mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3241 lines
108 KiB
3241 lines
108 KiB
// -*- mode: C++; tab-width: 4; indent-tabs-mode: nil -*- (for GNU Emacs)
|
|
//
|
|
// Copyright (c) 1985-2000 Microsoft Corporation
|
|
//
|
|
// This file is part of the Microsoft Research IPv6 Network Protocol Stack.
|
|
// You should have received a copy of the Microsoft End-User License Agreement
|
|
// for this software along with this release; see the file "license.txt".
|
|
// If not, please see http://www.research.microsoft.com/msripv6/license.htm,
|
|
// or write to Microsoft Research, One Microsoft Way, Redmond, WA 98052-6399.
|
|
//
|
|
// Abstract:
|
|
//
|
|
// Receive routines for Internet Protocol Version 6.
|
|
//
|
|
|
|
|
|
#include "oscfg.h"
|
|
#include "ndis.h"
|
|
#include "ip6imp.h"
|
|
#include "ip6def.h"
|
|
#include "icmp.h"
|
|
#include "route.h"
|
|
#include "fragment.h"
|
|
#include "mobile.h"
|
|
#include "security.h"
|
|
#include "info.h"
|
|
|
|
#include "ipsec.h"
|
|
|
|
struct ReassemblyList ReassemblyList;
|
|
|
|
typedef struct Options {
|
|
uint JumboLength; // Length of packet excluding IPv6 header.
|
|
IPv6RouterAlertOption UNALIGNED *Alert;
|
|
IPv6HomeAddressOption UNALIGNED *HomeAddress;
|
|
IPv6BindingUpdateOption UNALIGNED *BindingUpdate;
|
|
} Options;
|
|
|
|
int
|
|
ParseOptions(
|
|
IPv6Packet *Packet, // The packet handed to us by IPv6Receive.
|
|
uchar HdrType, // Hop-by-hop or destination.
|
|
IPv6OptionsHeader *Hdr, // Header with following data.
|
|
uint HdrLength, // Length of the entire options area.
|
|
Options *Opts); // Return option values to caller.
|
|
|
|
extern void TCPRcvComplete(void);
|
|
|
|
//* IPv6ReceiveComplete - Handle a receive complete.
|
|
//
|
|
// Called by the lower layer when receives are temporarily done.
|
|
//
|
|
void
|
|
IPv6ReceiveComplete(void)
|
|
{
|
|
// REVIEW: Original IP implementation had code here to call every
|
|
// REVIEW: UL protocol's receive complete routine (yes, all of them) here.
|
|
|
|
TCPRcvComplete();
|
|
}
|
|
|
|
//
|
|
// By default, test pullup in checked builds.
|
|
//
|
|
#ifndef PULLUP_TEST
|
|
#define PULLUP_TEST DBG
|
|
#endif
|
|
|
|
#if PULLUP_TEST
|
|
|
|
#define PULLUP_TEST_MAX_BUFFERS 8
|
|
#define PULLUP_TEST_MAX_BUFFER_SIZE 32
|
|
|
|
//* PullupTestChooseDistribution
|
|
//
|
|
// Choose a random distribution.
|
|
// Divides Size bytes into NumBuffers pieces,
|
|
// and returns the result in the Counts array.
|
|
//
|
|
void
|
|
PullupTestChooseDistribution(
|
|
uint Counts[],
|
|
uint NumBuffers,
|
|
uint Size)
|
|
{
|
|
uint i;
|
|
uint ThisBuffer;
|
|
|
|
//
|
|
// We are somewhat biased towards cutting the packet
|
|
// up into small pieces with a large remainder.
|
|
// This puts the fragment boundaries at the beginning,
|
|
// where the headers are.
|
|
//
|
|
|
|
for (i = 0; i < NumBuffers - 1; i++) {
|
|
ThisBuffer = RandomNumber(1, PULLUP_TEST_MAX_BUFFER_SIZE);
|
|
|
|
//
|
|
// Make sure that each segment has non-zero length.
|
|
//
|
|
if (ThisBuffer > Size - (NumBuffers - 1 - i))
|
|
ThisBuffer = Size - (NumBuffers - 1 - i);
|
|
|
|
Counts[i] = ThisBuffer;
|
|
Size -= ThisBuffer;
|
|
}
|
|
Counts[i] = Size;
|
|
}
|
|
|
|
//* PullupTestCreatePacket
|
|
//
|
|
// Given an IPv6 packet, creates a new IPv6 packet
|
|
// that can be handed up the receive path.
|
|
//
|
|
// We randomly fragment the IPv6 packet into multiple buffers.
|
|
// This tests pull-up processing in the receive path.
|
|
//
|
|
// Returns NULL if any memory allocation fails.
|
|
//
|
|
IPv6Packet *
|
|
PullupTestCreatePacket(IPv6Packet *Packet)
|
|
{
|
|
IPv6Packet *TestPacket;
|
|
|
|
//
|
|
// We mostly want to test discontiguous packets.
|
|
// But occasionally test a contiguous packet.
|
|
//
|
|
if (RandomNumber(0, 10) == 0) {
|
|
//
|
|
// We need to create a contiguous packet.
|
|
//
|
|
uint Padding;
|
|
uint MemLen;
|
|
void *Mem;
|
|
|
|
//
|
|
// We insert some padding to vary the alignment.
|
|
//
|
|
Padding = RandomNumber(0, 16);
|
|
MemLen = sizeof *TestPacket + Padding + Packet->TotalSize;
|
|
TestPacket = ExAllocatePool(NonPagedPool, MemLen);
|
|
if (TestPacket == NULL)
|
|
return NULL;
|
|
Mem = (void *)((uchar *)(TestPacket + 1) + Padding);
|
|
|
|
if (Packet->NdisPacket == NULL) {
|
|
RtlCopyMemory(Mem, Packet->Data, Packet->TotalSize);
|
|
}
|
|
else {
|
|
PNDIS_BUFFER NdisBuffer;
|
|
uint Offset;
|
|
int Ok;
|
|
|
|
NdisBuffer = NdisFirstBuffer(Packet->NdisPacket);
|
|
Offset = Packet->Position;
|
|
Ok = CopyNdisToFlat(Mem, NdisBuffer, Offset, Packet->TotalSize,
|
|
&NdisBuffer, &Offset);
|
|
ASSERT(Ok);
|
|
}
|
|
|
|
RtlZeroMemory(TestPacket, sizeof *TestPacket);
|
|
TestPacket->Data = TestPacket->FlatData = Mem;
|
|
TestPacket->ContigSize = TestPacket->TotalSize = Packet->TotalSize;
|
|
TestPacket->NTEorIF = Packet->NTEorIF;
|
|
TestPacket->Flags = Packet->Flags;
|
|
}
|
|
else {
|
|
//
|
|
// Create a packet with multiple NDIS buffers.
|
|
// Start with an over-estimate of the size of the MDLs we need.
|
|
//
|
|
uint NumPages = (Packet->TotalSize >> PAGE_SHIFT) + 2;
|
|
uint MdlRawSize = sizeof(MDL) + (NumPages * sizeof(PFN_NUMBER));
|
|
uint MdlAlign = __builtin_alignof(MDL) - 1;
|
|
uint MdlSize = (MdlRawSize + MdlAlign) &~ MdlAlign;
|
|
uint Padding;
|
|
uint MemLen;
|
|
uint Counts[PULLUP_TEST_MAX_BUFFERS];
|
|
uint NumBuffers;
|
|
void *Mem;
|
|
PNDIS_PACKET NdisPacket;
|
|
PNDIS_BUFFER NdisBuffer;
|
|
uint Garbage = 0xdeadbeef;
|
|
uint i;
|
|
|
|
//
|
|
// Choose the number of buffers/MDLs that we will use
|
|
// and the distribution of bytes into those buffers.
|
|
//
|
|
NumBuffers = RandomNumber(1, PULLUP_TEST_MAX_BUFFERS);
|
|
PullupTestChooseDistribution(Counts, NumBuffers, Packet->TotalSize);
|
|
|
|
//
|
|
// Allocate all the memory that we will need.
|
|
// (Actually a bit of an over-estimate.)
|
|
// We insert some padding to vary the initial alignment.
|
|
//
|
|
Padding = RandomNumber(0, 16);
|
|
MemLen = (sizeof *TestPacket + sizeof(NDIS_PACKET) +
|
|
NumBuffers * (MdlSize + sizeof Garbage) +
|
|
Padding + Packet->TotalSize);
|
|
TestPacket = ExAllocatePool(NonPagedPool, MemLen);
|
|
if (TestPacket == NULL)
|
|
return NULL;
|
|
NdisPacket = (PNDIS_PACKET)(TestPacket + 1);
|
|
NdisBuffer = (PNDIS_BUFFER)(NdisPacket + 1);
|
|
Mem = (void *)((uchar *)NdisBuffer + NumBuffers * MdlSize + Padding);
|
|
|
|
//
|
|
// Initialize the NDIS packet and buffers.
|
|
//
|
|
RtlZeroMemory(NdisPacket, sizeof *NdisPacket);
|
|
for (i = 0; i < NumBuffers; i++) {
|
|
MmInitializeMdl(NdisBuffer, Mem, Counts[i]);
|
|
MmBuildMdlForNonPagedPool(NdisBuffer);
|
|
NdisChainBufferAtBack(NdisPacket, NdisBuffer);
|
|
RtlCopyMemory((uchar *)Mem + Counts[i], &Garbage, sizeof Garbage);
|
|
|
|
(uchar *)Mem += Counts[i] + sizeof Garbage;
|
|
(uchar *)NdisBuffer += MdlSize;
|
|
}
|
|
|
|
//
|
|
// Copy data to the new packet.
|
|
//
|
|
CopyToBufferChain((PNDIS_BUFFER)(NdisPacket + 1), 0,
|
|
Packet->NdisPacket, Packet->Position,
|
|
Packet->FlatData, Packet->TotalSize);
|
|
|
|
//
|
|
// Initialize the new packet.
|
|
//
|
|
InitializePacketFromNdis(TestPacket, NdisPacket, 0);
|
|
TestPacket->NTEorIF = Packet->NTEorIF;
|
|
TestPacket->Flags = Packet->Flags;
|
|
}
|
|
|
|
return TestPacket;
|
|
}
|
|
#endif // PULLUP_TEST
|
|
|
|
|
|
//* IPv6Receive - Receive an incoming IPv6 datagram.
|
|
//
|
|
// This is the routine called by the link layer module when an incoming IPv6
|
|
// datagram is to be processed. We validate the datagram and decide what to
|
|
// do with it.
|
|
//
|
|
// The Packet->NTEorIF field holds the NTE or interface that is receiving
|
|
// the packet. Typically this is an interface, but there are some tunnel
|
|
// situations where the link layer has already found an NTE.
|
|
//
|
|
// Either the caller should hold a reference to the NTE or interface
|
|
// across the call, or the caller can place a reference in the Packet
|
|
// with PACKET_HOLDS_REF. If the caller specifies PACKET_HOLDS_REF,
|
|
/// IPv6Receive will release the reference.
|
|
//
|
|
// There is one exception: the caller can supply an interface
|
|
// with zero references (not using PACKET_HOLDS_REF),
|
|
// if the interface is being destroyed but IF->Cleanup has not yet returned.
|
|
//
|
|
// NB: The datagram may either be held in a NDIS_PACKET allocated by the
|
|
// link-layer or the interface driver (in which case 'Packet->NdisPacket'
|
|
// is non-NULL and 'Data' points to the first data buffer in the buffer
|
|
// chain), or the datagram may still be held by NDIS (in which case
|
|
// 'Packet->NdisPacket' is NULL and 'Data' points to a buffer containing
|
|
// the entire datagram).
|
|
//
|
|
// NB: We do NOT check for link-level multi/broadcasts to
|
|
// IPv6 unicast destinations. In the IPv4 world, receivers dropped
|
|
// such packets, but in the IPv6 world they are accepted.
|
|
//
|
|
// Returns count of references for the packet.
|
|
// For now, this should always be zero.
|
|
// Someday in the future this might be used to indicate
|
|
// that the IPv6 layer has not finished its receive processing.
|
|
//
|
|
// Callable from DPC context, not from thread context.
|
|
//
|
|
int
|
|
IPv6Receive(IPv6Packet *Packet)
|
|
{
|
|
uchar NextHeader; // Current header's NextHeader field.
|
|
uchar (*Handler)();
|
|
SALinkage *ThisSA, *NextSA;
|
|
int PktRefs;
|
|
|
|
ASSERT((Packet->FlatData == NULL) != (Packet->NdisPacket == NULL));
|
|
ASSERT(Packet->NTEorIF != NULL);
|
|
ASSERT(Packet->SAPerformed == NULL);
|
|
|
|
IPSIncrementInReceiveCount();
|
|
|
|
//
|
|
// Ensure that the packet is accessible in the kernel address space.
|
|
// If any mappings fail, just drop the packet.
|
|
// In practice, the packet buffers are usually already mapped.
|
|
// But they may not be, for example in loopback.
|
|
//
|
|
if (Packet->NdisPacket != NULL) {
|
|
NDIS_BUFFER *Buffer;
|
|
|
|
Buffer = NdisFirstBuffer(Packet->NdisPacket);
|
|
if (! MapNdisBuffers(Buffer)) {
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_NTOS_ERROR,
|
|
"IPv6Receive(%p): buffer mapping failed\n",
|
|
Packet));
|
|
IPSInfo.ipsi_indiscards++;
|
|
return 0; // Drop the packet.
|
|
}
|
|
}
|
|
|
|
#if PULLUP_TEST
|
|
Packet = PullupTestCreatePacket(Packet);
|
|
if (Packet == NULL) {
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_NTOS_ERROR,
|
|
"IPv6Receive(%p): PullupTestCreatePacket failed\n",
|
|
Packet));
|
|
IPSInfo.ipsi_indiscards++;
|
|
return 0; // Drop the packet.
|
|
}
|
|
#endif
|
|
|
|
//
|
|
// Iteratively switch out to the handler for each successive next header
|
|
// until we reach a handler that reports no more headers follow it.
|
|
//
|
|
// NB: We do NOT check NTE->DADStatus here.
|
|
// That is the responsibility of higher-level protocols.
|
|
//
|
|
NextHeader = IP_PROTOCOL_V6; // Always first header in packet.
|
|
do {
|
|
//
|
|
// Current header indicates that another header follows.
|
|
// See if we have a handler for it.
|
|
//
|
|
Handler = ProtocolSwitchTable[NextHeader].DataReceive;
|
|
if (Handler == NULL) {
|
|
|
|
//
|
|
// We don't have a handler for this header type,
|
|
// so see if there is a raw receiver for it.
|
|
//
|
|
if (!RawReceive(Packet, NextHeader)) {
|
|
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_BAD_PACKET,
|
|
"IPv6 Receive: Next Header type %u not handled.\n",
|
|
NextHeader));
|
|
|
|
//
|
|
// There isn't a raw receiver either.
|
|
// Send an ICMP error message.
|
|
// ICMP Pointer value is the offset from the start of the
|
|
// incoming packet's IPv6 header to the offending field.
|
|
//
|
|
ICMPv6SendError(Packet,
|
|
ICMPv6_PARAMETER_PROBLEM,
|
|
ICMPv6_UNRECOGNIZED_NEXT_HEADER,
|
|
Packet->NextHeaderPosition -
|
|
Packet->IPPosition,
|
|
NextHeader, FALSE);
|
|
|
|
IPSInfo.ipsi_inunknownprotos++;
|
|
} else {
|
|
IPSIncrementInDeliverCount();
|
|
}
|
|
|
|
break; // We can't do anything more with this packet.
|
|
}
|
|
|
|
NextHeader = (*Handler)(Packet);
|
|
} while (NextHeader != IP_PROTOCOL_NONE);
|
|
|
|
//
|
|
// If this packet holds a reference, free it now.
|
|
//
|
|
if (Packet->Flags & PACKET_HOLDS_REF) {
|
|
if (IsNTE(Packet->NTEorIF))
|
|
ReleaseNTE(CastToNTE(Packet->NTEorIF));
|
|
else
|
|
ReleaseIF(CastToIF(Packet->NTEorIF));
|
|
}
|
|
|
|
//
|
|
// Clean up any contiguous regions left by PacketPullup.
|
|
//
|
|
PacketPullupCleanup(Packet);
|
|
|
|
//
|
|
// Clean up list of SA's performed.
