2019-05-27 14:55:01 +08:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* INET An implementation of the TCP/IP protocol suite for the LINUX
|
|
|
|
* operating system. INET is implemented using the BSD Socket
|
|
|
|
* interface as the means of communication with the user level.
|
|
|
|
*
|
|
|
|
* RAW - implementation of IP "raw" sockets.
|
|
|
|
*
|
2005-05-06 07:16:16 +08:00
|
|
|
* Authors: Ross Biro
|
2005-04-17 06:20:36 +08:00
|
|
|
* Fred N. van Kempen, <waltje@uWalt.NL.Mugnet.ORG>
|
|
|
|
*
|
|
|
|
* Fixes:
|
|
|
|
* Alan Cox : verify_area() fixed up
|
|
|
|
* Alan Cox : ICMP error handling
|
|
|
|
* Alan Cox : EMSGSIZE if you send too big a packet
|
|
|
|
* Alan Cox : Now uses generic datagrams and shared
|
|
|
|
* skbuff library. No more peek crashes,
|
|
|
|
* no more backlogs
|
|
|
|
* Alan Cox : Checks sk->broadcast.
|
|
|
|
* Alan Cox : Uses skb_free_datagram/skb_copy_datagram
|
|
|
|
* Alan Cox : Raw passes ip options too
|
|
|
|
* Alan Cox : Setsocketopt added
|
|
|
|
* Alan Cox : Fixed error return for broadcasts
|
|
|
|
* Alan Cox : Removed wake_up calls
|
|
|
|
* Alan Cox : Use ttl/tos
|
|
|
|
* Alan Cox : Cleaned up old debugging
|
|
|
|
* Alan Cox : Use new kernel side addresses
|
|
|
|
* Arnt Gulbrandsen : Fixed MSG_DONTROUTE in raw sockets.
|
|
|
|
* Alan Cox : BSD style RAW socket demultiplexing.
|
|
|
|
* Alan Cox : Beginnings of mrouted support.
|
|
|
|
* Alan Cox : Added IP_HDRINCL option.
|
|
|
|
* Alan Cox : Skip broadcast check if BSDism set.
|
|
|
|
* David S. Miller : New socket lookup architecture.
|
|
|
|
*/
|
2006-09-23 05:00:29 +08:00
|
|
|
|
2006-01-19 09:44:07 +08:00
|
|
|
#include <linux/types.h>
|
2011-07-27 07:09:06 +08:00
|
|
|
#include <linux/atomic.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <asm/byteorder.h>
|
|
|
|
#include <asm/current.h>
|
2016-12-25 03:46:01 +08:00
|
|
|
#include <linux/uaccess.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <asm/ioctls.h>
|
|
|
|
#include <linux/stddef.h>
|
|
|
|
#include <linux/slab.h>
|
|
|
|
#include <linux/errno.h>
|
|
|
|
#include <linux/kernel.h>
|
2011-07-15 23:47:34 +08:00
|
|
|
#include <linux/export.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <linux/spinlock.h>
|
|
|
|
#include <linux/sockios.h>
|
|
|
|
#include <linux/socket.h>
|
|
|
|
#include <linux/in.h>
|
|
|
|
#include <linux/mroute.h>
|
|
|
|
#include <linux/netdevice.h>
|
|
|
|
#include <linux/in_route.h>
|
|
|
|
#include <linux/route.h>
|
|
|
|
#include <linux/skbuff.h>
|
2014-07-23 16:58:01 +08:00
|
|
|
#include <linux/igmp.h>
|
2007-09-12 18:01:34 +08:00
|
|
|
#include <net/net_namespace.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <net/dst.h>
|
|
|
|
#include <net/sock.h>
|
|
|
|
#include <linux/ip.h>
|
|
|
|
#include <linux/net.h>
|
|
|
|
#include <net/ip.h>
|
|
|
|
#include <net/icmp.h>
|
|
|
|
#include <net/udp.h>
|
|
|
|
#include <net/raw.h>
|
|
|
|
#include <net/snmp.h>
|
2005-08-10 11:08:28 +08:00
|
|
|
#include <net/tcp_states.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <net/inet_common.h>
|
|
|
|
#include <net/checksum.h>
|
|
|
|
#include <net/xfrm.h>
|
|
|
|
#include <linux/rtnetlink.h>
|
|
|
|
#include <linux/proc_fs.h>
|
|
|
|
#include <linux/seq_file.h>
|
|
|
|
#include <linux/netfilter.h>
|
|
|
|
#include <linux/netfilter_ipv4.h>
|
2011-01-30 00:15:56 +08:00
|
|
|
#include <linux/compat.h>
|
2014-11-07 21:27:09 +08:00
|
|
|
#include <linux/uio.h>
|
|
|
|
|
|
|
|
struct raw_frag_vec {
|
2014-11-24 23:52:29 +08:00
|
|
|
struct msghdr *msg;
|
2014-11-07 21:27:09 +08:00
|
|
|
union {
|
|
|
|
struct icmphdr icmph;
|
|
|
|
char c[1];
|
|
|
|
} hdr;
|
|
|
|
int hlen;
|
|
|
|
};
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2022-06-18 11:47:05 +08:00
|
|
|
struct raw_hashinfo raw_v4_hashinfo;
|
2016-10-21 18:03:44 +08:00
|
|
|
EXPORT_SYMBOL_GPL(raw_v4_hashinfo);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2016-02-11 00:50:35 +08:00
|
|
|
int raw_hash_sk(struct sock *sk)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2008-03-23 07:56:51 +08:00
|
|
|
struct raw_hashinfo *h = sk->sk_prot->h.raw_hash;
|
2022-06-18 11:47:05 +08:00
|
|
|
struct hlist_nulls_head *hlist;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2022-06-18 11:47:05 +08:00
|
|
|
hlist = &h->ht[inet_sk(sk)->inet_num & (RAW_HTABLE_SIZE - 1)];
|
2007-11-20 14:37:24 +08:00
|
|
|
|
|
|
|
write_lock_bh(&h->lock);
|
2022-06-20 07:29:27 +08:00
|
|
|
__sk_nulls_add_node_rcu(sk, hlist);
|
2022-06-18 11:47:05 +08:00
|
|
|
sock_set_flag(sk, SOCK_RCU_FREE);
|
2007-11-20 14:37:24 +08:00
|
|
|
write_unlock_bh(&h->lock);
|
2021-11-16 01:11:50 +08:00
|
|
|
sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
|
2016-02-11 00:50:35 +08:00
|
|
|
|
|
|
|
return 0;
|
2007-11-20 14:37:24 +08:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(raw_hash_sk);
|
|
|
|
|
2008-03-23 07:56:51 +08:00
|
|
|
void raw_unhash_sk(struct sock *sk)
|
2007-11-20 14:37:58 +08:00
|
|
|
{
|
2008-03-23 07:56:51 +08:00
|
|
|
struct raw_hashinfo *h = sk->sk_prot->h.raw_hash;
|
|
|
|
|
2007-11-20 14:37:58 +08:00
|
|
|
write_lock_bh(&h->lock);
|
2022-06-18 11:47:05 +08:00
|
|
|
if (__sk_nulls_del_node_init_rcu(sk))
|
2008-04-01 10:41:46 +08:00
|
|
|
sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
|
2007-11-20 14:37:58 +08:00
|
|
|
write_unlock_bh(&h->lock);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(raw_unhash_sk);
|
|
|
|
|
2022-06-18 11:47:04 +08:00
|
|
|
bool raw_v4_match(struct net *net, struct sock *sk, unsigned short num,
|
|
|
|
__be32 raddr, __be32 laddr, int dif, int sdif)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2022-06-18 11:47:04 +08:00
|
|
|
struct inet_sock *inet = inet_sk(sk);
|
|
|
|
|
|
|
|
if (net_eq(sock_net(sk), net) && inet->inet_num == num &&
|
|
|
|
!(inet->inet_daddr && inet->inet_daddr != raddr) &&
|
|
|
|
!(inet->inet_rcv_saddr && inet->inet_rcv_saddr != laddr) &&
|
|
|
|
raw_sk_bound_dev_eq(net, sk->sk_bound_dev_if, dif, sdif))
|
|
|
|
return true;
|
|
|
|
return false;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2022-06-18 11:47:04 +08:00
|
|
|
EXPORT_SYMBOL_GPL(raw_v4_match);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* 0 - deliver
|
|
|
|
* 1 - block
|
|
|
|
*/
|
2012-09-22 08:08:29 +08:00
|
|
|
static int icmp_filter(const struct sock *sk, const struct sk_buff *skb)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2012-09-22 08:08:29 +08:00
|
|
|
struct icmphdr _hdr;
|
|
|
|
const struct icmphdr *hdr;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2012-09-22 08:08:29 +08:00
|
|
|
hdr = skb_header_pointer(skb, skb_transport_offset(skb),
|
|
|
|
sizeof(_hdr), &_hdr);
|
|
|
|
if (!hdr)
|
2005-04-17 06:20:36 +08:00
|
|
|
return 1;
|
|
|
|
|
2012-09-22 08:08:29 +08:00
|
|
|
if (hdr->type < 32) {
|
2005-04-17 06:20:36 +08:00
|
|
|
__u32 data = raw_sk(sk)->filter.data;
|
|
|
|
|
2012-09-22 08:08:29 +08:00
|
|
|
return ((1U << hdr->type) & data) != 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Do not block unknown ICMP types */
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* IP input processing comes here for RAW socket delivery.
|
|
|
|
* Caller owns SKB, so we must make clones.
|
|
|
|
*
|
|
|
|
* RFC 1122: SHOULD pass TOS value up to the transport layer.
|
|
|
|
* -> It does. And not only TOS, but all IP header.
