1 /* $OpenBSD: in6_pcb.c,v 1.95 2016/07/22 11:14:41 mpi Exp $ */ 2 3 /* 4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the project nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 /* 33 * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995 34 * 35 * NRL grants permission for redistribution and use in source and binary 36 * forms, with or without modification, of the software and documentation 37 * created at NRL provided that the following conditions are met: 38 * 39 * 1. Redistributions of source code must retain the above copyright 40 * notice, this list of conditions and the following disclaimer. 41 * 2. Redistributions in binary form must reproduce the above copyright 42 * notice, this list of conditions and the following disclaimer in the 43 * documentation and/or other materials provided with the distribution. 44 * 3. All advertising materials mentioning features or use of this software 45 * must display the following acknowledgements: 46 * This product includes software developed by the University of 47 * California, Berkeley and its contributors. 48 * This product includes software developed at the Information 49 * Technology Division, US Naval Research Laboratory. 50 * 4. Neither the name of the NRL nor the names of its contributors 51 * may be used to endorse or promote products derived from this software 52 * without specific prior written permission. 53 * 54 * THE SOFTWARE PROVIDED BY NRL IS PROVIDED BY NRL AND CONTRIBUTORS ``AS 55 * IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 56 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 57 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NRL OR 58 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 59 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 60 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 61 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 62 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 63 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 64 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 65 * 66 * The views and conclusions contained in the software and documentation 67 * are those of the authors and should not be interpreted as representing 68 * official policies, either expressed or implied, of the US Naval 69 * Research Laboratory (NRL). 70 */ 71 72 /* 73 * Copyright (c) 1982, 1986, 1990, 1993, 1995 74 * Regents of the University of California. All rights reserved. 75 * 76 * Redistribution and use in source and binary forms, with or without 77 * modification, are permitted provided that the following conditions 78 * are met: 79 * 1. Redistributions of source code must retain the above copyright 80 * notice, this list of conditions and the following disclaimer. 81 * 2. Redistributions in binary form must reproduce the above copyright 82 * notice, this list of conditions and the following disclaimer in the 83 * documentation and/or other materials provided with the distribution. 84 * 3. Neither the name of the University nor the names of its contributors 85 * may be used to endorse or promote products derived from this software 86 * without specific prior written permission. 87 * 88 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 89 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 90 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 91 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 92 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 93 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 94 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 95 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 96 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 97 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 98 * SUCH DAMAGE. 