|
|
//
|
|
for (ThisSA = Packet->SAPerformed; ThisSA != NULL; ThisSA = NextSA) {
|
|
ReleaseSA(ThisSA->This);
|
|
NextSA = ThisSA->Next;
|
|
ExFreePool(ThisSA);
|
|
}
|
|
|
|
PktRefs = Packet->RefCnt;
|
|
#if PULLUP_TEST
|
|
ExFreePool(Packet);
|
|
#endif
|
|
return PktRefs;
|
|
}
|
|
|
|
|
|
//* IPv6HeaderReceive - Handle a IPv6 header.
|
|
//
|
|
// This is the routine called to process an IPv6 header, a next header
|
|
// value of 41 (e.g. as would be encountered with v6 in v6 tunnels). To
|
|
// avoid code duplication, it is also used to process the initial IPv6
|
|
// header found in all IPv6 packets, in which mode it may be viewed as
|
|
// a continuation of IPv6Receive.
|
|
//
|
|
uchar
|
|
IPv6HeaderReceive(
|
|
IPv6Packet *Packet) // Packet handed to us by IPv6Receive.
|
|
{
|
|
uint PayloadLength;
|
|
uchar NextHeader;
|
|
int Forwarding; // TRUE means Forwarding, FALSE means Receiving.
|
|
|
|
//
|
|
// Sanity-check ContigSize & TotalSize.
|
|
// Higher-level code in the receive path relies on these conditions.
|
|
//
|
|
ASSERT(Packet->ContigSize <= Packet->TotalSize);
|
|
|
|
//
|
|
// If we are decapsulating a packet,
|
|
// remember that this packet was originally tunneled.
|
|
//
|
|
// Some argue that decapsulating and receiving
|
|
// the inner packet on the same interface as the outer packet
|
|
// is incorrect: the inner packet should be received
|
|
// on a tunnel interface distinct from the original interface.
|
|
// (This approach introduces some issues with handling
|
|
// IPsec encapsulation, especially tunnel-mode IPsec between peers
|
|
// where you want the inner & outer source address to be the same.)
|
|
//
|
|
// In any case, for now we receive the inner packet on the original
|
|
// interface. However, this introduces a potential security
|
|
// problem. An off-link node can send an encapsulated packet
|
|
// that when decapsulated, appears to have originated from
|
|
// an on-link neighbor. This is a security problem for ND.
|
|
// We can not conveniently decrement the HopLimit (to make ND's
|
|
// check against 255 effective in this case), because the packet
|
|
// is read-only. Instead, we remember that the packet is tunneled
|
|
// and check this flag bit in the ND code.
|
|
//
|
|
if (Packet->IP != NULL) {
|
|
Packet->Flags |= PACKET_TUNNELED;
|
|
Packet->Flags &= ~PACKET_SAW_HA_OPT; // Forget if we saw one.
|
|
Packet->SkippedHeaderLength = 0;
|
|
|
|
//
|
|
// If we've already done some IPSec processing on this packet,
|
|
// then this is a tunnel header and the preceeding IPSec header
|
|
// is operating in tunnel mode.
|
|
//
|
|
if (Packet->SAPerformed != NULL)
|
|
Packet->SAPerformed->Mode = TUNNEL;
|
|
} else {
|
|
//
|
|
// In the reassembly path, we remember if the fragments were
|
|
// tunneled but we do not have a Packet->IP.
|
|
//
|
|
ASSERT((((Packet->Flags & PACKET_TUNNELED) == 0) ||
|
|
(Packet->Flags & PACKET_REASSEMBLED)) &&
|
|
((Packet->Flags & PACKET_SAW_HA_OPT) == 0) &&
|
|
(Packet->SAPerformed == NULL));
|
|
}
|
|
|
|
//
|
|
// Make sure we have enough contiguous bytes for an IPv6 header, otherwise
|
|
// attempt to pullup that amount. Then stash away a pointer to the header
|
|
// and also remember the offset into the packet at which it begins (needed
|
|
// to calculate an offset for certain ICMP error messages).
|
|
//
|
|
if (! PacketPullup(Packet, sizeof(IPv6Header),
|
|
__builtin_alignof(IPv6Addr), 0)) {
|
|
// Pullup failed.
|
|
if (Packet->TotalSize < sizeof(IPv6Header))
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_BAD_PACKET,
|
|
"IPv6HeaderReceive: "
|
|
"Packet too small to contain IPv6 header\n"));
|
|
IPSInfo.ipsi_inhdrerrors++;
|
|
return IP_PROTOCOL_NONE;
|
|
}
|
|
Packet->IP = (IPv6Header UNALIGNED *)Packet->Data;
|
|
Packet->IPPosition = Packet->Position;
|
|
Packet->NextHeaderPosition = Packet->Position +
|
|
FIELD_OFFSET(IPv6Header, NextHeader);
|
|
|
|
//
|
|
// Skip over IPv6 header (note we keep our pointer to it).
|
|
//
|
|
AdjustPacketParams(Packet, sizeof(IPv6Header));
|
|
|
|
//
|
|
// Check the IP version is correct.
|
|
// We specifically do NOT check HopLimit.
|
|
// HopLimit is only checked when forwarding.
|
|
//
|
|
if ((Packet->IP->VersClassFlow & IP_VER_MASK) != IP_VERSION) {
|
|
// Silently discard the packet.
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_BAD_PACKET,
|
|
"IPv6HeaderReceive: bad version\n"));
|
|
IPSInfo.ipsi_inhdrerrors++;
|
|
return IP_PROTOCOL_NONE;
|
|
}
|
|
|
|
//
|
|
// We use a separate pointer to refer to the source address so that
|
|
// later options can change it.
|
|
//
|
|
Packet->SrcAddr = AlignAddr(&Packet->IP->Source);
|
|
|
|
//
|
|
// Protect against attacks that use bogus source addresses.
|
|
//
|
|
if (IsInvalidSourceAddress(Packet->SrcAddr)) {
|
|
// Silently discard the packet.
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_BAD_PACKET,
|
|
"IPv6HeaderReceive: source address is invalid\n"));
|
|
return IP_PROTOCOL_NONE;
|
|
}
|
|
if (IsLoopback(Packet->SrcAddr) &&
|
|
((Packet->Flags & PACKET_LOOPED_BACK) == 0)) {
|
|
// Silently discard the packet.
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_BAD_PACKET,
|
|
"IPv6HeaderReceive: loopback source addr from wire?\n"));
|
|
return IP_PROTOCOL_NONE;
|
|
}
|
|
|
|
if (IsNTE(Packet->NTEorIF)) {
|
|
NetTableEntry *NTE;
|
|
|
|
//
|
|
// We were called with an NTE.
|
|
// Our caller (or the packet itself) should be holding a reference.
|
|
// The NTE holds an interface reference.
|
|
//
|
|
NTE = CastToNTE(Packet->NTEorIF);
|
|
|
|
//
|
|
// Verify that the packet's destination address is
|
|
// consistent with this NTE.
|
|
//
|
|
if (!IP6_ADDR_EQUAL(AlignAddr(&Packet->IP->Dest), &NTE->Address)) {
|
|
Interface *IF = NTE->IF;
|
|
|
|
//
|
|
// We can't accept this new header on this NTE.
|
|
// Convert to an Interface and punt to forwarding code below.
|
|
//
|
|
if (Packet->Flags & PACKET_HOLDS_REF) {
|
|
AddRefIF(IF);
|
|
ReleaseNTE(NTE);
|
|
}
|
|
else {
|
|
//
|
|
// Our caller holds a reference for the NTE,
|
|
// which holds a reference for the interface.
|
|
// So the packet does not need to hold a reference.
|
|
//
|
|
}
|
|
Packet->NTEorIF = CastFromIF(IF);
|
|
goto Forward;
|
|
}
|
|
|
|
//
|
|
// We are Receiving the packet.
|
|
//
|
|
Forwarding = FALSE;
|
|
|
|
} else {
|
|
NetTableEntryOrInterface *NTEorIF;
|
|
ushort Type;
|
|
|
|
//
|
|
// We were called with an Interface.
|
|
// In some situations, there is no reference for this interface
|
|
// and the interface is being destroyed. FindAddressOnInterface
|
|
// will return NULL in that case. After this point, we must ensure
|
|
// that the interface does have a reference, by having the packet
|
|
// hold a reference for the interface or a reference for an NTE
|
|
// on the interface.
|
|
//
|
|
NTEorIF = FindAddressOnInterface(CastToIF(Packet->NTEorIF),
|
|
AlignAddr(&Packet->IP->Dest), &Type);
|
|
if (NTEorIF == NULL) {
|
|
//
|
|
// The interface is being destroyed.
|
|
//
|
|
IPSInfo.ipsi_indiscards++;
|
|
return IP_PROTOCOL_NONE;
|
|
}
|
|
|
|
//
|
|
// FindAddressOnInterface returned a reference to NTEorIF
|
|
// (which could be an interface or an NTE). We either need
|
|
// to put this reference into the packet, or release it
|
|
// if the packet already holds an appropriate reference.
|
|
//
|
|
|
|
if (Type == ADE_NONE) {
|
|
//
|
|
// If the packet does not hold a reference for the interface,
|
|
// give it one now.
|
|
//
|
|
ASSERT(NTEorIF == Packet->NTEorIF);
|
|
if (Packet->Flags & PACKET_HOLDS_REF) {
|
|
//
|
|
// The packet already holds an interface reference,
|
|
// so our reference is not neeeded.
|
|
//
|
|
ReleaseIF(CastToIF(NTEorIF));
|
|
}
|
|
else {
|
|
//
|
|
// Give the packet our interface reference.
|
|
//
|
|
Packet->Flags |= PACKET_HOLDS_REF;
|
|
}
|
|
|
|
//
|
|
// The address is not assigned to this interface. Check to see
|
|
// if it is appropriate for us to forward this packet.
|
|
// If not, drop it. At this point, we are fairly
|
|
// conservative about what we will forward.
|
|
//
|
|
Forward:
|
|
if (!(CastToIF(Packet->NTEorIF)->Flags & IF_FLAG_FORWARDS) ||
|
|
(Packet->Flags & PACKET_NOT_LINK_UNICAST) ||
|
|
IsUnspecified(AlignAddr(&Packet->IP->Source)) ||
|
|
IsLoopback(AlignAddr(&Packet->IP->Source))) {
|
|
//
|
|
// Drop the packet with no ICMP error.
|
|
//
|
|
IPSInfo.ipsi_inaddrerrors++;
|
|
return IP_PROTOCOL_NONE;
|
|
}
|
|
|
|
//
|
|
// No support yet for forwarding multicast packets.
|
|
//
|
|
if (IsUnspecified(AlignAddr(&Packet->IP->Dest)) ||
|
|
IsLoopback(AlignAddr(&Packet->IP->Dest)) ||
|
|
IsMulticast(AlignAddr(&Packet->IP->Dest))) {
|
|
//
|
|
// Send an ICMP error.
|
|
//
|
|
ICMPv6SendError(Packet,
|
|
ICMPv6_DESTINATION_UNREACHABLE,
|
|
ICMPv6_COMMUNICATION_PROHIBITED,
|
|
0, Packet->IP->NextHeader, FALSE);
|
|
IPSInfo.ipsi_inaddrerrors++;
|
|
return IP_PROTOCOL_NONE;
|
|
}
|
|
|
|
//
|
|
// We do the actual forwarding below...
|
|
//
|
|
Forwarding = TRUE;
|
|
|
|
} else {
|
|
//
|
|
// If we found a unicast ADE, then remember the NTE.
|
|
// Conceptually, we think of the packet as holding
|
|
// the reference to the NTE. Normally for multicast/anycast
|
|
// addresses, we delay our choice of an appropriate NTE
|
|
// until it is time to reply to the packet.
|
|
//
|
|
if (IsNTE(NTEorIF)) {
|
|
NetTableEntry *NTE = CastToNTE(NTEorIF);
|
|
Interface *IF = NTE->IF;
|
|
|
|
ASSERT(CastFromIF(IF) == Packet->NTEorIF);
|
|
|
|
if (!IsValidNTE(NTE)) {
|
|
//
|
|
// The unicast address is not valid, so it can't
|
|
// receive packets. The address may be assigned
|
|
// to some other node, so forwarding is appropriate.
|
|
//
|
|
// Ensure that the packet holds an interface reference.
|
|
//
|
|
if (!(Packet->Flags & PACKET_HOLDS_REF)) {
|
|
//
|
|
// The packet does not already hold an interface ref,
|
|
// so give it one.
|
|
//
|
|
AddRefIF(IF);
|
|
Packet->Flags |= PACKET_HOLDS_REF;
|
|
}
|
|
//
|
|
// Now our NTE reference is not needed.
|
|
//
|
|
ReleaseNTE(NTE);
|
|
goto Forward;
|
|
}
|
|
|
|
//
|
|
// Ensure that the packet holds a reference for the NTE,
|
|
// which holds an interface reference.
|
|
//
|
|
if (Packet->Flags & PACKET_HOLDS_REF) {
|
|
//
|
|
// The packet already holds an interface reference.
|
|
// Release that reference and give the packet
|
|
// our NTE reference.
|
|
//
|
|
ReleaseIF(IF);
|
|
}
|
|
else {
|
|
//
|
|
// The packet does not hold a reference.
|
|
// Give the packet our NTE reference.
|
|
//
|
|
Packet->Flags |= PACKET_HOLDS_REF;
|
|
}
|
|
Packet->NTEorIF = CastFromNTE(NTE);
|
|
}
|
|
else {
|
|
//
|
|
// Ensure that the packet holds an interface reference.
|
|
//
|
|
ASSERT(NTEorIF == Packet->NTEorIF);
|
|
if (Packet->Flags & PACKET_HOLDS_REF) {
|
|
//
|
|
// The packet already holds an interface reference,
|
|
// so our reference is not needed.
|
|
//
|
|
ReleaseIF(CastToIF(NTEorIF));
|
|
}
|
|
else {
|
|
//
|
|
// Give our interface reference to the packet.
|
|
//
|
|
Packet->Flags |= PACKET_HOLDS_REF;
|
|
}
|
|
}
|
|
|
|
//
|
|
// We found an ADE on this IF to accept the packet,
|
|
// so we will be Receiving it.
|
|
//
|
|
Forwarding = FALSE;
|
|
}
|
|
}
|
|
|
|
//
|
|
// At this point, the Forwarding variable tells us
|
|
// if we are forwarding or receiving the packet.
|
|
//
|
|
|
|
//
|
|
// Before processing any headers, including Hop-by-Hop,
|
|
// check that the amount of payload the IPv6 header thinks is present
|
|
// can actually fit inside the packet data area that the link handed us.
|
|
// Note that a Payload Length of zero *might* mean a Jumbo Payload option.
|
|
//
|
|
PayloadLength = net_short(Packet->IP->PayloadLength);
|
|
if (PayloadLength > Packet->TotalSize) {
|
|
// Silently discard the packet.
