1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * NET3: Implementation of the ICMP protocol layer.
4 *
5 * Alan Cox, <alan@lxorguk.ukuu.org.uk>
6 *
7 * Some of the function names and the icmp unreach table for this
8 * module were derived from [icmp.c 1.0.11 06/02/93] by
9 * Ross Biro, Fred N. van Kempen, Mark Evans, Alan Cox, Gerhard Koerting.
10 * Other than that this module is a complete rewrite.
11 *
12 * Fixes:
13 * Clemens Fruhwirth : introduce global icmp rate limiting
14 * with icmp type masking ability instead
15 * of broken per type icmp timeouts.
16 * Mike Shaver : RFC1122 checks.
17 * Alan Cox : Multicast ping reply as self.
18 * Alan Cox : Fix atomicity lockup in ip_build_xmit
19 * call.
20 * Alan Cox : Added 216,128 byte paths to the MTU
21 * code.
22 * Martin Mares : RFC1812 checks.
23 * Martin Mares : Can be configured to follow redirects
24 * if acting as a router _without_ a
25 * routing protocol (RFC 1812).
26 * Martin Mares : Echo requests may be configured to
27 * be ignored (RFC 1812).
28 * Martin Mares : Limitation of ICMP error message
29 * transmit rate (RFC 1812).
30 * Martin Mares : TOS and Precedence set correctly
31 * (RFC 1812).
32 * Martin Mares : Now copying as much data from the
33 * original packet as we can without
34 * exceeding 576 bytes (RFC 1812).
35 * Willy Konynenberg : Transparent proxying support.
36 * Keith Owens : RFC1191 correction for 4.2BSD based
37 * path MTU bug.
38 * Thomas Quinot : ICMP Dest Unreach codes up to 15 are
39 * valid (RFC 1812).
40 * Andi Kleen : Check all packet lengths properly
41 * and moved all kfree_skb() up to
42 * icmp_rcv.
43 * Andi Kleen : Move the rate limit bookkeeping
44 * into the dest entry and use a token
45 * bucket filter (thanks to ANK). Make
46 * the rates sysctl configurable.
47 * Yu Tianli : Fixed two ugly bugs in icmp_send
48 * - IP option length was accounted wrongly
49 * - ICMP header length was not accounted
50 * at all.
51 * Tristan Greaves : Added sysctl option to ignore bogus
52 * broadcast responses from broken routers.
53 *
54 * To Fix:
55 *
56 * - Should use skb_pull() instead of all the manual checking.
57 * This would also greatly simply some upper layer error handlers. --AK
58 */
59
60 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
61
62 #include <linux/module.h>
63 #include <linux/types.h>
64 #include <linux/jiffies.h>
65 #include <linux/kernel.h>
66 #include <linux/fcntl.h>
67 #include <linux/socket.h>
68 #include <linux/in.h>
69 #include <linux/inet.h>
70 #include <linux/inetdevice.h>
71 #include <linux/netdevice.h>
72 #include <linux/string.h>
73 #include <linux/netfilter_ipv4.h>
74 #include <linux/slab.h>
75 #include <net/snmp.h>
76 #include <net/ip.h>
77 #include <net/route.h>
78 #include <net/protocol.h>
79 #include <net/icmp.h>
80 #include <net/tcp.h>
81 #include <net/udp.h>
82 #include <net/raw.h>
83 #include <net/ping.h>
84 #include <linux/skbuff.h>
85 #include <net/sock.h>
86 #include <linux/errno.h>
87 #include <linux/timer.h>
88 #include <linux/init.h>
89 #include <linux/uaccess.h>
90 #include <net/checksum.h>
91 #include <net/xfrm.h>
92 #include <net/inet_common.h>
93 #include <net/ip_fib.h>
94 #include <net/l3mdev.h>
95 #include <net/addrconf.h>
96 #define CREATE_TRACE_POINTS
97 #include <trace/events/icmp.h>
98
99 /*
100 * Build xmit assembly blocks
101 */
102
103 struct icmp_bxm {
104 struct sk_buff *skb;
105 int offset;
106 int data_len;
107
108 struct {
109 struct icmphdr icmph;
110 __be32 times[3];
111 } data;
112 int head_len;
113 struct ip_options_data replyopts;
114 };
115
116 /* An array of errno for error messages from dest unreach. */
117 /* RFC 1122: 3.2.2.1 States that NET_UNREACH, HOST_UNREACH and SR_FAILED MUST be considered 'transient errs'. */
118
119 const struct icmp_err icmp_err_convert[] = {
120 {
121 .errno = ENETUNREACH, /* ICMP_NET_UNREACH */
122 .fatal = 0,
123 },
124 {
125 .errno = EHOSTUNREACH, /* ICMP_HOST_UNREACH */
126 .fatal = 0,
127 },
128 {
129 .errno = ENOPROTOOPT /* ICMP_PROT_UNREACH */,
130 .fatal = 1,
131 },
132 {
133 .errno = ECONNREFUSED, /* ICMP_PORT_UNREACH */
134 .fatal = 1,
135 },
136 {
137 .errno = EMSGSIZE, /* ICMP_FRAG_NEEDED */
138 .fatal = 0,
139 },
140 {
141 .errno = EOPNOTSUPP, /* ICMP_SR_FAILED */
142 .fatal = 0,
143 },
144 {
145 .errno = ENETUNREACH, /* ICMP_NET_UNKNOWN */
146 .fatal = 1,
147 },
148 {
149 .errno = EHOSTDOWN, /* ICMP_HOST_UNKNOWN */
150 .fatal = 1,
151 },
152 {
153 .errno = ENONET, /* ICMP_HOST_ISOLATED */
154 .fatal = 1,
155 },
156 {
157 .errno = ENETUNREACH, /* ICMP_NET_ANO */
158 .fatal = 1,
159 },
160 {
161 .errno = EHOSTUNREACH, /* ICMP_HOST_ANO */
162 .fatal = 1,
163 },
164 {
165 .errno = ENETUNREACH, /* ICMP_NET_UNR_TOS */
166 .fatal = 0,
167 },
168 {
169 .errno = EHOSTUNREACH, /* ICMP_HOST_UNR_TOS */
170 .fatal = 0,
171 },
172 {
173 .errno = EHOSTUNREACH, /* ICMP_PKT_FILTERED */
174 .fatal = 1,
175 },
176 {
177 .errno = EHOSTUNREACH, /* ICMP_PREC_VIOLATION */
178 .fatal = 1,
179 },
180 {
181 .errno = EHOSTUNREACH, /* ICMP_PREC_CUTOFF */
182 .fatal = 1,
183 },
184 };
185 EXPORT_SYMBOL(icmp_err_convert);
186
187 /*
188 * ICMP control array. This specifies what to do with each ICMP.
189 */
190
191 struct icmp_control {
192 enum skb_drop_reason (*handler)(struct sk_buff *skb);
193 short error; /* This ICMP is classed as an error message */
194 };
195
196 static const struct icmp_control icmp_pointers[NR_ICMP_TYPES+1];
197
198 static DEFINE_PER_CPU(struct sock *, ipv4_icmp_sk);
199
200 /* Called with BH disabled */
201 static inline struct sock *icmp_xmit_lock(struct net *net)
202 {
203 struct sock *sk;
204
205 sk = this_cpu_read(ipv4_icmp_sk);
206
207 if (unlikely(!spin_trylock(&sk->sk_lock.slock))) {
208 /* This can happen if the output path signals a
209 * dst_link_failure() for an outgoing ICMP packet.
