net/ipv6/icmp.c

0001 // SPDX-License-Identifier: GPL-2.0-or-later
0002 /*
0003  *  Internet Control Message Protocol (ICMPv6)
0004  *  Linux INET6 implementation
0005  *
0006  *  Authors:
0007  *  Pedro Roque     <roque@di.fc.ul.pt>
0008  *
0009  *  Based on net/ipv4/icmp.c
0010  *
0011  *  RFC 1885
0012  */
0013
0014 /*
0015  *  Changes:
0016  *
0017  *  Andi Kleen      :   exception handling
0018  *  Andi Kleen          add rate limits. never reply to a icmp.
0019  *                  add more length checks and other fixes.
0020  *  yoshfuji        :   ensure to sent parameter problem for
0021  *                  fragments.
0022  *  YOSHIFUJI Hideaki @USAGI:   added sysctl for icmp rate limit.
0023  *  Randy Dunlap and
0024  *  YOSHIFUJI Hideaki @USAGI:   Per-interface statistics support
0025  *  Kazunori MIYAZAWA @USAGI:       change output process to use ip6_append_data
0026  */
0027
0028 #define pr_fmt(fmt) "IPv6: " fmt
0029
0030 #include <linux/module.h>
0031 #include <linux/errno.h>
0032 #include <linux/types.h>
0033 #include <linux/socket.h>
0034 #include <linux/in.h>
0035 #include <linux/kernel.h>
0036 #include <linux/sockios.h>
0037 #include <linux/net.h>
0038 #include <linux/skbuff.h>
0039 #include <linux/init.h>
0040 #include <linux/netfilter.h>
0041 #include <linux/slab.h>
0042
0043 #ifdef CONFIG_SYSCTL
0044 #include <linux/sysctl.h>
0045 #endif
0046
0047 #include <linux/inet.h>
0048 #include <linux/netdevice.h>
0049 #include <linux/icmpv6.h>
0050
0051 #include <net/ip.h>
0052 #include <net/sock.h>
0053
0054 #include <net/ipv6.h>
0055 #include <net/ip6_checksum.h>
0056 #include <net/ping.h>
0057 #include <net/protocol.h>
0058 #include <net/raw.h>
0059 #include <net/rawv6.h>
0060 #include <net/seg6.h>
0061 #include <net/transp_v6.h>
0062 #include <net/ip6_route.h>
0063 #include <net/addrconf.h>
0064 #include <net/icmp.h>
0065 #include <net/xfrm.h>
0066 #include <net/inet_common.h>
0067 #include <net/dsfield.h>
0068 #include <net/l3mdev.h>
0069
0070 #include <linux/uaccess.h>
0071
0072 static DEFINE_PER_CPU(struct sock *, ipv6_icmp_sk);
0073
0074 static int icmpv6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
0075                u8 type, u8 code, int offset, __be32 info)
0076 {
0077     /* icmpv6_notify checks 8 bytes can be pulled, icmp6hdr is 8 bytes */
0078     struct icmp6hdr *icmp6 = (struct icmp6hdr *) (skb->data + offset);
0079     struct net *net = dev_net(skb->dev);
0080
0081     if (type == ICMPV6_PKT_TOOBIG)
0082         ip6_update_pmtu(skb, net, info, skb->dev->ifindex, 0, sock_net_uid(net, NULL));
0083     else if (type == NDISC_REDIRECT)
0084         ip6_redirect(skb, net, skb->dev->ifindex, 0,
0085                  sock_net_uid(net, NULL));
0086
0087     if (!(type & ICMPV6_INFOMSG_MASK))
0088         if (icmp6->icmp6_type == ICMPV6_ECHO_REQUEST)
0089             ping_err(skb, offset, ntohl(info));
0090
0091     return 0;
0092 }
0093
0094 static int icmpv6_rcv(struct sk_buff *skb);
0095
0096 static const struct inet6_protocol icmpv6_protocol = {
0097     .handler    =   icmpv6_rcv,
0098     .err_handler    =   icmpv6_err,
0099     .flags      =   INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL,
0100 };
0101
0102 /* Called with BH disabled */
0103 static struct sock *icmpv6_xmit_lock(struct net *net)
0104 {
0105     struct sock *sk;
0106
0107     sk = this_cpu_read(ipv6_icmp_sk);
0108     if (unlikely(!spin_trylock(&sk->sk_lock.slock))) {
0109         /* This can happen if the output path (f.e. SIT or
0110          * ip6ip6 tunnel) signals dst_link_failure() for an
0111          * outgoing ICMP6 packet.
0112          */
0113         return NULL;
0114     }
0115     sock_net_set(sk, net);
0116     return sk;
0117 }
0118
0119 static void icmpv6_xmit_unlock(struct sock *sk)
0120 {
0121     sock_net_set(sk, &init_net);
0122     spin_unlock(&sk->sk_lock.slock);
0123 }
0124
0125 /*
0126  * Figure out, may we reply to this packet with icmp error.
0127  *
0128  * We do not reply, if:
0129  *  - it was icmp error message.
0130  *  - it is truncated, so that it is known, that protocol is ICMPV6
0131  *    (i.e. in the middle of some exthdr)
0132  *
0133  *  --ANK (980726)
0134  */
0135
0136 static bool is_ineligible(const struct sk_buff *skb)
0137 {
0138     int ptr = (u8 *)(ipv6_hdr(skb) + 1) - skb->data;
0139     int len = skb->len - ptr;
0140     __u8 nexthdr = ipv6_hdr(skb)->nexthdr;
0141     __be16 frag_off;
0142
0143     if (len < 0)
0144         return true;
0145
0146     ptr = ipv6_skip_exthdr(skb, ptr, &nexthdr, &frag_off);
0147     if (ptr < 0)
0148         return false;
0149     if (nexthdr == IPPROTO_ICMPV6) {
0150         u8 _type, *tp;
0151         tp = skb_header_pointer(skb,
0152             ptr+offsetof(struct icmp6hdr, icmp6_type),
0153             sizeof(_type), &_type);
0154
0155         /* Based on RFC 8200, Section 4.5 Fragment Header, return
0156          * false if this is a fragment packet with no icmp header info.