|
|
|
|
*/
|
2011-04-22 12:53:02 +08:00
|
|
|
static int raw_v4_input(struct sk_buff *skb, const struct iphdr *iph, int hash)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2022-06-18 11:47:04 +08:00
|
|
|
struct net *net = dev_net(skb->dev);
|
2022-06-18 11:47:05 +08:00
|
|
|
struct hlist_nulls_head *hlist;
|
|
|
|
struct hlist_nulls_node *hnode;
|
2017-08-07 23:44:18 +08:00
|
|
|
int sdif = inet_sdif(skb);
|
2019-05-08 11:44:59 +08:00
|
|
|
int dif = inet_iif(skb);
|
2005-08-10 10:45:02 +08:00
|
|
|
int delivered = 0;
|
2022-06-18 11:47:04 +08:00
|
|
|
struct sock *sk;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2022-06-18 11:47:05 +08:00
|
|
|
hlist = &raw_v4_hashinfo.ht[hash];
|
|
|
|
rcu_read_lock();
|
2022-06-20 07:29:27 +08:00
|
|
|
sk_nulls_for_each(sk, hnode, hlist) {
|
2022-06-18 11:47:04 +08:00
|
|
|
if (!raw_v4_match(net, sk, iph->protocol,
|
|
|
|
iph->saddr, iph->daddr, dif, sdif))
|
|
|
|
continue;
|
2005-08-10 10:45:02 +08:00
|
|
|
delivered = 1;
|
2014-07-23 16:58:01 +08:00
|
|
|
if ((iph->protocol != IPPROTO_ICMP || !icmp_filter(sk, skb)) &&
|
|
|
|
ip_mc_sf_allow(sk, iph->daddr, iph->saddr,
|
2017-08-07 23:44:19 +08:00
|
|
|
skb->dev->ifindex, sdif)) {
|
2005-04-17 06:20:36 +08:00
|
|
|
struct sk_buff *clone = skb_clone(skb, GFP_ATOMIC);
|
|
|
|
|
|
|
|
/* Not releasing hash table! */
|
|
|
|
if (clone)
|
|
|
|
raw_rcv(sk, clone);
|
|
|
|
}
|
|
|
|
}
|
2022-06-18 11:47:05 +08:00
|
|
|
rcu_read_unlock();
|
2005-08-10 10:45:02 +08:00
|
|
|
return delivered;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2007-11-20 14:35:07 +08:00
|
|
|
int raw_local_deliver(struct sk_buff *skb, int protocol)
|
|
|
|
{
|
2022-06-18 11:47:04 +08:00
|
|
|
int hash = protocol & (RAW_HTABLE_SIZE - 1);
|
2007-11-20 14:35:07 +08:00
|
|
|
|
2022-06-18 11:47:04 +08:00
|
|
|
return raw_v4_input(skb, ip_hdr(skb), hash);
|
2007-11-20 14:35:07 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static void raw_err(struct sock *sk, struct sk_buff *skb, u32 info)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
struct inet_sock *inet = inet_sk(sk);
|
2007-03-14 01:43:18 +08:00
|
|
|
const int type = icmp_hdr(skb)->type;
|
|
|
|
const int code = icmp_hdr(skb)->code;
|
2005-04-17 06:20:36 +08:00
|
|
|
int err = 0;
|
|
|
|
int harderr = 0;
|
|
|
|
|
2012-06-15 13:21:46 +08:00
|
|
|
if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED)
|
|
|
|
ipv4_sk_update_pmtu(skb, sk, info);
|
2013-09-20 18:21:25 +08:00
|
|
|
else if (type == ICMP_REDIRECT) {
|
2012-07-12 12:27:49 +08:00
|
|
|
ipv4_sk_redirect(skb, sk);
|
2013-09-20 18:21:25 +08:00
|
|
|
return;
|
|
|
|
}
|
2012-06-15 13:21:46 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/* Report error on raw socket, if:
|
|
|
|
1. User requested ip_recverr.
|
|
|
|
2. Socket is connected (otherwise the error indication
|
|
|
|
is useless without ip_recverr and error is hard.
|
|
|
|
*/
|
|
|
|
if (!inet->recverr && sk->sk_state != TCP_ESTABLISHED)
|
|
|
|
return;
|
|
|
|
|
|
|
|
switch (type) {
|
|
|
|
default:
|
|
|
|
case ICMP_TIME_EXCEEDED:
|
|
|
|
err = EHOSTUNREACH;
|
|
|
|
break;
|
|
|
|
case ICMP_SOURCE_QUENCH:
|
|
|
|
return;
|
|
|
|
case ICMP_PARAMETERPROB:
|
|
|
|
err = EPROTO;
|
|
|
|
harderr = 1;
|
|
|
|
break;
|
|
|
|
case ICMP_DEST_UNREACH:
|
|
|
|
err = EHOSTUNREACH;
|
|
|
|
if (code > NR_ICMP_UNREACH)
|
|
|
|
break;
|
|
|
|
if (code == ICMP_FRAG_NEEDED) {
|
|
|
|
harderr = inet->pmtudisc != IP_PMTUDISC_DONT;
|
|
|
|
err = EMSGSIZE;
|
2020-08-24 19:15:04 +08:00
|
|
|
} else {
|
|
|
|
err = icmp_err_convert[code].errno;
|
|
|
|
harderr = icmp_err_convert[code].fatal;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (inet->recverr) {
|
2011-04-22 12:53:02 +08:00
|
|
|
const struct iphdr *iph = (const struct iphdr *)skb->data;
|
2005-04-17 06:20:36 +08:00
|
|
|
u8 *payload = skb->data + (iph->ihl << 2);
|
|
|
|
|
|
|
|
if (inet->hdrincl)
|
|
|
|
payload = skb->data;
|
|
|
|
ip_icmp_error(sk, skb, err, 0, info, payload);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (inet->recverr || harderr) {
|
|
|
|
sk->sk_err = err;
|
2021-06-28 06:48:21 +08:00
|
|
|
sk_error_report(sk);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2007-11-20 14:35:07 +08:00
|
|
|
void raw_icmp_error(struct sk_buff *skb, int protocol, u32 info)
|
|
|
|
{
|
2022-06-20 07:29:26 +08:00
|
|
|
struct net *net = dev_net(skb->dev);
|
2022-06-18 11:47:05 +08:00
|
|
|
struct hlist_nulls_head *hlist;
|
|
|
|
struct hlist_nulls_node *hnode;
|
2022-06-18 11:47:04 +08:00
|
|
|
int dif = skb->dev->ifindex;
|
|
|
|
int sdif = inet_sdif(skb);
|
2011-04-22 12:53:02 +08:00
|
|
|
const struct iphdr *iph;
|
2022-06-18 11:47:04 +08:00
|
|
|
struct sock *sk;
|
|
|
|
int hash;
|
2007-11-20 14:35:07 +08:00
|
|
|
|
2007-11-20 14:36:45 +08:00
|
|
|
hash = protocol & (RAW_HTABLE_SIZE - 1);
|
2022-06-18 11:47:05 +08:00
|
|
|
hlist = &raw_v4_hashinfo.ht[hash];
|
2007-11-20 14:35:07 +08:00
|
|
|
|
2022-06-18 11:47:05 +08:00
|
|
|
rcu_read_lock();
|
2022-06-20 07:29:27 +08:00
|
|
|
sk_nulls_for_each(sk, hnode, hlist) {
|
2011-04-22 12:53:02 +08:00
|
|
|
iph = (const struct iphdr *)skb->data;
|
2022-06-18 11:47:04 +08:00
|
|
|
if (!raw_v4_match(net, sk, iph->protocol,
|
|
|
|
iph->saddr, iph->daddr, dif, sdif))
|
|
|
|
continue;
|
|
|
|
raw_err(sk, skb, info);
|
2007-11-20 14:35:07 +08:00
|
|
|
}
|
2022-06-18 11:47:05 +08:00
|
|
|
rcu_read_unlock();
|
2007-11-20 14:35:07 +08:00
|
|
|
}
|
|
|
|
|
2012-04-15 09:34:41 +08:00
|
|
|
static int raw_rcv_skb(struct sock *sk, struct sk_buff *skb)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
/* Charge it to the socket. */
|
2007-02-09 22:24:47 +08:00
|
|
|
|
2013-10-08 00:01:40 +08:00
|
|
|
ipv4_pktinfo_prepare(sk, skb);
|
ipv4: PKTINFO doesnt need dst reference
Le lundi 07 novembre 2011 à 15:33 +0100, Eric Dumazet a écrit :
> At least, in recent kernels we dont change dst->refcnt in forwarding
> patch (usinf NOREF skb->dst)
>
> One particular point is the atomic_inc(dst->refcnt) we have to perform
> when queuing an UDP packet if socket asked PKTINFO stuff (for example a
> typical DNS server has to setup this option)
>
> I have one patch somewhere that stores the information in skb->cb[] and
> avoid the atomic_{inc|dec}(dst->refcnt).
>
OK I found it, I did some extra tests and believe its ready.
[PATCH net-next] ipv4: IP_PKTINFO doesnt need dst reference
When a socket uses IP_PKTINFO notifications, we currently force a dst
reference for each received skb. Reader has to access dst to get needed
information (rt_iif & rt_spec_dst) and must release dst reference.
We also forced a dst reference if skb was put in socket backlog, even
without IP_PKTINFO handling. This happens under stress/load.
We can instead store the needed information in skb->cb[], so that only
softirq handler really access dst, improving cache hit ratios.
This removes two atomic operations per packet, and false sharing as
well.
On a benchmark using a mono threaded receiver (doing only recvmsg()
calls), I can reach 720.000 pps instead of 570.000 pps.
