = icmpv6_sk_init,
1076        .exit = icmpv6_sk_exit,
1077};
1078
1079int __init icmpv6_init(void)
1080{
1081        int err;
1082
1083        err = register_pernet_subsys(&icmpv6_sk_ops);
1084        if (err < 0)
1085                return err;
1086
1087        err = -EAGAIN;
1088        if (inet6_add_protocol(&icmpv6_protocol, IPPROTO_ICMPV6) < 0)
1089                goto fail;
1090
1091        err = inet6_register_icmp_sender(icmp6_send);
1092        if (err)
1093                goto sender_reg_err;
1094        return 0;
1095
1096sender_reg_err:
1097        inet6_del_protocol(&icmpv6_protocol, IPPROTO_ICMPV6);
1098fail:
1099        pr_err("Failed to register ICMP6 protocol\n");
1100        unregister_pernet_subsys(&icmpv6_sk_ops);
1101        return err;
1102}
1103
1104void icmpv6_cleanup(void)
1105{
1106        inet6_unregister_icmp_sender(icmp6_send);
1107        unregister_pernet_subsys(&icmpv6_sk_ops);
1108        inet6_del_protocol(&icmpv6_protocol, IPPROTO_ICMPV6);
1109}
1110
1111
1112static const struct icmp6_err {
1113        int err;
1114        int fatal;
1115} tab_unreach[] = {
1116        {       /* NOROUTE */
1117                .err    = ENETUNREACH,
1118                .fatal  = 0,
1119        },
1120        {       /* ADM_PROHIBITED */
1121                .err    = EACCES,
1122                .fatal  = 1,
1123        },
1124        {       /* Was NOT_NEIGHBOUR, now reserved */
1125                .err    = EHOSTUNREACH,
1126                .fatal  = 0,
1127        },
1128        {       /* ADDR_UNREACH */
1129                .err    = EHOSTUNREACH,
1130                .fatal  = 0,
1131        },
1132        {       /* PORT_UNREACH */
1133                .err    = ECONNREFUSED,
1134                .fatal  = 1,
1135        },
1136        {       /* POLICY_FAIL */
1137                .err    = EACCES,
1138                .fatal  = 1,
1139        },
1140        {       /* REJECT_ROUTE */
1141                .err    = EACCES,
1142                .fatal  = 1,
1143        },
1144};
1145
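/* Map an ICMPv6 error type/code to an errno value for the affected socket,
 * using tab_unreach above for ICMPV6_DEST_UNREACH codes.  Returns non-zero
 * when the error should be treated as fatal by the caller.
 */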
1146int icmpv6_err_convert(u8 type, u8 code, int *err)
1147{
1148        int fatal = 0;
1149
1150        *err = EPROTO;
1151
1152        switch (type) {
1153        case ICMPV6_DEST_UNREACH:
1154                fatal = 1;
1155                if (code < ARRAY_SIZE(tab_unreach)) {
1156                        *err  = tab_unreach[code].err;
1157                        fatal = tab_unreach[code].fatal;
1158                }
1159                break;
1160
1161        case ICMPV6_PKT_TOOBIG:
1162                *err = EMSGSIZE;
1163                break;
1164
1165        case ICMPV6_PARAMPROB:
1166                *err = EPROTO;
1167                fatal = 1;
1168                break;
1169
1170        case ICMPV6_TIME_EXCEED:
1171                *err = EHOSTUNREACH;
1172                break;
1173        }
1174
1175        return fatal;
1176}
1177EXPORT_SYMBOL(icmpv6_err_convert);
1178
1179#ifdef CONFIG_SYSCTL
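/* Template for the per-netns ICMPv6 sysctl table; ipv6_icmp_sysctl_init()
 * duplicates it and repoints each entry's .data at the corresponding fields
 * of the new namespace.
 */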
1180static struct ctl_table ipv6_icmp_table_template[] = {
1181        {
1182                .procname       = "ratelimit",
1183                .data           = &init_net.ipv6.sysctl.icmpv6_time,
1184                .maxlen         = sizeof(int),
1185                .mode           = 0644,
1186                .proc_handler   = proc_dointvec_ms_jiffies,
1187        },
1188        {
1189                .procname       = "echo_ignore_all",
1190                .data           = &init_net.ipv6.sysctl.icmpv6_echo_ignore_all,
1191                .maxlen         = sizeof(u8),
1192                .mode           = 0644,
1193                .proc_handler = proc_dou8vec_minmax,
1194        },
1195        {
1196                .procname       = "echo_ignore_multicast",
1197                .data           = &init_net.ipv6.sysctl.icmpv6_echo_ignore_multicast,
1198                .maxlen         = sizeof(u8),
1199                .mode           = 0644,
1200                .proc_handler = proc_dou8vec_minmax,
1201        },
1202        {
1203                .procname       = "echo_ignore_anycast",
1204                .data           = &init_net.ipv6.sysctl.icmpv6_echo_ignore_anycast,
1205                .maxlen         = sizeof(u8),
1206                .mode           = 0644,
1207                .proc_handler = proc_dou8vec_minmax,
1208        },
1209        {
1210                .procname       = "ratemask",
1211                .data           = &init_net.ipv6.sysctl.icmpv6_ratemask_ptr,
1212                .maxlen         = ICMPV6_MSG_MAX + 1,
1213                .mode           = 0644,
1214                .proc_handler = proc_do_large_bitmap,
1215        },
1216        { },
1217};
1218
1219struct ctl_table * __net_init ipv6_icmp_sysctl_init(struct net *net)
1220{
1221        struct ctl_table *table;
1222
1223        table = kmemdup(ipv6_icmp_table_template,
1224                        sizeof(ipv6_icmp_table_template),
1225                        GFP_KERNEL);
1226
1227        if (table) {
1228                table[0].data = &net->ipv6.sysctl.icmpv6_time;
1229                table[1].data = &net->ipv6.sysctl.icmpv6_echo_ignore_all;
1230                table[2].data = &net->ipv6.sysctl.icmpv6_echo_ignore_multicast;
1231                table[3].data = &net->ipv6.sysctl.icmpv6_echo_ignore_anycast;
1232                table[4].data = &net->ipv6.sysctl.icmpv6_ratemask_ptr;
1233        }
1234        return table;
1235}
1236#endif
1237