0157          */
0158         if (!tp && frag_off != 0)
0159             return false;
0160         else if (!tp || !(*tp & ICMPV6_INFOMSG_MASK))
0161             return true;
0162     }
0163     return false;
0164 }
0165
0166 static bool icmpv6_mask_allow(struct net *net, int type)
0167 {
0168     if (type > ICMPV6_MSG_MAX)
0169         return true;
0170
0171     /* Limit if icmp type is set in ratemask. */
0172     if (!test_bit(type, net->ipv6.sysctl.icmpv6_ratemask))
0173         return true;
0174
0175     return false;
0176 }
0177
0178 static bool icmpv6_global_allow(struct net *net, int type)
0179 {
0180     if (icmpv6_mask_allow(net, type))
0181         return true;
0182
0183     if (icmp_global_allow())
0184         return true;
0185
0186     return false;
0187 }
0188
0189 /*
0190  * Check the ICMP output rate limit
0191  */
0192 static bool icmpv6_xrlim_allow(struct sock *sk, u8 type,
0193                    struct flowi6 *fl6)
0194 {
0195     struct net *net = sock_net(sk);
0196     struct dst_entry *dst;
0197     bool res = false;
0198
0199     if (icmpv6_mask_allow(net, type))
0200         return true;
0201
0202     /*
0203      * Look up the output route.
0204      * XXX: perhaps the expire for routing entries cloned by
0205      * this lookup should be more aggressive (not longer than timeout).
0206      */
0207     dst = ip6_route_output(net, sk, fl6);
0208     if (dst->error) {
0209         IP6_INC_STATS(net, ip6_dst_idev(dst),
0210                   IPSTATS_MIB_OUTNOROUTES);
0211     } else if (dst->dev && (dst->dev->flags&IFF_LOOPBACK)) {
0212         res = true;
0213     } else {
0214         struct rt6_info *rt = (struct rt6_info *)dst;
0215         int tmo = net->ipv6.sysctl.icmpv6_time;
0216         struct inet_peer *peer;
0217
0218         /* Give more bandwidth to wider prefixes. */
0219         if (rt->rt6i_dst.plen < 128)
0220             tmo >>= ((128 - rt->rt6i_dst.plen)>>5);
0221
0222         peer = inet_getpeer_v6(net->ipv6.peers, &fl6->daddr, 1);
0223         res = inet_peer_xrlim_allow(peer, tmo);
0224         if (peer)
0225             inet_putpeer(peer);
0226     }
0227     dst_release(dst);
0228     return res;
0229 }
0230
0231 static bool icmpv6_rt_has_prefsrc(struct sock *sk, u8 type,
0232                   struct flowi6 *fl6)
0233 {
0234     struct net *net = sock_net(sk);
0235     struct dst_entry *dst;
0236     bool res = false;
0237
0238     dst = ip6_route_output(net, sk, fl6);
0239     if (!dst->error) {
0240         struct rt6_info *rt = (struct rt6_info *)dst;
0241         struct in6_addr prefsrc;
0242
0243         rt6_get_prefsrc(rt, &prefsrc);
0244         res = !ipv6_addr_any(&prefsrc);
0245     }
0246     dst_release(dst);
0247     return res;
0248 }
0249
0250 /*
0251  *  an inline helper for the "simple" if statement below
0252  *  checks if parameter problem report is caused by an
0253  *  unrecognized IPv6 option that has the Option Type
0254  *  highest-order two bits set to 10
0255  */
0256
0257 static bool opt_unrec(struct sk_buff *skb, __u32 offset)
0258 {
0259     u8 _optval, *op;
0260
0261     offset += skb_network_offset(skb);
0262     op = skb_header_pointer(skb, offset, sizeof(_optval), &_optval);
0263     if (!op)
0264         return true;
0265     return (*op & 0xC0) == 0x80;
0266 }
0267
0268 void icmpv6_push_pending_frames(struct sock *sk, struct flowi6 *fl6,
0269                 struct icmp6hdr *thdr, int len)
0270 {
0271     struct sk_buff *skb;
0272     struct icmp6hdr *icmp6h;
0273
0274     skb = skb_peek(&sk->sk_write_queue);
0275     if (!skb)
0276         return;
0277
0278     icmp6h = icmp6_hdr(skb);
0279     memcpy(icmp6h, thdr, sizeof(struct icmp6hdr));
0280     icmp6h->icmp6_cksum = 0;
0281
0282     if (skb_queue_len(&sk->sk_write_queue) == 1) {
0283         skb->csum = csum_partial(icmp6h,
0284                     sizeof(struct icmp6hdr), skb->csum);
0285         icmp6h->icmp6_cksum = csum_ipv6_magic(&fl6->saddr,
0286                               &fl6->daddr,
0287                               len, fl6->flowi6_proto,
0288                               skb->csum);
0289     } else {
0290         __wsum tmp_csum = 0;
0291
0292         skb_queue_walk(&sk->sk_write_queue, skb) {
0293             tmp_csum = csum_add(tmp_csum, skb->csum);
0294         }
0295
0296         tmp_csum = csum_partial(icmp6h,
0297                     sizeof(struct icmp6hdr), tmp_csum);
0298         icmp6h->icmp6_cksum = csum_ipv6_magic(&fl6->saddr,
0299                               &fl6->daddr,
0300                               len, fl6->flowi6_proto,
0301                               tmp_csum);
0302     }
0303     ip6_push_pending_frames(sk);
0304 }
0305
0306 struct icmpv6_msg {
0307     struct sk_buff  *skb;
0308     int     offset;
0309     uint8_t     type;
0310 };
0311
0312 static int icmpv6_getfrag(void *from, char *to, int offset, int len, int odd, struct sk_buff *skb)
0313 {
0314     struct icmpv6_msg *msg = (struct icmpv6_msg *) from;
0315     struct sk_buff *org_skb = msg->skb;