IP_PKTINFO is typically used by DNS servers, and any multihomed aware
UDP application.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-11-09 15:24:35 +08:00
|
|
|
if (sock_queue_rcv_skb(sk, skb) < 0) {
|
2005-04-17 06:20:36 +08:00
|
|
|
kfree_skb(skb);
|
|
|
|
return NET_RX_DROP;
|
|
|
|
}
|
|
|
|
|
|
|
|
return NET_RX_SUCCESS;
|
|
|
|
}
|
|
|
|
|
|
|
|
int raw_rcv(struct sock *sk, struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) {
|
2007-11-14 12:30:01 +08:00
|
|
|
atomic_inc(&sk->sk_drops);
|
2005-04-17 06:20:36 +08:00
|
|
|
kfree_skb(skb);
|
|
|
|
return NET_RX_DROP;
|
|
|
|
}
|
2019-09-30 02:54:03 +08:00
|
|
|
nf_reset_ct(skb);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2007-04-11 11:50:43 +08:00
|
|
|
skb_push(skb, skb->data - skb_network_header(skb));
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
raw_rcv_skb(sk, skb);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-05-09 08:12:19 +08:00
|
|
|
static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4,
|
2014-11-28 08:30:51 +08:00
|
|
|
struct msghdr *msg, size_t length,
|
2016-04-03 11:08:12 +08:00
|
|
|
struct rtable **rtp, unsigned int flags,
|
|
|
|
const struct sockcm_cookie *sockc)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
struct inet_sock *inet = inet_sk(sk);
|
2008-07-15 14:00:43 +08:00
|
|
|
struct net *net = sock_net(sk);
|
2005-04-17 06:20:36 +08:00
|
|
|
struct iphdr *iph;
|
|
|
|
struct sk_buff *skb;
|
2008-01-06 15:14:44 +08:00
|
|
|
unsigned int iphlen;
|
2005-04-17 06:20:36 +08:00
|
|
|
int err;
|
2010-06-04 06:23:57 +08:00
|
|
|
struct rtable *rt = *rtp;
|
2011-11-18 10:20:04 +08:00
|
|
|
int hlen, tlen;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-06-11 14:31:35 +08:00
|
|
|
if (length > rt->dst.dev->mtu) {
|
2011-05-09 08:12:19 +08:00
|
|
|
ip_local_error(sk, EMSGSIZE, fl4->daddr, inet->inet_dport,
|
2010-06-11 14:31:35 +08:00
|
|
|
rt->dst.dev->mtu);
|
2005-04-17 06:20:36 +08:00
|
|
|
return -EMSGSIZE;
|
|
|
|
}
|
ipv4, ipv6: ensure raw socket message is big enough to hold an IP header
raw_send_hdrinc() and rawv6_send_hdrinc() expect that the buffer copied
from the userspace contains the IPv4/IPv6 header, so if too few bytes are
copied, parts of the header may remain uninitialized.
This bug has been detected with KMSAN.
For the record, the KMSAN report:
==================================================================
BUG: KMSAN: use of unitialized memory in nf_ct_frag6_gather+0xf5a/0x44a0
inter: 0
CPU: 0 PID: 1036 Comm: probe Not tainted 4.11.0-rc5+ #2455
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16
dump_stack+0x143/0x1b0 lib/dump_stack.c:52
kmsan_report+0x16b/0x1e0 mm/kmsan/kmsan.c:1078
__kmsan_warning_32+0x5c/0xa0 mm/kmsan/kmsan_instr.c:510
nf_ct_frag6_gather+0xf5a/0x44a0 net/ipv6/netfilter/nf_conntrack_reasm.c:577
ipv6_defrag+0x1d9/0x280 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68
nf_hook_entry_hookfn ./include/linux/netfilter.h:102
nf_hook_slow+0x13f/0x3c0 net/netfilter/core.c:310
nf_hook ./include/linux/netfilter.h:212
NF_HOOK ./include/linux/netfilter.h:255
rawv6_send_hdrinc net/ipv6/raw.c:673
rawv6_sendmsg+0x2fcb/0x41a0 net/ipv6/raw.c:919
inet_sendmsg+0x3f8/0x6d0 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:633
sock_sendmsg net/socket.c:643
SYSC_sendto+0x6a5/0x7c0 net/socket.c:1696
SyS_sendto+0xbc/0xe0 net/socket.c:1664
do_syscall_64+0x72/0xa0 arch/x86/entry/common.c:285
entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.S:246
RIP: 0033:0x436e03
RSP: 002b:00007ffce48baf38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000436e03
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007ffce48baf90 R08: 00007ffce48baf50 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000401790 R14: 0000000000401820 R15: 0000000000000000
origin: 00000000d9400053
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:362
kmsan_internal_poison_shadow+0xb1/0x1a0 mm/kmsan/kmsan.c:257
kmsan_poison_shadow+0x6d/0xc0 mm/kmsan/kmsan.c:270
slab_alloc_node mm/slub.c:2735
__kmalloc_node_track_caller+0x1f4/0x390 mm/slub.c:4341
__kmalloc_reserve net/core/skbuff.c:138
__alloc_skb+0x2cd/0x740 net/core/skbuff.c:231
alloc_skb ./include/linux/skbuff.h:933
alloc_skb_with_frags+0x209/0xbc0 net/core/skbuff.c:4678
sock_alloc_send_pskb+0x9ff/0xe00 net/core/sock.c:1903
sock_alloc_send_skb+0xe4/0x100 net/core/sock.c:1920
rawv6_send_hdrinc net/ipv6/raw.c:638
rawv6_sendmsg+0x2918/0x41a0 net/ipv6/raw.c:919
inet_sendmsg+0x3f8/0x6d0 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:633
sock_sendmsg net/socket.c:643
SYSC_sendto+0x6a5/0x7c0 net/socket.c:1696
SyS_sendto+0xbc/0xe0 net/socket.c:1664
do_syscall_64+0x72/0xa0 arch/x86/entry/common.c:285
return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.S:246
==================================================================
, triggered by the following syscalls:
socket(PF_INET6, SOCK_RAW, IPPROTO_RAW) = 3
sendto(3, NULL, 0, 0, {sa_family=AF_INET6, sin6_port=htons(0), inet_pton(AF_INET6, "ff00::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EPERM
A similar report is triggered in net/ipv4/raw.c if we use a PF_INET socket
instead of a PF_INET6 one.
Signed-off-by: Alexander Potapenko <glider@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-05-03 23:06:58 +08:00
|
|
|
if (length < sizeof(struct iphdr))
|
|
|
|
return -EINVAL;
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
if (flags&MSG_PROBE)
|
|
|
|
goto out;
|
|
|
|
|
2011-11-18 10:20:04 +08:00
|
|
|
hlen = LL_RESERVED_SPACE(rt->dst.dev);
|
|
|
|
tlen = rt->dst.dev->needed_tailroom;
|
2008-05-13 11:48:31 +08:00
|
|
|
skb = sock_alloc_send_skb(sk,
|
2011-11-18 10:20:04 +08:00
|
|
|
length + hlen + tlen + 15,
|
2008-05-13 11:48:31 +08:00
|
|
|
flags & MSG_DONTWAIT, &err);
|
2015-04-03 16:17:26 +08:00
|
|
|
if (!skb)
|
2007-02-09 22:24:47 +08:00
|
|
|
goto error;
|
2011-11-18 10:20:04 +08:00
|
|
|
skb_reserve(skb, hlen);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
skb->priority = sk->sk_priority;
|
2019-09-12 03:50:51 +08:00
|
|
|
skb->mark = sockc->mark;
|
2018-07-04 06:42:49 +08:00
|
|
|
skb->tstamp = sockc->transmit_time;
|
2010-06-11 14:31:35 +08:00
|
|
|
skb_dst_set(skb, &rt->dst);
|
2010-06-04 06:23:57 +08:00
|
|
|
*rtp = NULL;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2007-03-11 05:40:59 +08:00
|
|
|
skb_reset_network_header(skb);
|
2007-04-21 13:47:35 +08:00
|
|
|
iph = ip_hdr(skb);
|
2007-03-11 05:40:59 +08:00
|
|
|
skb_put(skb, length);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
skb->ip_summed = CHECKSUM_NONE;
|
|
|
|
|
2018-12-18 01:24:00 +08:00
|
|
|
skb_setup_tx_timestamp(skb, sockc->tsflags);
|
2014-07-15 05:55:06 +08:00
|
|
|
|
2017-02-07 05:14:16 +08:00
|
|
|
if (flags & MSG_CONFIRM)
|
|
|
|
skb_set_dst_pending_confirm(skb, 1);
|
|
|
|
|
2007-04-11 12:21:55 +08:00
|
|
|
skb->transport_header = skb->network_header;
|
AF_RAW: Augment raw_send_hdrinc to expand skb to fit iphdr->ihl (v2)
Augment raw_send_hdrinc to correct for incorrect ip header length values
A series of oopses was reported to me recently. Apparently when using AF_RAW
sockets to send data to peers that were reachable via ipsec encapsulation,
people could panic or BUG halt their systems.
I've tracked the problem down to user space sending an invalid ip header over an
AF_RAW socket with IP_HDRINCL set to 1.
Basically what happens is that userspace sends down an ip frame that includes
only the header (no data), but sets the ip header ihl value to a large number,
one that is larger than the total amount of data passed to the sendmsg call. In
raw_send_hdrincl, we allocate an skb based on the size of the data in the msghdr
that was passed in, but assume the data is all valid. Later during ipsec
encapsulation, xfrm4_tranport_output moves the entire frame back in the skbuff
to provide headroom for the ipsec headers. During this operation, the
skb->transport_header is repointed to a spot computed by
skb->network_header + the ip header length (ihl). Since so little data was
passed in relative to the value of ihl provided by the raw socket, we point
transport header to an unknown location, resulting in various crashes.
This fix for this is pretty straightforward, simply validate the value of of
iph->ihl when sending over a raw socket. If (iph->ihl*4U) > user data buffer
size, drop the frame and return -EINVAL. I just confirmed this fixes the
reported crashes.
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-10-28 16:59:47 +08:00
|
|
|
err = -EFAULT;
|
2014-11-29 04:48:29 +08:00
|
|
|
if (memcpy_from_msg(iph, msg, length))
|
AF_RAW: Augment raw_send_hdrinc to expand skb to fit iphdr->ihl (v2)
Augment raw_send_hdrinc to correct for incorrect ip header length values
A series of oopses was reported to me recently. Apparently when using AF_RAW
sockets to send data to peers that were reachable via ipsec encapsulation,
people could panic or BUG halt their systems.
I've tracked the problem down to user space sending an invalid ip header over an
AF_RAW socket with IP_HDRINCL set to 1.
Basically what happens is that userspace sends down an ip frame that includes
only the header (no data), but sets the ip header ihl value to a large number,
one that is larger than the total amount of data passed to the sendmsg call. In
raw_send_hdrincl, we allocate an skb based on the size of the data in the msghdr
that was passed in, but assume the data is all valid. Later during ipsec
encapsulation, xfrm4_tranport_output moves the entire frame back in the skbuff
to provide headroom for the ipsec headers. During this operation, the
skb->transport_header is repointed to a spot computed by
skb->network_header + the ip header length (ihl). Since so little data was
passed in relative to the value of ihl provided by the raw socket, we point
transport header to an unknown location, resulting in various crashes.