99 * 100 */ 101 102 #include <sys/param.h> 103 #include <sys/systm.h> 104 #include <sys/mbuf.h> 105 #include <sys/domain.h> 106 #include <sys/protosw.h> 107 #include <sys/socket.h> 108 #include <sys/socketvar.h> 109 #include <sys/errno.h> 110 #include <sys/time.h> 111 #include <sys/proc.h> 112 #include <sys/pledge.h> 113 114 #include <net/if.h> 115 #include <net/if_var.h> 116 #include <net/route.h> 117 118 #include <netinet/in.h> 119 #include <netinet/ip.h> 120 #include <netinet/in_pcb.h> 121 #include <netinet/ip_var.h> 122 123 #include <netinet6/in6_var.h> 124 #include <netinet/ip6.h> 125 #include <netinet6/ip6_var.h> 126 127 /* 128 * External globals 129 */ 130 131 /* 132 * Globals 133 */ 134 135 struct in6_addr zeroin6_addr; 136 137 /* 138 * Keep separate inet6ctlerrmap, because I may remap some of these. 139 * I also put it here, because, quite frankly, it belongs here, not in 140 * ip{v6,}_input(). 141 */ 142 #if 0 143 u_char inet6ctlerrmap[PRC_NCMDS] = { 144 0, 0, 0, 0, 145 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH, 146 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, 147 EMSGSIZE, EHOSTUNREACH, 0, 0, 148 0, 0, 0, 0, 149 ENOPROTOOPT 150 }; 151 #endif 152 153 int 154 in6_pcbaddrisavail(struct inpcb *inp, struct sockaddr_in6 *sin6, int wild, 155 struct proc *p) 156 { 157 struct socket *so = inp->inp_socket; 158 struct inpcbtable *table = inp->inp_table; 159 u_short lport = sin6->sin6_port; 160 int reuseport = (so->so_options & SO_REUSEPORT); 161 162 wild |= INPLOOKUP_IPV6; 163 /* KAME hack: embed scopeid */ 164 if (in6_embedscope(&sin6->sin6_addr, sin6, inp) != 0) 165 return (EINVAL); 166 /* this must be cleared for ifa_ifwithaddr() */ 167 sin6->sin6_scope_id = 0; 168 /* reject IPv4 mapped address, we have no support for it */ 169 if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) 170 return (EADDRNOTAVAIL); 171 172 if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr)) { 173 /* 174 * Treat SO_REUSEADDR as SO_REUSEPORT for multicast; 175 * allow complete duplication of binding if 176 * SO_REUSEPORT is set, or if SO_REUSEADDR is set 177 * and a multicast address is bound on both 178 * new and duplicated sockets. 179 */ 180 if (so->so_options & (SO_REUSEADDR|SO_REUSEPORT)) 181 reuseport = SO_REUSEADDR | SO_REUSEPORT; 182 } else if (!IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) { 183 struct ifaddr *ifa = NULL; 184 185 sin6->sin6_port = 0; /* 186 * Yechhhh, because of upcoming 187 * call to ifa_ifwithaddr(), which 188 * does bcmp's over the PORTS as 189 * well. (What about flow?) 190 */ 191 sin6->sin6_flowinfo = 0; 192 if (!(so->so_options & SO_BINDANY) && 193 (ifa = ifa_ifwithaddr(sin6tosa(sin6), 194 inp->inp_rtableid)) == NULL) 195 return (EADDRNOTAVAIL); 196 sin6->sin6_port = lport; 197 198 /* 199 * bind to an anycast address might accidentally 200 * cause sending a packet with an anycast source 201 * address, so we forbid it. 202 * 203 * We should allow to bind to a deprecated address, 204 * since the application dare to use it. 205 * But, can we assume that they are careful enough 206 * to check if the address is deprecated or not? 207 * Maybe, as a safeguard, we should have a setsockopt 208 * flag to control the bind(2) behavior against 209 * deprecated addresses (default: forbid bind(2)). 210 */ 211 if (ifa && ifatoia6(ifa)->ia6_flags & (IN6_IFF_ANYCAST| 212 IN6_IFF_TENTATIVE|IN6_IFF_DUPLICATED|IN6_IFF_DETACHED)) 213 return (EADDRNOTAVAIL); 214 } 215 if (lport) { 216 struct inpcb *t; 217 218 if (so->so_euid) { 219 t = in_pcblookup_local(table, 220 (struct in_addr *)&sin6->sin6_addr, lport, 221 INPLOOKUP_WILDCARD | INPLOOKUP_IPV6, 222 inp->inp_rtableid); 223 if (t && (so->so_euid != t->inp_socket->so_euid)) 224 return (EADDRINUSE); 225 } 226 t = in_pcblookup_local(table, 227 (struct in_addr *)&sin6->sin6_addr, lport, 228 wild, inp->inp_rtableid); 229 if (t && (reuseport & t->inp_socket->so_options) == 0) 230 return (EADDRINUSE); 231 } 232 return (0); 233 } 234 235 /* 236 * Connect from a socket to a specified address. 237 * Both address and port must be specified in argument sin6. 