0316     __wsum csum;
0317
0318     csum = skb_copy_and_csum_bits(org_skb, msg->offset + offset,
0319                       to, len);
0320     skb->csum = csum_block_add(skb->csum, csum, odd);
0321     if (!(msg->type & ICMPV6_INFOMSG_MASK))
0322         nf_ct_attach(skb, org_skb);
0323     return 0;
0324 }
0325
0326 #if IS_ENABLED(CONFIG_IPV6_MIP6)
0327 static void mip6_addr_swap(struct sk_buff *skb, const struct inet6_skb_parm *opt)
0328 {
0329     struct ipv6hdr *iph = ipv6_hdr(skb);
0330     struct ipv6_destopt_hao *hao;
0331     struct in6_addr tmp;
0332     int off;
0333
0334     if (opt->dsthao) {
0335         off = ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO);
0336         if (likely(off >= 0)) {
0337             hao = (struct ipv6_destopt_hao *)
0338                     (skb_network_header(skb) + off);
0339             tmp = iph->saddr;
0340             iph->saddr = hao->addr;
0341             hao->addr = tmp;
0342         }
0343     }
0344 }
0345 #else
0346 static inline void mip6_addr_swap(struct sk_buff *skb, const struct inet6_skb_parm *opt) {}
0347 #endif
0348
0349 static struct dst_entry *icmpv6_route_lookup(struct net *net,
0350                          struct sk_buff *skb,
0351                          struct sock *sk,
0352                          struct flowi6 *fl6)
0353 {
0354     struct dst_entry *dst, *dst2;
0355     struct flowi6 fl2;
0356     int err;
0357
0358     err = ip6_dst_lookup(net, sk, &dst, fl6);
0359     if (err)
0360         return ERR_PTR(err);
0361
0362     /*
0363      * We won't send icmp if the destination is known
0364      * anycast.
0365      */
0366     if (ipv6_anycast_destination(dst, &fl6->daddr)) {
0367         net_dbg_ratelimited("icmp6_send: acast source\n");
0368         dst_release(dst);
0369         return ERR_PTR(-EINVAL);
0370     }
0371
0372     /* No need to clone since we're just using its address. */
0373     dst2 = dst;
0374
0375     dst = xfrm_lookup(net, dst, flowi6_to_flowi(fl6), sk, 0);
0376     if (!IS_ERR(dst)) {
0377         if (dst != dst2)
0378             return dst;
0379     } else {
0380         if (PTR_ERR(dst) == -EPERM)
0381             dst = NULL;
0382         else
0383             return dst;
0384     }
0385
0386     err = xfrm_decode_session_reverse(skb, flowi6_to_flowi(&fl2), AF_INET6);
0387     if (err)
0388         goto relookup_failed;
0389
0390     err = ip6_dst_lookup(net, sk, &dst2, &fl2);
0391     if (err)
0392         goto relookup_failed;
0393
0394     dst2 = xfrm_lookup(net, dst2, flowi6_to_flowi(&fl2), sk, XFRM_LOOKUP_ICMP);
0395     if (!IS_ERR(dst2)) {
0396         dst_release(dst);
0397         dst = dst2;
0398     } else {
0399         err = PTR_ERR(dst2);
0400         if (err == -EPERM) {
0401             dst_release(dst);
0402             return dst2;
0403         } else
0404             goto relookup_failed;
0405     }
0406
0407 relookup_failed:
0408     if (dst)
0409         return dst;
0410     return ERR_PTR(err);
0411 }
0412
0413 static struct net_device *icmp6_dev(const struct sk_buff *skb)
0414 {
0415     struct net_device *dev = skb->dev;
0416
0417     /* for local traffic to local address, skb dev is the loopback
0418      * device. Check if there is a dst attached to the skb and if so
0419      * get the real device index. Same is needed for replies to a link
0420      * local address on a device enslaved to an L3 master device
0421      */
0422     if (unlikely(dev->ifindex == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev))) {
0423         const struct rt6_info *rt6 = skb_rt6_info(skb);
0424
0425         if (rt6)
0426             dev = rt6->rt6i_idev->dev;
0427     }
0428
0429     return dev;
0430 }
0431
0432 static int icmp6_iif(const struct sk_buff *skb)
0433 {
0434     return icmp6_dev(skb)->ifindex;
0435 }
0436
0437 /*
0438  *  Send an ICMP message in response to a packet in error
0439  */
0440 void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info,
0441         const struct in6_addr *force_saddr,
0442         const struct inet6_skb_parm *parm)
0443 {
0444     struct inet6_dev *idev = NULL;
0445     struct ipv6hdr *hdr = ipv6_hdr(skb);
0446     struct sock *sk;
0447     struct net *net;
0448     struct ipv6_pinfo *np;
0449     const struct in6_addr *saddr = NULL;
0450     struct dst_entry *dst;
0451     struct icmp6hdr tmp_hdr;
0452     struct flowi6 fl6;
0453     struct icmpv6_msg msg;
0454     struct ipcm6_cookie ipc6;
0455     int iif = 0;
0456     int addr_type = 0;
0457     int len;
0458     u32 mark;
0459
0460     if ((u8 *)hdr < skb->head ||
0461         (skb_network_header(skb) + sizeof(*hdr)) > skb_tail_pointer(skb))
0462         return;
0463
0464     if (!skb->dev)
0465         return;
0466     net = dev_net(skb->dev);
0467     mark = IP6_REPLY_MARK(net, skb->mark);
0468     /*
0469      *  Make sure we respect the rules
0470      *  i.e. RFC 1885 2.4(e)
0471      *  Rule (e.1) is enforced by not using icmp6_send
0472      *  in any code that processes icmp errors.
