1 /**
2 * @file
3 *
4 * IPv6 fragmentation and reassembly.
5 */
6
7 /*
8 * Copyright (c) 2010 Inico Technologies Ltd.
9 * All rights reserved.
10 *
11 * Redistribution and use in source and binary forms, with or without modification,
12 * are permitted provided that the following conditions are met:
13 *
14 * 1. Redistributions of source code must retain the above copyright notice,
15 * this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright notice,
17 * this list of conditions and the following disclaimer in the documentation
18 * and/or other materials provided with the distribution.
19 * 3. The name of the author may not be used to endorse or promote products
20 * derived from this software without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
23 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
24 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
25 * SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
26 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
27 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
28 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
29 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
30 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
31 * OF SUCH DAMAGE.
32 *
33 * This file is part of the lwIP TCP/IP stack.
34 *
35 * Author: Ivan Delamer <delamer@inicotech.com>
36 *
37 *
38 * Please coordinate changes and requests with Ivan Delamer
39 * <delamer@inicotech.com>
40 */
41
42 #include "lwip/opt.h"
43 #include "lwip/ip6_frag.h"
44 #include "lwip/ip6.h"
45 #include "lwip/icmp6.h"
46 #include "lwip/nd6.h"
47 #include "lwip/ip.h"
48
49 #include "lwip/pbuf.h"
50 #include "lwip/memp.h"
51 #include "lwip/stats.h"
52
53 #include <string.h>
54
55 #if LWIP_IPV6 && LWIP_IPV6_REASS /* don't build if not configured for use in lwipopts.h */
56
57
58 /** Setting this to 0, you can turn off checking the fragments for overlapping
59 * regions. The code gets a little smaller. Only use this if you know that
60 * overlapping won't occur on your network! */
61 #ifndef IP_REASS_CHECK_OVERLAP
62 #define IP_REASS_CHECK_OVERLAP 1
63 #endif /* IP_REASS_CHECK_OVERLAP */
64
65 /** Set to 0 to prevent freeing the oldest datagram when the reassembly buffer is
66 * full (IP_REASS_MAX_PBUFS pbufs are enqueued). The code gets a little smaller.
67 * Datagrams will be freed by timeout only. Especially useful when MEMP_NUM_REASSDATA
68 * is set to 1, so one datagram can be reassembled at a time, only. */
69 #ifndef IP_REASS_FREE_OLDEST
70 #define IP_REASS_FREE_OLDEST 1
71 #endif /* IP_REASS_FREE_OLDEST */
72
73 #if IPV6_FRAG_COPYHEADER
74 /* The number of bytes we need to "borrow" from (i.e., overwrite in) the header
75 * that precedes the fragment header for reassembly pruposes. */
76 #define IPV6_FRAG_REQROOM ((s16_t)(sizeof(struct ip6_reass_helper) - IP6_FRAG_HLEN))
77 #endif
78
79 #define IP_REASS_FLAG_LASTFRAG 0x01
80
81 /** This is a helper struct which holds the starting
82 * offset and the ending offset of this fragment to
83 * easily chain the fragments.
84 * It has the same packing requirements as the IPv6 header, since it replaces
85 * the Fragment Header in memory in incoming fragments to keep
86 * track of the various fragments.
87 */
88 #ifdef PACK_STRUCT_USE_INCLUDES
89 # include "arch/bpstruct.h"
90 #endif
91 PACK_STRUCT_BEGIN
92 struct ip6_reass_helper {
93 PACK_STRUCT_FIELD(struct pbuf *next_pbuf);
94 PACK_STRUCT_FIELD(u16_t start);
95 PACK_STRUCT_FIELD(u16_t end);
96 } PACK_STRUCT_STRUCT;
97 PACK_STRUCT_END
98 #ifdef PACK_STRUCT_USE_INCLUDES
99 # include "arch/epstruct.h"
100 #endif
101
102 /* static variables */
103 static struct ip6_reassdata *reassdatagrams;
104 static u16_t ip6_reass_pbufcount;
105
106 /* Forward declarations. */
107 static void ip6_reass_free_complete_datagram(struct ip6_reassdata *ipr);
108 #if IP_REASS_FREE_OLDEST
109 static void ip6_reass_remove_oldest_datagram(struct ip6_reassdata *ipr, int pbufs_needed);
110 #endif /* IP_REASS_FREE_OLDEST */
111
112 void
ip6_reass_tmr(void)113 ip6_reass_tmr(void)
114 {
115 struct ip6_reassdata *r, *tmp;
116
117 #if !IPV6_FRAG_COPYHEADER
118 LWIP_ASSERT("sizeof(struct ip6_reass_helper) <= IP6_FRAG_HLEN, set IPV6_FRAG_COPYHEADER to 1",
119 sizeof(struct ip6_reass_helper) <= IP6_FRAG_HLEN);
120 #endif /* !IPV6_FRAG_COPYHEADER */
121
122 r = reassdatagrams;
123 while (r != NULL) {
124 /* Decrement the timer. Once it reaches 0,
125 * clean up the incomplete fragment assembly */
126 if (r->timer > 0) {
127 r->timer--;
128 r = r->next;
129 } else {
130 /* reassembly timed out */
131 tmp = r;
132 /* get the next pointer before freeing */
133 r = r->next;
134 /* free the helper struct and all enqueued pbufs */
135 ip6_reass_free_complete_datagram(tmp);
136 }
137 }
138 }
139
140 /**
141 * Free a datagram (struct ip6_reassdata) and all its pbufs.