210 */
211 return NULL;
212 }
213 sock_net_set(sk, net);
214 return sk;
215 }
216
217 static inline void icmp_xmit_unlock(struct sock *sk)
218 {
219 sock_net_set(sk, &init_net);
220 spin_unlock(&sk->sk_lock.slock);
221 }
222
223 int sysctl_icmp_msgs_per_sec __read_mostly = 1000;
224 int sysctl_icmp_msgs_burst __read_mostly = 50;
225
226 static struct {
227 atomic_t credit;
228 u32 stamp;
229 } icmp_global;
230
231 /**
232 * icmp_global_allow - Are we allowed to send one more ICMP message ?
233 *
234 * Uses a token bucket to limit our ICMP messages to ~sysctl_icmp_msgs_per_sec.
235 * Returns false if we reached the limit and can not send another packet.
236 * Works in tandem with icmp_global_consume().
237 */
238 bool icmp_global_allow(void)
239 {
240 u32 delta, now, oldstamp;
241 int incr, new, old;
242
243 /* Note: many cpus could find this condition true.
244 * Then later icmp_global_consume() could consume more credits,
245 * this is an acceptable race.
246 */
247 if (atomic_read(&icmp_global.credit) > 0)
248 return true;
249
250 now = jiffies;
251 oldstamp = READ_ONCE(icmp_global.stamp);
252 delta = min_t(u32, now - oldstamp, HZ);
253 if (delta < HZ / 50)
254 return false;
255
256 incr = READ_ONCE(sysctl_icmp_msgs_per_sec) * delta / HZ;
257 if (!incr)
258 return false;
259
260 if (cmpxchg(&icmp_global.stamp, oldstamp, now) == oldstamp) {
261 old = atomic_read(&icmp_global.credit);
262 do {
263 new = min(old + incr, READ_ONCE(sysctl_icmp_msgs_burst));
264 } while (!atomic_try_cmpxchg(&icmp_global.credit, &old, new));
265 }
266 return true;
267 }
268 EXPORT_SYMBOL(icmp_global_allow);
269
270 void icmp_global_consume(void)
271 {
272 int credits = get_random_u32_below(3);
273
274 /* Note: this might make icmp_global.credit negative. */
275 if (credits)
276 atomic_sub(credits, &icmp_global.credit);
277 }
278 EXPORT_SYMBOL(icmp_global_consume);
279
280 static bool icmpv4_mask_allow(struct net *net, int type, int code)
281 {
282 if (type > NR_ICMP_TYPES)
283 return true;
284
285 /* Don't limit PMTU discovery. */
286 if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED)
287 return true;
288
289 /* Limit if icmp type is enabled in ratemask. */
290 if (!((1 << type) & READ_ONCE(net->ipv4.sysctl_icmp_ratemask)))
291 return true;
292
293 return false;
294 }
295
296 static bool icmpv4_global_allow(struct net *net, int type, int code,
297 bool *apply_ratelimit)
298 {
299 if (icmpv4_mask_allow(net, type, code))
300 return true;
301
302 if (icmp_global_allow()) {
303 *apply_ratelimit = true;
304 return true;
305 }
306 __ICMP_INC_STATS(net, ICMP_MIB_RATELIMITGLOBAL);
307 return false;
308 }
309
310 /*
311 * Send an ICMP frame.
312 */
313
314 static bool icmpv4_xrlim_allow(struct net *net, struct rtable *rt,
315 struct flowi4 *fl4, int type, int code,
316 bool apply_ratelimit)
317 {
318 struct dst_entry *dst = &rt->dst;
319 struct inet_peer *peer;
320 bool rc = true;
321 int vif;
322
323 if (!apply_ratelimit)
324 return true;
325
326 /* No rate limit on loopback */
327 if (dst->dev && (dst->dev->flags&IFF_LOOPBACK))
328 goto out;
329
330 vif = l3mdev_master_ifindex(dst->dev);
331 peer = inet_getpeer_v4(net->ipv4.peers, fl4->daddr, vif, 1);
332 rc = inet_peer_xrlim_allow(peer,
333 READ_ONCE(net->ipv4.sysctl_icmp_ratelimit));
334 if (peer)
335 inet_putpeer(peer);
336 out:
337 if (!rc)
338 __ICMP_INC_STATS(net, ICMP_MIB_RATELIMITHOST);
339 else
340 icmp_global_consume();
341 return rc;
342 }
343
344 /*
345 * Maintain the counters used in the SNMP statistics for outgoing ICMP
346 */
347 void icmp_out_count(struct net *net, unsigned char type)
348 {
349 ICMPMSGOUT_INC_STATS(net, type);
350 ICMP_INC_STATS(net, ICMP_MIB_OUTMSGS);
351 }
352
353 /*
354 * Checksum each fragment, and on the first include the headers and final
355 * checksum.
356 */
357 static int icmp_glue_bits(void *from, char *to, int offset, int len, int odd,
358 struct sk_buff *skb)
359 {
360 struct icmp_bxm *icmp_param = from;
361 __wsum csum;
362
363 csum = skb_copy_and_csum_bits(icmp_param->skb,
364 icmp_param->offset + offset,
365 to, len);
366
367 skb->csum = csum_block_add(skb->csum, csum, odd);
368 if (icmp_pointers[icmp_param->data.icmph.type].error)
369 nf_ct_attach(skb, icmp_param->skb);
370 return 0;
371 }
372
373 static void icmp_push_reply(struct sock *sk,
374 struct icmp_bxm *icmp_param,
375 struct flowi4 *fl4,
376 struct ipcm_cookie *ipc, struct rtable **rt)
377 {
378 struct sk_buff *skb;
379
380 if (ip_append_data(sk, fl4, icmp_glue_bits, icmp_param,
381 icmp_param->data_len+icmp_param->head_len,
382 icmp_param->head_len,
383 ipc, rt, MSG_DONTWAIT) < 0) {
384 __ICMP_INC_STATS(sock_net(sk), ICMP_MIB_OUTERRORS);
385 ip_flush_pending_frames(sk);
386 } else if ((skb = skb_peek(&sk->sk_write_queue)) != NULL) {
387 struct icmphdr *icmph = icmp_hdr(skb);
388 __wsum csum;
389 struct sk_buff *skb1;
390
391 csum = csum_partial_copy_nocheck((void *)&icmp_param->data,
392 (char *)icmph,
393 icmp_param->head_len);
394 skb_queue_walk(&sk->sk_write_queue, skb1) {
395 csum = csum_add(csum, skb1->csum);
396 }
397 icmph->checksum = csum_fold(csum);
398 skb->ip_summed = CHECKSUM_NONE;
399 ip_push_pending_frames(sk, fl4);
400 }
401 }
402
403 /*
404 * Driving logic for building and sending ICMP messages.
