1 /*
2  * Copyright (c) 2000-2021 Apple Inc. All rights reserved.
3  *
4  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5  *
6  * This file contains Original Code and/or Modifications of Original Code
7  * as defined in and that are subject to the Apple Public Source License
8  * Version 2.0 (the 'License'). You may not use this file except in
9  * compliance with the License. The rights granted to you under the License
10  * may not be used to create, or enable the creation or redistribution of,
11  * unlawful or unlicensed copies of an Apple operating system, or to
12  * circumvent, violate, or enable the circumvention or violation of, any
13  * terms of an Apple operating system software license agreement.
14  *
15  * Please obtain a copy of the License at
16  * http://www.opensource.apple.com/apsl/ and read it before using this file.
17  *
18  * The Original Code and all software distributed under the License are
19  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23  * Please see the License for the specific language governing rights and
24  * limitations under the License.
25  *
26  * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27  */
28 /*
29  * Copyright (c) 1982, 1986, 1988, 1993
30  *	The Regents of the University of California.  All rights reserved.
31  *
32  * Redistribution and use in source and binary forms, with or without
33  * modification, are permitted provided that the following conditions
34  * are met:
35  * 1. Redistributions of source code must retain the above copyright
36  *    notice, this list of conditions and the following disclaimer.
37  * 2. Redistributions in binary form must reproduce the above copyright
38  *    notice, this list of conditions and the following disclaimer in the
39  *    documentation and/or other materials provided with the distribution.
40  * 3. All advertising materials mentioning features or use of this software
41  *    must display the following acknowledgement:
42  *	This product includes software developed by the University of
43  *	California, Berkeley and its contributors.
44  * 4. Neither the name of the University nor the names of its contributors
45  *    may be used to endorse or promote products derived from this software
46  *    without specific prior written permission.
47  *
48  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
49  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
50  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
51  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
52  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
53  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
54  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
55  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
56  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
57  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
58  * SUCH DAMAGE.
59  *
60  *	@(#)ip_icmp.c	8.2 (Berkeley) 1/4/94
61  */
62 /*
63  * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
64  * support for mandatory and extensible security protections.  This notice
65  * is included in support of clause 2.2 (b) of the Apple Public License,
66  * Version 2.0.
67  */
68 
69 #include <sys/param.h>
70 #include <sys/systm.h>
71 #include <sys/mbuf.h>
72 #include <sys/mcache.h>
73 #include <sys/protosw.h>
74 #include <sys/socket.h>
75 #include <sys/time.h>
76 #include <sys/kernel.h>
77 #include <sys/sysctl.h>
78 
79 #include <machine/endian.h>
80 
81 #include <net/if.h>
82 #include <net/route.h>
83 #include <net/content_filter.h>
84 
85 #define _IP_VHL
86 #include <netinet/in.h>
87 #include <netinet/in_systm.h>
88 #include <netinet/in_var.h>
89 #include <netinet/ip.h>
90 #include <netinet/ip_icmp.h>
91 #include <netinet/ip_var.h>
92 #include <netinet/icmp_var.h>
93 #include <netinet/tcp.h>
94 #include <netinet/tcp_fsm.h>
95 #include <netinet/tcp_seq.h>
96 #include <netinet/tcp_timer.h>
97 #include <netinet/tcp_var.h>
98 #include <netinet/tcpip.h>
99 
100 #if IPSEC
101 #include <netinet6/ipsec.h>
102 #include <netkey/key.h>
103 #endif
104 
105 #if NECP
106 #include <net/necp.h>
107 #endif /* NECP */
108 
109 #include <net/sockaddr_utils.h>
110 
111 /*
112  * ICMP routines: error generation, receive packet processing, and
113  * routines to turnaround packets back to the originator, and
114  * host table maintenance routines.
115  */
116 
/* ICMP counters; exported read-only as net.inet.icmp.stats. */
struct  icmpstat icmpstat;
SYSCTL_STRUCT(_net_inet_icmp, ICMPCTL_STATS, stats,
    CTLFLAG_RD | CTLFLAG_LOCKED,
    &icmpstat, icmpstat, "");

/*
 * net.inet.icmp.maskrepl (default off): answer ICMP address-mask
 * requests.  Gates the ICMP_MASKREQ case in icmp_input(); the netmask
 * is topology information, so it is not handed out unless asked for.
 */
static int      icmpmaskrepl = 0;
SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl,
    CTLFLAG_RW | CTLFLAG_LOCKED,
    &icmpmaskrepl, 0, "");

/*
 * net.inet.icmp.timestamp (default off): answer ICMP timestamp
 * requests.  Gates the ICMP_TSTAMP case in icmp_input().
 */
static int      icmptimestamp = 0;
SYSCTL_INT(_net_inet_icmp, ICMPCTL_TIMESTAMP, timestamp,
    CTLFLAG_RW | CTLFLAG_LOCKED,
    &icmptimestamp, 0, "");

/*
 * net.inet.icmp.drop_redirect (default ON): ignore ICMP redirects.
 * Redirects are unauthenticated and, when honoured, rewrite the routing
 * table via rtredirect(); icmp_input() breaks out before doing so while
 * this is set.
 */
static int      drop_redirect = 1;
SYSCTL_INT(_net_inet_icmp, OID_AUTO, drop_redirect,
    CTLFLAG_RW | CTLFLAG_LOCKED,
    &drop_redirect, 0, "");

/*
 * net.inet.icmp.log_redirect (default off): printf() each accepted
 * redirect (dst, new gateway, sender).  Only consulted when redirects
 * are not being dropped.
 */
static int      log_redirect = 0;
SYSCTL_INT(_net_inet_icmp, OID_AUTO, log_redirect,
    CTLFLAG_RW | CTLFLAG_LOCKED,
    &log_redirect, 0, "");

/*
 * Number of bytes of the offending packet's payload (beyond its IP
 * header) that icmp_error() quotes in an error message; a full TCP
 * header is quoted instead when the payload is TCP.
 */
const static int icmp_datalen = 8;
/*
 * ICMP broadcast echo sysctl
 * net.inet.icmp.bmcastecho (default on): answer echo/timestamp requests
 * that arrived as broadcast or multicast.  Even when on, icmp_input()
 * still refuses link-local multicast/broadcast echo from sources that
 * are not on a directly connected subnet.
 */
static int      icmpbmcastecho = 1;
SYSCTL_INT(_net_inet_icmp, OID_AUTO, bmcastecho, CTLFLAG_RW | CTLFLAG_LOCKED,
    &icmpbmcastecho, 0, "");

#if (DEBUG | DEVELOPMENT)
/* net.inet.icmp.verbose: debug printf level (DEBUG/DEVELOPMENT kernels only). */
static int      icmpprintfs = 0;
SYSCTL_INT(_net_inet_icmp, OID_AUTO, verbose, CTLFLAG_RW | CTLFLAG_LOCKED,
    &icmpprintfs, 0, "");
#endif

static void     icmp_reflect(struct mbuf *);
static void     icmp_send(struct mbuf *, struct mbuf *);
158 
/*
 * Generate packet gencount for ICMP for a given error type
 * and code.
 * We do it this way to ensure we only dedup the packets that belong
 * to the same type, which is usually what port scanning and other such
 * attack vectors depend on.
 *
 * Layout: PF_INET in the top byte, then the ICMP type, then the code,
 * low byte zero.  Every error of one (type, code) pair therefore shares a
 * gencount and is a candidate for suppression as a group.
 */
static uint32_t
icmp_error_packet_gencount(int type, int code)
{
	uint32_t gencnt = (uint32_t)PF_INET << 24;

	gencnt |= (uint32_t)type << 16;
	gencnt |= (uint32_t)code << 8;
	return gencnt;
}
171 
/*
 * net.inet.icmp.suppress_icmp_port_unreach (default off): when set,
 * icmp_error() silently drops ICMP_UNREACH/ICMP_UNREACH_PORT instead of
 * telling the sender a port is closed (presumably aimed at UDP port
 * scans; note it withholds the reply from legitimate senders as well).
 */
static int      suppress_icmp_port_unreach = 0;
SYSCTL_INT(_net_inet_icmp, OID_AUTO, suppress_icmp_port_unreach,
    CTLFLAG_RW | CTLFLAG_LOCKED,
    &suppress_icmp_port_unreach, 0,
    "Suppress ICMP destination unreachable type with code port unreachable");
177 
/*
 * Generate an error packet of type error
 * in response to bad packet ip.
 *
 * n        mbuf chain holding the offending IP packet, IP header first,
 *          with ip_len/ip_off in host order (they are converted back with
 *          HTONS before being quoted).  Consumed: freed on every path,
 *          including after the reply has been handed to icmp_reflect().
 * type     ICMP type (must be <= ICMP_MAXTYPE; indexes icps_outhist[]).
 * code     ICMP code (must be <= UINT8_MAX).  For ICMP_PARAMPROB it is
 *          the pointer stored in icmp_pptr and the wire code becomes 0.
 * dest     gateway address for ICMP_REDIRECT, stored as-is in icmp_gwaddr.
 * nextmtu  MTU to advertise for ICMP_UNREACH/ICMP_UNREACH_NEEDFRAG;
 *          0 means none.
 *
 * The reply quotes the original IP header (options included) and the
 * leading icmp_datalen bytes of payload -- or the whole TCP header when
 * the offending packet is TCP, so the peer can match the connection.
 * No error is generated for broadcast/multicast packets, non-first
 * fragments, or ICMP error messages (which would allow error loops).
 */
void
icmp_error(
	struct mbuf *n,
	int type,
	int code,
	u_int32_t dest,
	u_int32_t nextmtu)
{
	struct ip *oip = NULL;
	struct ip *nip = NULL;
	struct icmp *icp = NULL;
	struct mbuf *m = NULL;
	u_int32_t oiphlen = 0;
	u_int32_t icmplen = 0;
	u_int32_t icmpelen = 0;
	u_int32_t nlen = 0;

	/* Caller contract; type also bounds the icps_outhist[] index below. */
	VERIFY((u_int)type <= ICMP_MAXTYPE);
	VERIFY(code <= UINT8_MAX);

	/* Expect 32-bit aligned data pointer on strict-align platforms */
	MBUF_STRICT_DATA_ALIGNMENT_CHECK_32(n);

	if (type != ICMP_REDIRECT) {
		icmpstat.icps_error++;
	}

	/*
	 * net.inet.icmp.suppress_icmp_port_unreach: optionally say nothing
	 * about closed ports.
	 */
	if (suppress_icmp_port_unreach &&
	    type == ICMP_UNREACH && code == ICMP_UNREACH_PORT) {
		goto freeit;
	}
	/*
	 * Don't send error:
	 *   if not the first fragment of message
	 *   if original packet was a multicast or broadcast packet
	 *   if the old packet protocol was ICMP
	 *   error message, only known informational types.
	 */
	if (n->m_flags & (M_BCAST | M_MCAST)) {
		goto freeit;
	}

	/*
	 * Drop if IP header plus ICMP_MINLEN bytes are not contiguous
	 * in first mbuf.
	 */
	if (n->m_len < sizeof(struct ip) + ICMP_MINLEN) {
		goto freeit;
	}

	/* Re-check with the real header length once options are known. */
	oip = mtod(n, struct ip *);
	oiphlen = IP_VHL_HL(oip->ip_vhl) << 2;
	if (n->m_len < oiphlen + ICMP_MINLEN) {
		goto freeit;
	}

#if (DEBUG | DEVELOPMENT)
	if (icmpprintfs > 1) {
		printf("icmp_error(0x%llx, %x, %d)\n",
		    (uint64_t)VM_KERNEL_ADDRPERM(oip), type, code);
	}
#endif

	/* A non-zero fragment offset (or reserved bit) means not first fragment. */
	if (oip->ip_off & ~(IP_MF | IP_DF)) {
		goto freeit;
	}

	/*
	 * Never generate an error about an ICMP error message; only
	 * informational ICMP types (echo etc.) may be complained about.
	 */
	if (oip->ip_p == IPPROTO_ICMP && type != ICMP_REDIRECT &&
	    n->m_len >= oiphlen + ICMP_MINLEN &&
	    !ICMP_INFOTYPE(((struct icmp *)(void *)((caddr_t)oip + oiphlen))->
	    icmp_type)) {
		icmpstat.icps_oldicmp++;
		goto freeit;
	}

	/*
	 * Calculate the length to quote from original packet and prevent
	 * the ICMP mbuf from overflowing.
	 * Unfortunately this is non-trivial since ip_forward()
	 * sends us truncated packets.
	 * nlen is the total chain length and caps how much can be quoted.
	 */
	nlen = m_length(n);
	if (oip->ip_p == IPPROTO_TCP) {
		struct tcphdr *th = NULL;
		u_int16_t tcphlen = 0;

		/*
		 * If the packet got truncated and TCP header
		 * is not contained in the packet, send out
		 * standard reply with only IP header as payload
		 */
		if (oiphlen + sizeof(struct tcphdr) > n->m_len &&
		    n->m_next == NULL) {
			goto stdreply;
		}

		/*
		 * Otherwise, pull up to get IP and TCP headers
		 * together.  m_pullup() frees the chain on failure and
		 * returns NULL, which freeit tolerates.
		 */
		if (n->m_len < (oiphlen + sizeof(struct tcphdr)) &&
		    (n = m_pullup(n, (oiphlen + sizeof(struct tcphdr)))) == NULL) {
			goto freeit;
		}

		/*
		 * Reinit pointers derived from mbuf data pointer
		 * as things might have moved around with m_pullup
		 */
		oip = mtod(n, struct ip *);
		th = (struct tcphdr *)(void *)((caddr_t)oip + oiphlen);

		/*
		 * Refuse a misaligned TCP header (strict-align platforms).
		 * The th_off bound is defensive: th_off is a 4-bit field in
		 * the BSD tcphdr, so (th_off << 2) is at most 60.
		 */
		if (th != ((struct tcphdr *)P2ROUNDDOWN(th,
		    sizeof(u_int32_t))) ||
		    ((th->th_off << 2) > UINT16_MAX)) {
			goto freeit;
		}
		tcphlen = (uint16_t)(th->th_off << 2);

		/* Sanity checks: header length vs. fixed header and vs. ip_len. */
		if (tcphlen < sizeof(struct tcphdr)) {
			goto freeit;
		}
		if (oip->ip_len < (oiphlen + tcphlen)) {
			goto freeit;
		}
		/* Truncated single mbuf without the full TCP header: quote less. */
		if ((oiphlen + tcphlen) > n->m_len && n->m_next == NULL) {
			goto stdreply;
		}
		if (n->m_len < (oiphlen + tcphlen) &&
		    (n = m_pullup(n, (oiphlen + tcphlen))) == NULL) {
			goto freeit;
		}

		/*
		 * Reinit pointers derived from mbuf data pointer
		 * as things might have moved around with m_pullup
		 */
		oip = mtod(n, struct ip *);
		th = (struct tcphdr *)(void *)((caddr_t)oip + oiphlen);

		/* Quote the whole TCP header (never less than icmp_datalen). */
		icmpelen = max(tcphlen, min(icmp_datalen,
		    (oip->ip_len - oiphlen)));
	} else {
		/* Non-TCP: quote up to icmp_datalen bytes of payload. */
stdreply:       icmpelen = max(ICMP_MINLEN, min(icmp_datalen,
		    (oip->ip_len - oiphlen)));
	}

	/* Never quote more than the chain actually holds. */
	icmplen = min(oiphlen + icmpelen, nlen);
	if (icmplen < sizeof(struct ip)) {
		goto freeit;
	}

	/*
	 * First, formulate icmp message
	 * Allocate enough space for the IP header, ICMP header
	 * and the payload (part of the original message to be sent back).
	 * A plain header mbuf when that fits, otherwise a cluster.
	 */
	if (MHLEN > (sizeof(struct ip) + ICMP_MINLEN + icmplen)) {
		m = m_gethdr(M_DONTWAIT, MT_HEADER);    /* MAC-OK */
	} else {
		m = m_getcl(M_DONTWAIT, MT_DATA, M_PKTHDR);
	}

	if (m == NULL) {
		goto freeit;
	}

	/*
	 * Further refine the payload length to the space
	 * remaining in mbuf after including the IP header and ICMP
	 * header.
	 * NOTE(review): the expression subtracts sizeof(struct ip) -
	 * ICMP_MINLEN (12 bytes), not the sum the comment describes (28).
	 * It is not binding today -- icmplen is at most 60 bytes of IP
	 * header plus 60 of TCP header (4-bit length fields) and the mbuf
	 * was chosen above to hold sizeof(struct ip) + ICMP_MINLEN +
	 * icmplen -- but the operator looks like it should be '+'; confirm.
	 */
	icmplen = min(icmplen, (u_int)M_TRAILINGSPACE(m) -
	    (u_int)(sizeof(struct ip) - ICMP_MINLEN));
	/*
	 * Place ICMP header + quote at the end of the buffer so the outer
	 * IP header can be prepended in place below (m_data -= sizeof ip).
	 */
	m_align(m, ICMP_MINLEN + icmplen);
	m->m_len = ICMP_MINLEN + icmplen; /* for ICMP header and data */

	icp = mtod(m, struct icmp *);
	icmpstat.icps_outhist[type]++;
	icp->icmp_type = (u_char)type;
	if (type == ICMP_REDIRECT) {
		icp->icmp_gwaddr.s_addr = dest;
	} else {
		icp->icmp_void = 0;
		/*
		 * The following assignments assume an overlay with the
		 * zeroed icmp_void field.
		 */
		if (type == ICMP_PARAMPROB) {
			/* The caller's "code" is the byte offset of the problem. */
			icp->icmp_pptr = (u_char)code;
			code = 0;
		} else if (type == ICMP_UNREACH &&
		    code == ICMP_UNREACH_NEEDFRAG && nextmtu != 0) {
			icp->icmp_nextmtu = htons((uint16_t)nextmtu);
		}
	}

	icp->icmp_code = (u_char)code;

	/*
	 * Copy icmplen worth of content from original
	 * mbuf (n) to the new packet after ICMP header.
	 */
	m_copydata(n, 0, icmplen, (caddr_t)&icp->icmp_ip);
	nip = &icp->icmp_ip;

	/*
	 * Convert fields to network representation.
	 * (The quoted header came from n, whose ip_len/ip_off are in host
	 * order.)
	 */
#if BYTE_ORDER != BIG_ENDIAN
	HTONS(nip->ip_len);
	HTONS(nip->ip_off);
#endif
	/*
	 * Set up ICMP message mbuf and copy old IP header (without options)
	 * in front of ICMP message.
	 */
	m->m_data -= sizeof(struct ip);
	m->m_len += sizeof(struct ip);
	m->m_pkthdr.len = m->m_len;
	/* The reply is sent back out the interface the offender came in on. */
	m->m_pkthdr.rcvif = n->m_pkthdr.rcvif;
	/*
	 * To avoid some flavors of port scanning and other attacks,
	 * use packet suppression without using any other sort of
	 * rate limiting with static bounds.
	 * XXX Not setting PKTF_FLOW_ID here because we were concerned
	 * about it triggering regression elsewhere outside of network stack
	 * where there might be an assumption around flow ID being non-zero.
	 * It should be noted though that previously if PKTF_FLOW_ID was not
	 * set, PF would have generated flow hash irrespective of ICMPv4/v6
	 * type. That doesn't happen now and PF only computes hash for ICMP
	 * types that need state creation (which is not true of error types).
	 * It would have been a problem because we really want all the ICMP
	 * error type packets to share the same flow ID for global suppression.
	 */
	m->m_pkthdr.comp_gencnt = icmp_error_packet_gencount(type, code);

	/*
	 * Start the outer header from the offender's (src/dst are swapped
	 * and the source re-chosen by icmp_reflect()), then fix up the
	 * fields that must differ: no options, ICMP, no TOS, not a fragment.
	 * ip_len stays in host order for icmp_send()/ip_output().
	 */
	nip = mtod(m, struct ip *);
	bcopy((caddr_t)oip, (caddr_t)nip, sizeof(struct ip));
	nip->ip_len = (uint16_t)m->m_len;
	nip->ip_vhl = IP_VHL_BORING;
	nip->ip_p = IPPROTO_ICMP;
	nip->ip_tos = 0;
	nip->ip_off = 0;
	icmp_reflect(m);
freeit:
	m_freem(n);
}
431 
/*
 * Process a received ICMP message.
 *
 * m     mbuf chain starting at the IP header.  ip_input() has already
 *       converted ip_len to host order and deducted the IP header length
 *       from it (the "reflect" path below adds it back); the ICMP message
 *       itself is still in network order.
 * hlen  IP header length in bytes, options included.
 *
 * m is consumed on every path: freed on a short or corrupt message,
 * handed to icmp_reflect() when a reply is generated, or passed to
 * rip_input() for raw-socket listeners (kernel-handled error types and
 * unknown types alike end up there).  inet_domain_mutex must be held by
 * the caller; it is dropped around the protocol ctlinput callback.
 */
void
icmp_input(struct mbuf *m, int hlen)
{
	struct sockaddr_in icmpsrc, icmpdst, icmpgw;
	struct icmp *icp;
	struct ip *ip = mtod(m, struct ip *);
	int icmplen;
	int i;
	struct in_ifaddr *ia;
	void (*ctlfunc)(int, struct sockaddr *, void *, struct ifnet *);
	int code;
	boolean_t should_log_redirect = false;

	/* Expect 32-bit aligned data pointer on strict-align platforms */
	MBUF_STRICT_DATA_ALIGNMENT_CHECK_32(m);

	/* Length of the ICMP message proper: hlen is already taken off ip_len. */
	icmplen = ip->ip_len;

	/*
	 * Locate icmp structure in mbuf, and check
	 * that not corrupted and of at least minimum length.
	 */
#if (DEBUG | DEVELOPMENT)
	if (icmpprintfs > 2) {
		char src_str[MAX_IPv4_STR_LEN];
		char dst_str[MAX_IPv4_STR_LEN];

		inet_ntop(AF_INET, &ip->ip_src, src_str, sizeof(src_str));
		inet_ntop(AF_INET, &ip->ip_dst, dst_str, sizeof(dst_str));
		printf("%s: from %s to %s, len %d\n",
		    __func__, src_str, dst_str, icmplen);
	}
#endif
	if (icmplen < ICMP_MINLEN) {
		icmpstat.icps_tooshort++;
		goto freeit;
	}
	/*
	 * Make the ICMP header and, when present, the quoted IP header plus
	 * 8 bytes of its payload (ICMP_ADVLENMIN) contiguous.  The per-type
	 * length checks below keep their field accesses within this span,
	 * or pull up more themselves.  m_pullup() is expected to free the
	 * chain on failure, hence return rather than freeit.
	 */
	i = hlen + min(icmplen, ICMP_ADVLENMIN);
	if (m->m_len < i && (m = m_pullup(m, i)) == NULL) {
		icmpstat.icps_tooshort++;
		return;
	}
	/* Re-seat the pointers, since `m_pullup' might have moved `m'. `icp' is re-seated below. */
	ip = mtod(m, struct ip *);

	/*
	 * Verify the ICMP checksum over the ICMP portion only: step m_data
	 * past the IP header for the duration of in_cksum(), then restore.
	 */
	m->m_len -= hlen;
	m->m_data += hlen;
	icp = mtod(m, struct icmp *);
	if (in_cksum(m, icmplen) != 0) {
		icmpstat.icps_checksum++;
		goto freeit;
	}
	m->m_len += hlen;
	m->m_data -= hlen;

#if (DEBUG | DEVELOPMENT)
	if (icmpprintfs > 2) {
		printf("icmp_input, type %d code %d\n", icp->icmp_type,
		    icp->icmp_code);
	}
#endif

	/*
	 * Message type specific processing.
	 * Types beyond ICMP_MAXTYPE are not interpreted by the kernel and
	 * go straight to raw listeners; the check also bounds the
	 * icps_inhist[] index used below.
	 */
	if (icp->icmp_type > ICMP_MAXTYPE) {
		goto raw;
	}

	/* Initialize */
	SOCKADDR_ZERO(&icmpsrc, sizeof(icmpsrc));
	icmpsrc.sin_len = sizeof(struct sockaddr_in);
	icmpsrc.sin_family = AF_INET;
	SOCKADDR_ZERO(&icmpdst, sizeof(icmpdst));
	icmpdst.sin_len = sizeof(struct sockaddr_in);
	icmpdst.sin_family = AF_INET;
	SOCKADDR_ZERO(&icmpgw, sizeof(icmpgw));
	icmpgw.sin_len = sizeof(struct sockaddr_in);
	icmpgw.sin_family = AF_INET;

	icmpstat.icps_inhist[icp->icmp_type]++;
	code = icp->icmp_code;
	switch (icp->icmp_type) {
	case ICMP_UNREACH:
		/* Map the wire code onto the PRC_* code passed to pr_ctlinput. */
		switch (code) {
		case ICMP_UNREACH_NET:
		case ICMP_UNREACH_HOST:
		case ICMP_UNREACH_SRCFAIL:
		case ICMP_UNREACH_NET_UNKNOWN:
		case ICMP_UNREACH_HOST_UNKNOWN:
		case ICMP_UNREACH_ISOLATED:
		case ICMP_UNREACH_TOSNET:
		case ICMP_UNREACH_TOSHOST:
		case ICMP_UNREACH_HOST_PRECEDENCE:
		case ICMP_UNREACH_PRECEDENCE_CUTOFF:
			code = PRC_UNREACH_NET;
			break;

		case ICMP_UNREACH_NEEDFRAG:
			code = PRC_MSGSIZE;
			break;

		/*
		 * RFC 1122, Sections 3.2.2.1 and 4.2.3.9.
		 * Treat subcodes 2,3 as immediate RST
		 */
		case ICMP_UNREACH_PROTOCOL:
		case ICMP_UNREACH_PORT:
			code = PRC_UNREACH_PORT;
			break;

		case ICMP_UNREACH_NET_PROHIB:
		case ICMP_UNREACH_HOST_PROHIB:
		case ICMP_UNREACH_FILTER_PROHIB:
			code = PRC_UNREACH_ADMIN_PROHIB;
			break;

		default:
			goto badcode;
		}
		goto deliver;

	case ICMP_TIMXCEED:
		/* Only codes 0 (in transit) and 1 (reassembly) are defined. */
		if (code > 1) {
			goto badcode;
		}
		code += PRC_TIMXCEED_INTRANS;
		goto deliver;

	case ICMP_PARAMPROB:
		if (code > 1) {
			goto badcode;
		}
		code = PRC_PARAMPROB;
		goto deliver;

	case ICMP_SOURCEQUENCH:
		if (code) {
			goto badcode;
		}
		code = PRC_QUENCH;
deliver:
		/*
		 * Problem with datagram; advise higher level routines.
		 * Require the whole quoted IP header (ICMP_ADVLEN accounts
		 * for its options) plus 8 bytes of its payload, reject a
		 * quoted header length below the fixed header, and pull it
		 * all up contiguous.  A failed m_pullup() frees the chain and
		 * leaves m NULL for freeit.
		 */
		if (icmplen < ICMP_ADVLENMIN || icmplen < ICMP_ADVLEN(icp)
		    || IP_VHL_HL(icp->icmp_ip.ip_vhl) <
		    (sizeof(struct ip) >> 2) ||
		    (m = m_pullup(m, hlen + ICMP_ADVLEN(icp))) == NULL) {
			icmpstat.icps_badlen++;
			goto freeit;
		}

		/* Re-seat the pointers, since `m_pullup' might have moved `m'*/
		ip = mtod(m, struct ip *);
		icp = (struct icmp *)(void *)(mtod(m, uint8_t *) + hlen);

		/*
		 * The quoted IP header arrives in network order; present its
		 * length in host order, as the protocol ctlinput expects.
		 */
#if BYTE_ORDER != BIG_ENDIAN
		NTOHS(icp->icmp_ip.ip_len);
#endif

		/* Discard ICMP's in response to multicast packets */
		if (IN_MULTICAST(ntohl(icp->icmp_ip.ip_dst.s_addr))) {
			goto badcode;
		}
#if (DEBUG | DEVELOPMENT)
		if (icmpprintfs > 2) {
			printf("deliver to protocol %d\n",
			    icp->icmp_ip.ip_p);
		}
#endif
		/* The error is about the quoted packet's destination. */
		icmpsrc.sin_addr = icp->icmp_ip.ip_dst;

		/*
		 * if the packet contains [IPv4 AH TCP], we can't make a
		 * notification to TCP layer.
		 * ip_p is a u_char, so this indexes at most 256 entries;
		 * relies on ip_protox[] being sized accordingly -- confirm.
		 */
		ctlfunc = ip_protox[icp->icmp_ip.ip_p]->pr_ctlinput;

		if (ctlfunc) {
			struct ipctlparam ctl_param = {
				.ipc_m = m,
				.ipc_icmp = icp,
				.ipc_icmp_ip = &icp->icmp_ip,
				.ipc_off = hlen + offsetof(struct icmp, icmp_ip) + (IP_VHL_HL(icp->icmp_ip.ip_vhl) << 2)
			};
			LCK_MTX_ASSERT(inet_domain_mutex, LCK_MTX_ASSERT_OWNED);

			/*
			 * The protocol's ctlinput runs without the domain lock
			 * (it may take its own); re-acquire it afterwards.
			 */
			lck_mtx_unlock(inet_domain_mutex);

			(*ctlfunc)(code, SA(&icmpsrc),
			    (void *)&ctl_param, m->m_pkthdr.rcvif);

			lck_mtx_lock(inet_domain_mutex);
		}
		break;

badcode:
		icmpstat.icps_badcode++;
		break;

	case ICMP_ECHO:
		/* net.inet.icmp.bmcastecho=0: never answer bcast/mcast echo. */
		if ((m->m_flags & (M_MCAST | M_BCAST))) {
			if (icmpbmcastecho == 0) {
				icmpstat.icps_bmcastecho++;
				break;
			}
		}

		/*
		 * rdar://18644769
		 * Do not reply when the destination is link local multicast or broadcast
		 * and the source is not from a directly connected subnet
		 * (an off-link sender could otherwise use us as an amplifier
		 * against a spoofed source address).
		 */
		if ((IN_LOCAL_GROUP(ntohl(ip->ip_dst.s_addr)) ||
		    in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif)) &&
		    in_localaddr(ip->ip_src) == 0) {
			icmpstat.icps_bmcastecho++;
#if (DEBUG | DEVELOPMENT)
			if (icmpprintfs > 0) {
				char src_str[MAX_IPv4_STR_LEN];
				char dst_str[MAX_IPv4_STR_LEN];

				inet_ntop(AF_INET, &ip->ip_src, src_str, sizeof(src_str));
				inet_ntop(AF_INET, &ip->ip_dst, dst_str, sizeof(dst_str));
				printf("%s: non local (B|M)CAST %s to %s, len %d\n",
				    __func__, src_str, dst_str, icmplen);
			}
#endif
			break;
		}

		/* Turn the request into the reply in place; payload is echoed. */
		icp->icmp_type = ICMP_ECHOREPLY;
		goto reflect;

	case ICMP_TSTAMP:
		/* Off by default (net.inet.icmp.timestamp). */
		if (icmptimestamp == 0) {
			break;
		}

		if (!icmpbmcastecho
		    && (m->m_flags & (M_MCAST | M_BCAST)) != 0) {
			icmpstat.icps_bmcasttstamp++;
			break;
		}
		/* Need the full 20-byte timestamp message before writing its fields. */
		if (icmplen < ICMP_TSLEN) {
			icmpstat.icps_badlen++;
			break;
		}
		icp->icmp_type = ICMP_TSTAMPREPLY;
		icp->icmp_rtime = iptime();
		icp->icmp_ttime = icp->icmp_rtime;      /* bogus, do later! */
		goto reflect;

	case ICMP_MASKREQ:
		/* Off by default (net.inet.icmp.maskrepl). */
		if (icmpmaskrepl == 0) {
			break;
		}
		/*
		 * We are not able to respond with all ones broadcast
		 * unless we receive it over a point-to-point interface.
		 */
		if (icmplen < ICMP_MASKLEN) {
			break;
		}
		/*
		 * Pick the address whose mask is wanted: the destination,
		 * or the sender's own when it asked via broadcast/0.0.0.0.
		 */
		switch (ip->ip_dst.s_addr) {
		case INADDR_BROADCAST:
		case INADDR_ANY:
			icmpdst.sin_addr = ip->ip_src;
			break;

		default:
			icmpdst.sin_addr = ip->ip_dst;
		}
		/* Returns a referenced ifaddr; released below on every path. */
		ia = (struct in_ifaddr *)ifaof_ifpforaddr(
			SA(&icmpdst), m->m_pkthdr.rcvif);
		if (ia == 0) {
			break;
		}
		IFA_LOCK(&ia->ia_ifa);
		if (ia->ia_ifp == 0) {
			IFA_UNLOCK(&ia->ia_ifa);
			ifa_remref(&ia->ia_ifa);
			ia = NULL;
			break;
		}
		icp->icmp_type = ICMP_MASKREPLY;
		icp->icmp_mask = ia->ia_sockmask.sin_addr.s_addr;
		/*
		 * A request from 0.0.0.0 (host still booting) is answered to
		 * the interface's broadcast or point-to-point peer address.
		 */
		if (ip->ip_src.s_addr == 0) {
			if (ia->ia_ifp->if_flags & IFF_BROADCAST) {
				ip->ip_src = satosin(&ia->ia_broadaddr)->sin_addr;
			} else if (ia->ia_ifp->if_flags & IFF_POINTOPOINT) {
				ip->ip_src = satosin(&ia->ia_dstaddr)->sin_addr;
			}
		}
		IFA_UNLOCK(&ia->ia_ifa);
		ifa_remref(&ia->ia_ifa);
reflect:
		ip->ip_len += hlen;     /* since ip_input deducts this */
		icmpstat.icps_reflect++;
		icmpstat.icps_outhist[icp->icmp_type]++;
		/* icmp_reflect() takes over m (swaps addresses, sends). */
		icmp_reflect(m);
		return;

	case ICMP_REDIRECT:
		/*
		 * Dropped by default (net.inet.icmp.drop_redirect=1): an
		 * unauthenticated redirect would let any on-link host rewrite
		 * our routing table through rtredirect() below.
		 */
		if (drop_redirect) {
			break;
		}
		if (code > 3) {
			goto badcode;
		}
		/*
		 * Every field read below (icmp_gwaddr, icmp_ip.ip_dst) lies
		 * within the ICMP_ADVLENMIN bytes made contiguous at the top,
		 * so no further pullup is needed here.
		 */
		if (icmplen < ICMP_ADVLENMIN || icmplen < ICMP_ADVLEN(icp) ||
		    IP_VHL_HL(icp->icmp_ip.ip_vhl) < (sizeof(struct ip) >> 2)) {
			icmpstat.icps_badlen++;
			break;
		}

#if (DEBUG | DEVELOPMENT)
		should_log_redirect = log_redirect || (icmpprintfs > 0);
#else
		should_log_redirect = log_redirect;
#endif
		/*
		 * Short circuit routing redirects to force
		 * immediate change in the kernel's routing
		 * tables.  The message is also handed to anyone
		 * listening on a raw socket (e.g. the routing
		 * daemon for use in updating its tables).
		 * icmpgw is the router that sent the redirect, icmpdst the
		 * gateway it advertises; rtredirect() is relied on to check
		 * that the sender is the current first hop -- nothing here does.
		 */
		icmpgw.sin_addr = ip->ip_src;
		icmpdst.sin_addr = icp->icmp_gwaddr;

		if (should_log_redirect) {
			char src_str[MAX_IPv4_STR_LEN];
			char dst_str[MAX_IPv4_STR_LEN];
			char gw_str[MAX_IPv4_STR_LEN];

			inet_ntop(AF_INET, &ip->ip_src, src_str, sizeof(src_str));
			inet_ntop(AF_INET, &icp->icmp_ip.ip_dst, dst_str, sizeof(dst_str));
			inet_ntop(AF_INET, &icp->icmp_gwaddr, gw_str, sizeof(gw_str));
			printf("%s: redirect dst %s to %s from %s\n", __func__,
			    dst_str, gw_str, src_str);
		}
		/* Install a host route for the quoted destination via the new gateway. */
		icmpsrc.sin_addr = icp->icmp_ip.ip_dst;
		rtredirect(m->m_pkthdr.rcvif, SA(&icmpsrc),
		    SA(&icmpdst), NULL, RTF_GATEWAY | RTF_HOST,
		    SA(&icmpgw), NULL);
		pfctlinput(PRC_REDIRECT_HOST, SA(&icmpsrc));
#if IPSEC
		key_sa_routechange(SA(&icmpsrc));
#endif
		break;

	/*
	 * No kernel processing for the following;
	 * just fall through to send to raw listener.
	 */
	case ICMP_ECHOREPLY:
	case ICMP_ROUTERADVERT:
	case ICMP_ROUTERSOLICIT:
	case ICMP_TSTAMPREPLY:
	case ICMP_IREQREPLY:
	case ICMP_MASKREPLY:
	default:
		break;
	}

raw:
	/* Deliver to raw ICMP sockets; m is not touched after this. */
	rip_input(m, hlen);
	return;

freeit:
	m_freem(m);
}
809 
/*
 * Reflect the ip packet back to the source
 *
 * m holds an IP header (ip_len in host order, header contiguous in the
 * first mbuf) followed by the ICMP message to return.  The addresses are
 * swapped and a source address chosen: the address the packet was sent
 * to if it is one of ours (or one of our broadcast addresses), else an
 * address on the receiving interface, else the first configured address.
 * The TTL is reset, IP options are stripped from the header and only
 * source route / record route / timestamp / security are carried over in
 * a separate options mbuf, then icmp_send() transmits the result.
 *
 * m is consumed on every path.  The options mbuf is ours and is freed
 * here after the send.
 */
static void
icmp_reflect(struct mbuf *m)
{
	struct ip *ip = mtod(m, struct ip *);
	struct sockaddr_in icmpdst;
	struct in_ifaddr *ia;
	struct in_addr t;
	struct mbuf *opts = NULL;
	/* Bytes of IP options present (assumes ip_input validated hlen >= 20). */
	int optlen = (IP_VHL_HL(ip->ip_vhl) << 2) - sizeof(struct ip);

	/*
	 * Refuse to reply to a source that in_canforward() rejects (e.g. a
	 * multicast or otherwise non-routable source) -- answering such a
	 * spoofed source would make us an amplifier.  The loopback net is
	 * explicitly re-allowed so local pings still work.
	 */
	if (!in_canforward(ip->ip_src) &&
	    ((ntohl(ip->ip_src.s_addr) & IN_CLASSA_NET) !=
	    (IN_LOOPBACKNET << IN_CLASSA_NSHIFT))) {
		m_freem(m);     /* Bad return address */
		goto done;      /* Ip_output() will check for broadcast */
	}
	/* t keeps the original destination while the source is chosen. */
	t = ip->ip_dst;
	ip->ip_dst = ip->ip_src;
	/*
	 * If the incoming packet was addressed directly to us,
	 * use dst as the src for the reply.  Otherwise (broadcast
	 * or anonymous), use the address which corresponds
	 * to the incoming interface.
	 */
	lck_rw_lock_shared(&in_ifaddr_rwlock);
	/* Fast path: exact match against our configured addresses. */
	TAILQ_FOREACH(ia, INADDR_HASH(t.s_addr), ia_hash) {
		IFA_LOCK(&ia->ia_ifa);
		if (t.s_addr == IA_SIN(ia)->sin_addr.s_addr) {
			ifa_addref(&ia->ia_ifa);
			IFA_UNLOCK(&ia->ia_ifa);
			goto match;
		}
		IFA_UNLOCK(&ia->ia_ifa);
	}
	/*
	 * Slow path; check for broadcast addresses.  Find a source
	 * IP address to use when replying to the broadcast request;
	 * let IP handle the source interface selection work.
	 * (ia is NULL after this loop if nothing matched.)
	 */
	for (ia = in_ifaddrhead.tqh_first; ia; ia = ia->ia_link.tqe_next) {
		IFA_LOCK(&ia->ia_ifa);
		if (ia->ia_ifp && (ia->ia_ifp->if_flags & IFF_BROADCAST) &&
		    t.s_addr == satosin(&ia->ia_broadaddr)->sin_addr.s_addr) {
			ifa_addref(&ia->ia_ifa);
			IFA_UNLOCK(&ia->ia_ifa);
			break;
		}
		IFA_UNLOCK(&ia->ia_ifa);
	}
match:
	lck_rw_done(&in_ifaddr_rwlock);

	/* Initialize */
	SOCKADDR_ZERO(&icmpdst, sizeof(icmpdst));
	icmpdst.sin_len = sizeof(struct sockaddr_in);
	icmpdst.sin_family = AF_INET;
	icmpdst.sin_addr = t;
	/* Not ours: pick an address on the interface the packet came in on. */
	if ((ia == (struct in_ifaddr *)0) && m->m_pkthdr.rcvif) {
		ia = (struct in_ifaddr *)ifaof_ifpforaddr(
			SA(&icmpdst), m->m_pkthdr.rcvif);
	}
	/*
	 * The following happens if the packet was not addressed to us,
	 * and was received on an interface with no IP address.
	 * Fall back to the first configured address, or give up if none.
	 */
	if (ia == (struct in_ifaddr *)0) {
		lck_rw_lock_shared(&in_ifaddr_rwlock);
		ia = in_ifaddrhead.tqh_first;
		if (ia == (struct in_ifaddr *)0) {/* no address yet, bail out */
			lck_rw_done(&in_ifaddr_rwlock);
			m_freem(m);
			goto done;
		}
		ifa_addref(&ia->ia_ifa);
		lck_rw_done(&in_ifaddr_rwlock);
	}
	/* The chosen address becomes the reply's source; fresh TTL. */
	IFA_LOCK_SPIN(&ia->ia_ifa);
	t = IA_SIN(ia)->sin_addr;
	IFA_UNLOCK(&ia->ia_ifa);
	ip->ip_src = t;
	ip->ip_ttl = (u_char)ip_defttl;
	ifa_remref(&ia->ia_ifa);
	ia = NULL;

	if (optlen > 0) {
		u_char *cp;
		int opt, cnt;
		u_int len;

		/*
		 * Retrieve any source routing from the incoming packet;
		 * add on any record-route or timestamp options.
		 * ip_srcroute() hands back the reversed source route recorded
		 * by IP option processing, if any; otherwise start an empty
		 * options mbuf whose leading in_addr (the first-hop slot the
		 * IP output path expects) is zero.
		 */
		cp = (u_char *) (ip + 1);
		if ((opts = ip_srcroute()) == 0 &&
		    (opts = m_gethdr(M_DONTWAIT, MT_HEADER))) { /* MAC-OK */
			opts->m_len = sizeof(struct in_addr);
			mtod(opts, struct in_addr *)->s_addr = 0;
		}
		/* Without an options mbuf the incoming options are simply dropped. */
		if (opts) {
#if (DEBUG | DEVELOPMENT)
			if (icmpprintfs > 1) {
				printf("icmp_reflect optlen %d rt %d => ",
				    optlen, opts->m_len);
			}
#endif
			/*
			 * Walk the incoming options.  Each option length is
			 * checked against the bytes remaining (cnt) before it
			 * is used, so a malformed length ends the walk instead
			 * of reading past the header.
			 */
			for (cnt = optlen; cnt > 0; cnt -= len, cp += len) {
				opt = cp[IPOPT_OPTVAL];
				if (opt == IPOPT_EOL) {
					break;
				}
				if (opt == IPOPT_NOP) {
					len = 1;
				} else {
					if (cnt < IPOPT_OLEN + sizeof(*cp)) {
						break;
					}
					len = cp[IPOPT_OLEN];
					if (len < IPOPT_OLEN + sizeof(*cp) ||
					    len > cnt) {
						break;
					}
				}
				/*
				 * Should check for overflow, but it "can't happen":
				 * optlen is bounded by the 40-byte IPv4 option limit,
				 * and opts is either a fresh MHLEN-sized mbuf or the
				 * ip_srcroute() mbuf -- assumed to have room for the
				 * copied options plus up to 3 pad bytes; confirm.
				 * Only RR, TS and SECURITY are carried back.
				 */
				if (opt == IPOPT_RR || opt == IPOPT_TS ||
				    opt == IPOPT_SECURITY) {
					bcopy((caddr_t)cp,
					    mtod(opts, caddr_t) + opts->m_len, len);
					opts->m_len += len;
				}
			}
			/* Terminate & pad, if necessary */
			cnt = opts->m_len % 4;
			if (cnt) {
				for (; cnt < 4; cnt++) {
					*(mtod(opts, caddr_t) + opts->m_len) =
					    IPOPT_EOL;
					opts->m_len++;
				}
			}
#if (DEBUG | DEVELOPMENT)
			if (icmpprintfs > 1) {
				printf("%d\n", opts->m_len);
			}
#endif
		}
		/*
		 * Now strip out original options by copying rest of first
		 * mbuf's data back, and adjust the IP length.
		 * The reply goes out with a plain 20-byte header
		 * (IP_VHL_BORING); whatever was kept travels in opts.
		 */
		ip->ip_len -= optlen;
		ip->ip_vhl = IP_VHL_BORING;
		m->m_len -= optlen;
		if (m->m_flags & M_PKTHDR) {
			m->m_pkthdr.len -= optlen;
		}
		optlen += sizeof(struct ip);
		bcopy((caddr_t)ip + optlen, (caddr_t)(ip + 1),
		    (unsigned)(m->m_len - sizeof(struct ip)));
	}
	/* The reply is unicast even if the request was broadcast/multicast. */
	m->m_flags &= ~(M_BCAST | M_MCAST);
	icmp_send(m, opts);
done:
	if (opts) {
		(void)m_free(opts);
	}
}
982 
/*
 * Send an icmp packet back to the ip level,
 * after supplying a checksum.
 *
 * m     IP header (ip_len in host order) followed by the ICMP message;
 *       handed to ip_output(), which consumes it.
 * opts  optional IP options mbuf or NULL; not consumed here (the caller
 *       frees it).
 *
 * Unless the packet was looped back, the reply is bound to the interface
 * it arrived on, so it leaves the way the request came in.
 */
static void
icmp_send(struct mbuf *m, struct mbuf *opts)
{
	struct ip *ip = mtod(m, struct ip *);
	int hlen;
	struct icmp *icp;
	struct route ro;
	struct ip_out_args ipoa;

	bzero(&ipoa, sizeof(ipoa));
	ipoa.ipoa_boundif = IFSCOPE_NONE;
	ipoa.ipoa_flags = IPOAF_SELECT_SRCIF | IPOAF_BOUND_SRCADDR;
	ipoa.ipoa_sotc = SO_TC_UNSPEC;
	ipoa.ipoa_netsvctype = _NET_SERVICE_TYPE_UNSPEC;

	/* Pin the reply to the receiving interface (not for looped packets). */
	if (!(m->m_pkthdr.pkt_flags & PKTF_LOOP) && m->m_pkthdr.rcvif != NULL) {
		ipoa.ipoa_boundif = m->m_pkthdr.rcvif->if_index;
		ipoa.ipoa_flags |= IPOAF_BOUND_IF;
	}

	/*
	 * Checksum covers the ICMP message only: step past the IP header
	 * for the duration of in_cksum(), then restore.
	 */
	hlen = IP_VHL_HL(ip->ip_vhl) << 2;
	m->m_data += hlen;
	m->m_len -= hlen;
	icp = mtod(m, struct icmp *);
	icp->icmp_cksum = 0;
	icp->icmp_cksum = in_cksum(m, ip->ip_len - hlen);
	m->m_data -= hlen;
	m->m_len += hlen;
	/*
	 * This is an outgoing packet now: drop the receive interface and
	 * any hardware-checksum state inherited from the request.
	 */
	m->m_pkthdr.rcvif = NULL;
	m->m_pkthdr.csum_data = 0;
	m->m_pkthdr.csum_flags = 0;
#if (DEBUG | DEVELOPMENT)
	if (icmpprintfs > 2) {
		char src_str[MAX_IPv4_STR_LEN];
		char dst_str[MAX_IPv4_STR_LEN];

		inet_ntop(AF_INET, &ip->ip_src, src_str, sizeof(src_str));
		inet_ntop(AF_INET, &ip->ip_dst, dst_str, sizeof(dst_str));
		printf("%s: dst %s src %s\n", __func__, dst_str, src_str);
	}
#endif
	/* Fresh route for each reply; released right after the send. */
	bzero(&ro, sizeof ro);
	(void) ip_output(m, opts, &ro, IP_OUTARGS, NULL, &ipoa);
	ROUTE_RELEASE(&ro);
}
1032 
/*
 * Time value for ICMP timestamp messages: milliseconds since midnight of
 * the system wall clock (from getmicrotime()), returned in network byte
 * order.  Whether that clock is UTC is not established here.
 */
u_int32_t
iptime(void)
{
	const long secs_per_day = 24 * 60 * 60;
	const long msec_per_sec = 1000;
	struct timeval now;
	u_int32_t msec_since_midnight;

	getmicrotime(&now);
	msec_since_midnight = (now.tv_sec % secs_per_day) * msec_per_sec
	    + now.tv_usec / 1000;
	return htonl(msec_since_midnight);
}
1043 
1044 #if 1
1045 /*
1046  * Return the next larger or smaller MTU plateau (table from RFC 1191)
1047  * given current value MTU.  If DIR is less than zero, a larger plateau
1048  * is returned; otherwise, a smaller value is returned.
1049  */
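int
ip_next_mtu(int mtu, int dir)
{
	/*
	 * RFC 1191 plateau table in descending order.  The trailing 0 is a
	 * sentinel: it stops the scan for any mtu >= 0 and doubles as the
	 * "no smaller plateau" answer.
	 */
	static const int mtutab[] = {
		65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296,
		68, 0
	};
	const int ntab = (int)(sizeof(mtutab) / sizeof(mtutab[0]));
	int i;

	/*
	 * A negative mtu is below even the sentinel, so the scan would run
	 * off the end of the table and the dir >= 0 branch would read past
	 * it.  Callers presumably pass 16-bit MTU values, so this is purely
	 * defensive: report "no plateau" in either direction.
	 */
	if (mtu < 0) {
		return 0;
	}

	/* Find the first plateau that mtu does not fall below. */
	for (i = 0; i < ntab; i++) {
		if (mtu >= mtutab[i]) {
			break;
		}
	}
	/* mtu >= 0 guarantees the loop broke at the sentinel or earlier. */

	if (dir < 0) {
		/* Next larger plateau, or 0 if mtu already >= 65535. */
		return (i == 0) ? 0 : mtutab[i - 1];
	}

	if (mtutab[i] == 0) {
		/* Already below the smallest plateau (68). */
		return 0;
	}
	if (mtu > mtutab[i]) {
		/* Strictly between two plateaus: the one just below. */
		return mtutab[i];
	}
	/* Exactly on a plateau: step down to the next one (i <= 10 here). */
	return mtutab[i + 1];
}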
1081 #endif
1082 
1083 #if __APPLE__
1084 
1085 /*
1086  * Non-privileged ICMP socket operations
1087  * - send ICMP echo request
1088  * - all ICMP
1089  * - limited socket options
1090  */
1091 
1092 #include <netinet/ip_icmp.h>
1093 #include <netinet/in_pcb.h>
1094 
1095 extern u_int32_t rip_sendspace;
1096 extern u_int32_t rip_recvspace;
1097 extern struct inpcbinfo ripcbinfo;
1098 
1099 int rip_abort(struct socket *);
1100 int rip_bind(struct socket *, struct sockaddr *, struct proc *);
1101 int rip_connect(struct socket *, struct sockaddr *, struct proc *);
1102 int rip_detach(struct socket *);
1103 int rip_disconnect(struct socket *);
1104 int rip_shutdown(struct socket *);
1105 
1106 __private_extern__ int icmp_dgram_send(struct socket *so, int flags, struct mbuf *m, struct sockaddr *nam, struct mbuf *control, struct proc *p);
1107 __private_extern__ int icmp_dgram_attach(struct socket *so, int proto, struct proc *p);
1108 __private_extern__ int icmp_dgram_ctloutput(struct socket *so, struct sockopt *sopt);
1109 
/*
 * User-request table for the unprivileged ICMP datagram socket.  Only
 * attach and send are ICMP-specific: attach is the raw-IP attach without
 * the root check, and send validates what an unprivileged caller may
 * transmit.  The remaining entries are the raw-IP (rip_*) or generic
 * inet/socket handlers.
 */
__private_extern__ struct pr_usrreqs icmp_dgram_usrreqs = {
	.pru_abort =            rip_abort,
	.pru_attach =           icmp_dgram_attach,   /* no privilege check */
	.pru_bind =             rip_bind,
	.pru_connect =          rip_connect,
	.pru_control =          in_control,
	.pru_detach =           rip_detach,
	.pru_disconnect =       rip_disconnect,
	.pru_peeraddr =         in_getpeeraddr,
	.pru_send =             icmp_dgram_send,     /* filtered send path */
	.pru_shutdown =         rip_shutdown,
	.pru_sockaddr =         in_getsockaddr,
	.pru_sosend =           sosend,
	.pru_soreceive =        soreceive,
};
1125 
1126 /* Like rip_attach but without root privilege enforcement */
__private_extern__ int
icmp_dgram_attach(struct socket *so, __unused int proto, struct proc *p)
{
	struct inpcb *pcb = sotoinpcb(so);
	int err;

	/* A socket being attached must not already own a PCB. */
	if (pcb != NULL) {
		panic("icmp_dgram_attach");
	}

	/* Same buffer limits as a raw IP socket. */
	if ((err = soreserve(so, rip_sendspace, rip_recvspace)) != 0) {
		return err;
	}
	/* The PCB lives in the raw-IP PCB table; no privilege check here. */
	if ((err = in_pcballoc(so, &ripcbinfo, p)) != 0) {
		return err;
	}

	pcb = (struct inpcb *)so->so_pcb;
	pcb->inp_vflag |= INP_IPV4;
	pcb->inp_ip_p = IPPROTO_ICMP;
	pcb->inp_ip_ttl = (u_char)ip_defttl;
	return 0;
}
1152 
1153 /*
1154  * Raw IP socket option processing.
1155  */
__private_extern__ int
icmp_dgram_ctloutput(struct socket *so, struct sockopt *sopt)
{
	/*
	 * Allow-list of IPPROTO_IP options an unprivileged ICMP socket may
	 * get or set.  Each listed option is handed to rip_ctloutput
	 * unchanged; anything not listed is refused.
	 */
	static const int allowed_opts[] = {
		IP_OPTIONS,
		IP_HDRINCL,
		IP_TOS,
		IP_TTL,
		IP_RECVOPTS,
		IP_RECVRETOPTS,
		IP_RECVDSTADDR,
		IP_RETOPTS,
		IP_MULTICAST_IF,
		IP_MULTICAST_IFINDEX,
		IP_MULTICAST_TTL,
		IP_MULTICAST_LOOP,
		IP_ADD_MEMBERSHIP,
		IP_DROP_MEMBERSHIP,
		IP_MULTICAST_VIF,
		IP_PORTRANGE,
		IP_RECVIF,
		IP_IPSEC_POLICY,
		IP_STRIPHDR,
		IP_RECVTTL,
		IP_BOUND_IF,
		IP_DONTFRAG,
		IP_NO_IFT_CELLULAR,
	};
	unsigned int idx;

	/* Only IP-level options exist for this socket type. */
	if (sopt->sopt_level != IPPROTO_IP) {
		return EINVAL;
	}

	for (idx = 0; idx < sizeof(allowed_opts) / sizeof(allowed_opts[0]); idx++) {
		if (sopt->sopt_name == allowed_opts[idx]) {
			return rip_ctloutput(so, sopt);
		}
	}

	/* Deny by default. */
	return EINVAL;
}
1199 
/*
 * Send path for the unprivileged ICMP datagram socket.  Everything in
 * `m' is untrusted user data.  Validates the packet and then hands it to
 * rip_send; on any failure `m' and `control' are freed here and an error
 * (EINVAL, or EPROTOTYPE when flow divert applies) is returned.
 *
 * With IP_HDRINCL the caller supplies the IPv4 header as well; it is
 * checked for version, header length (20..40 bytes, i.e. at most 20
 * bytes of options), a total length matching the mbuf chain, no
 * fragmentation (only DF may be set), protocol ICMP, and a source
 * address that is INADDR_ANY or configured on this host (anti-spoofing).
 * In both modes only ICMP_ECHO, ICMP_TSTAMP and ICMP_MASKREQ with code 0
 * may be sent; every other type (replies, errors, redirects, ...) is
 * rejected.
 *
 * NOTE(review): the IP and ICMP header fields are read through the first
 * mbuf's data pointer while only m_pkthdr.len (the chain total) is
 * checked; this relies on the leading hlen + ICMP_MINLEN bytes being
 * contiguous in the first mbuf — confirm against the sosend mbuf layout.
 */
__private_extern__ int
icmp_dgram_send(struct socket *so, int flags, struct mbuf *m,
    struct sockaddr *nam, struct mbuf *control, struct proc *p)
{
	struct ip *ip;
	struct inpcb *inp = sotoinpcb(so);
	int hlen;
	struct icmp *icp;
	struct in_ifaddr *ia = NULL;
	int icmplen;
	int error = EINVAL;
	/* inp may be NULL; default to "no flags" so the check below is safe. */
	int inp_flags = inp ? inp->inp_flags : 0;

	/* No PCB, or the socket is being flow-diverted: refuse to send. */
	if (inp == NULL
#if NECP
	    || (necp_socket_should_use_flow_divert(inp))
#endif /* NECP */
	    ) {
		if (inp != NULL) {
			error = EPROTOTYPE;
		}
		goto bad;
	}

#if CONTENT_FILTER
	/*
	 * If socket is subject to Content Filter, get inp_flags from saved state
	 * (the packet may be re-injected after the PCB flags changed).
	 */
	if (CFIL_DGRAM_FILTERED(so) && nam == NULL) {
		cfil_dgram_peek_socket_state(m, &inp_flags);
	}
#endif

	if ((inp_flags & INP_HDRINCL) != 0) {
		/* Expect 32-bit aligned data ptr on strict-align platforms */
		MBUF_STRICT_DATA_ALIGNMENT_CHECK_32(m);
		/*
		 * This is not raw IP: the user-supplied header is only trusted
		 * for TOS, id and TTL; everything else is checked below.
		 */
		ip = mtod(m, struct ip *);

		/* Header length in bytes, taken from the untrusted IHL field. */
		hlen = IP_VHL_HL(ip->ip_vhl) << 2;
		/* Some sanity checks: must hold the IP header plus a minimal ICMP header. */
		if (m->m_pkthdr.len < hlen + ICMP_MINLEN) {
			goto bad;
		}
		/* Only IPv4 */
		if (IP_VHL_V(ip->ip_vhl) != 4) {
			goto bad;
		}
		/*
		 * Header 20..40 bytes, and the declared length must equal
		 * what was actually supplied.  ip_len is compared in host
		 * byte order here (presumably the HDRINCL convention of the
		 * rest of this stack — confirm against rip_output).
		 */
		if (hlen < 20 || hlen > 40 || ip->ip_len != m->m_pkthdr.len) {
			goto bad;
		}
		/* Bogus fragments can tie up peer resources: only DF may be set. */
		if ((ip->ip_off & ~IP_DF) != 0) {
			goto bad;
		}
		/* Allow only ICMP even for user provided IP header */
		if (ip->ip_p != IPPROTO_ICMP) {
			goto bad;
		}
		/*
		 * To prevent spoofing, specified source address must
		 * be one of ours.  The socket lock is dropped while the
		 * address list is walked under the shared in_ifaddr lock,
		 * and re-taken on every exit path.
		 */
		if (ip->ip_src.s_addr != INADDR_ANY) {
			socket_unlock(so, 0);
			lck_rw_lock_shared(&in_ifaddr_rwlock);
			if (TAILQ_EMPTY(&in_ifaddrhead)) {
				lck_rw_done(&in_ifaddr_rwlock);
				socket_lock(so, 0);
				goto bad;
			}
			/* Hash-bucket walk; each entry is locked for the compare. */
			TAILQ_FOREACH(ia, INADDR_HASH(ip->ip_src.s_addr),
			    ia_hash) {
				IFA_LOCK(&ia->ia_ifa);
				if (IA_SIN(ia)->sin_addr.s_addr ==
				    ip->ip_src.s_addr) {
					IFA_UNLOCK(&ia->ia_ifa);
					lck_rw_done(&in_ifaddr_rwlock);
					socket_lock(so, 0);
					goto ours;
				}
				IFA_UNLOCK(&ia->ia_ifa);
			}
			/* Not a local address: reject the spoofed source. */
			lck_rw_done(&in_ifaddr_rwlock);
			socket_lock(so, 0);
			goto bad;
		}
ours:
		/* Do not trust we got a valid checksum */
		ip->ip_sum = 0;

		/* ICMP header follows the (validated) IP header. */
		icp = (struct icmp *)(void *)(((char *)m->m_data) + hlen);
		icmplen = m->m_pkthdr.len - hlen;
	} else {
		/* No user header: the payload itself must be at least an ICMP header. */
		if ((icmplen = m->m_pkthdr.len) < ICMP_MINLEN) {
			goto bad;
		}
		icp = mtod(m, struct icmp *);
	}
	/*
	 * Allow only to send request types with code 0; any other
	 * type/code combination is rejected below.
	 */
	if (icp->icmp_code != 0) {
		goto bad;
	}
	switch (icp->icmp_type) {
	case ICMP_ECHO:
		/* Any length >= ICMP_MINLEN is acceptable. */
		break;
	case ICMP_TSTAMP:
		/* Timestamp requests have a fixed 20-byte size. */
		if (icmplen != 20) {
			goto bad;
		}
		break;
	case ICMP_MASKREQ:
		/* Address-mask requests have a fixed 12-byte size. */
		if (icmplen != 12) {
			goto bad;
		}
		break;
	default:
		goto bad;
	}
	/* Ownership of m and control passes to rip_send. */
	return rip_send(so, flags, m, nam, control, p);
bad:
	VERIFY(error != 0);

	if (m != NULL) {
		m_freem(m);
	}
	if (control != NULL) {
		m_freem(control);
	}

	return error;
}
1337 
1338 #endif /* __APPLE__ */
1339