This fix for this is pretty straightforward, simply validate the value of of
iph->ihl when sending over a raw socket. If (iph->ihl*4U) > user data buffer
size, drop the frame and return -EINVAL. I just confirmed this fixes the
reported crashes.
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-10-28 16:59:47 +08:00
|
|
|
goto error_free;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2008-01-06 15:14:44 +08:00
|
|
|
iphlen = iph->ihl * 4;
|
AF_RAW: Augment raw_send_hdrinc to expand skb to fit iphdr->ihl (v2)
Augment raw_send_hdrinc to correct for incorrect ip header length values
A series of oopses was reported to me recently. Apparently when using AF_RAW
sockets to send data to peers that were reachable via ipsec encapsulation,
people could panic or BUG halt their systems.
I've tracked the problem down to user space sending an invalid ip header over an
AF_RAW socket with IP_HDRINCL set to 1.
Basically what happens is that userspace sends down an ip frame that includes
only the header (no data), but sets the ip header ihl value to a large number,
one that is larger than the total amount of data passed to the sendmsg call. In
raw_send_hdrincl, we allocate an skb based on the size of the data in the msghdr
that was passed in, but assume the data is all valid. Later during ipsec
encapsulation, xfrm4_tranport_output moves the entire frame back in the skbuff
to provide headroom for the ipsec headers. During this operation, the
skb->transport_header is repointed to a spot computed by
skb->network_header + the ip header length (ihl). Since so little data was
passed in relative to the value of ihl provided by the raw socket, we point
transport header to an unknown location, resulting in various crashes.
This fix for this is pretty straightforward, simply validate the value of of
iph->ihl when sending over a raw socket. If (iph->ihl*4U) > user data buffer
size, drop the frame and return -EINVAL. I just confirmed this fixes the
reported crashes.
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-10-28 16:59:47 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* We don't want to modify the ip header, but we do need to
|
|
|
|
* be sure that it won't cause problems later along the network
|
|
|
|
* stack. Specifically we want to make sure that iph->ihl is a
|
|
|
|
* sane value. If ihl points beyond the length of the buffer passed
|
|
|
|
* in, reject the frame as invalid
|
|
|
|
*/
|
|
|
|
err = -EINVAL;
|
|
|
|
if (iphlen > length)
|
|
|
|
goto error_free;
|
|
|
|
|
|
|
|
if (iphlen >= sizeof(*iph)) {
|
2005-04-17 06:20:36 +08:00
|
|
|
if (!iph->saddr)
|
2011-05-09 08:12:19 +08:00
|
|
|
iph->saddr = fl4->saddr;
|
2005-04-17 06:20:36 +08:00
|
|
|
iph->check = 0;
|
|
|
|
iph->tot_len = htons(length);
|
|
|
|
if (!iph->id)
|
2015-03-26 00:07:44 +08:00
|
|
|
ip_select_ident(net, skb, NULL);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
|
2015-11-14 23:13:58 +08:00
|
|
|
skb->transport_header += iphlen;
|
|
|
|
if (iph->protocol == IPPROTO_ICMP &&
|
|
|
|
length >= iphlen + sizeof(struct icmphdr))
|
|
|
|
icmp_out_count(net, ((struct icmphdr *)
|
|
|
|
skb_transport_header(skb))->type);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2015-09-16 09:04:16 +08:00
|
|
|
err = NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT,
|
|
|
|
net, sk, skb, NULL, rt->dst.dev,
|
2015-10-08 05:48:35 +08:00
|
|
|
dst_output);
|
2005-04-17 06:20:36 +08:00
|
|
|
if (err > 0)
|
ip: Report qdisc packet drops
Christoph Lameter pointed out that packet drops at qdisc level where not
accounted in SNMP counters. Only if application sets IP_RECVERR, drops
are reported to user (-ENOBUFS errors) and SNMP counters updated.
IP_RECVERR is used to enable extended reliable error message passing,
but these are not needed to update system wide SNMP stats.
This patch changes things a bit to allow SNMP counters to be updated,
regardless of IP_RECVERR being set or not on the socket.
Example after an UDP tx flood
# netstat -s
...
IP:
1487048 outgoing packets dropped
...
Udp:
...
SndbufErrors: 1487048
send() syscalls, do however still return an OK status, to not
break applications.
Note : send() manual page explicitly says for -ENOBUFS error :
"The output queue for a network interface was full.
This generally indicates that the interface has stopped sending,
but may be caused by transient congestion.
(Normally, this does not occur in Linux. Packets are just silently
dropped when a device queue overflows.) "
This is not true for IP_RECVERR enabled sockets : a send() syscall
that hit a qdisc drop returns an ENOBUFS error.
Many thanks to Christoph, David, and last but not least, Alexey !
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-09-03 09:05:33 +08:00
|
|
|
err = net_xmit_errno(err);
|
2005-04-17 06:20:36 +08:00
|
|
|
if (err)
|
|
|
|
goto error;
|
|
|
|
out:
|
|
|
|
return 0;
|
|
|
|
|
AF_RAW: Augment raw_send_hdrinc to expand skb to fit iphdr->ihl (v2)
Augment raw_send_hdrinc to correct for incorrect ip header length values
A series of oopses was reported to me recently. Apparently when using AF_RAW
sockets to send data to peers that were reachable via ipsec encapsulation,
people could panic or BUG halt their systems.
I've tracked the problem down to user space sending an invalid ip header over an
AF_RAW socket with IP_HDRINCL set to 1.
Basically what happens is that userspace sends down an ip frame that includes
only the header (no data), but sets the ip header ihl value to a large number,
one that is larger than the total amount of data passed to the sendmsg call. In
raw_send_hdrincl, we allocate an skb based on the size of the data in the msghdr
that was passed in, but assume the data is all valid. Later during ipsec
encapsulation, xfrm4_tranport_output moves the entire frame back in the skbuff
to provide headroom for the ipsec headers. During this operation, the
skb->transport_header is repointed to a spot computed by
skb->network_header + the ip header length (ihl). Since so little data was
passed in relative to the value of ihl provided by the raw socket, we point
transport header to an unknown location, resulting in various crashes.
This fix for this is pretty straightforward, simply validate the value of of
iph->ihl when sending over a raw socket. If (iph->ihl*4U) > user data buffer
size, drop the frame and return -EINVAL. I just confirmed this fixes the
reported crashes.
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-10-28 16:59:47 +08:00
|
|
|
error_free:
|
2005-04-17 06:20:36 +08:00
|
|
|
kfree_skb(skb);
|
|
|
|
error:
|
2008-07-17 11:19:49 +08:00
|
|
|
IP_INC_STATS(net, IPSTATS_MIB_OUTDISCARDS);
|
ip: Report qdisc packet drops
Christoph Lameter pointed out that packet drops at qdisc level where not
accounted in SNMP counters. Only if application sets IP_RECVERR, drops
are reported to user (-ENOBUFS errors) and SNMP counters updated.
IP_RECVERR is used to enable extended reliable error message passing,
but these are not needed to update system wide SNMP stats.
This patch changes things a bit to allow SNMP counters to be updated,
regardless of IP_RECVERR being set or not on the socket.
Example after an UDP tx flood
# netstat -s
...
IP:
1487048 outgoing packets dropped
...
Udp:
...
SndbufErrors: 1487048
send() syscalls, do however still return an OK status, to not
break applications.
Note : send() manual page explicitly says for -ENOBUFS error :
"The output queue for a network interface was full.
This generally indicates that the interface has stopped sending,
but may be caused by transient congestion.
(Normally, this does not occur in Linux. Packets are just silently
dropped when a device queue overflows.) "
This is not true for IP_RECVERR enabled sockets : a send() syscall
that hit a qdisc drop returns an ENOBUFS error.
Many thanks to Christoph, David, and last but not least, Alexey !