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_BAD_PACKET,
|
|
"IPv6HeaderReceive: Header's PayloadLength is greater than "
|
|
"the amount of data received\n"));
|
|
IPSInfo.ipsi_inhdrerrors++;
|
|
return IP_PROTOCOL_NONE;
|
|
}
|
|
|
|
//
|
|
// Check for Hop-by-Hop Options.
|
|
//
|
|
if (Packet->IP->NextHeader == IP_PROTOCOL_HOP_BY_HOP) {
|
|
int RetVal;
|
|
|
|
//
|
|
// If there is a Jumbo Payload option, HopByHopOptionsReceive
|
|
// will adjust the packet size. Otherwise we take care of it
|
|
// now, before reading the Hop-by-Hop header.
|
|
//
|
|
if (PayloadLength != 0) {
|
|
Packet->TotalSize = PayloadLength;
|
|
if (Packet->ContigSize > PayloadLength)
|
|
Packet->ContigSize = PayloadLength;
|
|
}
|
|
|
|
//
|
|
// Parse the Hop-by-Hop options.
|
|
//
|
|
RetVal = HopByHopOptionsReceive(Packet);
|
|
if (RetVal < 0) {
|
|
//
|
|
// The packet had bad Hop-by-Hop Options.
|
|
// Drop it.
|
|
//
|
|
IPSInfo.ipsi_inhdrerrors++;
|
|
return IP_PROTOCOL_NONE;
|
|
}
|
|
NextHeader = (uchar)RetVal; // Truncate to 8 bits.
|
|
|
|
} else {
|
|
//
|
|
// No Jumbo Payload option. Adjust the packet size.
|
|
//
|
|
Packet->TotalSize = PayloadLength;
|
|
if (Packet->ContigSize > PayloadLength)
|
|
Packet->ContigSize = PayloadLength;
|
|
|
|
//
|
|
// No Hop-by-Hop options.
|
|
//
|
|
NextHeader = Packet->IP->NextHeader;
|
|
}
|
|
|
|
//
|
|
// Check if we are forwarding this packet.
|
|
//
|
|
if (Forwarding) {
|
|
IPv6Header UNALIGNED *FwdIP;
|
|
NDIS_PACKET *FwdPacket;
|
|
NDIS_STATUS NdisStatus;
|
|
uint Offset;
|
|
uint MemLen;
|
|
uchar *Mem;
|
|
uint TunnelStart = NO_TUNNEL, IPSecBytes = 0;
|
|
IPSecProc *IPSecToDo;
|
|
uint Action;
|
|
RouteCacheEntry *RCE;
|
|
IP_STATUS Status;
|
|
|
|
//
|
|
// Verify IPSec was performed.
|
|
//
|
|
if (InboundSecurityCheck(Packet, 0, 0, 0,
|
|
CastToIF(Packet->NTEorIF)) != TRUE) {
|
|
//
|
|
// No policy was found or the policy indicated to drop the packet.
|
|
//
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_NET_ERROR,
|
|
"IPv6Receive: "
|
|
"IPSec lookup failed or policy was to drop\n"));
|
|
IPSInfo.ipsi_inaddrerrors++;
|
|
return IP_PROTOCOL_NONE;
|
|
}
|
|
|
|
//
|
|
// At this time, we need to copy the incoming packet,
|
|
// for several reasons: We can't hold the Packet
|
|
// once IPv6HeaderReceive returns, yet we need to queue
|
|
// packet to forward it. We need to modify the packet
|
|
// (in IPv6Forward) by decrementing the hop count,
|
|
// yet our incoming packet is read-only. Finally,
|
|
// we need space in the outgoing packet for the outgoing
|
|
// interface's link-level header, which may differ in size
|
|
// from that of the incoming interface. Someday, we can
|
|
// implement support for returning a non-zero reference
|
|
// count from IPv6Receive and only copy the incoming
|
|
// packet's header to construct the outgoing packet.
|
|
//
|
|
|
|
//
|
|
// Find a route to the new destination.
|
|
//
|
|
Status = RouteToDestination(AlignAddr(&Packet->IP->Dest),
|
|
0, Packet->NTEorIF,
|
|
RTD_FLAG_LOOSE, &RCE);
|
|
if (Status != IP_SUCCESS) {
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_INTERNAL_ERROR,
|
|
"IPv6HeaderReceive: "
|
|
"No route to destination for forwarding.\n"));
|
|
ICMPv6SendError(Packet,
|
|
ICMPv6_DESTINATION_UNREACHABLE,
|
|
ICMPv6_NO_ROUTE_TO_DESTINATION,
|
|
0, NextHeader, FALSE);
|
|
IPSInfo.ipsi_outnoroutes++;
|
|
return IP_PROTOCOL_NONE;
|
|
}
|
|
|
|
//
|
|
// Find the Security Policy for this outbound traffic.
|
|
//
|
|
IPSecToDo = OutboundSPLookup(AlignAddr(&Packet->IP->Source),
|
|
AlignAddr(&Packet->IP->Dest),
|
|
0, 0, 0, RCE->NCE->IF, &Action);
|
|
|
|
if (IPSecToDo == NULL) {
|
|
//
|
|
// Check Action.
|
|
//
|
|
if (Action == LOOKUP_DROP) {
|
|
// Drop packet.
|
|
ReleaseRCE(RCE);
|
|
IPSInfo.ipsi_inaddrerrors++;
|
|
return IP_PROTOCOL_NONE;
|
|
} else {
|
|
if (Action == LOOKUP_IKE_NEG) {
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_NET_ERROR,
|
|
"IPv6HeaderReceive: IKE not supported yet.\n"));
|
|
ReleaseRCE(RCE);
|
|
IPSInfo.ipsi_inaddrerrors++;
|
|
return IP_PROTOCOL_NONE;
|
|
}
|
|
}
|
|
|
|
//
|
|
// With no IPSec to perform, IPv6Forward won't be changing the
|
|
// outgoing interface from what we currently think it will be.
|
|
// So we can use the exact size of its link-level header.
|
|
//
|
|
Offset = RCE->NCE->IF->LinkHeaderSize;
|
|
|
|
} else {
|
|
//
|
|
// Calculate the space needed for the IPSec headers.
|
|
//
|
|
IPSecBytes = IPSecBytesToInsert(IPSecToDo, &TunnelStart, NULL);
|
|
|
|
if (TunnelStart != 0) {
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_NET_ERROR,
|
|
"IPv6HeaderReceive: IPSec Tunnel mode only.\n"));
|
|
FreeIPSecToDo(IPSecToDo, IPSecToDo->BundleSize);
|
|
ReleaseRCE(RCE);
|
|
IPSInfo.ipsi_inaddrerrors++;
|
|
return IP_PROTOCOL_NONE;
|
|
}
|
|
|
|
//
|
|
// The IPSec code in IPv6Forward might change the outgoing
|
|
// interface from what we currently think it will be.
|
|
// Leave the max amount of space for its link-level header.
|
|
//
|
|
Offset = MAX_LINK_HEADER_SIZE;
|
|
}
|
|
|
|
PayloadLength = Packet->TotalSize;
|
|
MemLen = Offset + sizeof(IPv6Header) + PayloadLength + IPSecBytes;
|
|
|
|
NdisStatus = IPv6AllocatePacket(MemLen, &FwdPacket, &Mem);
|
|
if (NdisStatus != NDIS_STATUS_SUCCESS) {
|
|
if (IPSecToDo) {
|
|
FreeIPSecToDo(IPSecToDo, IPSecToDo->BundleSize);
|
|
}
|
|
ReleaseRCE(RCE);
|
|
IPSInfo.ipsi_indiscards++;
|
|
return IP_PROTOCOL_NONE; // We can't forward.
|
|
}
|
|
|
|
FwdIP = (IPv6Header UNALIGNED *)(Mem + Offset + IPSecBytes);
|
|
|
|
//
|
|
// Copy from the incoming packet to the outgoing packet.
|
|
//
|
|
CopyPacketToBuffer((uchar *)FwdIP, Packet,
|
|
sizeof(IPv6Header) + PayloadLength,
|
|
Packet->IPPosition);
|
|
|
|
//
|
|
// Send the outgoing packet.
|
|
//
|
|
IPv6Forward(Packet->NTEorIF, FwdPacket, Offset + IPSecBytes, FwdIP,
|
|
PayloadLength, TRUE, // OK to Redirect.
|
|
IPSecToDo, RCE);
|
|
|
|
if (IPSecToDo) {
|
|
FreeIPSecToDo(IPSecToDo, IPSecToDo->BundleSize);
|
|
}
|
|
|
|
ReleaseRCE(RCE);
|
|
|
|
return IP_PROTOCOL_NONE;
|
|
} // end of if (Forwarding)
|
|
|
|
//
|
|
// Packet is for this node.
|
|
// Note: We may only be an intermediate node and not the packet's final
|
|
// destination, if there is a routing header.
|
|
//
|
|
return NextHeader;
|
|
}
|
|
|
|
|
|
//* ReassemblyInit
|
|
//
|
|
// Initialize data structures required for fragment reassembly.
|
|
//
|
|
void
|
|
ReassemblyInit(void)
|
|
{
|
|
KeInitializeSpinLock(&ReassemblyList.Lock);
|
|
ReassemblyList.First = ReassemblyList.Last = SentinelReassembly;
|
|
KeInitializeSpinLock(&ReassemblyList.LockSize);
|
|
}
|
|
|
|
|
|
//* ReassemblyUnload
|
|
//
|
|
// Cleanup the fragment reassembly data structures and
|
|
// prepare for stack unload.
|
|
//
|
|
void
|
|
ReassemblyUnload(void)
|
|
{
|
|
//
|
|
// We are called after all interfaces have been destroyed,
|
|
// so the reassemblies should already be gone.
|
|
//
|
|
|
|
ASSERT(ReassemblyList.Last == SentinelReassembly);
|
|
ASSERT(ReassemblyList.Size == 0);
|
|
}
|
|
|
|
|
|
//* ReassemblyRemove
|
|
//
|
|
// Cleanup the fragment reassembly data structures
|
|
// when an interface becomes invalid.
|
|
//
|
|
// Callable from DPC or thread context.
|
|
//
|
|
void
|
|
ReassemblyRemove(Interface *IF)
|
|
{
|
|
Reassembly *DeleteList = NULL;
|
|
Reassembly *Reass, *NextReass;
|
|
KIRQL OldIrql;
|
|
|
|
KeAcquireSpinLock(&ReassemblyList.Lock, &OldIrql);
|
|
for (Reass = ReassemblyList.First;
|
|
Reass != SentinelReassembly;
|
|
Reass = NextReass) {
|
|
NextReass = Reass->Next;
|
|
|
|
if (Reass->IF == IF) {
|
|
//
|
|
// Remove this reassembly.
|
|
// If it is not already being deleted,
|
|
// put it on our temporary list.
|
|
//
|
|
RemoveReassembly(Reass);
|
|
KeAcquireSpinLockAtDpcLevel(&Reass->Lock);
|
|
if (Reass->State == REASSEMBLY_STATE_DELETING) {
|
|
//
|
|
// Note that it has been removed from the list.
|
|
//
|
|
Reass->State = REASSEMBLY_STATE_REMOVED;
|
|
}
|
|
else {
|
|
Reass->Next = DeleteList;
|
|
DeleteList = Reass;
|
|
}
|
|
KeReleaseSpinLockFromDpcLevel(&Reass->Lock);
|
|
}
|
|
}
|
|
KeReleaseSpinLock(&ReassemblyList.Lock, OldIrql);
|
|
|
|
//
|
|
// Actually free the reassemblies that we removed above.
|
|
//
|
|
while ((Reass = DeleteList) != NULL) {
|
|
DeleteList = Reass->Next;
|
|
DeleteReassembly(Reass);
|
|
}
|
|
}
|
|
|
|
|
|
//* FragmentReceive - Handle a IPv6 datagram fragment.
|
|
//
|
|
// This is the routine called by IPv6 when it receives a fragment of an
|
|
// IPv6 datagram, i.e. a next header value of 44. Here we attempt to
|
|
// reassemble incoming fragments into complete IPv6 datagrams.
|
|
//
|
|
// If a later fragment provides data that conflicts with an earlier
|
|
// fragment, then we use the first-arriving data.
|
|
//
|
|
// We silently drop the fragment and stop reassembly in several
|
|
// cases that are not specified in the spec, to prevent DoS attacks.
|
|
// These include partially overlapping fragments and fragments
|
|
// that carry no data. Legitimate senders should never generate them.
|
|
//
|
|
uchar
|
|
FragmentReceive(
|
|
IPv6Packet *Packet) // Packet handed to us by IPv6Receive.
|
|
{
|
|
Interface *IF = Packet->NTEorIF->IF;
|
|
FragmentHeader UNALIGNED *Frag;
|
|
Reassembly *Reass;
|
|
ushort FragOffset;
|
|
PacketShim *Shim, *ThisShim, **MoveShim;
|
|
uint NextHeaderPosition;
|
|
|
|
IPSInfo.ipsi_reasmreqds++;
|
|
|
|
//
|
|
// We can not reassemble fragments that have had IPsec processing.
|
|
// It can't work because the IPsec headers in the unfragmentable part
|
|
// of the offset-zero fragment will authenticate/decrypt that fragment.
|
|
// Then the same headers would be copied to the reassembled packet.
|
|
// They couldn't possibly successfully authenticate/decrypt again.
|
|
// Also see RFC 2401 B.2.
|
|
//
|
|
if (Packet->SAPerformed != NULL) {
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_BAD_PACKET,
|
|
"FragmentReceive: IPsec on fragment\n"));
|
|
//
|
|
// The spec does not tell us what ICMP error to generate in this case,
|
|
// but flagging the fragment header seems reasonable.
|
|
//
|
|
goto BadFragment;
|
|
}
|
|
|
|
//
|
|
// If a jumbo payload option was seen, send an ICMP error.
|
|
// Set ICMP pointer to the offset of the fragment header.
|
|
//
|
|
if (Packet->Flags & PACKET_JUMBO_OPTION) {
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_BAD_PACKET,
|
|
"FragmentReceive: jumbo fragment\n"));
|
|
|
|
BadFragment:
|
|
//
|
|
// The NextHeader value passed to ICMPv6SendError
|
|
// is IP_PROTOCOL_FRAGMENT because we haven't moved
|
|
// past the fragment header yet.
|
|
//
|
|
ICMPv6SendError(Packet,
|
|
ICMPv6_PARAMETER_PROBLEM,
|
|
ICMPv6_ERRONEOUS_HEADER_FIELD,
|
|
Packet->Position - Packet->IPPosition,
|
|
IP_PROTOCOL_FRAGMENT, FALSE);
|
|
goto Failed; // Drop packet.
|
|
}
|
|
|
|
//
|
|
// Verify that we have enough contiguous data to overlay a FragmentHeader
|
|
// structure on the incoming packet. Then do so.
|
|
//
|
|
if (! PacketPullup(Packet, sizeof *Frag, 1, 0)) {
|
|
// Pullup failed.
|
|
if (Packet->TotalSize < sizeof *Frag)
|
|
ICMPv6SendError(Packet,
|
|
ICMPv6_PARAMETER_PROBLEM,
|
|
ICMPv6_ERRONEOUS_HEADER_FIELD,
|
|
FIELD_OFFSET(IPv6Header, PayloadLength),
|
|
IP_PROTOCOL_NONE, FALSE);
|
|
goto Failed; // Drop packet.
|
|
}
|
|
Frag = (FragmentHeader UNALIGNED *) Packet->Data;
|
|
|
|
//
|
|
// Remember offset to this header's NextHeader field.
|
|
// But don't overwrite offset to previous header's NextHeader just yet.
|
|
//
|
|
NextHeaderPosition = Packet->Position +
|
|
FIELD_OFFSET(FragmentHeader, NextHeader);
|
|
|
|
//
|
|
// Skip over fragment header.
|
|
//
|
|
AdjustPacketParams(Packet, sizeof *Frag);
|
|
|
|
//
|
|
// Lookup this fragment triple (Source Address, Destination
|
|
// Address, and Identification field) per-interface to see if
|
|
// we've already received other fragments of this packet.
|
|
//
|
|
Reass = FragmentLookup(IF, Frag->Id,
|
|
AlignAddr(&Packet->IP->Source),
|
|
AlignAddr(&Packet->IP->Dest));
|
|
if (Reass == NULL) {
|
|
//
|
|
// We hold the global reassembly list lock.
|
|
//
|
|
// Handle a special case first: if this is the first, last, and only
|
|
// fragment, then we can just continue parsing without reassembly.
|
|
// Test both paths in checked builds.
|
|
//
|
|
if ((Frag->OffsetFlag == 0)
|
|
#if DBG
|
|
&& ((int)Random() < 0)
|
|
#endif
|
|
) {
|
|
//
|
|
// Return next header value.
|
|
//
|
|
KeReleaseSpinLockFromDpcLevel(&ReassemblyList.Lock);
|
|
Packet->NextHeaderPosition = NextHeaderPosition;
|
|
Packet->SkippedHeaderLength += sizeof(FragmentHeader);
|
|
IPSInfo.ipsi_reasmoks++;
|
|
return Frag->NextHeader;
|
|
}
|
|
|
|
//
|
|
// We must avoid creating new reassembly records
|
|
// if the interface is going away, to prevent races
|
|
// with DestroyIF/ReassemblyRemove.
|
|
//
|
|
if (IsDisabledIF(IF)) {
|
|
KeReleaseSpinLockFromDpcLevel(&ReassemblyList.Lock);
|
|
goto Failed;
|
|
}
|
|
|
|
//
|
|
// This is the first fragment of this datagram we've received.
|
|
// Allocate a reassembly structure to keep track of the pieces.