142 * Updates the total count of enqueued pbufs (ip6_reass_pbufcount),
143 * sends an ICMP time exceeded packet.
144 *
145 * @param ipr datagram to free
146 */
147 static void
ip6_reass_free_complete_datagram(struct ip6_reassdata * ipr)148 ip6_reass_free_complete_datagram(struct ip6_reassdata *ipr)
149 {
150 struct ip6_reassdata *prev;
151 u16_t pbufs_freed = 0;
152 u16_t clen;
153 struct pbuf *p;
154 struct ip6_reass_helper *iprh;
155
156 #if LWIP_ICMP6
157 iprh = (struct ip6_reass_helper *)ipr->p->payload;
158 if (iprh->start == 0) {
159 /* The first fragment was received, send ICMP time exceeded. */
160 /* First, de-queue the first pbuf from r->p. */
161 p = ipr->p;
162 ipr->p = iprh->next_pbuf;
163 /* Restore the part that we've overwritten with our helper structure, or we
164 * might send garbage (and disclose a pointer) in the ICMPv6 reply. */
165 MEMCPY(p->payload, ipr->orig_hdr, sizeof(iprh));
166 /* Then, move back to the original ipv6 header (we are now pointing to Fragment header).
167 This cannot fail since we already checked when receiving this fragment. */
168 if (pbuf_header_force(p, (s16_t)((u8_t*)p->payload - (u8_t*)ipr->iphdr))) {
169 LWIP_ASSERT("ip6_reass_free: moving p->payload to ip6 header failed\n", 0);
170 }
171 else {
172 /* Reconstruct the zoned source and destination addresses, so that we do
173 * not end up sending the ICMP response over the wrong link. */
174 ip6_addr_t src_addr, dest_addr;
175 ip6_addr_copy_from_packed(src_addr, IPV6_FRAG_SRC(ipr));
176 ip6_addr_set_zone(&src_addr, ipr->src_zone);
177 ip6_addr_copy_from_packed(dest_addr, IPV6_FRAG_DEST(ipr));
178 ip6_addr_set_zone(&dest_addr, ipr->dest_zone);
179 /* Send the actual ICMP response. */
180 icmp6_time_exceeded_with_addrs(p, ICMP6_TE_FRAG, &src_addr, &dest_addr);
181 }
182 clen = pbuf_clen(p);
183 LWIP_ASSERT("pbufs_freed + clen <= 0xffff", pbufs_freed + clen <= 0xffff);
184 pbufs_freed += clen;
185 pbuf_free(p);
186 }
187 #endif /* LWIP_ICMP6 */
188
189 /* First, free all received pbufs. The individual pbufs need to be released
190 separately as they have not yet been chained */
191 p = ipr->p;
192 while (p != NULL) {
193 struct pbuf *pcur;
194 iprh = (struct ip6_reass_helper *)p->payload;
195 pcur = p;
196 /* get the next pointer before freeing */
197 p = iprh->next_pbuf;
198 clen = pbuf_clen(pcur);
199 LWIP_ASSERT("pbufs_freed + clen <= 0xffff", pbufs_freed + clen <= 0xffff);
200 pbufs_freed += clen;
201 pbuf_free(pcur);
202 }
203
204 /* Then, unchain the struct ip6_reassdata from the list and free it. */
205 if (ipr == reassdatagrams) {
206 reassdatagrams = ipr->next;
207 } else {
208 prev = reassdatagrams;
209 while (prev != NULL) {
210 if (prev->next == ipr) {
211 break;
212 }
213 prev = prev->next;
214 }
215 if (prev != NULL) {
216 prev->next = ipr->next;
217 }
218 }
219 memp_free(MEMP_IP6_REASSDATA, ipr);
220
221 /* Finally, update number of pbufs in reassembly queue */
222 LWIP_ASSERT("ip_reass_pbufcount >= clen", ip6_reass_pbufcount >= pbufs_freed);
223 ip6_reass_pbufcount -= pbufs_freed;
224 }
225
226 #if IP_REASS_FREE_OLDEST
227 /**
228 * Free the oldest datagram to make room for enqueueing new fragments.
229 * The datagram ipr is not freed!