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-09-03 09:05:33 +08:00
|
|
|
if (err == -ENOBUFS && !inet->recverr)
|
|
|
|
err = 0;
|
2007-02-09 22:24:47 +08:00
|
|
|
return err;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2014-11-07 21:27:09 +08:00
|
|
|
static int raw_probe_proto_opt(struct raw_frag_vec *rfv, struct flowi4 *fl4)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2014-11-07 21:27:08 +08:00
|
|
|
int err;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2014-11-07 21:27:08 +08:00
|
|
|
if (fl4->flowi4_proto != IPPROTO_ICMP)
|
2006-10-31 07:06:12 +08:00
|
|
|
return 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2014-11-07 21:27:08 +08:00
|
|
|
/* We only need the first two bytes. */
|
2014-11-07 21:27:09 +08:00
|
|
|
rfv->hlen = 2;
|
|
|
|
|
2014-11-24 23:52:29 +08:00
|
|
|
err = memcpy_from_msg(rfv->hdr.c, rfv->msg, rfv->hlen);
|
2014-11-07 21:27:08 +08:00
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
|
2014-11-07 21:27:09 +08:00
|
|
|
fl4->fl4_icmp_type = rfv->hdr.icmph.type;
|
|
|
|
fl4->fl4_icmp_code = rfv->hdr.icmph.code;
|
2014-11-07 21:27:08 +08:00
|
|
|
|
2006-10-31 07:06:12 +08:00
|
|
|
return 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2014-11-07 21:27:09 +08:00
|
|
|
static int raw_getfrag(void *from, char *to, int offset, int len, int odd,
|
|
|
|
struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
struct raw_frag_vec *rfv = from;
|
|
|
|
|
|
|
|
if (offset < rfv->hlen) {
|
|
|
|
int copy = min(rfv->hlen - offset, len);
|
|
|
|
|
|
|
|
if (skb->ip_summed == CHECKSUM_PARTIAL)
|
|
|
|
memcpy(to, rfv->hdr.c + offset, copy);
|
|
|
|
else
|
|
|
|
skb->csum = csum_block_add(
|
|
|
|
skb->csum,
|
|
|
|
csum_partial_copy_nocheck(rfv->hdr.c + offset,
|
2020-07-11 12:12:07 +08:00
|
|
|
to, copy),
|
2014-11-07 21:27:09 +08:00
|
|
|
odd);
|
|
|
|
|
|
|
|
odd = 0;
|
|
|
|
offset += copy;
|
|
|
|
to += copy;
|
|
|
|
len -= copy;
|
|
|
|
|
|
|
|
if (!len)
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
offset -= rfv->hlen;
|
|
|
|
|
2014-11-25 02:23:40 +08:00
|
|
|
return ip_generic_getfrag(rfv->msg, to, offset, len, odd, skb);
|
2014-11-07 21:27:09 +08:00
|
|
|
}
|
|
|
|
|
2015-03-02 15:37:48 +08:00
|
|
|
static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
struct inet_sock *inet = inet_sk(sk);
|
2015-10-05 23:51:27 +08:00
|
|
|
struct net *net = sock_net(sk);
|
2005-04-17 06:20:36 +08:00
|
|
|
struct ipcm_cookie ipc;
|
|
|
|
struct rtable *rt = NULL;
|
2011-05-09 08:12:19 +08:00
|
|
|
struct flowi4 fl4;
|
2005-04-17 06:20:36 +08:00
|
|
|
int free = 0;
|
2006-09-28 09:28:07 +08:00
|
|
|
__be32 daddr;
|
2006-09-28 09:28:28 +08:00
|
|
|
__be32 saddr;
|
2005-04-17 06:20:36 +08:00
|
|
|
u8 tos;
|
|
|
|
int err;
|
2011-04-21 17:45:37 +08:00
|
|
|
struct ip_options_data opt_copy;
|
2014-11-07 21:27:09 +08:00
|
|
|
struct raw_frag_vec rfv;
|
2017-12-10 11:50:58 +08:00
|
|
|
int hdrincl;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
err = -EMSGSIZE;
|
2005-06-19 14:00:00 +08:00
|
|
|
if (len > 0xFFFF)
|
2005-04-17 06:20:36 +08:00
|
|
|
goto out;
|
|
|
|
|
2017-12-10 11:50:58 +08:00
|
|
|
/* hdrincl should be READ_ONCE(inet->hdrincl)
|
2018-01-08 22:54:44 +08:00
|
|
|
* but READ_ONCE() doesn't work with bit fields.
|
|
|
|
* Doing this indirectly yields the same result.
|
2017-12-10 11:50:58 +08:00
|
|
|
*/
|
|
|
|
hdrincl = inet->hdrincl;
|
2018-01-08 22:54:44 +08:00
|
|
|
hdrincl = READ_ONCE(hdrincl);
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* Check the flags.
|
|
|
|
*/
|
|
|
|
|
|
|
|
err = -EOPNOTSUPP;
|
|
|
|
if (msg->msg_flags & MSG_OOB) /* Mirror BSD error message */
|
|
|
|
goto out; /* compatibility */
|
2007-02-09 22:24:47 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
2007-02-09 22:24:47 +08:00
|
|
|
* Get and verify the address.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
|
|
|
|
|
|
|
if (msg->msg_namelen) {
|
2014-01-18 05:53:15 +08:00
|
|
|
DECLARE_SOCKADDR(struct sockaddr_in *, usin, msg->msg_name);
|
2005-04-17 06:20:36 +08:00
|
|
|
err = -EINVAL;
|
|
|
|
if (msg->msg_namelen < sizeof(*usin))
|
|
|
|
goto out;
|
|
|
|
if (usin->sin_family != AF_INET) {
|
2012-03-12 02:36:11 +08:00
|
|
|
pr_info_once("%s: %s forgot to set AF_INET. Fix it!\n",
|
|
|
|
__func__, current->comm);
|
2005-04-17 06:20:36 +08:00
|
|
|
err = -EAFNOSUPPORT;
|
|
|
|
if (usin->sin_family)
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
daddr = usin->sin_addr.s_addr;
|
|
|
|
/* ANK: I did not forget to get protocol from port field.
|
|
|
|
* I just do not know, who uses this weirdness.
|
|
|
|
* IP_HDRINCL is much more convenient.
|
|
|
|
*/
|
|
|
|
} else {
|
|
|
|
err = -EDESTADDRREQ;
|
2007-02-09 22:24:47 +08:00
|
|
|
if (sk->sk_state != TCP_ESTABLISHED)
|
2005-04-17 06:20:36 +08:00
|
|
|
goto out;
|
2009-10-15 14:30:45 +08:00
|
|
|
daddr = inet->inet_daddr;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2018-07-06 22:12:54 +08:00
|
|
|
ipcm_init_sk(&ipc, inet);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
if (msg->msg_controllen) {
|
2016-04-03 11:08:10 +08:00
|
|
|
err = ip_cmsg_send(sk, msg, &ipc, false);
|
2016-02-04 22:23:28 +08:00
|
|
|
if (unlikely(err)) {
|
|
|
|
kfree(ipc.opt);
|
2005-04-17 06:20:36 +08:00
|
|
|
goto out;
|
2016-02-04 22:23:28 +08:00
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
if (ipc.opt)
|
|
|
|
free = 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
saddr = ipc.addr;
|
|
|
|
ipc.addr = daddr;
|
|
|
|
|
2011-04-21 17:45:37 +08:00
|
|
|
if (!ipc.opt) {
|
|
|
|
struct ip_options_rcu *inet_opt;
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
inet_opt = rcu_dereference(inet->inet_opt);
|
|
|
|
if (inet_opt) {
|
|
|
|
memcpy(&opt_copy, inet_opt,
|
|
|
|
sizeof(*inet_opt) + inet_opt->opt.optlen);
|
|
|
|
ipc.opt = &opt_copy.opt;
|
|
|
|
}
|
|
|
|
rcu_read_unlock();
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
if (ipc.opt) {
|
|
|
|
err = -EINVAL;
|
|
|
|
/* Linux does not mangle headers on raw sockets,
|
|
|
|
* so that IP options + IP_HDRINCL is non-sense.
|
|
|
|
*/
|
2017-12-10 11:50:58 +08:00
|
|
|
if (hdrincl)
|
2005-04-17 06:20:36 +08:00
|
|
|
goto done;
|
2011-04-21 17:45:37 +08:00
|
|
|
if (ipc.opt->opt.srr) {
|
2005-04-17 06:20:36 +08:00
|
|
|
if (!daddr)
|
|
|
|
goto done;
|
2011-04-21 17:45:37 +08:00
|
|
|
daddr = ipc.opt->opt.faddr;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
}
|
2013-09-24 21:43:09 +08:00
|
|
|
tos = get_rtconn_flags(&ipc, sk);
|
2005-04-17 06:20:36 +08:00
|
|
|
if (msg->msg_flags & MSG_DONTROUTE)
|
|
|
|
tos |= RTO_ONLINK;
|
|
|
|
|
2007-12-17 05:45:43 +08:00
|
|
|
if (ipv4_is_multicast(daddr)) {
|
2018-10-01 16:40:23 +08:00
|
|
|
if (!ipc.oif || netif_index_is_l3_master(sock_net(sk), ipc.oif))
|
2005-04-17 06:20:36 +08:00
|
|
|
ipc.oif = inet->mc_index;
|
|
|
|
if (!saddr)
|
|
|
|
saddr = inet->mc_addr;
|
2018-01-25 11:37:38 +08:00
|
|
|
} else if (!ipc.oif) {
|
2012-02-08 17:11:07 +08:00
|
|
|
ipc.oif = inet->uc_index;
|
2018-01-25 11:37:38 +08:00
|
|
|
} else if (ipv4_is_lbcast(daddr) && inet->uc_index) {
|
2020-08-27 19:27:49 +08:00
|
|
|
/* oif is set, packet is to local broadcast
|
2018-01-25 11:37:38 +08:00
|
|
|
* and uc_index is set. oif is most likely set
|
|
|
|
* by sk_bound_dev_if. If uc_index != oif check if the
|
|
|
|
* oif is an L3 master and uc_index is an L3 slave.
|
|
|
|
* If so, we want to allow the send using the uc_index.
|
|
|
|
*/
|
|
|
|
if (ipc.oif != inet->uc_index &&
|
|
|
|
ipc.oif == l3mdev_master_ifindex_by_index(sock_net(sk),
|
|
|
|
inet->uc_index)) {
|
|
|
|
ipc.oif = inet->uc_index;
|
|
|
|
}
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2019-09-12 03:50:51 +08:00
|
|
|
flowi4_init_output(&fl4, ipc.oif, ipc.sockc.mark, tos,
|
2011-05-09 08:12:19 +08:00
|
|
|
RT_SCOPE_UNIVERSE,
|
2017-12-10 11:50:58 +08:00
|
|
|
hdrincl ? IPPROTO_RAW : sk->sk_protocol,
|
2013-08-28 14:04:14 +08:00
|
|
|
inet_sk_flowi_flags(sk) |
|
2017-12-10 11:50:58 +08:00
|
|
|
(hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
|
2016-11-04 01:23:43 +08:00
|
|
|
daddr, saddr, 0, 0, sk->sk_uid);
|
2011-03-31 19:53:51 +08:00
|
|
|
|
2017-12-10 11:50:58 +08:00
|
|
|
if (!hdrincl) {
|
2014-11-24 23:52:29 +08:00
|
|
|
rfv.msg = msg;
|
2014-11-07 21:27:09 +08:00
|
|
|
rfv.hlen = 0;
|
|
|
|
|
|
|
|
err = raw_probe_proto_opt(&rfv, &fl4);
|
2011-05-09 08:12:19 +08:00
|
|
|
if (err)
|
2011-03-03 06:31:35 +08:00
|
|
|
goto done;
|
2011-05-09 08:12:19 +08:00
|
|
|
}
|
|
|
|
|
2020-09-28 10:38:26 +08:00
|
|
|
security_sk_classify_flow(sk, flowi4_to_flowi_common(&fl4));
|
2015-10-05 23:51:27 +08:00
|
|
|
rt = ip_route_output_flow(net, &fl4, sk);
|
2011-05-09 08:12:19 +08:00
|
|
|
if (IS_ERR(rt)) {
|
|
|
|
err = PTR_ERR(rt);
|
|
|
|
rt = NULL;
|
|
|
|
goto done;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
err = -EACCES;
|
|
|
|
if (rt->rt_flags & RTCF_BROADCAST && !sock_flag(sk, SOCK_BROADCAST))
|
|
|
|
goto done;
|
|
|
|
|
|
|
|
if (msg->msg_flags & MSG_CONFIRM)
|
|
|
|
goto do_confirm;
|
|
|
|
back_from_confirm:
|
|
|
|
|
2017-12-10 11:50:58 +08:00
|
|
|
if (hdrincl)
|
2014-11-28 08:30:51 +08:00
|
|
|
err = raw_send_hdrinc(sk, &fl4, msg, len,
|
2016-04-03 11:08:12 +08:00
|
|
|
&rt, msg->msg_flags, &ipc.sockc);
|
2007-02-09 22:24:47 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
else {
|
|
|
|
if (!ipc.addr)
|
2011-05-09 08:12:19 +08:00
|
|
|
ipc.addr = fl4.daddr;
|
2005-04-17 06:20:36 +08:00
|
|
|
lock_sock(sk);
|
2014-11-07 21:27:09 +08:00
|
|
|
err = ip_append_data(sk, &fl4, raw_getfrag,
|
|
|
|
&rfv, len, 0,
|
2011-05-09 08:12:19 +08:00
|
|
|
&ipc, &rt, msg->msg_flags);
|
2005-04-17 06:20:36 +08:00
|
|
|
if (err)
|
|
|
|
ip_flush_pending_frames(sk);
|
ip: Report qdisc packet drops
Christoph Lameter pointed out that packet drops at qdisc level where not
accounted in SNMP counters. Only if application sets IP_RECVERR, drops
are reported to user (-ENOBUFS errors) and SNMP counters updated.