|
|
//
|
|
Reass = ExAllocatePool(NonPagedPool, sizeof(struct Reassembly));
|
|
if (Reass == NULL) {
|
|
KeReleaseSpinLockFromDpcLevel(&ReassemblyList.Lock);
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_NTOS_ERROR,
|
|
"FragmentReceive: Couldn't allocate memory!?!\n"));
|
|
goto Failed;
|
|
}
|
|
|
|
KeInitializeSpinLock(&Reass->Lock);
|
|
Reass->State = REASSEMBLY_STATE_NORMAL;
|
|
|
|
RtlCopyMemory(&Reass->IPHdr, Packet->IP, sizeof(IPv6Header));
|
|
Reass->IF = IF;
|
|
Reass->Id = Frag->Id;
|
|
Reass->ContigList = NULL;
|
|
#if DBG
|
|
Reass->ContigEnd = NULL;
|
|
#endif
|
|
Reass->GapList = NULL;
|
|
Reass->Timer = DEFAULT_REASSEMBLY_TIMEOUT;
|
|
Reass->Marker = 0;
|
|
Reass->MaxGap = 0;
|
|
//
|
|
// We must initialize DataLength to an invalid value.
|
|
// Initializing to zero doesn't work.
|
|
//
|
|
Reass->DataLength = (uint)-1;
|
|
Reass->UnfragmentLength = 0;
|
|
Reass->UnfragData = NULL;
|
|
Reass->Flags = 0;
|
|
Reass->Size = REASSEMBLY_SIZE_PACKET;
|
|
|
|
//
|
|
// Add new Reassembly struct to front of the ReassemblyList.
|
|
// Acquires the reassembly record lock and
|
|
// releases the global reassembly list lock.
|
|
//
|
|
AddToReassemblyList(Reass);
|
|
}
|
|
else {
|
|
//
|
|
// We have found and locked an existing reassembly structure.
|
|
// Because we remove the reassembly structure in every
|
|
// error situation below, an existing reassembly structure
|
|
// must have a shim that has been successfully added to it.
|
|
//
|
|
ASSERT((Reass->ContigList != NULL) || (Reass->GapList != NULL));
|
|
}
|
|
|
|
//
|
|
// At this point, we have a locked reassembly record.
|
|
// We do not hold the global reassembly list lock
|
|
// while we perform the relatively expensive work
|
|
// of copying the fragment.
|
|
//
|
|
ASSERT(Reass->State == REASSEMBLY_STATE_NORMAL);
|
|
|
|
//
|
|
// Update the saved packet flags from this fragment packet.
|
|
// We are really only interested in PACKET_NOT_LINK_UNICAST.
|
|
//
|
|
Reass->Flags |= Packet->Flags;
|
|
|
|
FragOffset = net_short(Frag->OffsetFlag) & FRAGMENT_OFFSET_MASK;
|
|
|
|
//
|
|
// Send ICMP error if this fragment causes the total packet length
|
|
// to exceed 65,535 bytes. Set ICMP pointer equal to the offset to
|
|
// the Fragment Offset field.
|
|
//
|
|
if (FragOffset + Packet->TotalSize > MAX_IPv6_PAYLOAD) {
|
|
DeleteFromReassemblyList(Reass);
|
|
ICMPv6SendError(Packet,
|
|
ICMPv6_PARAMETER_PROBLEM,
|
|
ICMPv6_ERRONEOUS_HEADER_FIELD,
|
|
(Packet->Position - sizeof(FragmentHeader) +
|
|
(uint)FIELD_OFFSET(FragmentHeader, OffsetFlag) -
|
|
Packet->IPPosition),
|
|
((FragOffset == 0) ?
|
|
Frag->NextHeader : IP_PROTOCOL_NONE),
|
|
FALSE);
|
|
goto Failed;
|
|
}
|
|
|
|
if ((Packet->TotalSize == 0) && (Frag->OffsetFlag != 0)) {
|
|
//
|
|
// We allow a moot fragment header (Frag->OffsetFlag == 0),
|
|
// because some test programs might generate them.
|
|
// (The first/last/only check above catches this in free builds.)
|
|
// But otherwise, we disallow fragments that do not actually
|
|
// carry any data for DoS protection.
|
|
//
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_NET_ERROR,
|
|
"FragmentReceive: zero data fragment\n"));
|
|
DeleteFromReassemblyList(Reass);
|
|
return IP_PROTOCOL_NONE;
|
|
}
|
|
|
|
//
|
|
// If this is the last fragment (more fragments bit not set), then
|
|
// remember the total data length, else, check that the length
|
|
// is a multiple of 8 bytes.
|
|
//
|
|
if ((net_short(Frag->OffsetFlag) & FRAGMENT_FLAG_MASK) == 0) {
|
|
if (Reass->DataLength != (uint)-1) {
|
|
//
|
|
// We already received a last fragment.
|
|
// This can happen if a packet is duplicated.
|
|
//
|
|
if (FragOffset + Packet->TotalSize != Reass->DataLength) {
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_NET_ERROR,
|
|
"FragmentReceive: second last fragment\n"));
|
|
DeleteFromReassemblyList(Reass);
|
|
return IP_PROTOCOL_NONE;
|
|
}
|
|
}
|
|
else {
|
|
//
|
|
// Set expected data length from this fragment.
|
|
//
|
|
Reass->DataLength = FragOffset + Packet->TotalSize;
|
|
|
|
//
|
|
// Do we have any fragments beyond this length?
|
|
//
|
|
if ((Reass->Marker > Reass->DataLength) ||
|
|
(Reass->MaxGap > Reass->DataLength))
|
|
goto BadFragmentBeyondData;
|
|
}
|
|
} else {
|
|
if ((Packet->TotalSize % 8) != 0) {
|
|
//
|
|
// Length is not multiple of 8, send ICMP error with a pointer
|
|
// value equal to offset of payload length field in IP header.
|
|
//
|
|
DeleteFromReassemblyList(Reass);
|
|
ICMPv6SendError(Packet,
|
|
ICMPv6_PARAMETER_PROBLEM,
|
|
ICMPv6_ERRONEOUS_HEADER_FIELD,
|
|
FIELD_OFFSET(IPv6Header, PayloadLength),
|
|
((FragOffset == 0) ?
|
|
Frag->NextHeader : IP_PROTOCOL_NONE),
|
|
FALSE);
|
|
goto Failed; // Drop packet.
|
|
}
|
|
|
|
if ((Reass->DataLength != (uint)-1) &&
|
|
(FragOffset + Packet->TotalSize > Reass->DataLength)) {
|
|
//
|
|
// This fragment falls beyond the data length.
|
|
// As part of our DoS prevention, drop the reassembly.
|
|
//
|
|
BadFragmentBeyondData:
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_NET_ERROR,
|
|
"FragmentReceive: fragment beyond data length\n"));
|
|
DeleteFromReassemblyList(Reass);
|
|
return IP_PROTOCOL_NONE;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Allocate and initialize a shim structure to hold the fragment data.
|
|
//
|
|
Shim = ExAllocatePool(NonPagedPool, sizeof *Shim + Packet->TotalSize);
|
|
if (Shim == NULL) {
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_NTOS_ERROR,
|
|
"FragmentReceive: Couldn't allocate memory!?!\n"));
|
|
DeleteFromReassemblyList(Reass);
|
|
goto Failed;
|
|
}
|
|
|
|
IncreaseReassemblySize(Reass, REASSEMBLY_SIZE_FRAG + Packet->TotalSize);
|
|
Shim->Len = (ushort)Packet->TotalSize;
|
|
Shim->Offset = FragOffset;
|
|
Shim->Next = NULL;
|
|
|
|
//
|
|
// Determine where this fragment fits among the previous ones.
|
|
//
|
|
// There is no good reason for senders to ever generate overlapping
|
|
// fragments. However, packets may sometimes be duplicated in the network.
|
|
// If we receive a fragment that duplicates previously received fragments,
|
|
// then we just discard it. If we receive a fragment that only partially
|
|
// overlaps previously received fragments, then we assume a malicious
|
|
// sender and just drop the reassembly. This gives us better behavior
|
|
// under some kinds of DoS attacks, although the upper bound on reassembly
|
|
// buffers (see CheckReassemblyQuota) is the ultimate protection.
|
|
//
|
|
if (FragOffset == Reass->Marker) {
|
|
//
|
|
// This fragment extends the contiguous list.
|
|
//
|
|
|
|
if (Reass->ContigList == NULL) {
|
|
//
|
|
// We're first on the list.
|
|
// We use info from the (first) offset zero fragment to recreate
|
|
// the original datagram. Info in a second offset zero fragment
|
|
// is ignored.
|
|
//
|
|
ASSERT(FragOffset == 0);
|
|
ASSERT(Reass->UnfragData == NULL);
|
|
Reass->ContigList = Shim;
|
|
|
|
// Save the next header value.
|
|
Reass->NextHeader = Frag->NextHeader;
|
|
|
|
//
|
|
// Grab the unfragmentable data, i.e. the extension headers that
|
|
// preceded the fragment header.
|
|
//
|
|
Reass->UnfragmentLength = (ushort)
|
|
(Packet->Position - sizeof(FragmentHeader)) -
|
|
(Packet->IPPosition + sizeof(IPv6Header));
|
|
|
|
if (Reass->UnfragmentLength != 0) {
|
|
Reass->UnfragData = ExAllocatePool(NonPagedPool,
|
|
Reass->UnfragmentLength);
|
|
if (Reass->UnfragData == NULL) {
|
|
// Out of memory!?! Clean up and drop packet.
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_NTOS_ERROR,
|
|
"FragmentReceive: "
|
|
"Couldn't allocate memory?\n"));
|
|
// Will also free Shim because of Reass->ContigList.
|
|
DeleteFromReassemblyList(Reass);
|
|
goto Failed;
|
|
}
|
|
IncreaseReassemblySize(Reass, Reass->UnfragmentLength);
|
|
CopyPacketToBuffer(Reass->UnfragData, Packet,
|
|
Reass->UnfragmentLength,
|
|
Packet->IPPosition + sizeof(IPv6Header));
|
|
|
|
Reass->NextHeaderOffset = Packet->NextHeaderPosition -
|
|
Packet->IPPosition;
|
|
} else
|
|
Reass->NextHeaderOffset = FIELD_OFFSET(IPv6Header, NextHeader);
|
|
|
|
//
|
|
// We need to have the IP header of the offset-zero fragment.
|
|
// (Every fragment normally will have the same IP header,
|
|
// except for PayloadLength, and unfragmentable headers,
|
|
// but they might not.) ReassembleDatagram and
|
|
// CreateFragmentPacket both need it.
|
|
//
|
|
// Of the 40 bytes in the header, the 32 bytes in the source
|
|
// and destination addresses are already correct.
|
|
// So we just copy the other 8 bytes now.
|
|
//
|
|
RtlCopyMemory(&Reass->IPHdr, Packet->IP, 8);
|
|
|
|
} else {
|
|
//
|
|
// Add us to the end of the list.
|
|
//
|
|
Reass->ContigEnd->Next = Shim;
|
|
}
|
|
Reass->ContigEnd = Shim;
|
|
|
|
//
|
|
// Increment our contiguous extent marker.
|
|
//
|
|
Reass->Marker += (ushort)Packet->TotalSize;
|
|
|
|
//
|
|
// Now peruse the non-contiguous list here to see if we already
|
|
// have the next fragment to extend the contiguous list, and if so,
|
|
// move it on over. Repeat until we can't.
|
|
//
|
|
MoveShim = &Reass->GapList;
|
|
while ((ThisShim = *MoveShim) != NULL) {
|
|
if (ThisShim->Offset == Reass->Marker) {
|
|
//
|
|
// This fragment now extends the contiguous list.
|
|
// Add it to the end of the list.
|
|
//
|
|
Reass->ContigEnd->Next = ThisShim;
|
|
Reass->ContigEnd = ThisShim;
|
|
Reass->Marker += ThisShim->Len;
|
|
|
|
//
|
|
// Remove it from non-contiguous list.
|
|
//
|
|
*MoveShim = ThisShim->Next;
|
|
ThisShim->Next = NULL;
|
|
}
|
|
else if (ThisShim->Offset > Reass->Marker) {
|
|
//
|
|
// This fragment lies beyond the contiguous list.
|
|
// Because the gap list is sorted, we can stop now.
|
|
//
|
|
break;
|
|
}
|
|
else {
|
|
//
|
|
// This fragment overlaps the contiguous list.
|
|
// For DoS prevention, drop the reassembly.
|
|
//
|
|
BadFragmentOverlap:
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_NET_ERROR,
|
|
"FragmentReceive: overlapping fragment\n"));
|
|
DeleteFromReassemblyList(Reass);
|
|
return IP_PROTOCOL_NONE;
|
|
}
|
|
}
|
|
} else {
|
|
//
|
|
// Exile this fragment to the non-contiguous (gap) list.
|
|
// The gap list is sorted by Offset.
|
|
//
|
|
MoveShim = &Reass->GapList;
|
|
for (;;) {
|
|
ThisShim = *MoveShim;
|
|
if (ThisShim == NULL) {
|
|
//
|
|
// Insert Shim at the end of the gap list.
|
|
//
|
|
Reass->MaxGap = Shim->Offset + Shim->Len;
|
|
break;
|
|
}
|
|
|
|
if (Shim->Offset < ThisShim->Offset) {
|
|
//
|
|
// Check for partial overlap.
|
|
//
|
|
if (Shim->Offset + Shim->Len > ThisShim->Offset) {
|
|
ExFreePool(Shim);
|
|
goto BadFragmentOverlap;
|
|
}
|
|
|
|
//
|
|
// OK, insert Shim before ThisShim.
|
|
//
|
|
break;
|
|
}
|
|
else if (ThisShim->Offset < Shim->Offset) {
|
|
//
|
|
// Check for partial overlap.
|
|
//
|
|
if (ThisShim->Offset + ThisShim->Len > Shim->Offset) {
|
|
ExFreePool(Shim);
|
|
goto BadFragmentOverlap;
|
|
}
|
|
|
|
//
|
|
// OK, insert Shim somewhere after ThisShim.
|
|
// Keep looking for the right spot.
|
|
//
|
|
MoveShim = &ThisShim->Next;
|
|
}
|
|
else {
|
|
//
|
|
// If the new fragment duplicates the old,
|
|
// then just ignore the new fragment.
|
|
//
|
|
if (Shim->Len == ThisShim->Len) {
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_NET_ERROR,
|
|
"FragmentReceive: duplicate fragment\n"));
|
|
ExFreePool(Shim);
|
|
KeReleaseSpinLockFromDpcLevel(&Reass->Lock);
|
|
return IP_PROTOCOL_NONE;
|
|
}
|
|
else {
|
|
ExFreePool(Shim);
|
|
goto BadFragmentOverlap;
|
|
}
|
|
}
|
|
}
|
|
|
|
Shim->Next = *MoveShim;
|
|
*MoveShim = Shim;
|
|
}
|
|
|
|
//
|
|
// Now that we have added the shim to the reassembly record
|
|
// and passed various checks (particularly DoS checks),
|
|
// copy the actual fragment data to the shim.
|
|
//
|
|
CopyPacketToBuffer(PacketShimData(Shim), Packet,
|
|
Packet->TotalSize, Packet->Position);
|
|
|
|
if (Reass->Marker == Reass->DataLength) {
|
|
//
|
|
// We have received all the fragments.
|
|
// Because of the overlapping/data-length/zero-size sanity checks
|
|
// above, when this happens there should be no fragments
|
|
// left on the gap list. However, ReassembleDatagram does not
|
|
// rely on having an empty gap list.
|
|
//
|
|
ASSERT(Reass->GapList == NULL);
|
|
ReassembleDatagram(Packet, Reass);
|
|
}
|
|
else {
|
|
//
|
|
// Finally, check if we're too close to our limit for
|
|
// reassembly buffers. If so, drop this packet. Otherwise,
|
|
// wait for more fragments to arrive.
|
|
//
|
|
CheckReassemblyQuota(Reass);
|
|
}
|
|
return IP_PROTOCOL_NONE;
|
|
|
|
Failed:
|
|
IPSInfo.ipsi_reasmfails++;
|
|
return IP_PROTOCOL_NONE;
|
|
}
|
|
|
|
|
|
//* FragmentLookup - look for record of previous fragments from this datagram.
|
|
//
|
|
// A datagram on an interface is uniquely identified by its
|
|
// {source address, destination address, identification field} triple.
|
|
// This function checks our reassembly list for previously
|
|
// received fragments of a given datagram.
|
|
//
|
|
// If an existing reassembly record is found,
|
|
// it is returned locked.
|
|
//
|
|
// If there is no existing reassembly record, returns NULL
|
|
// and leaves the global reassembly list locked.