230 *
231 * @param ipr ip6_reassdata for the current fragment
232 * @param pbufs_needed number of pbufs needed to enqueue
233 * (used for freeing other datagrams if not enough space)
234 */
235 static void
ip6_reass_remove_oldest_datagram(struct ip6_reassdata * ipr,int pbufs_needed)236 ip6_reass_remove_oldest_datagram(struct ip6_reassdata *ipr, int pbufs_needed)
237 {
238 struct ip6_reassdata *r, *oldest;
239
240 /* Free datagrams until being allowed to enqueue 'pbufs_needed' pbufs,
241 * but don't free the current datagram! */
242 do {
243 r = oldest = reassdatagrams;
244 while (r != NULL) {
245 if (r != ipr) {
246 if (r->timer <= oldest->timer) {
247 /* older than the previous oldest */
248 oldest = r;
249 }
250 }
251 r = r->next;
252 }
253 if (oldest == ipr) {
254 /* nothing to free, ipr is the only element on the list */
255 return;
256 }
257 if (oldest != NULL) {
258 ip6_reass_free_complete_datagram(oldest);
259 }
260 } while (((ip6_reass_pbufcount + pbufs_needed) > IP_REASS_MAX_PBUFS) && (reassdatagrams != NULL));
261 }
262 #endif /* IP_REASS_FREE_OLDEST */
263
264 /**
265 * Reassembles incoming IPv6 fragments into an IPv6 datagram.
266 *
267 * @param p points to the IPv6 Fragment Header
268 * @return NULL if reassembly is incomplete, pbuf pointing to
269 * IPv6 Header if reassembly is complete
270 */
271 struct pbuf *
ip6_reass(struct pbuf * p)272 ip6_reass(struct pbuf *p)
273 {
274 struct ip6_reassdata *ipr, *ipr_prev;
275 struct ip6_reass_helper *iprh, *iprh_tmp, *iprh_prev=NULL;
276 struct ip6_frag_hdr *frag_hdr;
277 u16_t offset, len, start, end;
278 u16_t clen;
279 u8_t valid = 1;
280 struct pbuf *q, *next_pbuf;
281
282 IP6_FRAG_STATS_INC(ip6_frag.recv);
283
284 /* ip6_frag_hdr must be in the first pbuf, not chained. Checked by caller. */
285 LWIP_ASSERT("IPv6 fragment header does not fit in first pbuf",
286 p->len >= sizeof(struct ip6_frag_hdr));
287
288 frag_hdr = (struct ip6_frag_hdr *) p->payload;
289
290 clen = pbuf_clen(p);
291
292 offset = lwip_ntohs(frag_hdr->_fragment_offset);
293
294 /* Calculate fragment length from IPv6 payload length.
295 * Adjust for headers before Fragment Header.
296 * And finally adjust by Fragment Header length. */
297 len = lwip_ntohs(ip6_current_header()->_plen);
298 len -= (u16_t)(((u8_t*)p->payload - (const u8_t*)ip6_current_header()) - IP6_HLEN);
299 len -= IP6_FRAG_HLEN;
300
301 /* Look for the datagram the fragment belongs to in the current datagram queue,
302 * remembering the previous in the queue for later dequeueing. */
303 for (ipr = reassdatagrams, ipr_prev = NULL; ipr != NULL; ipr = ipr->next) {
304 /* Check if the incoming fragment matches the one currently present
305 in the reassembly buffer. If so, we proceed with copying the
306 fragment into the buffer. */
307 if ((frag_hdr->_identification == ipr->identification) &&
308 ip6_addr_cmp_packed(ip6_current_src_addr(), &(IPV6_FRAG_SRC(ipr)), ipr->src_zone) &&
309 ip6_addr_cmp_packed(ip6_current_dest_addr(), &(IPV6_FRAG_DEST(ipr)), ipr->dest_zone)) {
310 IP6_FRAG_STATS_INC(ip6_frag.cachehit);
311 break;
312 }
313 ipr_prev = ipr;
314 }
315
316 if (ipr == NULL) {
317 /* Enqueue a new datagram into the datagram queue */
318 ipr = (struct ip6_reassdata *)memp_malloc(MEMP_IP6_REASSDATA);
319 if (ipr == NULL) {
320 #if IP_REASS_FREE_OLDEST
321 /* Make room and try again. */
322 ip6_reass_remove_oldest_datagram(ipr, clen);
323 ipr = (struct ip6_reassdata *)memp_malloc(MEMP_IP6_REASSDATA);
324 if (ipr != NULL) {
325 /* re-search ipr_prev since it might have been removed */
326 for (ipr_prev = reassdatagrams; ipr_prev != NULL; ipr_prev = ipr_prev->next) {
327 if (ipr_prev->next == ipr) {
328 break;
329 }
330 }
331 } else
332 #endif /* IP_REASS_FREE_OLDEST */
333 {
334 IP6_FRAG_STATS_INC(ip6_frag.memerr);
335 IP6_FRAG_STATS_INC(ip6_frag.drop);
336 goto nullreturn;
337 }
338 }
339
340 memset(ipr, 0, sizeof(struct ip6_reassdata));
341 ipr->timer = IP_REASS_MAXAGE;
342
343 /* enqueue the new structure to the front of the list */
344 ipr->next = reassdatagrams;
345 reassdatagrams = ipr;
346
347 /* Use the current IPv6 header for src/dest address reference.