0473      */
0474     addr_type = ipv6_addr_type(&hdr->daddr);
0475
0476     if (ipv6_chk_addr(net, &hdr->daddr, skb->dev, 0) ||
0477         ipv6_chk_acast_addr_src(net, skb->dev, &hdr->daddr))
0478         saddr = &hdr->daddr;
0479
0480     /*
0481      *  Dest addr check
0482      */
0483
0484     if (addr_type & IPV6_ADDR_MULTICAST || skb->pkt_type != PACKET_HOST) {
0485         if (type != ICMPV6_PKT_TOOBIG &&
0486             !(type == ICMPV6_PARAMPROB &&
0487               code == ICMPV6_UNK_OPTION &&
0488               (opt_unrec(skb, info))))
0489             return;
0490
0491         saddr = NULL;
0492     }
0493
0494     addr_type = ipv6_addr_type(&hdr->saddr);
0495
0496     /*
0497      *  Source addr check
0498      */
0499
0500     if (__ipv6_addr_needs_scope_id(addr_type)) {
0501         iif = icmp6_iif(skb);
0502     } else {
0503         /*
0504          * The source device is used for looking up which routing table
0505          * to use for sending an ICMP error.
0506          */
0507         iif = l3mdev_master_ifindex(skb->dev);
0508     }
0509
0510     /*
0511      *  Must not send error if the source does not uniquely
0512      *  identify a single node (RFC2463 Section 2.4).
0513      *  We check unspecified / multicast addresses here,
0514      *  and anycast addresses will be checked later.
0515      */
0516     if ((addr_type == IPV6_ADDR_ANY) || (addr_type & IPV6_ADDR_MULTICAST)) {
0517         net_dbg_ratelimited("icmp6_send: addr_any/mcast source [%pI6c > %pI6c]\n",
0518                     &hdr->saddr, &hdr->daddr);
0519         return;
0520     }
0521
0522     /*
0523      *  Never answer to a ICMP packet.
0524      */
0525     if (is_ineligible(skb)) {
0526         net_dbg_ratelimited("icmp6_send: no reply to icmp error [%pI6c > %pI6c]\n",
0527                     &hdr->saddr, &hdr->daddr);
0528         return;
0529     }
0530
0531     /* Needed by both icmp_global_allow and icmpv6_xmit_lock */
0532     local_bh_disable();
0533
0534     /* Check global sysctl_icmp_msgs_per_sec ratelimit */
0535     if (!(skb->dev->flags & IFF_LOOPBACK) && !icmpv6_global_allow(net, type))
0536         goto out_bh_enable;
0537
0538     mip6_addr_swap(skb, parm);
0539
0540     sk = icmpv6_xmit_lock(net);
0541     if (!sk)
0542         goto out_bh_enable;
0543
0544     memset(&fl6, 0, sizeof(fl6));
0545     fl6.flowi6_proto = IPPROTO_ICMPV6;
0546     fl6.daddr = hdr->saddr;
0547     if (force_saddr)
0548         saddr = force_saddr;
0549     if (saddr) {
0550         fl6.saddr = *saddr;
0551     } else if (!icmpv6_rt_has_prefsrc(sk, type, &fl6)) {
0552         /* select a more meaningful saddr from input if */
0553         struct net_device *in_netdev;
0554
0555         in_netdev = dev_get_by_index(net, parm->iif);
0556         if (in_netdev) {
0557             ipv6_dev_get_saddr(net, in_netdev, &fl6.daddr,
0558                        inet6_sk(sk)->srcprefs,
0559                        &fl6.saddr);
0560             dev_put(in_netdev);
0561         }
0562     }
0563     fl6.flowi6_mark = mark;
0564     fl6.flowi6_oif = iif;
0565     fl6.fl6_icmp_type = type;
0566     fl6.fl6_icmp_code = code;
0567     fl6.flowi6_uid = sock_net_uid(net, NULL);
0568     fl6.mp_hash = rt6_multipath_hash(net, &fl6, skb, NULL);
0569     security_skb_classify_flow(skb, flowi6_to_flowi_common(&fl6));
0570
0571     np = inet6_sk(sk);
0572
0573     if (!icmpv6_xrlim_allow(sk, type, &fl6))
0574         goto out;
0575
0576     tmp_hdr.icmp6_type = type;
0577     tmp_hdr.icmp6_code = code;
0578     tmp_hdr.icmp6_cksum = 0;
0579     tmp_hdr.icmp6_pointer = htonl(info);
0580
0581     if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr))
0582         fl6.flowi6_oif = np->mcast_oif;
0583     else if (!fl6.flowi6_oif)
0584         fl6.flowi6_oif = np->ucast_oif;
0585
0586     ipcm6_init_sk(&ipc6, np);
0587     ipc6.sockc.mark = mark;
0588     fl6.flowlabel = ip6_make_flowinfo(ipc6.tclass, fl6.flowlabel);
0589
0590     dst = icmpv6_route_lookup(net, skb, sk, &fl6);
0591     if (IS_ERR(dst))
0592         goto out;
0593
0594     ipc6.hlimit = ip6_sk_dst_hoplimit(np, &fl6, dst);
0595
0596     msg.skb = skb;
0597     msg.offset = skb_network_offset(skb);
0598     msg.type = type;
0599
0600     len = skb->len - msg.offset;
0601     len = min_t(unsigned int, len, IPV6_MIN_MTU - sizeof(struct ipv6hdr) - sizeof(struct icmp6hdr));
0602     if (len < 0) {
0603         net_dbg_ratelimited("icmp: len problem [%pI6c > %pI6c]\n",
0604                     &hdr->saddr, &hdr->daddr);
0605         goto out_dst_release;
0606     }
0607
0608     rcu_read_lock();
0609     idev = __in6_dev_get(skb->dev);
0610
0611     if (ip6_append_data(sk, icmpv6_getfrag, &msg,
0612                 len + sizeof(struct icmp6hdr),
0613                 sizeof(struct icmp6hdr),
0614                 &ipc6, &fl6, (struct rt6_info *)dst,
0615                 MSG_DONTWAIT)) {
0616         ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTERRORS);
0617         ip6_flush_pending_frames(sk);
0618     } else {
0619         icmpv6_push_pending_frames(sk, &fl6, &tmp_hdr,
0620                        len + sizeof(struct icmp6hdr));
0621     }
0622     rcu_read_unlock();
0623 out_dst_release:
0624     dst_release(dst);
0625 out:
0626     icmpv6_xmit_unlock(sk);
0627 out_bh_enable:
0628     local_bh_enable();
0629 }
0630 EXPORT_SYMBOL(icmp6_send);
0631
0632 /* Slightly more convenient version of icmp6_send with drop reasons.