405 */
406
407 static void icmp_reply(struct icmp_bxm *icmp_param, struct sk_buff *skb)
408 {
409 struct ipcm_cookie ipc;
410 struct rtable *rt = skb_rtable(skb);
411 struct net *net = dev_net(rt->dst.dev);
412 bool apply_ratelimit = false;
413 struct flowi4 fl4;
414 struct sock *sk;
415 struct inet_sock *inet;
416 __be32 daddr, saddr;
417 u32 mark = IP4_REPLY_MARK(net, skb->mark);
418 int type = icmp_param->data.icmph.type;
419 int code = icmp_param->data.icmph.code;
420
421 if (ip_options_echo(net, &icmp_param->replyopts.opt.opt, skb))
422 return;
423
424 /* Needed by both icmpv4_global_allow and icmp_xmit_lock */
425 local_bh_disable();
426
427 /* is global icmp_msgs_per_sec exhausted ? */
428 if (!icmpv4_global_allow(net, type, code, &apply_ratelimit))
429 goto out_bh_enable;
430
431 sk = icmp_xmit_lock(net);
432 if (!sk)
433 goto out_bh_enable;
434 inet = inet_sk(sk);
435
436 icmp_param->data.icmph.checksum = 0;
437
438 ipcm_init(&ipc);
439 inet->tos = ip_hdr(skb)->tos;
440 ipc.sockc.mark = mark;
441 daddr = ipc.addr = ip_hdr(skb)->saddr;
442 saddr = fib_compute_spec_dst(skb);
443
444 if (icmp_param->replyopts.opt.opt.optlen) {
445 ipc.opt = &icmp_param->replyopts.opt;
446 if (ipc.opt->opt.srr)
447 daddr = icmp_param->replyopts.opt.opt.faddr;
448 }
449 memset(&fl4, 0, sizeof(fl4));
450 fl4.daddr = daddr;
451 fl4.saddr = saddr;
452 fl4.flowi4_mark = mark;
453 fl4.flowi4_uid = sock_net_uid(net, NULL);
454 fl4.flowi4_tos = RT_TOS(ip_hdr(skb)->tos);
455 fl4.flowi4_proto = IPPROTO_ICMP;
456 fl4.flowi4_oif = l3mdev_master_ifindex(skb->dev);
457 security_skb_classify_flow(skb, flowi4_to_flowi_common(&fl4));
458 rt = ip_route_output_key(net, &fl4);
459 if (IS_ERR(rt))
460 goto out_unlock;
461 if (icmpv4_xrlim_allow(net, rt, &fl4, type, code, apply_ratelimit))
462 icmp_push_reply(sk, icmp_param, &fl4, &ipc, &rt);
463 ip_rt_put(rt);
464 out_unlock:
465 icmp_xmit_unlock(sk);
466 out_bh_enable:
467 local_bh_enable();
468 }
469
470 /*
471 * The device used for looking up which routing table to use for sending an ICMP
472 * error is preferably the source whenever it is set, which should ensure the
473 * icmp error can be sent to the source host, else lookup using the routing
474 * table of the destination device, else use the main routing table (index 0).
475 */
476 static struct net_device *icmp_get_route_lookup_dev(struct sk_buff *skb)
477 {
478 struct net_device *route_lookup_dev = NULL;
479
480 if (skb->dev)
481 route_lookup_dev = skb->dev;
482 else if (skb_dst(skb))
483 route_lookup_dev = skb_dst(skb)->dev;
484 return route_lookup_dev;
485 }
486
487 static struct rtable *icmp_route_lookup(struct net *net,
488 struct flowi4 *fl4,
489 struct sk_buff *skb_in,
490 const struct iphdr *iph,
491 __be32 saddr, u8 tos, u32 mark,
492 int type, int code,
493 struct icmp_bxm *param)
494 {
495 struct net_device *route_lookup_dev;
496 struct dst_entry *dst, *dst2;
497 struct rtable *rt, *rt2;
498 struct flowi4 fl4_dec;
499 int err;
500
501 memset(fl4, 0, sizeof(*fl4));
502 fl4->daddr = (param->replyopts.opt.opt.srr ?
503 param->replyopts.opt.opt.faddr : iph->saddr);
504 fl4->saddr = saddr;
505 fl4->flowi4_mark = mark;
506 fl4->flowi4_uid = sock_net_uid(net, NULL);
507 fl4->flowi4_tos = RT_TOS(tos);
508 fl4->flowi4_proto = IPPROTO_ICMP;
509 fl4->fl4_icmp_type = type;
510 fl4->fl4_icmp_code = code;
511 route_lookup_dev = icmp_get_route_lookup_dev(skb_in);
512 fl4->flowi4_oif = l3mdev_master_ifindex(route_lookup_dev);
513
514 security_skb_classify_flow(skb_in, flowi4_to_flowi_common(fl4));
515 rt = ip_route_output_key_hash(net, fl4, skb_in);
516 if (IS_ERR(rt))
517 return rt;
518
519 /* No need to clone since we're just using its address. */
520 rt2 = rt;
521
522 dst = xfrm_lookup(net, &rt->dst,
523 flowi4_to_flowi(fl4), NULL, 0);
524 rt = dst_rtable(dst);
525 if (!IS_ERR(dst)) {
526 if (rt != rt2)
527 return rt;
528 } else if (PTR_ERR(dst) == -EPERM) {
529 rt = NULL;
530 } else {
531 return rt;
532 }
533 err = xfrm_decode_session_reverse(net, skb_in, flowi4_to_flowi(&fl4_dec), AF_INET);
534 if (err)
535 goto relookup_failed;
536
537 if (inet_addr_type_dev_table(net, route_lookup_dev,
538 fl4_dec.saddr) == RTN_LOCAL) {
539 rt2 = __ip_route_output_key(net, &fl4_dec);
540 if (IS_ERR(rt2))
541 err = PTR_ERR(rt2);
542 } else {
543 struct flowi4 fl4_2 = {};
544 unsigned long orefdst;
545
546 fl4_2.daddr = fl4_dec.saddr;
547 rt2 = ip_route_output_key(net, &fl4_2);
548 if (IS_ERR(rt2)) {
549 err = PTR_ERR(rt2);
550 goto relookup_failed;
551 }
552 /* Ugh! */
553 orefdst = skb_in->_skb_refdst; /* save old refdst */
554 skb_dst_set(skb_in, NULL);
555 err = ip_route_input(skb_in, fl4_dec.daddr, fl4_dec.saddr,
556 RT_TOS(tos), rt2->dst.dev);
557
558 dst_release(&rt2->dst);
559 rt2 = skb_rtable(skb_in);
560 skb_in->_skb_refdst = orefdst; /* restore old refdst */
561 }
562
563 if (err)
564 goto relookup_failed;
565
566 dst2 = xfrm_lookup(net, &rt2->dst, flowi4_to_flowi(&fl4_dec), NULL,
567 XFRM_LOOKUP_ICMP);
568 rt2 = dst_rtable(dst2);
569 if (!IS_ERR(dst2)) {
570 dst_release(&rt->dst);
571 memcpy(fl4, &fl4_dec, sizeof(*fl4));
572 rt = rt2;
573 } else if (PTR_ERR(dst2) == -EPERM) {
574 if (rt)
575 dst_release(&rt->dst);
576 return rt2;
577 } else {
578 err = PTR_ERR(dst2);
579 goto relookup_failed;
580 }
581 return rt;
582
583 relookup_failed:
584 if (rt)
585 return rt;
586 return ERR_PTR(err);
587 }
588
589 /*
590 * Send an ICMP message in response to a situation
591 *
592 * RFC 1122: 3.2.2 MUST send at least the IP header and 8 bytes of header.