IP_RECVERR is used to enable extended reliable error message passing,
but these are not needed to update system wide SNMP stats.
This patch changes things a bit to allow SNMP counters to be updated,
regardless of IP_RECVERR being set or not on the socket.
Example after an UDP tx flood
# netstat -s
...
IP:
1487048 outgoing packets dropped
...
Udp:
...
SndbufErrors: 1487048
send() syscalls, do however still return an OK status, to not
break applications.
Note : send() manual page explicitly says for -ENOBUFS error :
"The output queue for a network interface was full.
This generally indicates that the interface has stopped sending,
but may be caused by transient congestion.
(Normally, this does not occur in Linux. Packets are just silently
dropped when a device queue overflows.) "
This is not true for IP_RECVERR enabled sockets : a send() syscall
that hit a qdisc drop returns an ENOBUFS error.
Many thanks to Christoph, David, and last but not least, Alexey !
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-09-03 09:05:33 +08:00
|
|
|
else if (!(msg->msg_flags & MSG_MORE)) {
|
2011-05-09 08:12:19 +08:00
|
|
|
err = ip_push_pending_frames(sk, &fl4);
|
ip: Report qdisc packet drops
Christoph Lameter pointed out that packet drops at qdisc level where not
accounted in SNMP counters. Only if application sets IP_RECVERR, drops
are reported to user (-ENOBUFS errors) and SNMP counters updated.
IP_RECVERR is used to enable extended reliable error message passing,
but these are not needed to update system wide SNMP stats.
This patch changes things a bit to allow SNMP counters to be updated,
regardless of IP_RECVERR being set or not on the socket.
Example after an UDP tx flood
# netstat -s
...
IP:
1487048 outgoing packets dropped
...
Udp:
...
SndbufErrors: 1487048
send() syscalls, do however still return an OK status, to not
break applications.
Note : send() manual page explicitly says for -ENOBUFS error :
"The output queue for a network interface was full.
This generally indicates that the interface has stopped sending,
but may be caused by transient congestion.
(Normally, this does not occur in Linux. Packets are just silently
dropped when a device queue overflows.) "
This is not true for IP_RECVERR enabled sockets : a send() syscall
that hit a qdisc drop returns an ENOBUFS error.
Many thanks to Christoph, David, and last but not least, Alexey !
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-09-03 09:05:33 +08:00
|
|
|
if (err == -ENOBUFS && !inet->recverr)
|
|
|
|
err = 0;
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
release_sock(sk);
|
|
|
|
}
|
|
|
|
done:
|
|
|
|
if (free)
|
|
|
|
kfree(ipc.opt);
|
|
|
|
ip_rt_put(rt);
|
|
|
|
|
2005-06-19 13:59:45 +08:00
|
|
|
out:
|
|
|
|
if (err < 0)
|
|
|
|
return err;
|
|
|
|
return len;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
do_confirm:
|
2017-02-07 05:14:16 +08:00
|
|
|
if (msg->msg_flags & MSG_PROBE)
|
|
|
|
dst_confirm_neigh(&rt->dst, &fl4.daddr);
|
2005-04-17 06:20:36 +08:00
|
|
|
if (!(msg->msg_flags & MSG_PROBE) || len)
|
|
|
|
goto back_from_confirm;
|
|
|
|
err = 0;
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void raw_close(struct sock *sk, long timeout)
|
|
|
|
{
|
2007-02-09 22:24:47 +08:00
|
|
|
/*
|
2011-03-31 09:57:33 +08:00
|
|
|
* Raw sockets may have direct kernel references. Kill them.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
|
|
|
ip_ra_control(sk, 0, NULL);
|
|
|
|
|
|
|
|
sk_common_release(sk);
|
|
|
|
}
|
|
|
|
|
2008-06-15 08:04:49 +08:00
|
|
|
static void raw_destroy(struct sock *sk)
|
raw: Raw socket leak.
The program below just leaks the raw kernel socket
int main() {
int fd = socket(PF_INET, SOCK_RAW, IPPROTO_UDP);
struct sockaddr_in addr;
memset(&addr, 0, sizeof(addr));
inet_aton("127.0.0.1", &addr.sin_addr);
addr.sin_family = AF_INET;
addr.sin_port = htons(2048);
sendto(fd, "a", 1, MSG_MORE, &addr, sizeof(addr));
return 0;
}
Corked packet is allocated via sock_wmalloc which holds the owner socket,
so one should uncork it and flush all pending data on close. Do this in the
same way as in UDP.
Signed-off-by: Denis V. Lunev <den@openvz.org>
Acked-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-06-05 06:16:12 +08:00
|
|
|
{
|
|
|
|
lock_sock(sk);
|
|
|
|
ip_flush_pending_frames(sk);
|
|
|
|
release_sock(sk);
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/* This gets rid of all the nasties in af_inet. -DaveM */
|
|
|
|
static int raw_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
|
|
|
|
{
|
|
|
|
struct inet_sock *inet = inet_sk(sk);
|
|
|
|
struct sockaddr_in *addr = (struct sockaddr_in *) uaddr;
|
2021-11-17 17:00:11 +08:00
|
|
|
struct net *net = sock_net(sk);
|
2016-11-04 00:25:00 +08:00
|
|
|
u32 tb_id = RT_TABLE_LOCAL;
|
2005-04-17 06:20:36 +08:00
|
|
|
int ret = -EINVAL;
|
|
|
|
int chk_addr_ret;
|
|
|
|
|
2022-01-27 08:51:16 +08:00
|
|
|
lock_sock(sk);
|
2005-04-17 06:20:36 +08:00
|
|
|
if (sk->sk_state != TCP_CLOSE || addr_len < sizeof(struct sockaddr_in))
|
|
|
|
goto out;
|
2016-11-04 00:25:00 +08:00
|
|
|
|
|
|
|
if (sk->sk_bound_dev_if)
|
2021-11-17 17:00:11 +08:00
|
|
|
tb_id = l3mdev_fib_table_by_index(net,
|
|
|
|
sk->sk_bound_dev_if) ? : tb_id;
|
2016-11-04 00:25:00 +08:00
|
|
|
|
2021-11-17 17:00:11 +08:00
|
|
|
chk_addr_ret = inet_addr_type_table(net, addr->sin_addr.s_addr, tb_id);
|
2016-11-04 00:25:00 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
ret = -EADDRNOTAVAIL;
|
2021-11-17 17:00:11 +08:00
|
|
|
if (!inet_addr_valid_or_nonlocal(net, inet, addr->sin_addr.s_addr,
|
|
|
|
chk_addr_ret))
|
2005-04-17 06:20:36 +08:00
|
|
|
goto out;
|
2021-11-17 17:00:11 +08:00
|
|
|
|
2009-10-15 14:30:45 +08:00
|
|
|
inet->inet_rcv_saddr = inet->inet_saddr = addr->sin_addr.s_addr;
|
2005-04-17 06:20:36 +08:00
|
|
|
if (chk_addr_ret == RTN_MULTICAST || chk_addr_ret == RTN_BROADCAST)
|
2009-10-15 14:30:45 +08:00
|
|
|
inet->inet_saddr = 0; /* Use device */
|
2005-04-17 06:20:36 +08:00
|
|
|
sk_dst_reset(sk);
|
|
|
|
ret = 0;
|
2022-01-27 08:51:16 +08:00
|
|
|
out:
|
|
|
|
release_sock(sk);
|
|
|
|
return ret;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This should be easy, if there is something there
|
|
|
|
* we return it, otherwise we block.
|
|
|
|
*/
|
|
|
|
|
2015-03-02 15:37:48 +08:00
|
|
|
static int raw_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
|
net: remove noblock parameter from recvmsg() entities
The internal recvmsg() functions have two parameters 'flags' and 'noblock'
that were merged inside skb_recv_datagram(). As a follow up patch to commit
f4b41f062c42 ("net: remove noblock parameter from skb_recv_datagram()")
this patch removes the separate 'noblock' parameter for recvmsg().
Analogue to the referenced patch for skb_recv_datagram() the 'flags' and
'noblock' parameters are unnecessarily split up with e.g.
err = sk->sk_prot->recvmsg(sk, msg, size, flags & MSG_DONTWAIT,
flags & ~MSG_DONTWAIT, &addr_len);
or in
err = INDIRECT_CALL_2(sk->sk_prot->recvmsg, tcp_recvmsg, udp_recvmsg,
sk, msg, size, flags & MSG_DONTWAIT,
flags & ~MSG_DONTWAIT, &addr_len);
instead of simply using only flags all the time and check for MSG_DONTWAIT
where needed (to preserve for the formerly separated no(n)block condition).