348 * Eventually, we will replace it when we get the first fragment
349 * (it might be this one, in any case, it is done later). */
350 /* need to use the none-const pointer here: */
351 ipr->iphdr = ip_data.current_ip6_header;
352 #if IPV6_FRAG_COPYHEADER
353 MEMCPY(&ipr->src, &ip6_current_header()->src, sizeof(ipr->src));
354 MEMCPY(&ipr->dest, &ip6_current_header()->dest, sizeof(ipr->dest));
355 #endif /* IPV6_FRAG_COPYHEADER */
356 #if LWIP_IPV6_SCOPES
357 /* Also store the address zone information.
358 * @todo It is possible that due to netif destruction and recreation, the
359 * stored zones end up resolving to a different interface. In that case, we
360 * risk sending a "time exceeded" ICMP response over the wrong link.
361 * Ideally, netif destruction would clean up matching pending reassembly
362 * structures, but custom zone mappings would make that non-trivial. */
363 ipr->src_zone = ip6_addr_zone(ip6_current_src_addr());
364 ipr->dest_zone = ip6_addr_zone(ip6_current_dest_addr());
365 #endif /* LWIP_IPV6_SCOPES */
366 /* copy the fragmented packet id. */
367 ipr->identification = frag_hdr->_identification;
368
369 /* copy the nexth field */
370 ipr->nexth = frag_hdr->_nexth;
371 }
372
373 /* Check if we are allowed to enqueue more datagrams. */
374 if ((ip6_reass_pbufcount + clen) > IP_REASS_MAX_PBUFS) {
375 #if IP_REASS_FREE_OLDEST
376 ip6_reass_remove_oldest_datagram(ipr, clen);
377 if ((ip6_reass_pbufcount + clen) <= IP_REASS_MAX_PBUFS) {
378 /* re-search ipr_prev since it might have been removed */
379 for (ipr_prev = reassdatagrams; ipr_prev != NULL; ipr_prev = ipr_prev->next) {
380 if (ipr_prev->next == ipr) {
381 break;
382 }
383 }
384 } else
385 #endif /* IP_REASS_FREE_OLDEST */
386 {
387 /* @todo: send ICMPv6 time exceeded here? */
388 /* drop this pbuf */
389 IP6_FRAG_STATS_INC(ip6_frag.memerr);
390 IP6_FRAG_STATS_INC(ip6_frag.drop);
391 goto nullreturn;
392 }
393 }
394
395 /* Overwrite Fragment Header with our own helper struct. */
396 #if IPV6_FRAG_COPYHEADER
397 if (IPV6_FRAG_REQROOM > 0) {
398 /* Make room for struct ip6_reass_helper (only required if sizeof(void*) > 4).
399 This cannot fail since we already checked when receiving this fragment. */
400 u8_t hdrerr = pbuf_header_force(p, IPV6_FRAG_REQROOM);
401 LWIP_UNUSED_ARG(hdrerr); /* in case of LWIP_NOASSERT */
402 LWIP_ASSERT("no room for struct ip6_reass_helper", hdrerr == 0);
403 }
404 #else /* IPV6_FRAG_COPYHEADER */
405 LWIP_ASSERT("sizeof(struct ip6_reass_helper) <= IP6_FRAG_HLEN, set IPV6_FRAG_COPYHEADER to 1",
406 sizeof(struct ip6_reass_helper) <= IP6_FRAG_HLEN);
407 #endif /* IPV6_FRAG_COPYHEADER */
408
409 /* Prepare the pointer to the helper structure, and its initial values.