593 * MAY send more (we do).
594 * MUST NOT change this header information.
595 * MUST NOT reply to a multicast/broadcast IP address.
596 * MUST NOT reply to a multicast/broadcast MAC address.
597 * MUST reply to only the first fragment.
598 */
599
600 void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info,
601 const struct ip_options *opt)
602 {
603 struct iphdr *iph;
604 int room;
605 struct icmp_bxm icmp_param;
606 struct rtable *rt = skb_rtable(skb_in);
607 bool apply_ratelimit = false;
608 struct ipcm_cookie ipc;
609 struct flowi4 fl4;
610 __be32 saddr;
611 u8 tos;
612 u32 mark;
613 struct net *net;
614 struct sock *sk;
615
616 if (!rt)
617 goto out;
618
619 if (rt->dst.dev)
620 net = dev_net(rt->dst.dev);
621 else if (skb_in->dev)
622 net = dev_net(skb_in->dev);
623 else
624 goto out;
625
626 /*
627 * Find the original header. It is expected to be valid, of course.
628 * Check this, icmp_send is called from the most obscure devices
629 * sometimes.
630 */
631 iph = ip_hdr(skb_in);
632
633 if ((u8 *)iph < skb_in->head ||
634 (skb_network_header(skb_in) + sizeof(*iph)) >
635 skb_tail_pointer(skb_in))
636 goto out;
637
638 /*
639 * No replies to physical multicast/broadcast
640 */
641 if (skb_in->pkt_type != PACKET_HOST)
642 goto out;
643
644 /*
645 * Now check at the protocol level
646 */
647 if (rt->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST))
648 goto out;
649
650 /*
651 * Only reply to fragment 0. We byte re-order the constant
652 * mask for efficiency.
653 */
654 if (iph->frag_off & htons(IP_OFFSET))
655 goto out;
656
657 /*
658 * If we send an ICMP error to an ICMP error a mess would result..
659 */
660 if (icmp_pointers[type].error) {
661 /*
662 * We are an error, check if we are replying to an
663 * ICMP error
664 */
665 if (iph->protocol == IPPROTO_ICMP) {
666 u8 _inner_type, *itp;
667
668 itp = skb_header_pointer(skb_in,
669 skb_network_header(skb_in) +
670 (iph->ihl << 2) +
671 offsetof(struct icmphdr,
672 type) -
673 skb_in->data,
674 sizeof(_inner_type),
675 &_inner_type);
676 if (!itp)
677 goto out;
678
679 /*
680 * Assume any unknown ICMP type is an error. This
681 * isn't specified by the RFC, but think about it..
682 */
683 if (*itp > NR_ICMP_TYPES ||
684 icmp_pointers[*itp].error)
685 goto out;
686 }
687 }
688
689 /* Needed by both icmpv4_global_allow and icmp_xmit_lock */
690 local_bh_disable();
691
692 /* Check global sysctl_icmp_msgs_per_sec ratelimit, unless
693 * incoming dev is loopback. If outgoing dev change to not be
694 * loopback, then peer ratelimit still work (in icmpv4_xrlim_allow)
695 */
696 if (!(skb_in->dev && (skb_in->dev->flags&IFF_LOOPBACK)) &&
697 !icmpv4_global_allow(net, type, code, &apply_ratelimit))
698 goto out_bh_enable;
699
700 sk = icmp_xmit_lock(net);
701 if (!sk)
702 goto out_bh_enable;
703
704 /*
705 * Construct source address and options.
706 */
707
708 saddr = iph->daddr;
709 if (!(rt->rt_flags & RTCF_LOCAL)) {
710 struct net_device *dev = NULL;
711
712 rcu_read_lock();
713 if (rt_is_input_route(rt) &&
714 READ_ONCE(net->ipv4.sysctl_icmp_errors_use_inbound_ifaddr))
715 dev = dev_get_by_index_rcu(net, inet_iif(skb_in));
716
717 if (dev)
718 saddr = inet_select_addr(dev, iph->saddr,
719 RT_SCOPE_LINK);
720 else
721 saddr = 0;
722 rcu_read_unlock();
723 }
724
725 tos = icmp_pointers[type].error ? (RT_TOS(iph->tos) |
726 IPTOS_PREC_INTERNETCONTROL) :
727 iph->tos;
728 mark = IP4_REPLY_MARK(net, skb_in->mark);
729
730 if (__ip_options_echo(net, &icmp_param.replyopts.opt.opt, skb_in, opt))
731 goto out_unlock;
732
733
734 /*
735 * Prepare data for ICMP header.
736 */
737
738 icmp_param.data.icmph.type = type;
739 icmp_param.data.icmph.code = code;
740 icmp_param.data.icmph.un.gateway = info;
741 icmp_param.data.icmph.checksum = 0;
742 icmp_param.skb = skb_in;
743 icmp_param.offset = skb_network_offset(skb_in);
744 inet_sk(sk)->tos = tos;
745 ipcm_init(&ipc);
746 ipc.addr = iph->saddr;
747 ipc.opt = &icmp_param.replyopts.opt;
748 ipc.sockc.mark = mark;
749
750 rt = icmp_route_lookup(net, &fl4, skb_in, iph, saddr, tos, mark,
751 type, code, &icmp_param);
752 if (IS_ERR(rt))
753 goto out_unlock;
754
755 /* peer icmp_ratelimit */
756 if (!icmpv4_xrlim_allow(net, rt, &fl4, type, code, apply_ratelimit))
757 goto ende;
758
759 /* RFC says return as much as we can without exceeding 576 bytes. */
760
761 room = dst_mtu(&rt->dst);
762 if (room > 576)
763 room = 576;
764 room -= sizeof(struct iphdr) + icmp_param.replyopts.opt.opt.optlen;
765 room -= sizeof(struct icmphdr);
766 /* Guard against tiny mtu. We need to include at least one
767 * IP network header for this message to make any sense.
