| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
1 | /* $NetBSD: frag6.c,v 1.77 2023/08/29 17:01:35 christos Exp $ */ | | 1 | /* $NetBSD: frag6.c,v 1.78 2024/04/19 05:04:06 ozaki-r Exp $ */ |
2 | /* $KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $ */ | | 2 | /* $KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $ */ |
3 | | | 3 | |
4 | /* | | 4 | /* |
5 | * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. | | 5 | * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. |
6 | * All rights reserved. | | 6 | * All rights reserved. |
7 | * | | 7 | * |
8 | * Redistribution and use in source and binary forms, with or without | | 8 | * Redistribution and use in source and binary forms, with or without |
9 | * modification, are permitted provided that the following conditions | | 9 | * modification, are permitted provided that the following conditions |
10 | * are met: | | 10 | * are met: |
11 | * 1. Redistributions of source code must retain the above copyright | | 11 | * 1. Redistributions of source code must retain the above copyright |
12 | * notice, this list of conditions and the following disclaimer. | | 12 | * notice, this list of conditions and the following disclaimer. |
13 | * 2. Redistributions in binary form must reproduce the above copyright | | 13 | * 2. Redistributions in binary form must reproduce the above copyright |
14 | * notice, this list of conditions and the following disclaimer in the | | 14 | * notice, this list of conditions and the following disclaimer in the |
| @@ -21,27 +21,27 @@ | | | @@ -21,27 +21,27 @@ |
21 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | | 21 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | | 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
23 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE | | 23 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE |
24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | | 24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | | 25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | | 26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | | 27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | | 28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | | 29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
30 | * SUCH DAMAGE. | | 30 | * SUCH DAMAGE. |
31 | */ | | 31 | */ |
32 | | | 32 | |
33 | #include <sys/cdefs.h> | | 33 | #include <sys/cdefs.h> |
34 | __KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.77 2023/08/29 17:01:35 christos Exp $"); | | 34 | __KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.78 2024/04/19 05:04:06 ozaki-r Exp $"); |
35 | | | 35 | |
36 | #ifdef _KERNEL_OPT | | 36 | #ifdef _KERNEL_OPT |
37 | #include "opt_net_mpsafe.h" | | 37 | #include "opt_net_mpsafe.h" |
38 | #endif | | 38 | #endif |
39 | | | 39 | |
40 | #include <sys/param.h> | | 40 | #include <sys/param.h> |
41 | #include <sys/systm.h> | | 41 | #include <sys/systm.h> |
42 | #include <sys/mbuf.h> | | 42 | #include <sys/mbuf.h> |
43 | #include <sys/errno.h> | | 43 | #include <sys/errno.h> |
44 | #include <sys/time.h> | | 44 | #include <sys/time.h> |
45 | #include <sys/kmem.h> | | 45 | #include <sys/kmem.h> |
46 | #include <sys/kernel.h> | | 46 | #include <sys/kernel.h> |
47 | #include <sys/syslog.h> | | 47 | #include <sys/syslog.h> |
| @@ -196,29 +196,30 @@ frag6_input(struct mbuf **mp, int *offp, | | | @@ -196,29 +196,30 @@ frag6_input(struct mbuf **mp, int *offp, |
196 | /* jumbo payload can't contain a fragment header */ | | 196 | /* jumbo payload can't contain a fragment header */ |
197 | if (ip6->ip6_plen == 0) { | | 197 | if (ip6->ip6_plen == 0) { |
198 | icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, offset); | | 198 | icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, offset); |
199 | in6_ifstat_inc(dstifp, ifs6_reass_fail); | | 199 | in6_ifstat_inc(dstifp, ifs6_reass_fail); |
200 | goto done; | | 200 | goto done; |
201 | } | | 201 | } |
202 | | | 202 | |
203 | /* | | 203 | /* |