410 * Do not yet write to the structure itself, as we still have to make a
411 * backup of the original data, and we should not do that until we know for
412 * sure that we are going to add this packet to the list. */
413 iprh = (struct ip6_reass_helper *)p->payload;
414 next_pbuf = NULL;
415 start = (offset & IP6_FRAG_OFFSET_MASK);
416 end = (offset & IP6_FRAG_OFFSET_MASK) + len;
417
418 /* find the right place to insert this pbuf */
419 /* Iterate through until we either get to the end of the list (append),
420 * or we find on with a larger offset (insert). */
421 for (q = ipr->p; q != NULL;) {
422 iprh_tmp = (struct ip6_reass_helper*)q->payload;
423 if (start < iprh_tmp->start) {
424 #if IP_REASS_CHECK_OVERLAP
425 if (end > iprh_tmp->start) {
426 /* fragment overlaps with following, throw away */
427 IP6_FRAG_STATS_INC(ip6_frag.proterr);
428 IP6_FRAG_STATS_INC(ip6_frag.drop);
429 goto nullreturn;
430 }
431 if (iprh_prev != NULL) {
432 if (start < iprh_prev->end) {
433 /* fragment overlaps with previous, throw away */
434 IP6_FRAG_STATS_INC(ip6_frag.proterr);
435 IP6_FRAG_STATS_INC(ip6_frag.drop);
436 goto nullreturn;
437 }
438 }
439 #endif /* IP_REASS_CHECK_OVERLAP */
440 /* the new pbuf should be inserted before this */
441 next_pbuf = q;
442 if (iprh_prev != NULL) {
443 /* not the fragment with the lowest offset */
444 iprh_prev->next_pbuf = p;
445 } else {
446 /* fragment with the lowest offset */
447 ipr->p = p;
448 }
449 break;
450 } else if (start == iprh_tmp->start) {
451 /* received the same datagram twice: no need to keep the datagram */
452 IP6_FRAG_STATS_INC(ip6_frag.drop);
453 goto nullreturn;
454 #if IP_REASS_CHECK_OVERLAP
455 } else if (start < iprh_tmp->end) {
456 /* overlap: no need to keep the new datagram */
457 IP6_FRAG_STATS_INC(ip6_frag.proterr);
458 IP6_FRAG_STATS_INC(ip6_frag.drop);
459 goto nullreturn;
460 #endif /* IP_REASS_CHECK_OVERLAP */
461 } else {
462 /* Check if the fragments received so far have no gaps. */
463 if (iprh_prev != NULL) {
464 if (iprh_prev->end != iprh_tmp->start) {
465 /* There is a fragment missing between the current
466 * and the previous fragment */
467 valid = 0;
468 }
469 }
470 }
471 q = iprh_tmp->next_pbuf;
472 iprh_prev = iprh_tmp;
473 }
474
475 /* If q is NULL, then we made it to the end of the list. Determine what to do now */
476 if (q == NULL) {
477 if (iprh_prev != NULL) {
478 /* this is (for now), the fragment with the highest offset:
479 * chain it to the last fragment */
480 #if IP_REASS_CHECK_OVERLAP
481 LWIP_ASSERT("check fragments don't overlap", iprh_prev->end <= start);
482 #endif /* IP_REASS_CHECK_OVERLAP */
483 iprh_prev->next_pbuf = p;
484 if (iprh_prev->end != start) {
485 valid = 0;
486 }
487 } else {
488 #if IP_REASS_CHECK_OVERLAP
489 LWIP_ASSERT("no previous fragment, this must be the first fragment!",
490 ipr->p == NULL);
491 #endif /* IP_REASS_CHECK_OVERLAP */
492 /* this is the first fragment we ever received for this ip datagram */
493 ipr->p = p;
494 }
495 }
496
497 /* Track the current number of pbufs current 'in-flight', in order to limit
498 the number of fragments that may be enqueued at any one time */
499 ip6_reass_pbufcount += clen;
500
501 /* Remember IPv6 header if this is the first fragment. */
502 if (start == 0) {
503 /* need to use the none-const pointer here: */
504 ipr->iphdr = ip_data.current_ip6_header;
505 /* Make a backup of the part of the packet data that we are about to
506 * overwrite, so that we can restore the original later. */
507 MEMCPY(ipr->orig_hdr, p->payload, sizeof(*iprh));
508 /* For IPV6_FRAG_COPYHEADER there is no need to copy src/dst again, as they
509 * will be the same as they were. With LWIP_IPV6_SCOPES, the same applies
510 * to the source/destination zones. */
511 }
512 /* Only after the backup do we get to fill in the actual helper structure. */
513 iprh->next_pbuf = next_pbuf;
514 iprh->start = start;
515 iprh->end = end;
516
517 /* If this is the last fragment, calculate total packet length. */
518 if ((offset & IP6_FRAG_MORE_FLAG) == 0) {
519 ipr->datagram_len = iprh->end;
520 }
521
522 /* Additional validity tests: we have received first and last fragment. */