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Link: https://lore.kernel.org/r/20220411124955.154876-1-socketcan@hartkopp.net
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2022-04-11 20:49:55 +08:00
|
|
|
int flags, int *addr_len)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
struct inet_sock *inet = inet_sk(sk);
|
|
|
|
size_t copied = 0;
|
|
|
|
int err = -EOPNOTSUPP;
|
2014-01-18 05:53:15 +08:00
|
|
|
DECLARE_SOCKADDR(struct sockaddr_in *, sin, msg->msg_name);
|
2005-04-17 06:20:36 +08:00
|
|
|
struct sk_buff *skb;
|
|
|
|
|
|
|
|
if (flags & MSG_OOB)
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
if (flags & MSG_ERRQUEUE) {
|
2013-11-23 07:46:12 +08:00
|
|
|
err = ip_recv_error(sk, msg, len, addr_len);
|
2005-04-17 06:20:36 +08:00
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
2022-04-05 00:30:22 +08:00
|
|
|
skb = skb_recv_datagram(sk, flags, &err);
|
2005-04-17 06:20:36 +08:00
|
|
|
if (!skb)
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
copied = skb->len;
|
|
|
|
if (len < copied) {
|
|
|
|
msg->msg_flags |= MSG_TRUNC;
|
|
|
|
copied = len;
|
|
|
|
}
|
|
|
|
|
2014-11-06 05:46:40 +08:00
|
|
|
err = skb_copy_datagram_msg(skb, 0, msg, copied);
|
2005-04-17 06:20:36 +08:00
|
|
|
if (err)
|
|
|
|
goto done;
|
|
|
|
|
2022-04-28 04:02:37 +08:00
|
|
|
sock_recv_cmsgs(msg, sk, skb);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/* Copy the address. */
|
|
|
|
if (sin) {
|
|
|
|
sin->sin_family = AF_INET;
|
2007-04-21 13:47:35 +08:00
|
|
|
sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
|
2006-07-26 08:05:35 +08:00
|
|
|
sin->sin_port = 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
memset(&sin->sin_zero, 0, sizeof(sin->sin_zero));
|
2013-11-18 11:20:45 +08:00
|
|
|
*addr_len = sizeof(*sin);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
if (inet->cmsg_flags)
|
|
|
|
ip_cmsg_recv(msg, skb);
|
|
|
|
if (flags & MSG_TRUNC)
|
|
|
|
copied = skb->len;
|
|
|
|
done:
|
|
|
|
skb_free_datagram(sk, skb);
|
2005-06-19 13:59:45 +08:00
|
|
|
out:
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
return copied;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2018-11-07 23:36:05 +08:00
|
|
|
static int raw_sk_init(struct sock *sk)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
struct raw_sock *rp = raw_sk(sk);
|
|
|
|
|
2009-10-15 14:30:45 +08:00
|
|
|
if (inet_sk(sk)->inet_num == IPPROTO_ICMP)
|
2005-04-17 06:20:36 +08:00
|
|
|
memset(&rp->filter, 0, sizeof(rp->filter));
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2020-07-23 14:09:07 +08:00
|
|
|
static int raw_seticmpfilter(struct sock *sk, sockptr_t optval, int optlen)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
if (optlen > sizeof(struct icmp_filter))
|
|
|
|
optlen = sizeof(struct icmp_filter);
|
2020-07-23 14:09:07 +08:00
|
|
|
if (copy_from_sockptr(&raw_sk(sk)->filter, optval, optlen))
|
2005-04-17 06:20:36 +08:00
|
|
|
return -EFAULT;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *optlen)
|
|
|
|
{
|
|
|
|
int len, ret = -EFAULT;
|
|
|
|
|
|
|
|
if (get_user(len, optlen))
|
|
|
|
goto out;
|
|
|
|
ret = -EINVAL;
|
|
|
|
if (len < 0)
|
|
|
|
goto out;
|
|
|
|
if (len > sizeof(struct icmp_filter))
|
|
|
|
len = sizeof(struct icmp_filter);
|
|
|
|
ret = -EFAULT;
|
|
|
|
if (put_user(len, optlen) ||
|
|
|
|
copy_to_user(optval, &raw_sk(sk)->filter, len))
|
|
|
|
goto out;
|
|
|
|
ret = 0;
|
|
|
|
out: return ret;
|
|
|
|
}
|
|
|
|
|
2006-03-21 14:45:21 +08:00
|
|
|
static int do_raw_setsockopt(struct sock *sk, int level, int optname,
|
2020-07-23 14:09:07 +08:00
|
|
|
sockptr_t optval, unsigned int optlen)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
if (optname == ICMP_FILTER) {
|
2009-10-15 14:30:45 +08:00
|
|
|
if (inet_sk(sk)->inet_num != IPPROTO_ICMP)
|
2005-04-17 06:20:36 +08:00
|
|
|
return -EOPNOTSUPP;
|
|
|
|
else
|
|
|
|
return raw_seticmpfilter(sk, optval, optlen);
|
|
|
|
}
|
|
|
|
return -ENOPROTOOPT;
|
|
|
|
}
|
|
|
|
|
2006-03-21 14:45:21 +08:00
|
|
|
static int raw_setsockopt(struct sock *sk, int level, int optname,
|
2020-07-23 14:09:07 +08:00
|
|
|
sockptr_t optval, unsigned int optlen)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
if (level != SOL_RAW)
|
2006-03-21 14:45:21 +08:00
|
|
|
return ip_setsockopt(sk, level, optname, optval, optlen);
|
|
|
|
return do_raw_setsockopt(sk, level, optname, optval, optlen);
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2006-03-21 14:45:21 +08:00
|
|
|
static int do_raw_getsockopt(struct sock *sk, int level, int optname,
|
|
|
|
char __user *optval, int __user *optlen)
|
|
|
|
{
|
2005-04-17 06:20:36 +08:00
|
|
|
if (optname == ICMP_FILTER) {
|
2009-10-15 14:30:45 +08:00
|
|
|
if (inet_sk(sk)->inet_num != IPPROTO_ICMP)
|
2005-04-17 06:20:36 +08:00
|
|
|
return -EOPNOTSUPP;
|
|
|
|
else
|
|
|
|
return raw_geticmpfilter(sk, optval, optlen);
|
|
|
|
}
|
|
|
|
return -ENOPROTOOPT;
|
|
|
|
}
|
|
|
|
|
2006-03-21 14:45:21 +08:00
|
|
|
static int raw_getsockopt(struct sock *sk, int level, int optname,
|
|
|
|
char __user *optval, int __user *optlen)
|
|
|
|
{
|
|
|
|
if (level != SOL_RAW)
|
|
|
|
return ip_getsockopt(sk, level, optname, optval, optlen);
|
|
|
|
return do_raw_getsockopt(sk, level, optname, optval, optlen);
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
static int raw_ioctl(struct sock *sk, int cmd, unsigned long arg)
|
|
|
|
{
|
|
|
|
switch (cmd) {
|
2011-07-01 17:43:07 +08:00
|
|
|
case SIOCOUTQ: {
|
|
|
|
int amount = sk_wmem_alloc_get(sk);
|
2009-06-18 10:05:41 +08:00
|
|
|
|
2011-07-01 17:43:07 +08:00
|
|
|
return put_user(amount, (int __user *)arg);
|
|
|
|
}
|
|
|
|
case SIOCINQ: {
|
|
|
|
struct sk_buff *skb;
|
|
|
|
int amount = 0;
|
|
|
|
|
|
|
|
spin_lock_bh(&sk->sk_receive_queue.lock);
|
|
|
|
skb = skb_peek(&sk->sk_receive_queue);
|
2015-04-03 16:17:27 +08:00
|
|
|
if (skb)
|
2011-07-01 17:43:07 +08:00
|
|
|
amount = skb->len;
|
|
|
|
spin_unlock_bh(&sk->sk_receive_queue.lock);
|
|
|
|
return put_user(amount, (int __user *)arg);
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-07-01 17:43:07 +08:00
|
|
|
default:
|
2005-04-17 06:20:36 +08:00
|
|
|
#ifdef CONFIG_IP_MROUTE
|
2011-07-01 17:43:07 +08:00
|
|
|
return ipmr_ioctl(sk, cmd, (void __user *)arg);
|
2005-04-17 06:20:36 +08:00
|
|
|
#else
|
2011-07-01 17:43:07 +08:00
|
|
|
return -ENOIOCTLCMD;
|
2005-04-17 06:20:36 +08:00
|
|
|
#endif
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-01-30 00:15:56 +08:00
|
|
|
#ifdef CONFIG_COMPAT
|
|
|
|
static int compat_raw_ioctl(struct sock *sk, unsigned int cmd, unsigned long arg)
|
|
|
|
{
|
|
|
|
switch (cmd) {
|
|
|
|
case SIOCOUTQ:
|
|
|
|
case SIOCINQ:
|
|
|
|
return -ENOIOCTLCMD;
|
|
|
|
default:
|
|
|
|
#ifdef CONFIG_IP_MROUTE
|
|
|
|
return ipmr_compat_ioctl(sk, cmd, compat_ptr(arg));
|
|
|
|
#else
|
|
|
|
return -ENOIOCTLCMD;
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2016-10-21 18:03:44 +08:00
|
|
|
int raw_abort(struct sock *sk, int err)
|
|
|
|
{
|
|
|
|
lock_sock(sk);
|
|
|
|
|
|
|
|
sk->sk_err = err;
|
2021-06-28 06:48:21 +08:00
|
|
|
sk_error_report(sk);
|
2016-11-02 04:05:00 +08:00
|
|
|
__udp_disconnect(sk, 0);
|
2016-10-21 18:03:44 +08:00
|
|
|
|
|
|
|
release_sock(sk);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(raw_abort);
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
struct proto raw_prot = {
|
2006-03-21 14:48:35 +08:00
|
|
|
.name = "RAW",
|
|
|
|
.owner = THIS_MODULE,
|
|
|
|
.close = raw_close,
|
raw: Raw socket leak.