|
|
//
|
|
// Callable from DPC context, not from thread context.
|
|
//
|
|
Reassembly *
|
|
FragmentLookup(
|
|
Interface *IF, // Receiving interface.
|
|
ulong Id, // Fragment identification field to match.
|
|
const IPv6Addr *Src, // Source address to match.
|
|
const IPv6Addr *Dst) // Destination address to match.
|
|
{
|
|
Reassembly *Reass;
|
|
|
|
KeAcquireSpinLockAtDpcLevel(&ReassemblyList.Lock);
|
|
|
|
for (Reass = ReassemblyList.First;; Reass = Reass->Next) {
|
|
if (Reass == SentinelReassembly) {
|
|
//
|
|
// Return with the global reassembly list lock still held.
|
|
//
|
|
return NULL;
|
|
}
|
|
|
|
if ((Reass->IF == IF) &&
|
|
(Reass->Id == Id) &&
|
|
IP6_ADDR_EQUAL(&Reass->IPHdr.Source, Src) &&
|
|
IP6_ADDR_EQUAL(&Reass->IPHdr.Dest, Dst)) {
|
|
//
|
|
// Is this reassembly record being deleted?
|
|
// If so, ignore it.
|
|
//
|
|
KeAcquireSpinLockAtDpcLevel(&Reass->Lock);
|
|
ASSERT((Reass->State == REASSEMBLY_STATE_NORMAL) ||
|
|
(Reass->State == REASSEMBLY_STATE_DELETING));
|
|
|
|
if (Reass->State == REASSEMBLY_STATE_DELETING) {
|
|
KeReleaseSpinLockFromDpcLevel(&Reass->Lock);
|
|
continue;
|
|
}
|
|
|
|
//
|
|
// Return with the reassembly record lock still held.
|
|
//
|
|
KeReleaseSpinLockFromDpcLevel(&ReassemblyList.Lock);
|
|
return Reass;
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
//* AddToReassemblyList
|
|
//
|
|
// Add the reassembly record to the list.
|
|
// It must NOT already be on the list.
|
|
//
|
|
// Called with the global reassembly list lock held.
|
|
// Returns with the reassembly record lock held.
|
|
//
|
|
// Callable from DPC context, not from thread context.
|
|
//
|
|
void
|
|
AddToReassemblyList(Reassembly *Reass)
|
|
{
|
|
Reassembly *AfterReass = SentinelReassembly;
|
|
|
|
Reass->Prev = AfterReass;
|
|
(Reass->Next = AfterReass->Next)->Prev = Reass;
|
|
AfterReass->Next = Reass;
|
|
|
|
KeAcquireSpinLockAtDpcLevel(&ReassemblyList.LockSize);
|
|
ReassemblyList.Size += Reass->Size;
|
|
KeReleaseSpinLockFromDpcLevel(&ReassemblyList.LockSize);
|
|
|
|
//
|
|
// We must acquire the reassembly record lock
|
|
// *before* releasing the global reassembly list lock,
|
|
// to prevent the reassembly from diappearing underneath us.
|
|
//
|
|
KeAcquireSpinLockAtDpcLevel(&Reass->Lock);
|
|
KeReleaseSpinLockFromDpcLevel(&ReassemblyList.Lock);
|
|
}
|
|
|
|
|
|
//* RemoveReassembly
|
|
//
|
|
// Remove a reassembly record from the list.
|
|
//
|
|
// Called with the global reassembly lock held.
|
|
// The reassembly record lock may be held.
|
|
//
|
|
void
|
|
RemoveReassembly(Reassembly *Reass)
|
|
{
|
|
Reass->Prev->Next = Reass->Next;
|
|
Reass->Next->Prev = Reass->Prev;
|
|
|
|
KeAcquireSpinLockAtDpcLevel(&ReassemblyList.LockSize);
|
|
ReassemblyList.Size -= Reass->Size;
|
|
KeReleaseSpinLockFromDpcLevel(&ReassemblyList.LockSize);
|
|
}
|
|
|
|
|
|
//* IncreaseReassemblySize
|
|
//
|
|
// Increase the size of the reassembly record.
|
|
// Called with the reassembly record lock held.
|
|
//
|
|
// Callable from DPC context, not from thread context.
|
|
//
|
|
void
|
|
IncreaseReassemblySize(Reassembly *Reass, uint Size)
|
|
{
|
|
Reass->Size += Size;
|
|
KeAcquireSpinLockAtDpcLevel(&ReassemblyList.LockSize);
|
|
ReassemblyList.Size += Size;
|
|
KeReleaseSpinLockFromDpcLevel(&ReassemblyList.LockSize);
|
|
}
|
|
|
|
|
|
//* DeleteReassembly
|
|
//
|
|
// Delete a reassembly record.
|
|
//
|
|
void
|
|
DeleteReassembly(Reassembly *Reass)
|
|
{
|
|
PacketShim *ThisShim, *PrevShim;
|
|
|
|
//
|
|
// Free ContigList if populated.
|
|
//
|
|
PrevShim = ThisShim = Reass->ContigList;
|
|
while (ThisShim != NULL) {
|
|
PrevShim = ThisShim;
|
|
ThisShim = ThisShim->Next;
|
|
ExFreePool(PrevShim);
|
|
}
|
|
|
|
//
|
|
// Free GapList if populated.
|
|
//
|
|
PrevShim = ThisShim = Reass->GapList;
|
|
while (ThisShim != NULL) {
|
|
PrevShim = ThisShim;
|
|
ThisShim = ThisShim->Next;
|
|
ExFreePool(PrevShim);
|
|
}
|
|
|
|
//
|
|
// Free unfragmentable data.
|
|
//
|
|
if (Reass->UnfragData != NULL)
|
|
ExFreePool(Reass->UnfragData);
|
|
|
|
ExFreePool(Reass);
|
|
}
|
|
|
|
|
|
//* DeleteFromReassemblyList
|
|
//
|
|
// Remove and delete the reassembly record.
|
|
// The reassembly record MUST be on the list.
|
|
//
|
|
// Callable from DPC context, not from thread context.
|
|
// Called with the reassembly record lock held,
|
|
// but not the global reassembly list lock.
|
|
//
|
|
void
|
|
DeleteFromReassemblyList(Reassembly *Reass)
|
|
{
|
|
//
|
|
// Mark the reassembly as being deleted.
|
|
// This will prevent someone else from freeing it.
|
|
//
|
|
ASSERT(Reass->State == REASSEMBLY_STATE_NORMAL);
|
|
Reass->State = REASSEMBLY_STATE_DELETING;
|
|
KeReleaseSpinLockFromDpcLevel(&Reass->Lock);
|
|
|
|
KeAcquireSpinLockAtDpcLevel(&ReassemblyList.Lock);
|
|
KeAcquireSpinLockAtDpcLevel(&Reass->Lock);
|
|
ASSERT((Reass->State == REASSEMBLY_STATE_DELETING) ||
|
|
(Reass->State == REASSEMBLY_STATE_REMOVED));
|
|
|
|
//
|
|
// Remove the reassembly record from the list,
|
|
// if someone else hasn't already removed it.
|
|
//
|
|
if (Reass->State != REASSEMBLY_STATE_REMOVED)
|
|
RemoveReassembly(Reass);
|
|
|
|
KeReleaseSpinLockFromDpcLevel(&Reass->Lock);
|
|
KeReleaseSpinLockFromDpcLevel(&ReassemblyList.Lock);
|
|
|
|
//
|
|
// Delete the reassembly record.
|
|
//
|
|
DeleteReassembly(Reass);
|
|
}
|
|
|
|
//* CheckReassemblyQuota
|
|
//
|
|
// Delete reassembly record if necessary,
|
|
// to keep the reassembly buffering under quota.
|
|
//
|
|
// Callable from DPC context, not from thread context.
|
|
// Called with the reassembly record lock held,
|
|
// but not the global reassembly list lock.
|
|
//
|
|
void
|
|
CheckReassemblyQuota(Reassembly *Reass)
|
|
{
|
|
int Prune = FALSE;
|
|
uint Threshold = ReassemblyList.Limit / 2;
|
|
|
|
//
|
|
// Decide whether to drop the reassembly record based on a RED-like
|
|
// algorithm. If the total size is less than 50% of the max, never
|
|
// drop. If the total size is over the max, always drop. If between
|
|
// 50% and 100% full, drop based on a probability proportional to the
|
|
// amount over 50%. This is an O(1) algorithm which is proportionally
|
|
// biased against large packets, and against sources which send more
|
|
// packets. This should provide a decent level of protection against
|
|
// DoS attacks.
|
|
//
|
|
KeAcquireSpinLockAtDpcLevel(&ReassemblyList.LockSize);
|
|
if ((ReassemblyList.Size > Threshold) &&
|
|
(RandomNumber(0, Threshold) < ReassemblyList.Size - Threshold))
|
|
Prune = TRUE;
|
|
KeReleaseSpinLockFromDpcLevel(&ReassemblyList.LockSize);
|
|
|
|
if (Prune) {
|
|
//
|
|
// Delete this reassembly record.
|
|
// We do not send ICMP errors in this situation.
|
|
// The reassembly timer has not expired.
|
|
// This is more analogous to a router dropping packets
|
|
// when a queue gets full, and no ICMP error is sent
|
|
// in that situation.
|
|
//
|
|
#if DBG
|
|
char Buffer1[INET6_ADDRSTRLEN], Buffer2[INET6_ADDRSTRLEN];
|
|
|
|
FormatV6AddressWorker(Buffer1, &Reass->IPHdr.Source);
|
|
FormatV6AddressWorker(Buffer2, &Reass->IPHdr.Dest);
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_NET_ERROR,
|
|
"CheckReassemblyQuota: Src %s Dst %s Id %x\n",
|
|
Buffer1, Buffer2, Reass->Id));
|
|
#endif
|
|
DeleteFromReassemblyList(Reass);
|
|
}
|
|
else
|
|
KeReleaseSpinLockFromDpcLevel(&Reass->Lock);
|
|
}
|
|
|
|
typedef struct ReassembledReceiveContext {
|
|
WORK_QUEUE_ITEM WQItem;
|
|
IPv6Packet Packet;
|
|
uchar Data[];
|
|
} ReassembledReceiveContext;
|
|
|
|
//* ReassembledReceive
|
|
//
|
|
// Receive a reassembled packet.
|
|
// This function is called from a kernel worker thread context.
|
|
// It prevents "reassembly recursion".
|
|
//
|
|
void
|
|
ReassembledReceive(PVOID Context)
|
|
{
|
|
ReassembledReceiveContext *rrc = (ReassembledReceiveContext *) Context;
|
|
KIRQL Irql;
|
|
int PktRefs;
|
|
|
|
//
|
|
// All receive processing normally happens at DPC level,
|
|
// so we must pretend to be a DPC, so we raise IRQL.
|
|
// (System worker threads typically run at PASSIVE_LEVEL).
|
|
//
|
|
KeRaiseIrql(DISPATCH_LEVEL, &Irql);
|
|
PktRefs = IPv6Receive(&rrc->Packet);
|
|
ASSERT(PktRefs == 0);
|
|
KeLowerIrql(Irql);
|
|
ExFreePool(rrc);
|
|
}
|
|
|
|
|
|
//* ReassembleDatagram - put all the fragments together.
|
|
//
|
|
// Called when we have all the fragments to complete a datagram.
|
|
// Patch them together and pass the packet up.
|
|
//
|
|
// We allocate a single contiguous buffer and copy the fragments
|
|
// into this buffer.
|
|
// REVIEW: Instead use ndis buffers to chain the fragments?
|
|
//
|
|
// Callable from DPC context, not from thread context.
|
|
// Called with the reassembly record lock held,
|
|
// but not the global reassembly list lock.
|
|
//
|
|
// Deletes the reassembly record.
|
|
//
|
|
void
|
|
ReassembleDatagram(
|
|
IPv6Packet *Packet, // The packet being currently received.
|
|
Reassembly *Reass) // Reassembly record for fragmented datagram.
|
|
{
|
|
uint DataLen;
|
|
uint TotalLength;
|
|
uint memptr = sizeof(IPv6Header);
|
|
PacketShim *ThisShim, *PrevShim;
|
|
ReassembledReceiveContext *rrc;
|
|
IPv6Packet *ReassPacket;
|
|
uchar *ReassBuffer;
|
|
uchar *pNextHeader;
|
|
|
|
DataLen = Reass->DataLength + Reass->UnfragmentLength;
|
|
ASSERT(DataLen <= MAX_IPv6_PAYLOAD);
|
|
TotalLength = sizeof(IPv6Header) + DataLen;
|
|
|
|
//
|
|
// Allocate memory for buffer and copy fragment data into it.
|
|
// At the same time we allocate space for context information
|
|
// and an IPv6 packet structure.
|
|
//
|
|
rrc = ExAllocatePool(NonPagedPool, sizeof *rrc + TotalLength);
|
|
if (rrc == NULL) {
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_NTOS_ERROR,
|
|
"ReassembleDatagram: Couldn't allocate memory!?!\n"));
|
|
DeleteFromReassemblyList(Reass);
|
|
IPSInfo.ipsi_reasmfails++;
|
|
return;
|
|
}
|
|
|
|
//
|
|
// We must take a reference on the interface before
|
|
// DeleteFromReassemblyList releases the record lock.
|
|
//
|
|
ReassPacket = &rrc->Packet;
|
|
ReassBuffer = rrc->Data;
|
|
|
|
//
|
|
// Generate the original IP hdr and copy it and any unfragmentable
|
|
// data into the new packet. Note we have to update the next header
|
|
// field in the last unfragmentable header (or the IP hdr, if none).
|
|
//
|
|
Reass->IPHdr.PayloadLength = net_short((ushort)DataLen);
|
|
RtlCopyMemory(ReassBuffer, (uchar *)&Reass->IPHdr, sizeof(IPv6Header));
|
|
|
|
RtlCopyMemory(ReassBuffer + memptr, Reass->UnfragData,
|
|
Reass->UnfragmentLength);
|
|
memptr += Reass->UnfragmentLength;
|
|
|
|
pNextHeader = ReassBuffer + Reass->NextHeaderOffset;
|
|
ASSERT(*pNextHeader == IP_PROTOCOL_FRAGMENT);
|
|
*pNextHeader = Reass->NextHeader;
|
|
|
|
//
|
|
// Run through the contiguous list, copying data over to our new packet.
|
|
//
|
|
PrevShim = ThisShim = Reass->ContigList;
|
|
while(ThisShim != NULL) {
|
|
RtlCopyMemory(ReassBuffer + memptr, PacketShimData(ThisShim),
|
|
ThisShim->Len);
|
|
memptr += ThisShim->Len;
|
|
if (memptr > TotalLength) {
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_INTERNAL_ERROR,
|
|
"ReassembleDatagram: packets don't add up\n"));
|
|
}
|
|
PrevShim = ThisShim;
|
|
ThisShim = ThisShim->Next;
|
|
|
|
ExFreePool(PrevShim);
|
|
}
|
|
|
|
//
|
|
// Initialize the reassembled packet structure.
|
|
//
|
|
RtlZeroMemory(ReassPacket, sizeof *ReassPacket);
|
|
AddRefIF(Reass->IF);
|
|
ReassPacket->NTEorIF = CastFromIF(Reass->IF);
|
|
ReassPacket->FlatData = ReassBuffer;
|
|
ReassPacket->Data = ReassBuffer;
|
|
ReassPacket->ContigSize = TotalLength;
|
|
ReassPacket->TotalSize = TotalLength;
|
|
ReassPacket->Flags = PACKET_HOLDS_REF | PACKET_REASSEMBLED |
|
|
(Reass->Flags & PACKET_INHERITED_FLAGS);
|
|
|
|
//
|
|
// Explicitly null out the ContigList which was freed above and
|
|
// clean up the reassembly struct. This also drops our lock
|
|
// on the reassembly struct.
|
|
//
|
|
Reass->ContigList = NULL;
|
|
DeleteFromReassemblyList(Reass);
|
|
|
|
IPSInfo.ipsi_reasmoks++;
|
|
|
|
//
|
|
// Receive the reassembled packet.
|
|
// If the current fragment was reassembled,
|
|
// then we should avoid another level of recursion.
|
|
// We must prevent "reassembly recursion".
|
|
// Test both paths in checked builds.