238 * Eventually, flow labels will have to be dealt with here, as well. 239 * 240 * If don't have a local address for this socket yet, 241 * then pick one. 242 */ 243 int 244 in6_pcbconnect(struct inpcb *inp, struct mbuf *nam) 245 { 246 struct in6_addr *in6a = NULL; 247 struct sockaddr_in6 *sin6 = mtod(nam, struct sockaddr_in6 *); 248 int error = 0; 249 struct sockaddr_in6 tmp; 250 251 (void)&in6a; /* XXX fool gcc */ 252 253 if (nam->m_len != sizeof(*sin6)) 254 return (EINVAL); 255 if (sin6->sin6_family != AF_INET6) 256 return (EAFNOSUPPORT); 257 if (sin6->sin6_port == 0) 258 return (EADDRNOTAVAIL); 259 260 /* reject IPv4 mapped address, we have no support for it */ 261 if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) 262 return EADDRNOTAVAIL; 263 264 /* sanity check for mapped address case */ 265 if (IN6_IS_ADDR_V4MAPPED(&inp->inp_laddr6)) 266 return EINVAL; 267 268 /* protect *sin6 from overwrites */ 269 tmp = *sin6; 270 sin6 = &tmp; 271 272 /* KAME hack: embed scopeid */ 273 if (in6_embedscope(&sin6->sin6_addr, sin6, inp) != 0) 274 return EINVAL; 275 /* this must be cleared for ifa_ifwithaddr() */ 276 sin6->sin6_scope_id = 0; 277 278 /* Source address selection. */ 279 /* 280 * XXX: in6_selectsrc might replace the bound local address 281 * with the address specified by setsockopt(IPV6_PKTINFO). 282 * Is it the intended behavior? 283 */ 284 error = in6_selectsrc(&in6a, sin6, inp->inp_outputopts6, 285 inp->inp_moptions6, &inp->inp_route6, &inp->inp_laddr6, 286 inp->inp_rtableid); 287 if (error) 288 return (error); 289 290 inp->inp_ipv6.ip6_hlim = (u_int8_t)in6_selecthlim(inp); 291 292 if (in6_pcbhashlookup(inp->inp_table, &sin6->sin6_addr, sin6->sin6_port, 293 IN6_IS_ADDR_UNSPECIFIED(&inp->inp_laddr6) ? in6a : &inp->inp_laddr6, 294 inp->inp_lport, inp->inp_rtableid)) { 295 return (EADDRINUSE); 296 } 297 298 KASSERT(IN6_IS_ADDR_UNSPECIFIED(&inp->inp_laddr6) || inp->inp_lport); 299 300 if (IN6_IS_ADDR_UNSPECIFIED(&inp->inp_laddr6)) { 301 if (inp->inp_lport == 0 && 302 in_pcbbind(inp, NULL, curproc) == EADDRNOTAVAIL) 303 return (EADDRNOTAVAIL); 304 inp->inp_laddr6 = *in6a; 305 } 306 inp->inp_faddr6 = sin6->sin6_addr; 307 inp->inp_fport = sin6->sin6_port; 308 inp->inp_flowinfo &= ~IPV6_FLOWLABEL_MASK; 309 if (ip6_auto_flowlabel) 310 inp->inp_flowinfo |= 311 (htonl(ip6_randomflowlabel()) & IPV6_FLOWLABEL_MASK); 312 in_pcbrehash(inp); 313 return (0); 314 } 315 316 /* 317 * Pass some notification to all connections of a protocol 318 * associated with address dst. The local address and/or port numbers 319 * may be specified to limit the search. The "usual action" will be 320 * taken, depending on the ctlinput cmd. The caller must filter any 321 * cmds that are uninteresting (e.g., no error in the map). 322 * Call the protocol specific routine (if any) to report 323 * any errors for each matching socket. 324 * 325 * Also perform input-side security policy check 326 * once PCB to be notified has been located. 327 */ 328 int 329 in6_pcbnotify(struct inpcbtable *head, struct sockaddr_in6 *dst, 330 uint fport_arg, const struct sockaddr_in6 *src, uint lport_arg, 331 u_int rdomain, int cmd, void *cmdarg, void (*notify)(struct inpcb *, int)) 332 { 333 struct inpcb *inp, *ninp; 334 u_short fport = fport_arg, lport = lport_arg; 335 struct sockaddr_in6 sa6_src; 336 int errno, nmatch = 0; 337 u_int32_t flowinfo; 338 339 if ((unsigned)cmd >= PRC_NCMDS) 340 return (0); 341 342 if (IN6_IS_ADDR_UNSPECIFIED(&dst->sin6_addr)) 343 return (0); 344 if (IN6_IS_ADDR_V4MAPPED(&dst->sin6_addr)) { 345 #ifdef DIAGNOSTIC 346 printf("Huh? Thought in6_pcbnotify() never got " 347 "called with mapped!\n"); 348 #endif 349 return (0); 350 } 351 352 rdomain = rtable_l2(rdomain); 353 /* 354 * note that src can be NULL when we get notify by local fragmentation. 355 */ 356 sa6_src = (src == NULL) ? sa6_any : *src; 357 flowinfo = sa6_src.sin6_flowinfo; 358 359 /* 360 * Redirects go to all references to the destination, 361 * and use in_rtchange to invalidate the route cache. 362 * Dead host indications: also use in_rtchange to invalidate 363 * the cache, and deliver the error to all the sockets. 364 * Otherwise, if we have knowledge of the local port and address, 365 * deliver only to that socket. 366 */ 367 if (PRC_IS_REDIRECT(cmd) || cmd == PRC_HOSTDEAD) { 368 fport = 0; 369 lport = 0; 370 sa6_src.sin6_addr = in6addr_any; 371 372 if (cmd != PRC_HOSTDEAD) 373 notify = in_rtchange; 374 } 375 errno = inet6ctlerrmap[cmd]; 376 377 TAILQ_FOREACH_SAFE(inp, &head->inpt_queue, inp_queue, ninp) { 378 if ((inp->inp_flags & INP_IPV6) == 0) 379 continue; 380 381 /* 382 * Under the following condition, notify of redirects 383 * to the pcb, without making address matches against inpcb. 