0633  */
0634 void icmpv6_param_prob_reason(struct sk_buff *skb, u8 code, int pos,
0635                   enum skb_drop_reason reason)
0636 {
0637     icmp6_send(skb, ICMPV6_PARAMPROB, code, pos, NULL, IP6CB(skb));
0638     kfree_skb_reason(skb, reason);
0639 }
0640
0641 /* Generate icmpv6 with type/code ICMPV6_DEST_UNREACH/ICMPV6_ADDR_UNREACH
0642  * if sufficient data bytes are available
0643  * @nhs is the size of the tunnel header(s) :
0644  *  Either an IPv4 header for SIT encap
0645  *         an IPv4 header + GRE header for GRE encap
0646  */
0647 int ip6_err_gen_icmpv6_unreach(struct sk_buff *skb, int nhs, int type,
0648                    unsigned int data_len)
0649 {
0650     struct in6_addr temp_saddr;
0651     struct rt6_info *rt;
0652     struct sk_buff *skb2;
0653     u32 info = 0;
0654
0655     if (!pskb_may_pull(skb, nhs + sizeof(struct ipv6hdr) + 8))
0656         return 1;
0657
0658     /* RFC 4884 (partial) support for ICMP extensions */
0659     if (data_len < 128 || (data_len & 7) || skb->len < data_len)
0660         data_len = 0;
0661
0662     skb2 = data_len ? skb_copy(skb, GFP_ATOMIC) : skb_clone(skb, GFP_ATOMIC);
0663
0664     if (!skb2)
0665         return 1;
0666
0667     skb_dst_drop(skb2);
0668     skb_pull(skb2, nhs);
0669     skb_reset_network_header(skb2);
0670
0671     rt = rt6_lookup(dev_net(skb->dev), &ipv6_hdr(skb2)->saddr, NULL, 0,
0672             skb, 0);
0673
0674     if (rt && rt->dst.dev)
0675         skb2->dev = rt->dst.dev;
0676
0677     ipv6_addr_set_v4mapped(ip_hdr(skb)->saddr, &temp_saddr);
0678
0679     if (data_len) {
0680         /* RFC 4884 (partial) support :
0681          * insert 0 padding at the end, before the extensions
0682          */
0683         __skb_push(skb2, nhs);
0684         skb_reset_network_header(skb2);
0685         memmove(skb2->data, skb2->data + nhs, data_len - nhs);
0686         memset(skb2->data + data_len - nhs, 0, nhs);
0687         /* RFC 4884 4.5 : Length is measured in 64-bit words,
0688          * and stored in reserved[0]
0689          */
0690         info = (data_len/8) << 24;
0691     }
0692     if (type == ICMP_TIME_EXCEEDED)
0693         icmp6_send(skb2, ICMPV6_TIME_EXCEED, ICMPV6_EXC_HOPLIMIT,
0694                info, &temp_saddr, IP6CB(skb2));
0695     else
0696         icmp6_send(skb2, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH,
0697                info, &temp_saddr, IP6CB(skb2));
0698     if (rt)
0699         ip6_rt_put(rt);
0700
0701     kfree_skb(skb2);
0702
0703     return 0;
0704 }
0705 EXPORT_SYMBOL(ip6_err_gen_icmpv6_unreach);
0706
0707 static void icmpv6_echo_reply(struct sk_buff *skb)
0708 {
0709     struct net *net = dev_net(skb->dev);
0710     struct sock *sk;
0711     struct inet6_dev *idev;
0712     struct ipv6_pinfo *np;
0713     const struct in6_addr *saddr = NULL;
0714     struct icmp6hdr *icmph = icmp6_hdr(skb);
0715     struct icmp6hdr tmp_hdr;
0716     struct flowi6 fl6;
0717     struct icmpv6_msg msg;
0718     struct dst_entry *dst;
0719     struct ipcm6_cookie ipc6;
0720     u32 mark = IP6_REPLY_MARK(net, skb->mark);
0721     bool acast;
0722     u8 type;
0723
0724     if (ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr) &&
0725         net->ipv6.sysctl.icmpv6_echo_ignore_multicast)
0726         return;
0727
0728     saddr = &ipv6_hdr(skb)->daddr;
0729
0730     acast = ipv6_anycast_destination(skb_dst(skb), saddr);
0731     if (acast && net->ipv6.sysctl.icmpv6_echo_ignore_anycast)
0732         return;
0733
0734     if (!ipv6_unicast_destination(skb) &&
0735         !(net->ipv6.sysctl.anycast_src_echo_reply && acast))
0736         saddr = NULL;
0737
0738     if (icmph->icmp6_type == ICMPV6_EXT_ECHO_REQUEST)
0739         type = ICMPV6_EXT_ECHO_REPLY;
0740     else
0741         type = ICMPV6_ECHO_REPLY;
0742
0743     memcpy(&tmp_hdr, icmph, sizeof(tmp_hdr));
0744     tmp_hdr.icmp6_type = type;
0745
0746     memset(&fl6, 0, sizeof(fl6));
0747     if (net->ipv6.sysctl.flowlabel_reflect & FLOWLABEL_REFLECT_ICMPV6_ECHO_REPLIES)
0748         fl6.flowlabel = ip6_flowlabel(ipv6_hdr(skb));
0749
0750     fl6.flowi6_proto = IPPROTO_ICMPV6;
0751     fl6.daddr = ipv6_hdr(skb)->saddr;
0752     if (saddr)
0753         fl6.saddr = *saddr;
0754     fl6.flowi6_oif = icmp6_iif(skb);
0755     fl6.fl6_icmp_type = type;
0756     fl6.flowi6_mark = mark;
0757     fl6.flowi6_uid = sock_net_uid(net, NULL);
0758     security_skb_classify_flow(skb, flowi6_to_flowi_common(&fl6));
0759
0760     local_bh_disable();
0761     sk = icmpv6_xmit_lock(net);
0762     if (!sk)
0763         goto out_bh_enable;
0764     np = inet6_sk(sk);
0765
0766     if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr))
0767         fl6.flowi6_oif = np->mcast_oif;
0768     else if (!fl6.flowi6_oif)