|
|
//
|
|
if ((Packet->Flags & PACKET_REASSEMBLED)
|
|
#if DBG
|
|
|| ((int)Random() < 0)
|
|
#endif
|
|
) {
|
|
ExInitializeWorkItem(&rrc->WQItem, ReassembledReceive, rrc);
|
|
ExQueueWorkItem(&rrc->WQItem, CriticalWorkQueue);
|
|
}
|
|
else {
|
|
int PktRefs = IPv6Receive(ReassPacket);
|
|
ASSERT(PktRefs == 0);
|
|
ExFreePool(rrc);
|
|
}
|
|
}
|
|
|
|
|
|
//* CreateFragmentPacket
|
|
//
|
|
// Recreates the first fragment packet for purposes of notifying a source
|
|
// of a 'fragment reassembly time exceeded'.
|
|
//
|
|
IPv6Packet *
|
|
CreateFragmentPacket(
|
|
Reassembly *Reass)
|
|
{
|
|
PacketShim *FirstFrag;
|
|
IPv6Packet *Packet;
|
|
FragmentHeader *FragHdr;
|
|
uint PayloadLength;
|
|
uint PacketLength;
|
|
uint MemLen;
|
|
uchar *Mem;
|
|
|
|
//
|
|
// There must be a first (offset-zero) fragment.
|
|
//
|
|
FirstFrag = Reass->ContigList;
|
|
ASSERT((FirstFrag != NULL) && (FirstFrag->Offset == 0));
|
|
|
|
//
|
|
// Allocate memory for creating the first fragment, i.e. the first
|
|
// buffer in our contig list. We include space for an IPv6Packet.
|
|
//
|
|
PayloadLength = (Reass->UnfragmentLength + sizeof(FragmentHeader) +
|
|
FirstFrag->Len);
|
|
PacketLength = sizeof(IPv6Header) + PayloadLength;
|
|
MemLen = sizeof(IPv6Packet) + PacketLength;
|
|
Mem = ExAllocatePool(NonPagedPool, MemLen);
|
|
if (Mem == NULL) {
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_NTOS_ERROR,
|
|
"CreateFragmentPacket: Couldn't allocate memory!?!\n"));
|
|
return NULL;
|
|
}
|
|
|
|
Packet = (IPv6Packet *) Mem;
|
|
Mem += sizeof(IPv6Packet);
|
|
|
|
Packet->Next = NULL;
|
|
Packet->IP = (IPv6Header UNALIGNED *) Mem;
|
|
Packet->IPPosition = 0;
|
|
Packet->Data = Packet->FlatData = Mem;
|
|
Packet->Position = 0;
|
|
Packet->ContigSize = Packet->TotalSize = PacketLength;
|
|
Packet->NdisPacket = NULL;
|
|
Packet->AuxList = NULL;
|
|
Packet->Flags = 0;
|
|
Packet->SrcAddr = AlignAddr(&Packet->IP->Source);
|
|
Packet->SAPerformed = NULL;
|
|
// Our caller must initialize Packet->NTEorIF.
|
|
AdjustPacketParams(Packet, sizeof(IPv6Header));
|
|
|
|
//
|
|
// Copy the original IPv6 header into the packet.
|
|
// Note that FragmentReceive ensures that
|
|
// Reass->IPHdr, Reass->UnfragData, and FirstFrag
|
|
// are all consistent.
|
|
//
|
|
RtlCopyMemory(Mem, (uchar *)&Reass->IPHdr, sizeof(IPv6Header));
|
|
Mem += sizeof(IPv6Header);
|
|
|
|
ASSERT(Reass->IPHdr.PayloadLength == net_short((ushort)PayloadLength));
|
|
|
|
//
|
|
// Copy the unfragmentable data into the packet.
|
|
//
|
|
RtlCopyMemory(Mem, Reass->UnfragData, Reass->UnfragmentLength);
|
|
Mem += Reass->UnfragmentLength;
|
|
|
|
//
|
|
// Create a fragment header in the packet.
|
|
//
|
|
FragHdr = (FragmentHeader *) Mem;
|
|
Mem += sizeof(FragmentHeader);
|
|
|
|
//
|
|
// Note that if the original offset-zero fragment had
|
|
// a non-zero value in the Reserved field, then we will
|
|
// not recreate it properly. It shouldn't do that.
|
|
//
|
|
FragHdr->NextHeader = Reass->NextHeader;
|
|
FragHdr->Reserved = 0;
|
|
FragHdr->OffsetFlag = net_short(FRAGMENT_FLAG_MASK);
|
|
FragHdr->Id = Reass->Id;
|
|
|
|
//
|
|
// Copy the original fragment data into the packet.
|
|
//
|
|
RtlCopyMemory(Mem, PacketShimData(FirstFrag), FirstFrag->Len);
|
|
|
|
return Packet;
|
|
}
|
|
|
|
|
|
//* ReassemblyTimeout - Handle a reassembly timer event.
|
|
//
|
|
// This routine is called periodically by IPv6Timeout to check for
|
|
// timed out fragments.
|
|
//
|
|
void
|
|
ReassemblyTimeout(void)
|
|
{
|
|
Reassembly *ThisReass, *NextReass;
|
|
Reassembly *Expired = NULL;
|
|
|
|
//
|
|
// Scan the ReassemblyList checking for expired reassembly contexts.
|
|
//
|
|
KeAcquireSpinLockAtDpcLevel(&ReassemblyList.Lock);
|
|
for (ThisReass = ReassemblyList.First;
|
|
ThisReass != SentinelReassembly;
|
|
ThisReass = NextReass) {
|
|
NextReass = ThisReass->Next;
|
|
|
|
//
|
|
// First decrement the timer then check if it has expired. If so,
|
|
// remove the reassembly record. This is basically the same code
|
|
// as in DeleteFromReassemblyList().
|
|
//
|
|
ThisReass->Timer--;
|
|
|
|
if (ThisReass->Timer == 0) {
|
|
RemoveReassembly(ThisReass);
|
|
|
|
KeAcquireSpinLockAtDpcLevel(&ThisReass->Lock);
|
|
ASSERT((ThisReass->State == REASSEMBLY_STATE_NORMAL) ||
|
|
(ThisReass->State == REASSEMBLY_STATE_DELETING));
|
|
|
|
if (ThisReass->State == REASSEMBLY_STATE_DELETING) {
|
|
//
|
|
// Note that we've removed it from the list already.
|
|
//
|
|
ThisReass->State = REASSEMBLY_STATE_REMOVED;
|
|
}
|
|
else {
|
|
//
|
|
// Move this reassembly context to the expired list.
|
|
// We must take a reference on the interface
|
|
// before releasing the reassembly record lock.
|
|
//
|
|
AddRefIF(ThisReass->IF);
|
|
ThisReass->Next = Expired;
|
|
Expired = ThisReass;
|
|
}
|
|
KeReleaseSpinLockFromDpcLevel(&ThisReass->Lock);
|
|
}
|
|
}
|
|
KeReleaseSpinLockFromDpcLevel(&ReassemblyList.Lock);
|
|
|
|
//
|
|
// Now that we no longer need the reassembly list lock,
|
|
// we can send ICMP errors at our leisure.
|
|
//
|
|
|
|
while ((ThisReass = Expired) != NULL) {
|
|
Interface *IF = ThisReass->IF;
|
|
#if DBG
|
|
char Buffer1[INET6_ADDRSTRLEN], Buffer2[INET6_ADDRSTRLEN];
|
|
|
|
FormatV6AddressWorker(Buffer1, &ThisReass->IPHdr.Source);
|
|
FormatV6AddressWorker(Buffer2, &ThisReass->IPHdr.Dest);
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_NET_ERROR,
|
|
"ReassemblyTimeout: Src %s Dst %s Id %x\n",
|
|
Buffer1, Buffer2, ThisReass->Id));
|
|
#endif
|
|
|
|
Expired = ThisReass->Next;
|
|
|
|
//
|
|
// Send ICMP error IF we have received the first fragment.
|
|
// NB: Checking Marker != 0 is wrong, because we might have
|
|
// received a zero-length first fragment.
|
|
//
|
|
if (ThisReass->ContigList != NULL) {
|
|
IPv6Packet *Packet;
|
|
|
|
Packet = CreateFragmentPacket(ThisReass);
|
|
if (Packet != NULL) {
|
|
NetTableEntryOrInterface *NTEorIF;
|
|
ushort Type;
|
|
|
|
NTEorIF = FindAddressOnInterface(IF,
|
|
&ThisReass->IPHdr.Dest,
|
|
&Type);
|
|
if (NTEorIF != NULL) {
|
|
Packet->NTEorIF = NTEorIF;
|
|
|
|
ICMPv6SendError(Packet,
|
|
ICMPv6_TIME_EXCEEDED,
|
|
ICMPv6_REASSEMBLY_TIME_EXCEEDED, 0,
|
|
Packet->IP->NextHeader, FALSE);
|
|
|
|
if (IsNTE(NTEorIF))
|
|
ReleaseNTE(CastToNTE(NTEorIF));
|
|
else
|
|
ReleaseIF(CastToIF(NTEorIF));
|
|
}
|
|
|
|
ExFreePool(Packet);
|
|
}
|
|
}
|
|
|
|
//
|
|
// Delete the reassembly record.
|
|
//
|
|
ReleaseIF(IF);
|
|
DeleteReassembly(ThisReass);
|
|
}
|
|
}
|
|
|
|
|
|
//* DestinationOptionsReceive - Handle IPv6 Destination options.
|
|
//
|
|
// This is the routine called to process a Destination Options Header,
|
|
// a next header value of 60.
|
|
//
|
|
uchar
|
|
DestinationOptionsReceive(
|
|
IPv6Packet *Packet) // Packet handed to us by IPv6Receive.
|
|
{
|
|
IPv6OptionsHeader *DestOpt;
|
|
uint ExtLen;
|
|
Options Opts;
|
|
|
|
//
|
|
// Verify that we have enough contiguous data to overlay a Destination
|
|
// Options Header structure on the incoming packet. Then do so.
|
|
//
|
|
if (! PacketPullup(Packet, sizeof *DestOpt,
|
|
__builtin_alignof(IPv6OptionsHeader), 0)) {
|
|
if (Packet->TotalSize < sizeof *DestOpt) {
|
|
BadPayloadLength:
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_BAD_PACKET,
|
|
"DestinationOptionsReceive: Incoming packet too small"
|
|
" to contain destination options header\n"));
|
|
ICMPv6SendError(Packet,
|
|
ICMPv6_PARAMETER_PROBLEM,
|
|
ICMPv6_ERRONEOUS_HEADER_FIELD,
|
|
FIELD_OFFSET(IPv6Header, PayloadLength),
|
|
IP_PROTOCOL_NONE, FALSE);
|
|
}
|
|
return IP_PROTOCOL_NONE; // Drop packet.
|
|
}
|
|
DestOpt = (IPv6OptionsHeader *) Packet->Data;
|
|
|
|
//
|
|
// Check that length of destination options also fit in remaining data.
|
|
// The options must also be aligned for any addresses in them.
|
|
//
|
|
ExtLen = (DestOpt->HeaderExtLength + 1) * EXT_LEN_UNIT;
|
|
if (! PacketPullup(Packet, ExtLen,
|
|
MAX(__builtin_alignof(IPv6OptionsHeader),
|
|
__builtin_alignof(IPv6Addr)), 0)) {
|
|
if (Packet->TotalSize < ExtLen)
|
|
goto BadPayloadLength;
|
|
return IP_PROTOCOL_NONE; // Drop packet.
|
|
}
|
|
DestOpt = (IPv6OptionsHeader *) Packet->Data;
|
|
|
|
//
|
|
// Remember offset to this header's NextHeader field.
|
|
//
|
|
Packet->NextHeaderPosition = Packet->Position +
|
|
FIELD_OFFSET(IPv6OptionsHeader, NextHeader);
|
|
|
|
//
|
|
// Skip over the extension header.
|
|
// We need to do this now so subsequent ICMP error generation works.
|
|
//
|
|
AdjustPacketParams(Packet, ExtLen);
|
|
|
|
//
|
|
// Parse options in this extension header. If an error occurs
|
|
// while parsing the options, discard packet.
|
|
//
|
|
if (!ParseOptions(Packet, IP_PROTOCOL_DEST_OPTS, DestOpt, ExtLen, &Opts)) {
|
|
return IP_PROTOCOL_NONE; // Drop packet.
|
|
}
|
|
|
|
//
|
|
// The processing of any additional options should be added here,
|
|
// before the home address option.
|
|
//
|
|
|
|
//
|
|
// Process the home address option.
|
|
//
|
|
if (Opts.HomeAddress) {
|
|
if (IPv6RecvHomeAddress(Packet, Opts.HomeAddress)) {
|
|
//
|
|
// Couldn't process the home address option. Drop the packet.
|
|
//
|
|
return IP_PROTOCOL_NONE;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Process binding update option.
|
|
//
|
|
// Note that the Mobile IP spec says that the effects of processing the
|
|
// Home Address option should not be visible until all other options in
|
|
// the same Destination Options header have been processed. Although
|
|
// we process the Binding Update option after the Home Address option,
|
|
// we achieve the same effect by requiring IPv6RecvBindingUpdate to
|
|
// know that the Packet->SrcAddr has already been updated.
|
|
//
|
|
if (Opts.BindingUpdate) {
|
|
if (IPv6RecvBindingUpdate(Packet, Opts.BindingUpdate)) {
|
|
//
|
|
// Couldn't process the binding update. Drop the packet.
|
|
//
|
|
return IP_PROTOCOL_NONE;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Return next header value.
|
|
//
|
|
return DestOpt->NextHeader;
|
|
}
|
|
|
|
|
|
//* HopByHopOptionsReceive - Handle a IPv6 Hop-by-Hop Options.
|
|
//
|
|
// This is the routine called to process a Hop-by-Hop Options Header,
|
|
// next header value of 0.
|
|
//
|
|
// Note that this routine is not a normal handler in the Protocol Switch
|
|
// Table. Instead, it receives special treatment in IPv6HeaderReceive.
|
|
// Because of this, it returns -1 instead of IP_PROTOCOL_NONE on error.
|
|
//
|
|
int
|
|
HopByHopOptionsReceive(
|
|
IPv6Packet *Packet) // Packet handed to us by IPv6Receive.
|
|
{
|
|
IPv6OptionsHeader *HopByHop;
|
|
uint ExtLen;
|
|
Options Opts;
|
|
|
|
//
|
|
// Verify that we have enough contiguous data to overlay a minimum
|
|
// length Hop-by-Hop Options Header. Then do so.
|
|
//
|
|
if (! PacketPullup(Packet, sizeof *HopByHop,
|
|
__builtin_alignof(IPv6OptionsHeader), 0)) {
|
|
if (Packet->TotalSize < sizeof *HopByHop) {
|
|
BadPayloadLength:
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_BAD_PACKET,
|
|
"HopByHopOptionsReceive: Incoming packet too small"
|
|
" to contain Hop-by-Hop Options header\n"));
|
|
ICMPv6SendError(Packet,
|
|
ICMPv6_PARAMETER_PROBLEM,
|
|
ICMPv6_ERRONEOUS_HEADER_FIELD,
|
|
FIELD_OFFSET(IPv6Header, PayloadLength),
|
|
IP_PROTOCOL_NONE, FALSE);
|
|
}
|
|
return -1; // Drop packet.
|
|
}
|
|
HopByHop = (IPv6OptionsHeader *) Packet->Data;
|
|
|
|
//
|
|
// Check that length of the Hop-by-Hop options also fits in remaining data.
|
|
// The options must also be aligned for any addresses in them.
|
|
//
|
|
ExtLen = (HopByHop->HeaderExtLength + 1) * EXT_LEN_UNIT;
|
|
if (! PacketPullup(Packet, ExtLen,
|
|
MAX(__builtin_alignof(IPv6OptionsHeader),
|
|
__builtin_alignof(IPv6Addr)), 0)) {
|
|
if (Packet->TotalSize < ExtLen)
|
|
goto BadPayloadLength;
|
|
return -1; // Drop packet.
|
|
}
|
|
HopByHop = (IPv6OptionsHeader *) Packet->Data;
|
|
|
|
//
|
|
// Remember offset to this header's NextHeader field.
|
|
//
|
|
Packet->NextHeaderPosition = Packet->Position +
|
|
FIELD_OFFSET(IPv6OptionsHeader, NextHeader);
|
|
|
|
//
|
|
// Skip over the extension header.
|
|
// We need to do this now so subsequent ICMP error generation works.
|
|
//
|
|
AdjustPacketParams(Packet, ExtLen);
|
|
|
|
//
|
|
// Parse options in this extension header. If an error occurs
|
|
// while parsing the options, discard packet.
|
|
//
|
|
if (!ParseOptions(Packet, IP_PROTOCOL_HOP_BY_HOP, HopByHop,
|
|
ExtLen, &Opts)) {
|
|
return -1; // Drop packet.
|
|
}
|
|
|
|
//
|
|
// If we have a valid Jumbo Payload Option, use its value as
|
|
// the packet PayloadLength.
|
|
//
|
|
if (Opts.JumboLength) {
|
|
uint PayloadLength = Opts.JumboLength;
|
|
|
|
ASSERT(Packet->IP->PayloadLength == 0);
|
|
|
|
//
|
|
// Check that the jumbo length is big enough to include
|
|
// the extension header length. This must be true because
|
|
// the extension-header length is at most 11 bits,
|
|
// while the jumbo length is at least 16 bits.
|
|
//
|
|
ASSERT(PayloadLength > ExtLen);
|
|
PayloadLength -= ExtLen;
|
|
|
|
//
|
|
// Check that the amount of payload specified in the Jumbo
|
|
// Payload value fits in the buffer handed to us.
|
|
//
|
|
if (PayloadLength > Packet->TotalSize) {
|
|
// Silently discard data.