768 */
769 if (room <= (int)sizeof(struct iphdr))
770 goto ende;
771
772 icmp_param.data_len = skb_in->len - icmp_param.offset;
773 if (icmp_param.data_len > room)
774 icmp_param.data_len = room;
775 icmp_param.head_len = sizeof(struct icmphdr);
776
777 /* if we don't have a source address at this point, fall back to the
778 * dummy address instead of sending out a packet with a source address
779 * of 0.0.0.0
780 */
781 if (!fl4.saddr)
782 fl4.saddr = htonl(INADDR_DUMMY);
783
784 trace_icmp_send(skb_in, type, code);
785
786 icmp_push_reply(sk, &icmp_param, &fl4, &ipc, &rt);
787 ende:
788 ip_rt_put(rt);
789 out_unlock:
790 icmp_xmit_unlock(sk);
791 out_bh_enable:
792 local_bh_enable();
793 out:;
794 }
795 EXPORT_SYMBOL(__icmp_send);
796
797 #if IS_ENABLED(CONFIG_NF_NAT)
798 #include <net/netfilter/nf_conntrack.h>
799 void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info)
800 {
801 struct sk_buff *cloned_skb = NULL;
802 struct ip_options opts = { 0 };
803 enum ip_conntrack_info ctinfo;
804 struct nf_conn *ct;
805 __be32 orig_ip;
806
807 ct = nf_ct_get(skb_in, &ctinfo);
808 if (!ct || !(ct->status & IPS_SRC_NAT)) {
809 __icmp_send(skb_in, type, code, info, &opts);
810 return;
811 }
812
813 if (skb_shared(skb_in))
814 skb_in = cloned_skb = skb_clone(skb_in, GFP_ATOMIC);
815
816 if (unlikely(!skb_in || skb_network_header(skb_in) < skb_in->head ||
817 (skb_network_header(skb_in) + sizeof(struct iphdr)) >
818 skb_tail_pointer(skb_in) || skb_ensure_writable(skb_in,
819 skb_network_offset(skb_in) + sizeof(struct iphdr))))
820 goto out;
821
822 orig_ip = ip_hdr(skb_in)->saddr;
823 ip_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.ip;
824 __icmp_send(skb_in, type, code, info, &opts);
825 ip_hdr(skb_in)->saddr = orig_ip;
826 out:
827 consume_skb(cloned_skb);
828 }
829 EXPORT_SYMBOL(icmp_ndo_send);
830 #endif
831
832 static void icmp_socket_deliver(struct sk_buff *skb, u32 info)
833 {
834 const struct iphdr *iph = (const struct iphdr *)skb->data;
835 const struct net_protocol *ipprot;
836 int protocol = iph->protocol;
837
838 /* Checkin full IP header plus 8 bytes of protocol to
839 * avoid additional coding at protocol handlers.
840 */
841 if (!pskb_may_pull(skb, iph->ihl * 4 + 8)) {
842 __ICMP_INC_STATS(dev_net(skb->dev), ICMP_MIB_INERRORS);
843 return;
844 }
845
846 raw_icmp_error(skb, protocol, info);
847
848 ipprot = rcu_dereference(inet_protos[protocol]);
849 if (ipprot && ipprot->err_handler)
850 ipprot->err_handler(skb, info);
851 }
852
853 static bool icmp_tag_validation(int proto)
854 {
855 bool ok;
856
857 rcu_read_lock();
858 ok = rcu_dereference(inet_protos[proto])->icmp_strict_tag_validation;
859 rcu_read_unlock();
860 return ok;
861 }
862
863 /*
864 * Handle ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED, ICMP_QUENCH, and
865 * ICMP_PARAMETERPROB.
866 */
867
868 static enum skb_drop_reason icmp_unreach(struct sk_buff *skb)
869 {
870 enum skb_drop_reason reason = SKB_NOT_DROPPED_YET;
871 const struct iphdr *iph;
872 struct icmphdr *icmph;
873 struct net *net;
874 u32 info = 0;
875
876 net = dev_net(skb_dst(skb)->dev);
877
878 /*
879 * Incomplete header ?
880 * Only checks for the IP header, there should be an
881 * additional check for longer headers in upper levels.
882 */
883
884 if (!pskb_may_pull(skb, sizeof(struct iphdr)))
885 goto out_err;
886
887 icmph = icmp_hdr(skb);
888 iph = (const struct iphdr *)skb->data;
889
890 if (iph->ihl < 5) { /* Mangled header, drop. */
891 reason = SKB_DROP_REASON_IP_INHDR;
892 goto out_err;
893 }
894
895 switch (icmph->type) {
896 case ICMP_DEST_UNREACH:
897 switch (icmph->code & 15) {
898 case ICMP_NET_UNREACH:
899 case ICMP_HOST_UNREACH:
900 case ICMP_PROT_UNREACH:
901 case ICMP_PORT_UNREACH:
902 break;
903 case ICMP_FRAG_NEEDED:
904 /* for documentation of the ip_no_pmtu_disc
905 * values please see
906 * Documentation/networking/ip-sysctl.rst
907 */
908 switch (READ_ONCE(net->ipv4.sysctl_ip_no_pmtu_disc)) {
909 default:
910 net_dbg_ratelimited("%pI4: fragmentation needed and DF set\n",
911 &iph->daddr);
912 break;
913 case 2:
914 goto out;
915 case 3:
916 if (!icmp_tag_validation(iph->protocol))
917 goto out;
918 fallthrough;
919 case 0:
920 info = ntohs(icmph->un.frag.mtu);
921 }
922 break;
923 case ICMP_SR_FAILED:
924 net_dbg_ratelimited("%pI4: Source Route Failed\n",
925 &iph->daddr);
926 break;
927 default:
928 break;
929 }
930 if (icmph->code > NR_ICMP_UNREACH)
931 goto out;
932 break;
933 case ICMP_PARAMETERPROB:
934 info = ntohl(icmph->un.gateway) >> 24;
935 break;
936 case ICMP_TIME_EXCEEDED:
937 __ICMP_INC_STATS(net, ICMP_MIB_INTIMEEXCDS);
938 if (icmph->code == ICMP_EXC_FRAGTIME)
939 goto out;
940 break;
941 }
942
943 /*
944 * Throw it at our lower layers
945 *
946 * RFC 1122: 3.2.2 MUST extract the protocol ID from the passed
947 * header.
948 * RFC 1122: 3.2.2.1 MUST pass ICMP unreach messages to the
949 * transport layer.
950 * RFC 1122: 3.2.2.2 MUST pass ICMP time expired messages to
951 * transport layer.
952 */
953
954 /*
955 * Check the other end isn't violating RFC 1122. Some routers send
956 * bogus responses to broadcast frames. If you see this message
957 * first check your netmask matches at both ends, if it does then
958 * get the other vendor to fix their kit.
959 */
960
961 if (!READ_ONCE(net->ipv4.sysctl_icmp_ignore_bogus_error_responses) &&
962 inet_addr_type_dev_table(net, skb->dev, iph->daddr) == RTN_BROADCAST) {
963 net_warn_ratelimited("%pI4 sent an invalid ICMP type %u, code %u error to a broadcast: %pI4 on %s\n",
964 &ip_hdr(skb)->saddr,
965 icmph->type, icmph->code,
966 &iph->daddr, skb->dev->name);
967 goto out;
968 }
969
970 icmp_socket_deliver(skb, info);
971
972 out:
973 return reason;
974 out_err:
975 __ICMP_INC_STATS(net, ICMP_MIB_INERRORS);
976 return reason ?: SKB_DROP_REASON_NOT_SPECIFIED;
977 }
978
979
980 /*
981 * Handle ICMP_REDIRECT.
982 */
983
984 static enum skb_drop_reason icmp_redirect(struct sk_buff *skb)
985 {
986 if (skb->len < sizeof(struct iphdr)) {
987 __ICMP_INC_STATS(dev_net(skb->dev), ICMP_MIB_INERRORS);
988 return SKB_DROP_REASON_PKT_TOO_SMALL;
989 }
990
991 if (!pskb_may_pull(skb, sizeof(struct iphdr))) {
992 /* there aught to be a stat */
993 return SKB_DROP_REASON_NOMEM;
994 }
995
996 icmp_socket_deliver(skb, ntohl(icmp_hdr(skb)->un.gateway));
997 return SKB_NOT_DROPPED_YET;
998 }
999
1000 /*
1001 * Handle ICMP_ECHO ("ping") and ICMP_EXT_ECHO ("PROBE") requests.