204 | * Check whether fragment packet's fragment length is non-zero and | | 204 | * Check whether fragment packet's fragment length is non-zero and |
205 | * multiple of 8 octets. | | 205 | * multiple of 8 octets. |
206 | * sizeof(struct ip6_frag) == 8 | | 206 | * sizeof(struct ip6_frag) == 8 |
207 | * sizeof(struct ip6_hdr) = 40 | | 207 | * sizeof(struct ip6_hdr) = 40 |
208 | */ | | 208 | */ |
209 | if ((ip6f->ip6f_offlg & IP6F_MORE_FRAG) && | | 209 | frgpartlen = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen) - offset |
210 | (((ntohs(ip6->ip6_plen) - offset) == 0) || | | 210 | - sizeof(struct ip6_frag); |
211 | ((ntohs(ip6->ip6_plen) - offset) & 0x7) != 0)) { | | 211 | if ((frgpartlen == 0) || |
| | | 212 | ((ip6f->ip6f_offlg & IP6F_MORE_FRAG) && (frgpartlen & 0x7) != 0)) { |
212 | icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, | | 213 | icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, |
213 | offsetof(struct ip6_hdr, ip6_plen)); | | 214 | offsetof(struct ip6_hdr, ip6_plen)); |
214 | in6_ifstat_inc(dstifp, ifs6_reass_fail); | | 215 | in6_ifstat_inc(dstifp, ifs6_reass_fail); |
215 | goto done; | | 216 | goto done; |
216 | } | | 217 | } |
217 | | | 218 | |
218 | IP6_STATINC(IP6_STAT_FRAGMENTS); | | 219 | IP6_STATINC(IP6_STAT_FRAGMENTS); |
219 | in6_ifstat_inc(dstifp, ifs6_reass_reqd); | | 220 | in6_ifstat_inc(dstifp, ifs6_reass_reqd); |
220 | | | 221 | |
221 | /* offset now points to data portion */ | | 222 | /* offset now points to data portion */ |
222 | offset += sizeof(struct ip6_frag); | | 223 | offset += sizeof(struct ip6_frag); |
223 | | | 224 | |
224 | /* | | 225 | /* |
| @@ -306,27 +307,26 @@ frag6_input(struct mbuf **mp, int *offp, | | | @@ -306,27 +307,26 @@ frag6_input(struct mbuf **mp, int *offp, |
306 | * unfragmentable part and the next header of the fragment header. | | 307 | * unfragmentable part and the next header of the fragment header. |
307 | */ | | 308 | */ |
308 | if (fragoff == 0) { | | 309 | if (fragoff == 0) { |
309 | q6->ip6q_unfrglen = offset - sizeof(struct ip6_hdr) - | | 310 | q6->ip6q_unfrglen = offset - sizeof(struct ip6_hdr) - |
310 | sizeof(struct ip6_frag); | | 311 | sizeof(struct ip6_frag); |
311 | q6->ip6q_nxt = ip6f->ip6f_nxt; | | 312 | q6->ip6q_nxt = ip6f->ip6f_nxt; |
312 | } | | 313 | } |
313 | | | 314 | |
314 | /* | | 315 | /* |
315 | * Check that the reassembled packet would not exceed 65535 bytes | | 316 | * Check that the reassembled packet would not exceed 65535 bytes |
316 | * in size. If it would exceed, discard the fragment and return an | | 317 | * in size. If it would exceed, discard the fragment and return an |
317 | * ICMP error. | | 318 | * ICMP error. |
318 | */ | | 319 | */ |
319 | frgpartlen = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen) - offset; | | | |
320 | if (q6->ip6q_unfrglen >= 0) { | | 320 | if (q6->ip6q_unfrglen >= 0) { |
321 | /* The 1st fragment has already arrived. */ | | 321 | /* The 1st fragment has already arrived. */ |
322 | if (q6->ip6q_unfrglen + fragoff + frgpartlen > IPV6_MAXPACKET) { | | 322 | if (q6->ip6q_unfrglen + fragoff + frgpartlen > IPV6_MAXPACKET) { |
323 | mutex_exit(&frag6_lock); | | 323 | mutex_exit(&frag6_lock); |
324 | icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, | | 324 | icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, |
325 | offset - sizeof(struct ip6_frag) + | | 325 | offset - sizeof(struct ip6_frag) + |
326 | offsetof(struct ip6_frag, ip6f_offlg)); | | 326 | offsetof(struct ip6_frag, ip6f_offlg)); |
327 | goto done; | | 327 | goto done; |
328 | } | | 328 | } |
329 | } else if (fragoff + frgpartlen > IPV6_MAXPACKET) { | | 329 | } else if (fragoff + frgpartlen > IPV6_MAXPACKET) { |
330 | mutex_exit(&frag6_lock); | | 330 | mutex_exit(&frag6_lock); |
331 | icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, | | 331 | icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, |
332 | offset - sizeof(struct ip6_frag) + | | 332 | offset - sizeof(struct ip6_frag) + |