0769         fl6.flowi6_oif = np->ucast_oif;
0770
0771     if (ip6_dst_lookup(net, sk, &dst, &fl6))
0772         goto out;
0773     dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), sk, 0);
0774     if (IS_ERR(dst))
0775         goto out;
0776
0777     /* Check the ratelimit */
0778     if ((!(skb->dev->flags & IFF_LOOPBACK) && !icmpv6_global_allow(net, ICMPV6_ECHO_REPLY)) ||
0779         !icmpv6_xrlim_allow(sk, ICMPV6_ECHO_REPLY, &fl6))
0780         goto out_dst_release;
0781
0782     idev = __in6_dev_get(skb->dev);
0783
0784     msg.skb = skb;
0785     msg.offset = 0;
0786     msg.type = type;
0787
0788     ipcm6_init_sk(&ipc6, np);
0789     ipc6.hlimit = ip6_sk_dst_hoplimit(np, &fl6, dst);
0790     ipc6.tclass = ipv6_get_dsfield(ipv6_hdr(skb));
0791     ipc6.sockc.mark = mark;
0792
0793     if (icmph->icmp6_type == ICMPV6_EXT_ECHO_REQUEST)
0794         if (!icmp_build_probe(skb, (struct icmphdr *)&tmp_hdr))
0795             goto out_dst_release;
0796
0797     if (ip6_append_data(sk, icmpv6_getfrag, &msg,
0798                 skb->len + sizeof(struct icmp6hdr),
0799                 sizeof(struct icmp6hdr), &ipc6, &fl6,
0800                 (struct rt6_info *)dst, MSG_DONTWAIT)) {
0801         __ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTERRORS);
0802         ip6_flush_pending_frames(sk);
0803     } else {
0804         icmpv6_push_pending_frames(sk, &fl6, &tmp_hdr,
0805                        skb->len + sizeof(struct icmp6hdr));
0806     }
0807 out_dst_release:
0808     dst_release(dst);
0809 out:
0810     icmpv6_xmit_unlock(sk);
0811 out_bh_enable:
0812     local_bh_enable();
0813 }
0814
0815 void icmpv6_notify(struct sk_buff *skb, u8 type, u8 code, __be32 info)
0816 {
0817     struct inet6_skb_parm *opt = IP6CB(skb);
0818     const struct inet6_protocol *ipprot;
0819     int inner_offset;
0820     __be16 frag_off;
0821     u8 nexthdr;
0822     struct net *net = dev_net(skb->dev);
0823
0824     if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
0825         goto out;
0826
0827     seg6_icmp_srh(skb, opt);
0828
0829     nexthdr = ((struct ipv6hdr *)skb->data)->nexthdr;
0830     if (ipv6_ext_hdr(nexthdr)) {
0831         /* now skip over extension headers */
0832         inner_offset = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr),
0833                         &nexthdr, &frag_off);
0834         if (inner_offset < 0)
0835             goto out;
0836     } else {
0837         inner_offset = sizeof(struct ipv6hdr);
0838     }
0839
0840     /* Checkin header including 8 bytes of inner protocol header. */
0841     if (!pskb_may_pull(skb, inner_offset+8))
0842         goto out;
0843
0844     /* BUGGG_FUTURE: we should try to parse exthdrs in this packet.
0845        Without this we will not able f.e. to make source routed
0846        pmtu discovery.
0847        Corresponding argument (opt) to notifiers is already added.
0848        --ANK (980726)
0849      */
0850
0851     ipprot = rcu_dereference(inet6_protos[nexthdr]);
0852     if (ipprot && ipprot->err_handler)
0853         ipprot->err_handler(skb, opt, type, code, inner_offset, info);
0854
0855     raw6_icmp_error(skb, nexthdr, type, code, inner_offset, info);
0856     return;
0857
0858 out:
0859     __ICMP6_INC_STATS(net, __in6_dev_get(skb->dev), ICMP6_MIB_INERRORS);
0860 }
0861
0862 /*
0863  *  Handle icmp messages
0864  */
0865
0866 static int icmpv6_rcv(struct sk_buff *skb)
0867 {
0868     enum skb_drop_reason reason = SKB_DROP_REASON_NOT_SPECIFIED;
0869     struct net *net = dev_net(skb->dev);
0870     struct net_device *dev = icmp6_dev(skb);
0871     struct inet6_dev *idev = __in6_dev_get(dev);
0872     const struct in6_addr *saddr, *daddr;
0873     struct icmp6hdr *hdr;
0874     u8 type;
0875
0876     if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
0877         struct sec_path *sp = skb_sec_path(skb);
0878         int nh;
0879
0880         if (!(sp && sp->xvec[sp->len - 1]->props.flags &
0881                  XFRM_STATE_ICMP)) {
0882             reason = SKB_DROP_REASON_XFRM_POLICY;
0883             goto drop_no_count;
0884         }
0885
0886         if (!pskb_may_pull(skb, sizeof(*hdr) + sizeof(struct ipv6hdr)))
0887             goto drop_no_count;
0888
0889         nh = skb_network_offset(skb);
0890         skb_set_network_header(skb, sizeof(*hdr));
0891
0892         if (!xfrm6_policy_check_reverse(NULL, XFRM_POLICY_IN,
0893                         skb)) {
0894             reason = SKB_DROP_REASON_XFRM_POLICY;
0895             goto drop_no_count;
0896         }
0897
0898         skb_set_network_header(skb, nh);
0899     }
0900
0901     __ICMP6_INC_STATS(dev_net(dev), idev, ICMP6_MIB_INMSGS);
0902
0903     saddr = &ipv6_hdr(skb)->saddr;
0904     daddr = &ipv6_hdr(skb)->daddr;