523 iprh_tmp = (struct ip6_reass_helper*)ipr->p->payload;
524 if (iprh_tmp->start != 0) {
525 valid = 0;
526 }
527 if (ipr->datagram_len == 0) {
528 valid = 0;
529 }
530
531 /* Final validity test: no gaps between current and last fragment. */
532 iprh_prev = iprh;
533 q = iprh->next_pbuf;
534 while ((q != NULL) && valid) {
535 iprh = (struct ip6_reass_helper*)q->payload;
536 if (iprh_prev->end != iprh->start) {
537 valid = 0;
538 break;
539 }
540 iprh_prev = iprh;
541 q = iprh->next_pbuf;
542 }
543
544 if (valid) {
545 /* All fragments have been received */
546 struct ip6_hdr* iphdr_ptr;
547
548 /* chain together the pbufs contained within the ip6_reassdata list. */
549 iprh = (struct ip6_reass_helper*) ipr->p->payload;
550 while (iprh != NULL) {
551 next_pbuf = iprh->next_pbuf;
552 if (next_pbuf != NULL) {
553 /* Save next helper struct (will be hidden in next step). */
554 iprh_tmp = (struct ip6_reass_helper*)next_pbuf->payload;
555
556 /* hide the fragment header for every succeeding fragment */
557 pbuf_header(next_pbuf, -IP6_FRAG_HLEN);
558 #if IPV6_FRAG_COPYHEADER
559 if (IPV6_FRAG_REQROOM > 0) {
560 /* hide the extra bytes borrowed from ip6_hdr for struct ip6_reass_helper */
561 u8_t hdrerr = pbuf_header(next_pbuf, -(s16_t)(IPV6_FRAG_REQROOM));
562 LWIP_UNUSED_ARG(hdrerr); /* in case of LWIP_NOASSERT */
563 LWIP_ASSERT("no room for struct ip6_reass_helper", hdrerr == 0);
564 }
565 #endif
566 pbuf_cat(ipr->p, next_pbuf);
567 }
568 else {
569 iprh_tmp = NULL;
570 }
571
572 iprh = iprh_tmp;
573 }
574
575 /* Get the first pbuf. */
576 p = ipr->p;
577
578 #if IPV6_FRAG_COPYHEADER
579 if (IPV6_FRAG_REQROOM > 0) {
580 u8_t hdrerr;
581 /* Restore (only) the bytes that we overwrote beyond the fragment header.
582 * Those bytes may belong to either the IPv6 header or an extension
583 * header placed before the fragment header. */
584 MEMCPY(p->payload, ipr->orig_hdr, IPV6_FRAG_REQROOM);
585 /* get back room for struct ip6_reass_helper (only required if sizeof(void*) > 4) */
586 hdrerr = pbuf_header(p, -(s16_t)(IPV6_FRAG_REQROOM));
587 LWIP_UNUSED_ARG(hdrerr); /* in case of LWIP_NOASSERT */
588 LWIP_ASSERT("no room for struct ip6_reass_helper", hdrerr == 0);
589 }
590 #endif
591
592 /* We need to get rid of the fragment header itself, which is somewhere in
593 * the middle of the packet (but still in the first pbuf of the chain).
594 * Getting rid of the header is required by RFC 2460 Sec. 4.5 and necessary
595 * in order to be able to reassemble packets that are close to full size
596 * (i.e., around 65535 bytes). We simply move up all the headers before the
597 * fragment header, including the IPv6 header, and adjust the payload start
598 * accordingly. This works because all these headers are in the first pbuf
599 * of the chain, and because the caller adjusts all its pointers on
600 * successful reassembly. */
601 MEMMOVE((u8_t*)ipr->iphdr + sizeof(struct ip6_frag_hdr), ipr->iphdr,
602 (u8_t*)p->payload - (u8_t*)ipr->iphdr);
603
604 /* This is where the IPv6 header is now. */
605 iphdr_ptr = (struct ip6_hdr*)((u8_t*)ipr->iphdr +
606 sizeof(struct ip6_frag_hdr));
607
608 /* Adjust datagram length by adding header lengths. */
609 ipr->datagram_len += (u16_t)(((u8_t*)p->payload - (u8_t*)iphdr_ptr)
610 - IP6_HLEN);
611
612 /* Set payload length in ip header. */
613 iphdr_ptr->_plen = lwip_htons(ipr->datagram_len);
614
615 /* With the fragment header gone, we now need to adjust the next-header
616 * field of whatever header was originally before it. Since the packet made
617 * it through the original header processing routines at least up to the
618 * fragment header, we do not need any further sanity checks here. */
619 if (IP6H_NEXTH(iphdr_ptr) == IP6_NEXTH_FRAGMENT) {
620 iphdr_ptr->_nexth = ipr->nexth;
621 } else {
622 u8_t *ptr = (u8_t *)iphdr_ptr + IP6_HLEN;
623 while (*ptr != IP6_NEXTH_FRAGMENT) {
624 ptr += 8 * (1 + ptr[1]);
625 }
626 *ptr = ipr->nexth;
627 }
628
629 /* release the resources allocated for the fragment queue entry */
630 if (reassdatagrams == ipr) {
631 /* it was the first in the list */
632 reassdatagrams = ipr->next;
633 } else {
634 /* it wasn't the first, so it must have a valid 'prev' */