1002 *
1003 * RFC 1122: 3.2.2.6 MUST have an echo server that answers ICMP echo
1004 * requests.
1005 * RFC 1122: 3.2.2.6 Data received in the ICMP_ECHO request MUST be
1006 * included in the reply.
1007 * RFC 1812: 4.3.3.6 SHOULD have a config option for silently ignoring
1008 * echo requests, MUST have default=NOT.
1009 * RFC 8335: 8 MUST have a config option to enable/disable ICMP
1010 * Extended Echo Functionality, MUST be disabled by default
1011 * See also WRT handling of options once they are done and working.
1012 */
1013
1014 static enum skb_drop_reason icmp_echo(struct sk_buff *skb)
1015 {
1016 struct icmp_bxm icmp_param;
1017 struct net *net;
1018
1019 net = dev_net(skb_dst(skb)->dev);
1020 /* should there be an ICMP stat for ignored echos? */
1021 if (READ_ONCE(net->ipv4.sysctl_icmp_echo_ignore_all))
1022 return SKB_NOT_DROPPED_YET;
1023
1024 icmp_param.data.icmph = *icmp_hdr(skb);
1025 icmp_param.skb = skb;
1026 icmp_param.offset = 0;
1027 icmp_param.data_len = skb->len;
1028 icmp_param.head_len = sizeof(struct icmphdr);
1029
1030 if (icmp_param.data.icmph.type == ICMP_ECHO)
1031 icmp_param.data.icmph.type = ICMP_ECHOREPLY;
1032 else if (!icmp_build_probe(skb, &icmp_param.data.icmph))
1033 return SKB_NOT_DROPPED_YET;
1034
1035 icmp_reply(&icmp_param, skb);
1036 return SKB_NOT_DROPPED_YET;
1037 }
1038
1039 /* Helper for icmp_echo and icmpv6_echo_reply.
1040 * Searches for net_device that matches PROBE interface identifier
1041 * and builds PROBE reply message in icmphdr.
1042 *
1043 * Returns false if PROBE responses are disabled via sysctl
1044 */
1045
1046 bool icmp_build_probe(struct sk_buff *skb, struct icmphdr *icmphdr)
1047 {
1048 struct icmp_ext_hdr *ext_hdr, _ext_hdr;
1049 struct icmp_ext_echo_iio *iio, _iio;
1050 struct net *net = dev_net(skb->dev);
1051 struct inet6_dev *in6_dev;
1052 struct in_device *in_dev;
1053 struct net_device *dev;
1054 char buff[IFNAMSIZ];
1055 u16 ident_len;
1056 u8 status;
1057
1058 if (!READ_ONCE(net->ipv4.sysctl_icmp_echo_enable_probe))
1059 return false;
1060
1061 /* We currently only support probing interfaces on the proxy node
1062 * Check to ensure L-bit is set
1063 */
1064 if (!(ntohs(icmphdr->un.echo.sequence) & 1))
1065 return false;
1066 /* Clear status bits in reply message */
1067 icmphdr->un.echo.sequence &= htons(0xFF00);
1068 if (icmphdr->type == ICMP_EXT_ECHO)
1069 icmphdr->type = ICMP_EXT_ECHOREPLY;
1070 else
1071 icmphdr->type = ICMPV6_EXT_ECHO_REPLY;
1072 ext_hdr = skb_header_pointer(skb, 0, sizeof(_ext_hdr), &_ext_hdr);
1073 /* Size of iio is class_type dependent.
1074 * Only check header here and assign length based on ctype in the switch statement
1075 */
1076 iio = skb_header_pointer(skb, sizeof(_ext_hdr), sizeof(iio->extobj_hdr), &_iio);
1077 if (!ext_hdr || !iio)
1078 goto send_mal_query;
1079 if (ntohs(iio->extobj_hdr.length) <= sizeof(iio->extobj_hdr) ||
1080 ntohs(iio->extobj_hdr.length) > sizeof(_iio))
1081 goto send_mal_query;
1082 ident_len = ntohs(iio->extobj_hdr.length) - sizeof(iio->extobj_hdr);
1083 iio = skb_header_pointer(skb, sizeof(_ext_hdr),
1084 sizeof(iio->extobj_hdr) + ident_len, &_iio);
1085 if (!iio)
1086 goto send_mal_query;
1087
1088 status = 0;
1089 dev = NULL;
1090 switch (iio->extobj_hdr.class_type) {
1091 case ICMP_EXT_ECHO_CTYPE_NAME:
1092 if (ident_len >= IFNAMSIZ)
1093 goto send_mal_query;
1094 memset(buff, 0, sizeof(buff));
1095 memcpy(buff, &iio->ident.name, ident_len);
1096 dev = dev_get_by_name(net, buff);
1097 break;
1098 case ICMP_EXT_ECHO_CTYPE_INDEX:
1099 if (ident_len != sizeof(iio->ident.ifindex))
1100 goto send_mal_query;
1101 dev = dev_get_by_index(net, ntohl(iio->ident.ifindex));
1102 break;
1103 case ICMP_EXT_ECHO_CTYPE_ADDR:
1104 if (ident_len < sizeof(iio->ident.addr.ctype3_hdr) ||
1105 ident_len != sizeof(iio->ident.addr.ctype3_hdr) +
1106 iio->ident.addr.ctype3_hdr.addrlen)
1107 goto send_mal_query;
1108 switch (ntohs(iio->ident.addr.ctype3_hdr.afi)) {
1109 case ICMP_AFI_IP:
1110 if (iio->ident.addr.ctype3_hdr.addrlen != sizeof(struct in_addr))
1111 goto send_mal_query;
1112 dev = ip_dev_find(net, iio->ident.addr.ip_addr.ipv4_addr);
1113 break;
1114 #if IS_ENABLED(CONFIG_IPV6)
1115 case ICMP_AFI_IP6:
1116 if (iio->ident.addr.ctype3_hdr.addrlen != sizeof(struct in6_addr))
1117 goto send_mal_query;
1118 dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
1119 dev_hold(dev);
1120 break;
1121 #endif
1122 default:
1123 goto send_mal_query;
1124 }
1125 break;
1126 default:
1127 goto send_mal_query;
1128 }
1129 if (!dev) {
1130 icmphdr->code = ICMP_EXT_CODE_NO_IF;
1131 return true;
1132 }
1133 /* Fill bits in reply message */
1134 if (dev->flags & IFF_UP)
1135 status |= ICMP_EXT_ECHOREPLY_ACTIVE;
1136
1137 in_dev = __in_dev_get_rcu(dev);
1138 if (in_dev && rcu_access_pointer(in_dev->ifa_list))
1139 status |= ICMP_EXT_ECHOREPLY_IPV4;
1140
1141 in6_dev = __in6_dev_get(dev);
1142 if (in6_dev && !list_empty(&in6_dev->addr_list))
1143 status |= ICMP_EXT_ECHOREPLY_IPV6;
1144
1145 dev_put(dev);
1146 icmphdr->un.echo.sequence |= htons(status);
1147 return true;
1148 send_mal_query:
1149 icmphdr->code = ICMP_EXT_CODE_MAL_QUERY;
1150 return true;
1151 }
1152 EXPORT_SYMBOL_GPL(icmp_build_probe);
1153
1154 /*
1155 * Handle ICMP Timestamp requests.