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_BAD_PACKET,
|
|
"HopByHopOptionsReceive: "
|
|
"Jumbo payload length too big\n"));
|
|
return -1;
|
|
}
|
|
|
|
//
|
|
// As in IPv6HeaderReceive, adjust the TotalSize to be exactly the
|
|
// IP payload size (assume excess is media padding).
|
|
//
|
|
Packet->TotalSize = PayloadLength;
|
|
if (Packet->ContigSize > PayloadLength)
|
|
Packet->ContigSize = PayloadLength;
|
|
|
|
//
|
|
// Set the jumbo option packet flag.
|
|
//
|
|
Packet->Flags |= PACKET_JUMBO_OPTION;
|
|
}
|
|
else if (Packet->IP->PayloadLength == 0) {
|
|
//
|
|
// We should have a Jumbo Payload option,
|
|
// but we didn't find it. Send an ICMP error.
|
|
//
|
|
ICMPv6SendError(Packet,
|
|
ICMPv6_PARAMETER_PROBLEM,
|
|
ICMPv6_ERRONEOUS_HEADER_FIELD,
|
|
FIELD_OFFSET(IPv6Header, PayloadLength),
|
|
HopByHop->NextHeader, FALSE);
|
|
return -1;
|
|
}
|
|
|
|
//
|
|
// Return next header value.
|
|
//
|
|
return HopByHop->NextHeader;
|
|
}
|
|
|
|
|
|
//* ParseOptions - Routine for generic header options parsing.
|
|
//
|
|
// Returns TRUE if the options were successfully parsed.
|
|
// Returns FALSE if the packet should be discarded.
|
|
//
|
|
int
|
|
ParseOptions(
|
|
IPv6Packet *Packet, // The packet handed to us by IPv6Receive.
|
|
uchar HdrType, // Hop-by-hop or destination.
|
|
IPv6OptionsHeader *Hdr, // Header with following data.
|
|
uint HdrLength, // Length of the entire options area.
|
|
Options *Opts) // Return option values to caller.
|
|
{
|
|
uchar *OptPtr;
|
|
uint OptSizeLeft;
|
|
OptionHeader *OptHdr;
|
|
uint OptLen;
|
|
|
|
ASSERT((HdrType == IP_PROTOCOL_DEST_OPTS) ||
|
|
(HdrType == IP_PROTOCOL_HOP_BY_HOP));
|
|
|
|
//
|
|
// Zero out the Options struct that is returned.
|
|
//
|
|
RtlZeroMemory(Opts, sizeof *Opts);
|
|
|
|
//
|
|
// Skip over the extension header.
|
|
//
|
|
OptPtr = (uchar *)(Hdr + 1);
|
|
OptSizeLeft = HdrLength - sizeof *Hdr;
|
|
|
|
//
|
|
// Note that if there are multiple options
|
|
// of the same type, we just use the last one encountered
|
|
// unless the spec says specifically it is an error.
|
|
//
|
|
|
|
while (OptSizeLeft > 0) {
|
|
|
|
//
|
|
// First we check the option length and ensure that it fits.
|
|
// We move OptPtr past this option while leaving OptHdr
|
|
// for use by the option processing code below.
|
|
//
|
|
|
|
OptHdr = (OptionHeader *) OptPtr;
|
|
if (OptHdr->Type == OPT6_PAD_1) {
|
|
//
|
|
// This is a special pad option which is just a one byte field,
|
|
// i.e. it has no length or data field.
|
|
//
|
|
OptLen = 1;
|
|
}
|
|
else {
|
|
//
|
|
// This is a multi-byte option.
|
|
//
|
|
if ((sizeof *OptHdr > OptSizeLeft) ||
|
|
((OptLen = sizeof *OptHdr + OptHdr->DataLength) >
|
|
OptSizeLeft)) {
|
|
//
|
|
// Bad length, generate error and discard packet.
|
|
//
|
|
ICMPv6SendError(Packet,
|
|
ICMPv6_PARAMETER_PROBLEM,
|
|
ICMPv6_ERRONEOUS_HEADER_FIELD,
|
|
(GetPacketPositionFromPointer(Packet,
|
|
&Hdr->HeaderExtLength) -
|
|
Packet->IPPosition),
|
|
Hdr->NextHeader, FALSE);
|
|
return FALSE;
|
|
}
|
|
}
|
|
OptPtr += OptLen;
|
|
OptSizeLeft -= OptLen;
|
|
|
|
switch (OptHdr->Type) {
|
|
case OPT6_PAD_1:
|
|
case OPT6_PAD_N:
|
|
break;
|
|
|
|
case OPT6_JUMBO_PAYLOAD:
|
|
if (HdrType != IP_PROTOCOL_HOP_BY_HOP)
|
|
goto BadOptionType;
|
|
|
|
if (OptHdr->DataLength != sizeof Opts->JumboLength)
|
|
goto BadOptionLength;
|
|
|
|
if (Packet->IP->PayloadLength != 0) {
|
|
//
|
|
// Jumbo option encountered when IP payload is not zero.
|
|
// Send ICMP error, set pointer to offset of this option type.
|
|
//
|
|
goto BadOptionType;
|
|
}
|
|
|
|
Opts->JumboLength = net_long(*(ulong UNALIGNED *)(OptHdr + 1));
|
|
if (Opts->JumboLength <= MAX_IPv6_PAYLOAD) {
|
|
//
|
|
// Jumbo payload length is not jumbo, send ICMP error.
|
|
// ICMP pointer is set to offset of jumbo payload len field.
|
|
//
|
|
goto BadOptionData;
|
|
}
|
|
break;
|
|
|
|
case OPT6_ROUTER_ALERT:
|
|
if (HdrType != IP_PROTOCOL_HOP_BY_HOP)
|
|
goto BadOptionType;
|
|
|
|
if (OptLen != sizeof *Opts->Alert)
|
|
goto BadOptionLength;
|
|
|
|
if (Opts->Alert != NULL) {
|
|
//
|
|
// Can only have one router alert option.
|
|
//
|
|
goto BadOptionType;
|
|
}
|
|
|
|
//
|
|
// Return the pointer to the router alert struct.
|
|
//
|
|
Opts->Alert = (IPv6RouterAlertOption UNALIGNED *)(OptHdr + 1);
|
|
break;
|
|
|
|
case OPT6_HOME_ADDRESS:
|
|
if (HdrType != IP_PROTOCOL_DEST_OPTS)
|
|
goto BadOptionType;
|
|
|
|
if (OptLen < sizeof *Opts->HomeAddress)
|
|
goto BadOptionLength;
|
|
|
|
//
|
|
// Return the pointer to the home address option
|
|
// after checking to make sure the address is reasonable.
|
|
// The option must be aligned so that the home address
|
|
// is appropriately aligned.
|
|
//
|
|
Opts->HomeAddress = (IPv6HomeAddressOption UNALIGNED *)OptHdr;
|
|
if (((UINT_PTR)&Opts->HomeAddress->HomeAddress % __builtin_alignof(IPv6Addr)) != 0) {
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_BAD_PACKET,
|
|
"ParseOptions: misaligned home address\n"));
|
|
goto BadOptionType;
|
|
}
|
|
if (IsInvalidSourceAddress(AlignAddr(&Opts->HomeAddress->HomeAddress)) ||
|
|
IsUnspecified(AlignAddr(&Opts->HomeAddress->HomeAddress)) ||
|
|
IsLoopback(AlignAddr(&Opts->HomeAddress->HomeAddress))) {
|
|
//
|
|
// Address contained in option is invalid.
|
|
// Send ICMP error, set pointer to offset of home address.
|
|
//
|
|
goto BadOptionData;
|
|
}
|
|
break;
|
|
|
|
case OPT6_BINDING_UPDATE:
|
|
if (HdrType != IP_PROTOCOL_DEST_OPTS)
|
|
goto BadOptionType;
|
|
|
|
//
|
|
// At a minimum, the binding update must include all of the
|
|
// base header fields.
|
|
//
|
|
if (OptLen < sizeof(IPv6BindingUpdateOption)) {
|
|
//
|
|
// draft-ietf-mobileip-ipv6-13 sec 8.2 says we must
|
|
// silently drop the packet. Normally we would
|
|
// goto BadOptionLength to send an ICMP error.
|
|
//
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// Save pointer to the binding update option. Note we still
|
|
// need to do further length checking.
|
|
//
|
|
Opts->BindingUpdate = (IPv6BindingUpdateOption UNALIGNED *)OptHdr;
|
|
break;
|
|
|
|
default:
|
|
if (OPT6_ACTION(OptHdr->Type) == OPT6_A_SKIP) {
|
|
//
|
|
// Ignore the unrecognized option.
|
|
//
|
|
break;
|
|
}
|
|
else if (OPT6_ACTION(OptHdr->Type) == OPT6_A_DISCARD) {
|
|
//
|
|
// Discard the packet.
|
|
//
|
|
return FALSE;
|
|
}
|
|
else {
|
|
//
|
|
// Send an ICMP error.
|
|
//
|
|
ICMPv6SendError(Packet,
|
|
ICMPv6_PARAMETER_PROBLEM,
|
|
ICMPv6_UNRECOGNIZED_OPTION,
|
|
(GetPacketPositionFromPointer(Packet,
|
|
&OptHdr->Type) -
|
|
Packet->IPPosition),
|
|
Hdr->NextHeader,
|
|
OPT6_ACTION(OptHdr->Type) ==
|
|
OPT6_A_SEND_ICMP_ALL);
|
|
return FALSE; // discard the packet.
|
|
}
|
|
}
|
|
}
|
|
|
|
return TRUE;
|
|
|
|
BadOptionType:
|
|
ICMPv6SendError(Packet,
|
|
ICMPv6_PARAMETER_PROBLEM,
|
|
ICMPv6_ERRONEOUS_HEADER_FIELD,
|
|
(GetPacketPositionFromPointer(Packet,
|
|
&OptHdr->Type) -
|
|
Packet->IPPosition),
|
|
Hdr->NextHeader, FALSE);
|
|
return FALSE; // discard packet.
|
|
|
|
BadOptionLength:
|
|
ICMPv6SendError(Packet,
|
|
ICMPv6_PARAMETER_PROBLEM,
|
|
ICMPv6_ERRONEOUS_HEADER_FIELD,
|
|
(GetPacketPositionFromPointer(Packet,
|
|
&OptHdr->DataLength) -
|
|
Packet->IPPosition),
|
|
Hdr->NextHeader, FALSE);
|
|
return FALSE; // discard packet.
|
|
|
|
BadOptionData:
|
|
ICMPv6SendError(Packet,
|
|
ICMPv6_PARAMETER_PROBLEM,
|
|
ICMPv6_ERRONEOUS_HEADER_FIELD,
|
|
(GetPacketPositionFromPointer(Packet,
|
|
(uchar *)(OptHdr + 1)) -
|
|
Packet->IPPosition),
|
|
Hdr->NextHeader, FALSE);
|
|
return FALSE; // discard packet.
|
|
}
|
|
|
|
|
|
//* ExtHdrControlReceive - generic extension header skip-over routine.
|
|
//
|
|
// Routine for processing the extension headers in an ICMP error message
|
|
// before delivering the error message to the upper-layer protocol.
|
|
//
|
|
uchar
|
|
ExtHdrControlReceive(
|
|
IPv6Packet *Packet, // Packet handed to us by ICMPv6ErrorReceive.
|
|
StatusArg *StatArg) // ICMP Error code and offset pointer.
|
|
{
|
|
uchar NextHdr = StatArg->IP->NextHeader;
|
|
uint HdrLen;
|
|
|
|
for (;;) {
|
|
switch (NextHdr) {
|
|
case IP_PROTOCOL_HOP_BY_HOP:
|
|
case IP_PROTOCOL_DEST_OPTS:
|
|
case IP_PROTOCOL_ROUTING: {
|
|
ExtensionHeader *ExtHdr; // Generic exension header.
|
|
|
|
//
|
|
// Here we take advantage of the fact that all of these extension
|
|
// headers share the same first two fields (except as noted below).
|
|
// Since those two fields (Next Header and Header Extension Length)
|
|
// provide us with all the information we need to skip over the
|
|
// header, they're all we need to look at here.
|
|
//
|
|
if (! PacketPullup(Packet, sizeof *ExtHdr,
|
|
__builtin_alignof(ExtensionHeader), 0)) {
|
|
if (Packet->TotalSize < sizeof *ExtHdr) {
|
|
PacketTooSmall:
|
|
//
|
|
// Pullup failed. There isn't enough of the invoking
|
|
// packet included in the error message to figure out
|
|
// what upper layer protocol it originated with.
|
|
//
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_BAD_PACKET,
|
|
"ExtHdrControlReceive: "
|
|
"Incoming ICMP error packet "
|
|
"doesn't contain enough of invoking packet\n"));
|
|
}
|
|
return IP_PROTOCOL_NONE; // Drop packet.
|
|
}
|
|
|
|
ExtHdr = (ExtensionHeader *) Packet->Data;
|
|
HdrLen = (ExtHdr->HeaderExtLength + 1) * EXT_LEN_UNIT;
|
|
|
|
//
|
|
// Now that we know the actual length of this extension header,
|
|
// skip over it.
|
|
//
|
|
// REVIEW: We could rework this to use PositionPacketAt
|
|
// REVIEW: here instead of PacketPullup as we don't need to
|
|
// REVIEW: look at the data we're skipping over. Better?
|
|
//
|
|
if (! PacketPullup(Packet, HdrLen, 1, 0)) {
|
|
if (Packet->TotalSize < HdrLen)
|
|
goto PacketTooSmall;
|
|
return IP_PROTOCOL_NONE; // Drop packet.
|
|
}
|
|
|
|
NextHdr = ExtHdr->NextHeader;
|
|
break;
|
|
}
|
|
|
|
case IP_PROTOCOL_FRAGMENT: {
|
|
FragmentHeader UNALIGNED *FragHdr;
|
|
|
|
if (! PacketPullup(Packet, sizeof *FragHdr, 1, 0)) {
|
|
if (Packet->TotalSize < sizeof *FragHdr)
|
|
goto PacketTooSmall;
|
|
return IP_PROTOCOL_NONE; // Drop packet.
|
|
}
|
|
|
|
FragHdr = (FragmentHeader UNALIGNED *) Packet->Data;
|
|
|
|
if ((net_short(FragHdr->OffsetFlag) & FRAGMENT_OFFSET_MASK) != 0) {
|
|
//
|
|
// We can only continue parsing if this
|
|
// fragment has offset zero.
|
|
//
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_BAD_PACKET,
|
|
"ExtHdrControlReceive: "
|
|
"non-zero-offset fragment\n"));
|
|
return IP_PROTOCOL_NONE;
|
|
}
|
|
|
|
HdrLen = sizeof *FragHdr;
|
|
NextHdr = FragHdr->NextHeader;
|
|
break;
|
|
}
|
|
|
|
case IP_PROTOCOL_AH:
|
|
case IP_PROTOCOL_ESP:
|
|
//
|
|
// REVIEW - What is the correct thing here?
|
|
//
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_BAD_PACKET,
|
|
"ExtHdrControlReceive: found AH/ESP\n"));
|
|
return IP_PROTOCOL_NONE;
|
|
|
|
default:
|
|
//
|
|
// We came to a header that we do not recognize,
|
|
// so we can not continue parsing here.