384 * - redirect notification is arrived. 385 * - the inpcb is unconnected. 386 * - the inpcb is caching !RTF_HOST routing entry. 387 * - the ICMPv6 notification is from the gateway cached in the 388 * inpcb. i.e. ICMPv6 notification is from nexthop gateway 389 * the inpcb used very recently. 390 * 391 * This is to improve interaction between netbsd/openbsd 392 * redirect handling code, and inpcb route cache code. 393 * without the clause, !RTF_HOST routing entry (which carries 394 * gateway used by inpcb right before the ICMPv6 redirect) 395 * will be cached forever in unconnected inpcb. 396 * 397 * There still is a question regarding to what is TRT: 398 * - On bsdi/freebsd, RTF_HOST (cloned) routing entry will be 399 * generated on packet output. inpcb will always cache 400 * RTF_HOST routing entry so there's no need for the clause 401 * (ICMPv6 redirect will update RTF_HOST routing entry, 402 * and inpcb is caching it already). 403 * However, bsdi/freebsd are vulnerable to local DoS attacks 404 * due to the cloned routing entries. 405 * - Specwise, "destination cache" is mentioned in RFC2461. 406 * Jinmei says that it implies bsdi/freebsd behavior, itojun 407 * is not really convinced. 408 * - Having hiwat/lowat on # of cloned host route (redirect/ 409 * pmtud) may be a good idea. netbsd/openbsd has it. see 410 * icmp6_mtudisc_update(). 411 */ 412 if ((PRC_IS_REDIRECT(cmd) || cmd == PRC_HOSTDEAD) && 413 IN6_IS_ADDR_UNSPECIFIED(&inp->inp_laddr6) && 414 inp->inp_route.ro_rt && 415 !(inp->inp_route.ro_rt->rt_flags & RTF_HOST)) { 416 struct sockaddr_in6 *dst6; 417 418 dst6 = satosin6(&inp->inp_route.ro_dst); 419 if (IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, 420 &dst->sin6_addr)) 421 goto do_notify; 422 } 423 424 /* 425 * Detect if we should notify the error. If no source and 426 * destination ports are specified, but non-zero flowinfo and 427 * local address match, notify the error. This is the case 428 * when the error is delivered with an encrypted buffer 429 * by ESP. Otherwise, just compare addresses and ports 430 * as usual. 431 */ 432 if (lport == 0 && fport == 0 && flowinfo && 433 inp->inp_socket != NULL && 434 flowinfo == (inp->inp_flowinfo & IPV6_FLOWLABEL_MASK) && 435 IN6_ARE_ADDR_EQUAL(&inp->inp_laddr6, &sa6_src.sin6_addr)) 436 goto do_notify; 437 else if (!IN6_ARE_ADDR_EQUAL(&inp->inp_faddr6, 438 &dst->sin6_addr) || 439 rtable_l2(inp->inp_rtableid) != rdomain || 440 inp->inp_socket == 0 || 441 (lport && inp->inp_lport != lport) || 442 (!IN6_IS_ADDR_UNSPECIFIED(&sa6_src.sin6_addr) && 443 !IN6_ARE_ADDR_EQUAL(&inp->inp_laddr6, 444 &sa6_src.sin6_addr)) || 445 (fport && inp->inp_fport != fport)) { 446 continue; 447 } 448 do_notify: 449 nmatch++; 450 if (notify) 451 (*notify)(inp, errno); 452 } 453 return (nmatch); 454 } 455 456 /* 457 * Get the local address/port, and put it in a sockaddr_in6. 458 * This services the getsockname(2) call. 459 */ 460 int 461 in6_setsockaddr(struct inpcb *inp, struct mbuf *nam) 462 { 463 struct sockaddr_in6 *sin6; 464 465 nam->m_len = sizeof(struct sockaddr_in6); 466 sin6 = mtod(nam,struct sockaddr_in6 *); 467 468 bzero ((caddr_t)sin6,sizeof(struct sockaddr_in6)); 469 sin6->sin6_family = AF_INET6; 470 sin6->sin6_len = sizeof(struct sockaddr_in6); 471 sin6->sin6_port = inp->inp_lport; 472 sin6->sin6_addr = inp->inp_laddr6; 473 /* KAME hack: recover scopeid */ 474 in6_recoverscope(sin6, &inp->inp_laddr6); 475 476 return 0; 477 } 478 479 /* 480 * Get the foreign address/port, and put it in a sockaddr_in6. 481 * This services the getpeername(2) call. 482 */ 483 int 484 in6_setpeeraddr(struct inpcb *inp, struct mbuf *nam) 485 { 486 struct sockaddr_in6 *sin6; 487 488 nam->m_len = sizeof(struct sockaddr_in6); 489 sin6 = mtod(nam,struct sockaddr_in6 *); 490 491 bzero ((caddr_t)sin6,sizeof(struct sockaddr_in6)); 492 sin6->sin6_family = AF_INET6; 493 sin6->sin6_len = sizeof(struct sockaddr_in6); 494 sin6->sin6_port = inp->inp_fport; 495 sin6->sin6_addr = inp->inp_faddr6; 496 /* KAME hack: recover scopeid */ 497 in6_recoverscope(sin6, &inp->inp_faddr6); 498 499 return 0; 500 } 501