1156 * RFC 1122: 3.2.2.8 MAY implement ICMP timestamp requests.
1157 * SHOULD be in the kernel for minimum random latency.
1158 * MUST be accurate to a few minutes.
1159 * MUST be updated at least at 15Hz.
1160 */
1161 static enum skb_drop_reason icmp_timestamp(struct sk_buff *skb)
1162 {
1163 struct icmp_bxm icmp_param;
1164 /*
1165 * Too short.
1166 */
1167 if (skb->len < 4)
1168 goto out_err;
1169
1170 /*
1171 * Fill in the current time as ms since midnight UT:
1172 */
1173 icmp_param.data.times[1] = inet_current_timestamp();
1174 icmp_param.data.times[2] = icmp_param.data.times[1];
1175
1176 BUG_ON(skb_copy_bits(skb, 0, &icmp_param.data.times[0], 4));
1177
1178 icmp_param.data.icmph = *icmp_hdr(skb);
1179 icmp_param.data.icmph.type = ICMP_TIMESTAMPREPLY;
1180 icmp_param.data.icmph.code = 0;
1181 icmp_param.skb = skb;
1182 icmp_param.offset = 0;
1183 icmp_param.data_len = 0;
1184 icmp_param.head_len = sizeof(struct icmphdr) + 12;
1185 icmp_reply(&icmp_param, skb);
1186 return SKB_NOT_DROPPED_YET;
1187
1188 out_err:
1189 __ICMP_INC_STATS(dev_net(skb_dst(skb)->dev), ICMP_MIB_INERRORS);
1190 return SKB_DROP_REASON_PKT_TOO_SMALL;
1191 }
1192
1193 static enum skb_drop_reason icmp_discard(struct sk_buff *skb)
1194 {
1195 /* pretend it was a success */
1196 return SKB_NOT_DROPPED_YET;
1197 }
1198
1199 /*
1200 * Deal with incoming ICMP packets.
1201 */
1202 int icmp_rcv(struct sk_buff *skb)
1203 {
1204 enum skb_drop_reason reason = SKB_DROP_REASON_NOT_SPECIFIED;
1205 struct rtable *rt = skb_rtable(skb);
1206 struct net *net = dev_net(rt->dst.dev);
1207 struct icmphdr *icmph;
1208
1209 if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) {
1210 struct sec_path *sp = skb_sec_path(skb);
1211 int nh;
1212
1213 if (!(sp && sp->xvec[sp->len - 1]->props.flags &
1214 XFRM_STATE_ICMP)) {
1215 reason = SKB_DROP_REASON_XFRM_POLICY;
1216 goto drop;
1217 }
1218
1219 if (!pskb_may_pull(skb, sizeof(*icmph) + sizeof(struct iphdr)))
1220 goto drop;
1221
1222 nh = skb_network_offset(skb);
1223 skb_set_network_header(skb, sizeof(*icmph));
1224
1225 if (!xfrm4_policy_check_reverse(NULL, XFRM_POLICY_IN,
1226 skb)) {
1227 reason = SKB_DROP_REASON_XFRM_POLICY;
1228 goto drop;
1229 }
1230
1231 skb_set_network_header(skb, nh);
1232 }
1233
1234 __ICMP_INC_STATS(net, ICMP_MIB_INMSGS);
1235
1236 if (skb_checksum_simple_validate(skb))
1237 goto csum_error;
1238
1239 if (!pskb_pull(skb, sizeof(*icmph)))
1240 goto error;
1241
1242 icmph = icmp_hdr(skb);
1243
1244 ICMPMSGIN_INC_STATS(net, icmph->type);
1245
1246 /* Check for ICMP Extended Echo (PROBE) messages */
1247 if (icmph->type == ICMP_EXT_ECHO) {
1248 /* We can't use icmp_pointers[].handler() because it is an array of
1249 * size NR_ICMP_TYPES + 1 (19 elements) and PROBE has code 42.
1250 */
1251 reason = icmp_echo(skb);
1252 goto reason_check;
1253 }
1254
1255 if (icmph->type == ICMP_EXT_ECHOREPLY) {
1256 reason = ping_rcv(skb);
1257 goto reason_check;
1258 }
1259
1260 /*
1261 * 18 is the highest 'known' ICMP type. Anything else is a mystery
1262 *
1263 * RFC 1122: 3.2.2 Unknown ICMP messages types MUST be silently
1264 * discarded.
1265 */
1266 if (icmph->type > NR_ICMP_TYPES) {
1267 reason = SKB_DROP_REASON_UNHANDLED_PROTO;
1268 goto error;
1269 }
1270
1271 /*
1272 * Parse the ICMP message
1273 */
1274
1275 if (rt->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST)) {
1276 /*
1277 * RFC 1122: 3.2.2.6 An ICMP_ECHO to broadcast MAY be
1278 * silently ignored (we let user decide with a sysctl).
1279 * RFC 1122: 3.2.2.8 An ICMP_TIMESTAMP MAY be silently
1280 * discarded if to broadcast/multicast.