635 LWIP_ASSERT("sanity check linked list", ipr_prev != NULL);
636 ipr_prev->next = ipr->next;
637 }
638 memp_free(MEMP_IP6_REASSDATA, ipr);
639
640 /* adjust the number of pbufs currently queued for reassembly. */
641 ip6_reass_pbufcount -= pbuf_clen(p);
642
643 /* Move pbuf back to IPv6 header. This should never fail. */
644 if (pbuf_header_force(p, (s16_t)((u8_t*)p->payload - (u8_t*)iphdr_ptr))) {
645 LWIP_ASSERT("ip6_reass: moving p->payload to ip6 header failed\n", 0);
646 pbuf_free(p);
647 return NULL;
648 }
649
650 /* Return the pbuf chain */
651 return p;
652 }
653 /* the datagram is not (yet?) reassembled completely */
654 return NULL;
655
656 nullreturn:
657 pbuf_free(p);
658 return NULL;
659 }
660
661 #endif /* LWIP_IPV6 && LWIP_IPV6_REASS */
662
663 #if LWIP_IPV6 && LWIP_IPV6_FRAG
664
665 #if !LWIP_NETIF_TX_SINGLE_PBUF
666 /** Allocate a new struct pbuf_custom_ref */
667 static struct pbuf_custom_ref*
ip6_frag_alloc_pbuf_custom_ref(void)668 ip6_frag_alloc_pbuf_custom_ref(void)
669 {
670 return (struct pbuf_custom_ref*)memp_malloc(MEMP_FRAG_PBUF);
671 }
672
673 /** Free a struct pbuf_custom_ref */
674 static void
ip6_frag_free_pbuf_custom_ref(struct pbuf_custom_ref * p)675 ip6_frag_free_pbuf_custom_ref(struct pbuf_custom_ref* p)
676 {
677 LWIP_ASSERT("p != NULL", p != NULL);
678 memp_free(MEMP_FRAG_PBUF, p);
679 }
680
681 /** Free-callback function to free a 'struct pbuf_custom_ref', called by
682 * pbuf_free. */
683 static void
ip6_frag_free_pbuf_custom(struct pbuf * p)684 ip6_frag_free_pbuf_custom(struct pbuf *p)
685 {
686 struct pbuf_custom_ref *pcr = (struct pbuf_custom_ref*)p;
687 LWIP_ASSERT("pcr != NULL", pcr != NULL);
688 LWIP_ASSERT("pcr == p", (void*)pcr == (void*)p);
689 if (pcr->original != NULL) {
690 pbuf_free(pcr->original);
691 }
692 ip6_frag_free_pbuf_custom_ref(pcr);
693 }
694 #endif /* !LWIP_NETIF_TX_SINGLE_PBUF */
695
696 /**
697 * Fragment an IPv6 datagram if too large for the netif or path MTU.
698 *
699 * Chop the datagram in MTU sized chunks and send them in order
700 * by pointing PBUF_REFs into p
701 *
702 * @param p ipv6 packet to send
703 * @param netif the netif on which to send
704 * @param dest destination ipv6 address to which to send
705 *
706 * @return ERR_OK if sent successfully, err_t otherwise
707 */
708 err_t
ip6_frag(struct pbuf * p,struct netif * netif,const ip6_addr_t * dest)709 ip6_frag(struct pbuf *p, struct netif *netif, const ip6_addr_t *dest)
710 {
711 struct ip6_hdr *original_ip6hdr;
712 struct ip6_hdr *ip6hdr;
713 struct ip6_frag_hdr *frag_hdr;
714 struct pbuf *rambuf;
715 #if !LWIP_NETIF_TX_SINGLE_PBUF
716 struct pbuf *newpbuf;
717 u16_t newpbuflen = 0;
718 u16_t left_to_copy;
719 #endif
720 static u32_t identification;
721 u16_t nfb;
722 u16_t left, cop;
723 u16_t mtu;
724 u16_t fragment_offset = 0;
725 u16_t last;
726 u16_t poff = IP6_HLEN;
727
728 identification++;
729
730 original_ip6hdr = (struct ip6_hdr *)p->payload;
731
732 mtu = nd6_get_destination_mtu(dest, netif);
733
734 /* @todo we assume there are no options in the unfragmentable part (IPv6 header). */
735 left = p->tot_len - IP6_HLEN;
736
737 nfb = (mtu - (IP6_HLEN + IP6_FRAG_HLEN)) & IP6_FRAG_OFFSET_MASK;
738
739 while (left) {
740 last = (left <= nfb);
741
742 /* Fill this fragment */
743 cop = last ? left : nfb;
744
745 #if LWIP_NETIF_TX_SINGLE_PBUF
746 rambuf = pbuf_alloc(PBUF_IP, cop + IP6_FRAG_HLEN, PBUF_RAM);
747 if (rambuf == NULL) {
748 IP6_FRAG_STATS_INC(ip6_frag.memerr);
749 return ERR_MEM;
750 }
751 LWIP_ASSERT("this needs a pbuf in one piece!",
752 (rambuf->len == rambuf->tot_len) && (rambuf->next == NULL));
753 poff += pbuf_copy_partial(p, (u8_t*)rambuf->payload + IP6_FRAG_HLEN, cop, poff);
754 /* make room for the IP header */
755 if (pbuf_header(rambuf, IP6_HLEN)) {
756 pbuf_free(rambuf);
757 IP6_FRAG_STATS_INC(ip6_frag.memerr);
758 return ERR_MEM;
759 }
760 /* fill in the IP header */
761 SMEMCPY(rambuf->payload, original_ip6hdr, IP6_HLEN);
762 ip6hdr = (struct ip6_hdr *)rambuf->payload;
763 frag_hdr = (struct ip6_frag_hdr *)((u8_t*)rambuf->payload + IP6_HLEN);
764 #else
765 /* When not using a static buffer, create a chain of pbufs.