0905
0906     if (skb_checksum_validate(skb, IPPROTO_ICMPV6, ip6_compute_pseudo)) {
0907         net_dbg_ratelimited("ICMPv6 checksum failed [%pI6c > %pI6c]\n",
0908                     saddr, daddr);
0909         goto csum_error;
0910     }
0911
0912     if (!pskb_pull(skb, sizeof(*hdr)))
0913         goto discard_it;
0914
0915     hdr = icmp6_hdr(skb);
0916
0917     type = hdr->icmp6_type;
0918
0919     ICMP6MSGIN_INC_STATS(dev_net(dev), idev, type);
0920
0921     switch (type) {
0922     case ICMPV6_ECHO_REQUEST:
0923         if (!net->ipv6.sysctl.icmpv6_echo_ignore_all)
0924             icmpv6_echo_reply(skb);
0925         break;
0926     case ICMPV6_EXT_ECHO_REQUEST:
0927         if (!net->ipv6.sysctl.icmpv6_echo_ignore_all &&
0928             READ_ONCE(net->ipv4.sysctl_icmp_echo_enable_probe))
0929             icmpv6_echo_reply(skb);
0930         break;
0931
0932     case ICMPV6_ECHO_REPLY:
0933         reason = ping_rcv(skb);
0934         break;
0935
0936     case ICMPV6_EXT_ECHO_REPLY:
0937         reason = ping_rcv(skb);
0938         break;
0939
0940     case ICMPV6_PKT_TOOBIG:
0941         /* BUGGG_FUTURE: if packet contains rthdr, we cannot update
0942            standard destination cache. Seems, only "advanced"
0943            destination cache will allow to solve this problem
0944            --ANK (980726)
0945          */
0946         if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
0947             goto discard_it;
0948         hdr = icmp6_hdr(skb);
0949
0950         /* to notify */
0951         fallthrough;
0952     case ICMPV6_DEST_UNREACH:
0953     case ICMPV6_TIME_EXCEED:
0954     case ICMPV6_PARAMPROB:
0955         icmpv6_notify(skb, type, hdr->icmp6_code, hdr->icmp6_mtu);
0956         break;
0957
0958     case NDISC_ROUTER_SOLICITATION:
0959     case NDISC_ROUTER_ADVERTISEMENT:
0960     case NDISC_NEIGHBOUR_SOLICITATION:
0961     case NDISC_NEIGHBOUR_ADVERTISEMENT:
0962     case NDISC_REDIRECT:
0963         ndisc_rcv(skb);
0964         break;
0965
0966     case ICMPV6_MGM_QUERY:
0967         igmp6_event_query(skb);
0968         return 0;
0969
0970     case ICMPV6_MGM_REPORT:
0971         igmp6_event_report(skb);
0972         return 0;
0973
0974     case ICMPV6_MGM_REDUCTION:
0975     case ICMPV6_NI_QUERY:
0976     case ICMPV6_NI_REPLY:
0977     case ICMPV6_MLD2_REPORT:
0978     case ICMPV6_DHAAD_REQUEST:
0979     case ICMPV6_DHAAD_REPLY:
0980     case ICMPV6_MOBILE_PREFIX_SOL:
0981     case ICMPV6_MOBILE_PREFIX_ADV:
0982         break;
0983
0984     default:
0985         /* informational */
0986         if (type & ICMPV6_INFOMSG_MASK)
0987             break;
0988
0989         net_dbg_ratelimited("icmpv6: msg of unknown type [%pI6c > %pI6c]\n",
0990                     saddr, daddr);
0991
0992         /*
0993          * error of unknown type.
0994          * must pass to upper level
0995          */
0996
0997         icmpv6_notify(skb, type, hdr->icmp6_code, hdr->icmp6_mtu);
0998     }
0999
1000     /* until the v6 path can be better sorted assume failure and
1001      * preserve the status quo behaviour for the rest of the paths to here
1002      */
1003     if (reason)
1004         kfree_skb_reason(skb, reason);
1005     else
1006         consume_skb(skb);
1007
1008     return 0;
1009
1010 csum_error:
1011     reason = SKB_DROP_REASON_ICMP_CSUM;
1012     __ICMP6_INC_STATS(dev_net(dev), idev, ICMP6_MIB_CSUMERRORS);
1013 discard_it:
1014     __ICMP6_INC_STATS(dev_net(dev), idev, ICMP6_MIB_INERRORS);
1015 drop_no_count:
1016     kfree_skb_reason(skb, reason);
1017     return 0;
1018 }
1019
1020 void icmpv6_flow_init(struct sock *sk, struct flowi6 *fl6,
1021               u8 type,
1022               const struct in6_addr *saddr,
1023               const struct in6_addr *daddr,
1024               int oif)
1025 {
1026     memset(fl6, 0, sizeof(*fl6));
1027     fl6->saddr = *saddr;
1028     fl6->daddr = *daddr;
1029     fl6->flowi6_proto   = IPPROTO_ICMPV6;
1030     fl6->fl6_icmp_type  = type;
1031     fl6->fl6_icmp_code  = 0;
1032     fl6->flowi6_oif     = oif;
1033     security_sk_classify_flow(sk, flowi6_to_flowi_common(fl6));
1034 }
1035
1036 int __init icmpv6_init(void)
1037 {
1038     struct sock *sk;
1039     int err, i;
1040
1041     for_each_possible_cpu(i) {
1042         err = inet_ctl_sock_create(&sk, PF_INET6,
1043                        SOCK_RAW, IPPROTO_ICMPV6, &init_net);
1044         if (err < 0) {
1045             pr_err("Failed to initialize the ICMP6 control socket (err %d)\n",
1046                    err);
1047             return err;
1048         }
1049
1050         per_cpu(ipv6_icmp_sk, i) = sk;
1051
1052         /* Enough space for 2 64K ICMP packets, including
1053          * sk_buff struct overhead.