1281 */
1282 if ((icmph->type == ICMP_ECHO ||
1283 icmph->type == ICMP_TIMESTAMP) &&
1284 READ_ONCE(net->ipv4.sysctl_icmp_echo_ignore_broadcasts)) {
1285 reason = SKB_DROP_REASON_INVALID_PROTO;
1286 goto error;
1287 }
1288 if (icmph->type != ICMP_ECHO &&
1289 icmph->type != ICMP_TIMESTAMP &&
1290 icmph->type != ICMP_ADDRESS &&
1291 icmph->type != ICMP_ADDRESSREPLY) {
1292 reason = SKB_DROP_REASON_INVALID_PROTO;
1293 goto error;
1294 }
1295 }
1296
1297 reason = icmp_pointers[icmph->type].handler(skb);
1298 reason_check:
1299 if (!reason) {
1300 consume_skb(skb);
1301 return NET_RX_SUCCESS;
1302 }
1303
1304 drop:
1305 kfree_skb_reason(skb, reason);
1306 return NET_RX_DROP;
1307 csum_error:
1308 reason = SKB_DROP_REASON_ICMP_CSUM;
1309 __ICMP_INC_STATS(net, ICMP_MIB_CSUMERRORS);
1310 error:
1311 __ICMP_INC_STATS(net, ICMP_MIB_INERRORS);
1312 goto drop;
1313 }
1314
1315 static bool ip_icmp_error_rfc4884_validate(const struct sk_buff *skb, int off)
1316 {
1317 struct icmp_extobj_hdr *objh, _objh;
1318 struct icmp_ext_hdr *exth, _exth;
1319 u16 olen;
1320
1321 exth = skb_header_pointer(skb, off, sizeof(_exth), &_exth);
1322 if (!exth)
1323 return false;
1324 if (exth->version != 2)
1325 return true;
1326
1327 if (exth->checksum &&
1328 csum_fold(skb_checksum(skb, off, skb->len - off, 0)))
1329 return false;
1330
1331 off += sizeof(_exth);
1332 while (off < skb->len) {
1333 objh = skb_header_pointer(skb, off, sizeof(_objh), &_objh);
1334 if (!objh)
1335 return false;
1336
1337 olen = ntohs(objh->length);
1338 if (olen < sizeof(_objh))
1339 return false;
1340
1341 off += olen;
1342 if (off > skb->len)
1343 return false;
1344 }
1345
1346 return true;
1347 }
1348
1349 void ip_icmp_error_rfc4884(const struct sk_buff *skb,
1350 struct sock_ee_data_rfc4884 *out,
1351 int thlen, int off)
1352 {
1353 int hlen;
1354
1355 /* original datagram headers: end of icmph to payload (skb->data) */
1356 hlen = -skb_transport_offset(skb) - thlen;
1357
1358 /* per rfc 4884: minimal datagram length of 128 bytes */
1359 if (off < 128 || off < hlen)
1360 return;
1361
1362 /* kernel has stripped headers: return payload offset in bytes */
1363 off -= hlen;
1364 if (off + sizeof(struct icmp_ext_hdr) > skb->len)
1365 return;
1366
1367 out->len = off;
1368
1369 if (!ip_icmp_error_rfc4884_validate(skb, off))
1370 out->flags |= SO_EE_RFC4884_FLAG_INVALID;
1371 }
1372 EXPORT_SYMBOL_GPL(ip_icmp_error_rfc4884);
1373
1374 int icmp_err(struct sk_buff *skb, u32 info)
1375 {
1376 struct iphdr *iph = (struct iphdr *)skb->data;
1377 int offset = iph->ihl<<2;
1378 struct icmphdr *icmph = (struct icmphdr *)(skb->data + offset);
1379 int type = icmp_hdr(skb)->type;
1380 int code = icmp_hdr(skb)->code;
1381 struct net *net = dev_net(skb->dev);
1382
1383 /*
1384 * Use ping_err to handle all icmp errors except those
1385 * triggered by ICMP_ECHOREPLY which sent from kernel.
1386 */
1387 if (icmph->type != ICMP_ECHOREPLY) {
1388 ping_err(skb, offset, info);
1389 return 0;
1390 }
1391
1392 if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED)
1393 ipv4_update_pmtu(skb, net, info, 0, IPPROTO_ICMP);
1394 else if (type == ICMP_REDIRECT)
1395 ipv4_redirect(skb, net, 0, IPPROTO_ICMP);
1396
1397 return 0;
1398 }
1399
1400 /*
1401 * This table is the definition of how we handle ICMP.
1402 */
1403 static const struct icmp_control icmp_pointers[NR_ICMP_TYPES + 1] = {
1404 [ICMP_ECHOREPLY] = {
1405 .handler = ping_rcv,
1406 },
1407 [1] = {
1408 .handler = icmp_discard,
1409 .error = 1,
1410 },
1411 [2] = {
1412 .handler = icmp_discard,
1413 .error = 1,
1414 },
1415 [ICMP_DEST_UNREACH] = {
1416 .handler = icmp_unreach,
1417 .error = 1,
1418 },
1419 [ICMP_SOURCE_QUENCH] = {
1420 .handler = icmp_unreach,
1421 .error = 1,
1422 },
1423 [ICMP_REDIRECT] = {
1424 .handler = icmp_redirect,
1425 .error = 1,
1426 },
1427 [6] = {
1428 .handler = icmp_discard,
1429 .error = 1,
1430 },
1431 [7] = {
1432 .handler = icmp_discard,
1433 .error = 1,
1434 },
1435 [ICMP_ECHO] = {
1436 .handler = icmp_echo,
1437 },
1438 [9] = {
1439 .handler = icmp_discard,
1440 .error = 1,
1441 },
1442 [10] = {
1443 .handler = icmp_discard,
1444 .error = 1,
1445 },
1446 [ICMP_TIME_EXCEEDED] = {
1447 .handler = icmp_unreach,
1448 .error = 1,
1449 },
1450 [ICMP_PARAMETERPROB] = {
1451 .handler = icmp_unreach,
1452 .error = 1,
1453 },
1454 [ICMP_TIMESTAMP] = {
1455 .handler = icmp_timestamp,
1456 },
1457 [ICMP_TIMESTAMPREPLY] = {
1458 .handler = icmp_discard,
1459 },
1460 [ICMP_INFO_REQUEST] = {
1461 .handler = icmp_discard,
1462 },
1463 [ICMP_INFO_REPLY] = {
1464 .handler = icmp_discard,
1465 },
1466 [ICMP_ADDRESS] = {
1467 .handler = icmp_discard,
1468 },
1469 [ICMP_ADDRESSREPLY] = {
1470 .handler = icmp_discard,
1471 },
1472 };
1473
1474 static int __net_init icmp_sk_init(struct net *net)
1475 {
1476 /* Control parameters for ECHO replies. */
1477 net->ipv4.sysctl_icmp_echo_ignore_all = 0;
1478 net->ipv4.sysctl_icmp_echo_enable_probe = 0;
1479 net->ipv4.sysctl_icmp_echo_ignore_broadcasts = 1;
1480
1481 /* Control parameter - ignore bogus broadcast responses? */
1482 net->ipv4.sysctl_icmp_ignore_bogus_error_responses = 1;
1483
1484 /*
1485 * Configurable global rate limit.
1486 *
1487 * ratelimit defines tokens/packet consumed for dst->rate_token
1488 * bucket ratemask defines which icmp types are ratelimited by
1489 * setting it's bit position.
1490 *
1491 * default:
1492 * dest unreachable (3), source quench (4),
1493 * time exceeded (11), parameter problem (12)
1494 */
1495
1496 net->ipv4.sysctl_icmp_ratelimit = 1 * HZ;
1497 net->ipv4.sysctl_icmp_ratemask = 0x1818;
1498 net->ipv4.sysctl_icmp_errors_use_inbound_ifaddr = 0;
1499
1500 return 0;
1501 }
1502
1503 static struct pernet_operations __net_initdata icmp_sk_ops = {
1504 .init = icmp_sk_init,
1505 };
1506
1507 int __init icmp_init(void)
1508 {
1509 int err, i;
1510
1511 for_each_possible_cpu(i) {
1512 struct sock *sk;
1513
1514 err = inet_ctl_sock_create(&sk, PF_INET,
1515 SOCK_RAW, IPPROTO_ICMP, &init_net);
1516 if (err < 0)
1517 return err;
1518
1519 per_cpu(ipv4_icmp_sk, i) = sk;
1520
1521 /* Enough space for 2 64K ICMP packets, including
1522 * sk_buff/skb_shared_info struct overhead.
1523 */
1524 sk->sk_sndbuf = 2 * SKB_TRUESIZE(64 * 1024);
1525
1526 /*
1527 * Speedup sock_wfree()
1528 */
1529 sock_set_flag(sk, SOCK_USE_WRITE_QUEUE);
1530 inet_sk(sk)->pmtudisc = IP_PMTUDISC_DONT;
1531 }
1532 return register_pernet_subsys(&icmp_sk_ops);
1533 }
1534
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.