766 * The first will be a PBUF_RAM holding the link, IPv6, and Fragment header.
767 * The rest will be PBUF_REFs mirroring the pbuf chain to be fragged,
768 * but limited to the size of an mtu.
769 */
770 rambuf = pbuf_alloc(PBUF_LINK, IP6_HLEN + IP6_FRAG_HLEN, PBUF_RAM);
771 if (rambuf == NULL) {
772 IP6_FRAG_STATS_INC(ip6_frag.memerr);
773 return ERR_MEM;
774 }
775 LWIP_ASSERT("this needs a pbuf in one piece!",
776 (p->len >= (IP6_HLEN)));
777 SMEMCPY(rambuf->payload, original_ip6hdr, IP6_HLEN);
778 ip6hdr = (struct ip6_hdr *)rambuf->payload;
779 frag_hdr = (struct ip6_frag_hdr *)((u8_t*)rambuf->payload + IP6_HLEN);
780
781 /* Can just adjust p directly for needed offset. */
782 p->payload = (u8_t *)p->payload + poff;
783 p->len -= poff;
784 p->tot_len -= poff;
785
786 left_to_copy = cop;
787 while (left_to_copy) {
788 struct pbuf_custom_ref *pcr;
789 newpbuflen = (left_to_copy < p->len) ? left_to_copy : p->len;
790 /* Is this pbuf already empty? */
791 if (!newpbuflen) {
792 p = p->next;
793 continue;
794 }
795 pcr = ip6_frag_alloc_pbuf_custom_ref();
796 if (pcr == NULL) {
797 pbuf_free(rambuf);
798 IP6_FRAG_STATS_INC(ip6_frag.memerr);
799 return ERR_MEM;
800 }
801 /* Mirror this pbuf, although we might not need all of it. */
802 newpbuf = pbuf_alloced_custom(PBUF_RAW, newpbuflen, PBUF_REF, &pcr->pc, p->payload, newpbuflen);
803 if (newpbuf == NULL) {
804 ip6_frag_free_pbuf_custom_ref(pcr);
805 pbuf_free(rambuf);
806 IP6_FRAG_STATS_INC(ip6_frag.memerr);
807 return ERR_MEM;
808 }
809 pbuf_ref(p);
810 pcr->original = p;
811 pcr->pc.custom_free_function = ip6_frag_free_pbuf_custom;
812
813 /* Add it to end of rambuf's chain, but using pbuf_cat, not pbuf_chain
814 * so that it is removed when pbuf_dechain is later called on rambuf.
815 */
816 pbuf_cat(rambuf, newpbuf);
817 left_to_copy -= newpbuflen;
818 if (left_to_copy) {
819 p = p->next;
820 }
821 }
822 poff = newpbuflen;
823 #endif /* LWIP_NETIF_TX_SINGLE_PBUF */
824
825 /* Set headers */
826 frag_hdr->_nexth = original_ip6hdr->_nexth;
827 frag_hdr->reserved = 0;
828 frag_hdr->_fragment_offset = lwip_htons((fragment_offset & IP6_FRAG_OFFSET_MASK) | (last ? 0 : IP6_FRAG_MORE_FLAG));
829 frag_hdr->_identification = lwip_htonl(identification);
830
831 IP6H_NEXTH_SET(ip6hdr, IP6_NEXTH_FRAGMENT);
832 IP6H_PLEN_SET(ip6hdr, cop + IP6_FRAG_HLEN);
833
834 /* No need for separate header pbuf - we allowed room for it in rambuf
835 * when allocated.
836 */
837 IP6_FRAG_STATS_INC(ip6_frag.xmit);
838 netif->output_ip6(netif, rambuf, dest);
839
840 /* Unfortunately we can't reuse rambuf - the hardware may still be
841 * using the buffer. Instead we free it (and the ensuing chain) and
842 * recreate it next time round the loop. If we're lucky the hardware
843 * will have already sent the packet, the free will really free, and
844 * there will be zero memory penalty.
845 */
846
847 pbuf_free(rambuf);
848 left -= cop;
849 fragment_offset += cop;
850 }
851 return ERR_OK;
852 }
853
854 #endif /* LWIP_IPV6 && LWIP_IPV6_FRAG */
855