|
|
// But our caller might recognize this header type.
|
|
//
|
|
return NextHdr;
|
|
}
|
|
|
|
//
|
|
// Move past this extension header.
|
|
//
|
|
AdjustPacketParams(Packet, HdrLen);
|
|
}
|
|
}
|
|
|
|
|
|
//* RoutingReceive - Handle the IPv6 Routing Header.
|
|
//
|
|
// Called from IPv6Receive when we encounter a Routing Header,
|
|
// next header value of 43.
|
|
//
|
|
uchar
|
|
RoutingReceive(
|
|
IPv6Packet *Packet) // Packet handed to us by link layer.
|
|
{
|
|
IPv6RoutingHeader *RH;
|
|
uint HeaderLength;
|
|
uint SegmentsLeft;
|
|
uint NumAddresses, i;
|
|
IPv6Addr *Addresses;
|
|
IP_STATUS Status;
|
|
uchar *Mem;
|
|
uint MemLen, Offset;
|
|
NDIS_PACKET *FwdPacket;
|
|
NDIS_STATUS NdisStatus;
|
|
IPv6Header UNALIGNED *FwdIP;
|
|
IPv6RoutingHeader UNALIGNED *FwdRH;
|
|
IPv6Addr UNALIGNED *FwdAddresses;
|
|
IPv6Addr FwdDest;
|
|
int Delta;
|
|
uint PayloadLength;
|
|
uint TunnelStart = NO_TUNNEL, IPSecBytes = 0;
|
|
IPSecProc *IPSecToDo;
|
|
RouteCacheEntry *RCE;
|
|
uint Action;
|
|
|
|
//
|
|
// Verify that we have enough contiguous data,
|
|
// then get a pointer to the routing header.
|
|
//
|
|
if (! PacketPullup(Packet, sizeof *RH,
|
|
__builtin_alignof(IPv6RoutingHeader), 0)) {
|
|
if (Packet->TotalSize < sizeof *RH) {
|
|
BadPayloadLength:
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_BAD_PACKET,
|
|
"RoutingReceive: Incoming packet too small"
|
|
" to contain routing header\n"));
|
|
ICMPv6SendError(Packet,
|
|
ICMPv6_PARAMETER_PROBLEM,
|
|
ICMPv6_ERRONEOUS_HEADER_FIELD,
|
|
FIELD_OFFSET(IPv6Header, PayloadLength),
|
|
IP_PROTOCOL_NONE, FALSE);
|
|
}
|
|
return IP_PROTOCOL_NONE; // Drop packet.
|
|
}
|
|
RH = (IPv6RoutingHeader *) Packet->Data;
|
|
|
|
//
|
|
// Now get the entire routing header.
|
|
// Also align for the address array.
|
|
//
|
|
HeaderLength = (RH->HeaderExtLength + 1) * EXT_LEN_UNIT;
|
|
if (! PacketPullup(Packet, HeaderLength,
|
|
MAX(__builtin_alignof(IPv6RoutingHeader),
|
|
__builtin_alignof(IPv6Addr)), 0)) {
|
|
if (Packet->TotalSize < HeaderLength)
|
|
goto BadPayloadLength;
|
|
return IP_PROTOCOL_NONE; // Drop packet.
|
|
}
|
|
RH = (IPv6RoutingHeader *) Packet->Data;
|
|
|
|
//
|
|
// Remember offset to this header's NextHeader field.
|
|
//
|
|
Packet->NextHeaderPosition = Packet->Position +
|
|
FIELD_OFFSET(IPv6RoutingHeader, NextHeader);
|
|
|
|
//
|
|
// Move past the routing header.
|
|
// We need to do this now so subsequent ICMP error generation works.
|
|
//
|
|
AdjustPacketParams(Packet, HeaderLength);
|
|
|
|
//
|
|
// If SegmentsLeft is zero, we proceed directly to the next header.
|
|
// We must not check the Type value or HeaderLength.
|
|
//
|
|
SegmentsLeft = RH->SegmentsLeft;
|
|
if (SegmentsLeft == 0) {
|
|
//
|
|
// Return next header value.
|
|
//
|
|
return RH->NextHeader;
|
|
}
|
|
|
|
//
|
|
// If we do not recognize the Type value, generate an ICMP error.
|
|
//
|
|
if (RH->RoutingType != 0) {
|
|
ICMPv6SendError(Packet,
|
|
ICMPv6_PARAMETER_PROBLEM,
|
|
ICMPv6_ERRONEOUS_HEADER_FIELD,
|
|
(GetPacketPositionFromPointer(Packet,
|
|
&RH->RoutingType) -
|
|
Packet->IPPosition),
|
|
RH->NextHeader, FALSE);
|
|
return IP_PROTOCOL_NONE; // No further processing of this packet.
|
|
}
|
|
|
|
//
|
|
// We must have an integral number of IPv6 addresses
|
|
// in the routing header.
|
|
//
|
|
if (RH->HeaderExtLength & 1) {
|
|
ICMPv6SendError(Packet,
|
|
ICMPv6_PARAMETER_PROBLEM,
|
|
ICMPv6_ERRONEOUS_HEADER_FIELD,
|
|
(GetPacketPositionFromPointer(Packet,
|
|
&RH->HeaderExtLength) -
|
|
Packet->IPPosition),
|
|
RH->NextHeader, FALSE);
|
|
return IP_PROTOCOL_NONE; // No further processing of this packet.
|
|
}
|
|
|
|
NumAddresses = RH->HeaderExtLength / 2;
|
|
|
|
//
|
|
// Sanity check SegmentsLeft.
|
|
//
|
|
if (SegmentsLeft > NumAddresses) {
|
|
ICMPv6SendError(Packet,
|
|
ICMPv6_PARAMETER_PROBLEM,
|
|
ICMPv6_ERRONEOUS_HEADER_FIELD,
|
|
(GetPacketPositionFromPointer(Packet,
|
|
&RH->SegmentsLeft) -
|
|
Packet->IPPosition),
|
|
RH->NextHeader, FALSE);
|
|
return IP_PROTOCOL_NONE; // No further processing of this packet.
|
|
}
|
|
|
|
//
|
|
// Sanity check the destination address.
|
|
// Packets carrying a Type 0 Routing Header must not
|
|
// be sent to a multicast destination.
|
|
//
|
|
if (IsMulticast(AlignAddr(&Packet->IP->Dest))) {
|
|
//
|
|
// Just drop the packet, no ICMP error in this case.
|
|
//
|
|
return IP_PROTOCOL_NONE; // No further processing of this packet.
|
|
}
|
|
|
|
i = NumAddresses - SegmentsLeft;
|
|
Addresses = AlignAddr((IPv6Addr UNALIGNED *) (RH + 1));
|
|
|
|
//
|
|
// Sanity check the new destination.
|
|
// RFC 2460 doesn't mention checking for an unspecified address,
|
|
// but I think it's a good idea. Similarly, for security reasons,
|
|
// we also check the scope of the destination. This allows
|
|
// applications to check the scope of the eventual destination address
|
|
// and know that the packet originated within that scope.
|
|
// RFC 2460 says to discard the packet without an ICMP error
|
|
// (at least when the new destination is multicast),
|
|
// but I think an ICMP error is helpful in this situation.
|
|
//
|
|
if (IsMulticast(&Addresses[i]) ||
|
|
IsUnspecified(&Addresses[i]) ||
|
|
(UnicastAddressScope(&Addresses[i]) <
|
|
UnicastAddressScope(AlignAddr(&Packet->IP->Dest)))) {
|
|
|
|
ICMPv6SendError(Packet,
|
|
ICMPv6_PARAMETER_PROBLEM,
|
|
ICMPv6_ERRONEOUS_HEADER_FIELD,
|
|
(GetPacketPositionFromPointer(Packet, (uchar *)
|
|
&Addresses[i]) -
|
|
Packet->IPPosition),
|
|
RH->NextHeader, FALSE);
|
|
return IP_PROTOCOL_NONE; // No further processing of this packet.
|
|
}
|
|
|
|
//
|
|
// Verify IPSec was performed.
|
|
//
|
|
if (InboundSecurityCheck(Packet, 0, 0, 0, Packet->NTEorIF->IF) != TRUE) {
|
|
//
|
|
// No policy was found or the policy indicated to drop the packet.
|
|
//
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_NET_ERROR,
|
|
"RoutingReceive: "
|
|
"IPSec lookup failed or policy was to drop\n"));
|
|
return IP_PROTOCOL_NONE; // Drop packet.
|
|
}
|
|
|
|
//
|
|
// Find a route to the new destination.
|
|
//
|
|
Status = RouteToDestination(&Addresses[i],
|
|
0, Packet->NTEorIF,
|
|
RTD_FLAG_LOOSE, &RCE);
|
|
if (Status != IP_SUCCESS) {
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_INTERNAL_ERROR,
|
|
"RoutingReceive: "
|
|
"No route to destination for forwarding.\n"));
|
|
ICMPv6SendError(Packet,
|
|
ICMPv6_DESTINATION_UNREACHABLE,
|
|
ICMPv6_NO_ROUTE_TO_DESTINATION,
|
|
0, RH->NextHeader, FALSE);
|
|
return IP_PROTOCOL_NONE;
|
|
}
|
|
|
|
//
|
|
// For security reasons, we prevent source routing
|
|
// in some situations. Check those now.
|
|
//
|
|
if (Packet->NTEorIF->IF->Flags & IF_FLAG_FORWARDS) {
|
|
//
|
|
// The interface is forwarding, so source-routing is allowed.
|
|
//
|
|
}
|
|
else if (Packet->NTEorIF->IF == RCE->NCE->IF) {
|
|
//
|
|
// Same-interface rule says source-routing is allowed,
|
|
// because the host is not acting as a conduit
|
|
// between two networks. See RFC 1122 section 3.3.5.
|
|
//
|
|
}
|
|
else if ((SegmentsLeft == 1) && RCE->NCE->IsLoopback) {
|
|
//
|
|
// The packet is locally destined, so source-routing is allowed.
|
|
// Mobile IPv6 uses the Routing Header in this way.
|
|
//
|
|
}
|
|
else {
|
|
//
|
|
// We can not allow this use of source-routing.
|
|
// Instead of reporting an error, we could
|
|
// redo RouteToDestination with RTD_FLAG_STRICT
|
|
// to constrain to the same interface.
|
|
// However, an ICMP error is more in keeping
|
|
// with the treatment of scoped source addresses,
|
|
// which can produce a destination-unreachable error.
|
|
//
|
|
ReleaseRCE(RCE);
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_BAD_PACKET,
|
|
"RoutingReceive: Inappropriate route.\n"));
|
|
ICMPv6SendError(Packet,
|
|
ICMPv6_DESTINATION_UNREACHABLE,
|
|
ICMPv6_COMMUNICATION_PROHIBITED,
|
|
0, RH->NextHeader, FALSE);
|
|
return IP_PROTOCOL_NONE;
|
|
}
|
|
|
|
//
|
|
// Find the Security Policy for this outbound traffic.
|
|
// The source address is the same but the destination address is the
|
|
// next hop from the routing header.
|
|
//
|
|
IPSecToDo = OutboundSPLookup(AlignAddr(&Packet->IP->Source),
|
|
&Addresses[i],
|
|
0, 0, 0, RCE->NCE->IF, &Action);
|
|
|
|
if (IPSecToDo == NULL) {
|
|
//
|
|
// Check Action.
|
|
//
|
|
if (Action == LOOKUP_DROP) {
|
|
// Drop packet.
|
|
ReleaseRCE(RCE);
|
|
return IP_PROTOCOL_NONE;
|
|
} else {
|
|
if (Action == LOOKUP_IKE_NEG) {
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_NET_ERROR,
|
|
"RoutingReceive: IKE not supported yet.\n"));
|
|
ReleaseRCE(RCE);
|
|
return IP_PROTOCOL_NONE;
|
|
}
|
|
}
|
|
|
|
//
|
|
// With no IPSec to perform, IPv6Forward won't be changing the
|
|
// outgoing interface from what we currently think it will be.
|
|
// So we can use the exact size of its link-level header.
|
|
//
|
|
Offset = RCE->NCE->IF->LinkHeaderSize;
|
|
|
|
} else {
|
|
//
|
|
// Calculate the space needed for the IPSec headers.
|
|
//
|
|
IPSecBytes = IPSecBytesToInsert(IPSecToDo, &TunnelStart, NULL);
|
|
|
|
if (TunnelStart != 0) {
|
|
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_NET_ERROR,
|
|
"RoutingReceive: IPSec Tunnel mode only.\n"));
|
|
FreeIPSecToDo(IPSecToDo, IPSecToDo->BundleSize);
|
|
ReleaseRCE(RCE);
|
|
return IP_PROTOCOL_NONE;
|
|
}
|
|
|
|
//
|
|
// The IPSec code in IPv6Forward might change the outgoing
|
|
// interface from what we currently think it will be. Play it
|
|
// safe and leave the max amount of space for its link-level header.
|
|
//
|
|
Offset = MAX_LINK_HEADER_SIZE;
|
|
}
|
|
|
|
//
|
|
// The packet has passed all our checks.
|
|
// We can construct a revised packet for transmission.
|
|
// First we allocate a packet, buffer, and memory.
|
|
//
|
|
// NB: The original packet is read-only for us. Furthermore
|
|
// we can not keep a pointer to it beyond the return of this
|
|
// function. So we must copy the packet and then modify it.
|
|
//
|
|
|
|
// Packet->IP->PayloadLength might be zero with jumbograms.
|
|
Delta = Packet->Position - Packet->IPPosition;
|
|
PayloadLength = Packet->TotalSize + Delta - sizeof(IPv6Header);
|
|
MemLen = Offset + sizeof(IPv6Header) + PayloadLength + IPSecBytes;
|
|
|
|
NdisStatus = IPv6AllocatePacket(MemLen, &FwdPacket, &Mem);
|
|
if (NdisStatus != NDIS_STATUS_SUCCESS) {
|
|
if (IPSecToDo) {
|
|
FreeIPSecToDo(IPSecToDo, IPSecToDo->BundleSize);
|
|
}
|
|
ReleaseRCE(RCE);
|
|
return IP_PROTOCOL_NONE; // No further processing of this packet.
|
|
}
|
|
|
|
FwdIP = (IPv6Header UNALIGNED *)(Mem + Offset + IPSecBytes);
|
|
FwdRH = (IPv6RoutingHeader UNALIGNED *)
|
|
((uchar *)FwdIP + Delta - HeaderLength);
|
|
FwdAddresses = (IPv6Addr UNALIGNED *) (FwdRH + 1);
|
|
|
|
//
|
|
// Now we copy from the original packet to the new packet.
|
|
//
|
|
CopyPacketToBuffer((uchar *)FwdIP, Packet,
|
|
sizeof(IPv6Header) + PayloadLength,
|
|
Packet->IPPosition);
|
|
|
|
//
|
|
// Fix up the new packet - put in the new destination address
|
|
// and decrement SegmentsLeft.
|
|
// NB: We pass the Reserved field through unmodified!
|
|
// This violates a strict reading of the spec,
|
|
// but Steve Deering has confirmed that this is his intent.
|
|
//
|
|
FwdDest = *AlignAddr(&FwdAddresses[i]);
|
|
*AlignAddr(&FwdAddresses[i]) = *AlignAddr(&FwdIP->Dest);
|
|
*AlignAddr(&FwdIP->Dest) = FwdDest;
|
|
FwdRH->SegmentsLeft--;
|
|
|
|
//
|
|
// Forward the packet. This decrements the Hop Limit and generates
|
|
// any applicable ICMP errors (Time Limit Exceeded, Destination
|
|
// Unreachable, Packet Too Big). Note that previous ICMP errors
|
|
// that we generated were based on the unmodified incoming packet,
|
|
// while from here on the ICMP errors are based on the new FwdPacket.
|
|
//
|
|
IPv6Forward(Packet->NTEorIF, FwdPacket, Offset + IPSecBytes, FwdIP,
|
|
PayloadLength, FALSE, // Don't Redirect.
|
|
IPSecToDo, RCE);
|
|
|
|
if (IPSecToDo) {
|
|
FreeIPSecToDo(IPSecToDo, IPSecToDo->BundleSize);
|
|
}
|
|
|
|
ReleaseRCE(RCE);
|
|
return IP_PROTOCOL_NONE; // No further processing of this packet.
|
|
}
|