1054          */
1055         sk->sk_sndbuf = 2 * SKB_TRUESIZE(64 * 1024);
1056     }
1057
1058     err = -EAGAIN;
1059     if (inet6_add_protocol(&icmpv6_protocol, IPPROTO_ICMPV6) < 0)
1060         goto fail;
1061
1062     err = inet6_register_icmp_sender(icmp6_send);
1063     if (err)
1064         goto sender_reg_err;
1065     return 0;
1066
1067 sender_reg_err:
1068     inet6_del_protocol(&icmpv6_protocol, IPPROTO_ICMPV6);
1069 fail:
1070     pr_err("Failed to register ICMP6 protocol\n");
1071     return err;
1072 }
1073
1074 void icmpv6_cleanup(void)
1075 {
1076     inet6_unregister_icmp_sender(icmp6_send);
1077     inet6_del_protocol(&icmpv6_protocol, IPPROTO_ICMPV6);
1078 }
1079
1080
1081 static const struct icmp6_err {
1082     int err;
1083     int fatal;
1084 } tab_unreach[] = {
1085     {   /* NOROUTE */
1086         .err    = ENETUNREACH,
1087         .fatal  = 0,
1088     },
1089     {   /* ADM_PROHIBITED */
1090         .err    = EACCES,
1091         .fatal  = 1,
1092     },
1093     {   /* Was NOT_NEIGHBOUR, now reserved */
1094         .err    = EHOSTUNREACH,
1095         .fatal  = 0,
1096     },
1097     {   /* ADDR_UNREACH */
1098         .err    = EHOSTUNREACH,
1099         .fatal  = 0,
1100     },
1101     {   /* PORT_UNREACH */
1102         .err    = ECONNREFUSED,
1103         .fatal  = 1,
1104     },
1105     {   /* POLICY_FAIL */
1106         .err    = EACCES,
1107         .fatal  = 1,
1108     },
1109     {   /* REJECT_ROUTE */
1110         .err    = EACCES,
1111         .fatal  = 1,
1112     },
1113 };
1114
1115 int icmpv6_err_convert(u8 type, u8 code, int *err)
1116 {
1117     int fatal = 0;
1118
1119     *err = EPROTO;
1120
1121     switch (type) {
1122     case ICMPV6_DEST_UNREACH:
1123         fatal = 1;
1124         if (code < ARRAY_SIZE(tab_unreach)) {
1125             *err  = tab_unreach[code].err;
1126             fatal = tab_unreach[code].fatal;
1127         }
1128         break;
1129
1130     case ICMPV6_PKT_TOOBIG:
1131         *err = EMSGSIZE;
1132         break;
1133
1134     case ICMPV6_PARAMPROB:
1135         *err = EPROTO;
1136         fatal = 1;
1137         break;
1138
1139     case ICMPV6_TIME_EXCEED:
1140         *err = EHOSTUNREACH;
1141         break;
1142     }
1143
1144     return fatal;
1145 }
1146 EXPORT_SYMBOL(icmpv6_err_convert);
1147
1148 #ifdef CONFIG_SYSCTL
1149 static struct ctl_table ipv6_icmp_table_template[] = {
1150     {
1151         .procname   = "ratelimit",
1152         .data       = &init_net.ipv6.sysctl.icmpv6_time,
1153         .maxlen     = sizeof(int),
1154         .mode       = 0644,
1155         .proc_handler   = proc_dointvec_ms_jiffies,
1156     },
1157     {
1158         .procname   = "echo_ignore_all",
1159         .data       = &init_net.ipv6.sysctl.icmpv6_echo_ignore_all,
1160         .maxlen     = sizeof(u8),
1161         .mode       = 0644,
1162         .proc_handler = proc_dou8vec_minmax,
1163     },
1164     {
1165         .procname   = "echo_ignore_multicast",
1166         .data       = &init_net.ipv6.sysctl.icmpv6_echo_ignore_multicast,
1167         .maxlen     = sizeof(u8),
1168         .mode       = 0644,
1169         .proc_handler = proc_dou8vec_minmax,
1170     },
1171     {
1172         .procname   = "echo_ignore_anycast",
1173         .data       = &init_net.ipv6.sysctl.icmpv6_echo_ignore_anycast,
1174         .maxlen     = sizeof(u8),
1175         .mode       = 0644,
1176         .proc_handler = proc_dou8vec_minmax,
1177     },
1178     {
1179         .procname   = "ratemask",
1180         .data       = &init_net.ipv6.sysctl.icmpv6_ratemask_ptr,
1181         .maxlen     = ICMPV6_MSG_MAX + 1,
1182         .mode       = 0644,
1183         .proc_handler = proc_do_large_bitmap,
1184     },
1185     { },
1186 };
1187
1188 struct ctl_table * __net_init ipv6_icmp_sysctl_init(struct net *net)
1189 {
1190     struct ctl_table *table;
1191
1192     table = kmemdup(ipv6_icmp_table_template,
1193             sizeof(ipv6_icmp_table_template),
1194             GFP_KERNEL);
1195
1196     if (table) {
1197         table[0].data = &net->ipv6.sysctl.icmpv6_time;
1198         table[1].data = &net->ipv6.sysctl.icmpv6_echo_ignore_all;
1199         table[2].data = &net->ipv6.sysctl.icmpv6_echo_ignore_multicast;
1200         table[3].data = &net->ipv6.sysctl.icmpv6_echo_ignore_anycast;
1201         table[4].data = &net->ipv6.sysctl.icmpv6_ratemask_ptr;
1202     }
1203     return table;
1204 }
1205 #endif