The program below just leaks the raw kernel socket
int main() {
int fd = socket(PF_INET, SOCK_RAW, IPPROTO_UDP);
struct sockaddr_in addr;
memset(&addr, 0, sizeof(addr));
inet_aton("127.0.0.1", &addr.sin_addr);
addr.sin_family = AF_INET;
addr.sin_port = htons(2048);
sendto(fd, "a", 1, MSG_MORE, &addr, sizeof(addr));
return 0;
}
Corked packet is allocated via sock_wmalloc which holds the owner socket,
so one should uncork it and flush all pending data on close. Do this in the
same way as in UDP.
Signed-off-by: Denis V. Lunev <den@openvz.org>
Acked-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-06-05 06:16:12 +08:00
|
|
|
.destroy = raw_destroy,
|
2006-03-21 14:48:35 +08:00
|
|
|
.connect = ip4_datagram_connect,
|
2016-10-21 00:39:40 +08:00
|
|
|
.disconnect = __udp_disconnect,
|
2006-03-21 14:48:35 +08:00
|
|
|
.ioctl = raw_ioctl,
|
2018-11-07 23:36:05 +08:00
|
|
|
.init = raw_sk_init,
|
2006-03-21 14:48:35 +08:00
|
|
|
.setsockopt = raw_setsockopt,
|
|
|
|
.getsockopt = raw_getsockopt,
|
|
|
|
.sendmsg = raw_sendmsg,
|
|
|
|
.recvmsg = raw_recvmsg,
|
|
|
|
.bind = raw_bind,
|
|
|
|
.backlog_rcv = raw_rcv_skb,
|
2013-01-21 10:00:03 +08:00
|
|
|
.release_cb = ip4_datagram_release_cb,
|
2008-03-23 07:56:51 +08:00
|
|
|
.hash = raw_hash_sk,
|
|
|
|
.unhash = raw_unhash_sk,
|
2006-03-21 14:48:35 +08:00
|
|
|
.obj_size = sizeof(struct raw_sock),
|
ip: Define usercopy region in IP proto slab cache
The ICMP filters for IPv4 and IPv6 raw sockets need to be copied to/from
userspace. In support of usercopy hardening, this patch defines a region
in the struct proto slab cache in which userspace copy operations are
allowed.
example usage trace:
net/ipv4/raw.c:
raw_seticmpfilter(...):
...
copy_from_user(&raw_sk(sk)->filter, ..., optlen)
raw_geticmpfilter(...):
...
copy_to_user(..., &raw_sk(sk)->filter, len)
net/ipv6/raw.c:
rawv6_seticmpfilter(...):
...
copy_from_user(&raw6_sk(sk)->filter, ..., optlen)
rawv6_geticmpfilter(...):
...
copy_to_user(..., &raw6_sk(sk)->filter, len)
This region is known as the slab cache's usercopy region. Slab caches
can now check that each dynamically sized copy operation involving
cache-managed memory falls entirely within the slab's usercopy region.
This patch is modified from Brad Spengler/PaX Team's PAX_USERCOPY
whitelisting code in the last public patch of grsecurity/PaX based on my
understanding of the code. Changes or omissions from the original code are
mine and don't reflect the original grsecurity/PaX code.
Signed-off-by: David Windsor <dave@nullcore.net>
[kees: split from network patch, provide usage trace]
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2017-08-25 07:49:14 +08:00
|
|
|
.useroffset = offsetof(struct raw_sock, filter),
|
|
|
|
.usersize = sizeof_field(struct raw_sock, filter),
|
2008-03-23 07:56:51 +08:00
|
|
|
.h.raw_hash = &raw_v4_hashinfo,
|
2006-03-21 14:45:21 +08:00
|
|
|
#ifdef CONFIG_COMPAT
|
2011-01-30 00:15:56 +08:00
|
|
|
.compat_ioctl = compat_raw_ioctl,
|
2006-03-21 14:45:21 +08:00
|
|
|
#endif
|
2016-10-21 18:03:44 +08:00
|
|
|
.diag_destroy = raw_abort,
|
2005-04-17 06:20:36 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
#ifdef CONFIG_PROC_FS
|
2022-06-18 11:47:05 +08:00
|
|
|
static struct sock *raw_get_first(struct seq_file *seq, int bucket)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2022-01-22 14:14:23 +08:00
|
|
|
struct raw_hashinfo *h = pde_data(file_inode(seq->file));
|
2008-11-03 16:24:34 +08:00
|
|
|
struct raw_iter_state *state = raw_seq_private(seq);
|
2022-06-18 11:47:05 +08:00
|
|
|
struct hlist_nulls_head *hlist;
|
|
|
|
struct hlist_nulls_node *hnode;
|
|
|
|
struct sock *sk;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2022-06-18 11:47:05 +08:00
|
|
|
for (state->bucket = bucket; state->bucket < RAW_HTABLE_SIZE;
|
2007-11-20 14:36:45 +08:00
|
|
|
++state->bucket) {
|
2022-06-18 11:47:05 +08:00
|
|
|
hlist = &h->ht[state->bucket];
|
2022-06-20 07:29:27 +08:00
|
|
|
sk_nulls_for_each(sk, hnode, hlist) {
|
2008-03-26 01:36:06 +08:00
|
|
|
if (sock_net(sk) == seq_file_net(seq))
|
2022-06-18 11:47:05 +08:00
|
|
|
return sk;
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2022-06-18 11:47:05 +08:00
|
|
|
return NULL;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static struct sock *raw_get_next(struct seq_file *seq, struct sock *sk)
|
|
|
|
{
|
2008-11-03 16:24:34 +08:00
|
|
|
struct raw_iter_state *state = raw_seq_private(seq);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
do {
|
2022-06-18 11:47:05 +08:00
|
|
|
sk = sk_nulls_next(sk);
|
2008-03-26 01:36:06 +08:00
|
|
|
} while (sk && sock_net(sk) != seq_file_net(seq));
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2022-06-18 11:47:05 +08:00
|
|
|
if (!sk)
|
|
|
|
return raw_get_first(seq, state->bucket + 1);
|
2005-04-17 06:20:36 +08:00
|
|
|
return sk;
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct sock *raw_get_idx(struct seq_file *seq, loff_t pos)
|
|
|
|
{
|
2022-06-18 11:47:05 +08:00
|
|
|
struct sock *sk = raw_get_first(seq, 0);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
if (sk)
|
|
|
|
while (pos && (sk = raw_get_next(seq, sk)) != NULL)
|
|
|
|
--pos;
|
|
|
|
return pos ? NULL : sk;
|
|
|
|
}
|
|
|
|
|
2007-11-20 14:38:33 +08:00
|
|
|
void *raw_seq_start(struct seq_file *seq, loff_t *pos)
|
2022-06-18 11:47:05 +08:00
|
|
|
__acquires(RCU)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2022-06-18 11:47:05 +08:00
|
|
|
rcu_read_lock();
|
2005-04-17 06:20:36 +08:00
|
|
|
return *pos ? raw_get_idx(seq, *pos - 1) : SEQ_START_TOKEN;
|
|
|
|
}
|
2007-11-20 14:38:33 +08:00
|
|
|
EXPORT_SYMBOL_GPL(raw_seq_start);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2007-11-20 14:38:33 +08:00
|
|
|
void *raw_seq_next(struct seq_file *seq, void *v, loff_t *pos)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
struct sock *sk;
|
|
|
|
|
|
|
|
if (v == SEQ_START_TOKEN)
|
2022-06-18 11:47:05 +08:00
|
|
|
sk = raw_get_first(seq, 0);
|
2005-04-17 06:20:36 +08:00
|
|
|
else
|
|
|
|
sk = raw_get_next(seq, v);
|
|
|
|
++*pos;
|
|
|
|
return sk;
|
|
|
|
}
|
2007-11-20 14:38:33 +08:00
|
|
|
EXPORT_SYMBOL_GPL(raw_seq_next);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2007-11-20 14:38:33 +08:00
|
|
|
void raw_seq_stop(struct seq_file *seq, void *v)
|
2022-06-18 11:47:05 +08:00
|
|
|
__releases(RCU)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2022-06-18 11:47:05 +08:00
|
|
|
rcu_read_unlock();
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2007-11-20 14:38:33 +08:00
|
|
|
EXPORT_SYMBOL_GPL(raw_seq_stop);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2008-01-31 19:46:43 +08:00
|
|
|
static void raw_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
struct inet_sock *inet = inet_sk(sp);
|
2009-10-15 14:30:45 +08:00
|
|
|
__be32 dest = inet->inet_daddr,
|
|
|
|
src = inet->inet_rcv_saddr;
|
2005-04-17 06:20:36 +08:00
|
|
|
__u16 destp = 0,
|
2009-10-15 14:30:45 +08:00
|
|
|
srcp = inet->inet_num;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2008-01-31 19:46:43 +08:00
|
|
|
seq_printf(seq, "%4d: %08X:%04X %08X:%04X"
|
2019-05-17 23:11:28 +08:00
|
|
|
" %02X %08X:%08X %02X:%08lX %08X %5u %8d %lu %d %pK %u\n",
|
2007-02-09 22:24:47 +08:00
|
|
|
i, src, srcp, dest, destp, sp->sk_state,
|
2009-06-18 10:05:41 +08:00
|
|
|
sk_wmem_alloc_get(sp),
|
|
|
|
sk_rmem_alloc_get(sp),
|
2012-05-24 15:10:10 +08:00
|
|
|
0, 0L, 0,
|
|
|
|
from_kuid_munged(seq_user_ns(seq), sock_i_uid(sp)),
|
|
|
|
0, sock_i_ino(sp),
|
2017-06-30 18:08:01 +08:00
|
|
|
refcount_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static int raw_seq_show(struct seq_file *seq, void *v)
|
|
|
|
{
|
|
|
|
if (v == SEQ_START_TOKEN)
|
2008-01-31 19:46:43 +08:00
|
|
|
seq_printf(seq, " sl local_address rem_address st tx_queue "
|
|
|
|
"rx_queue tr tm->when retrnsmt uid timeout "
|
2008-06-18 12:04:56 +08:00
|
|
|
"inode ref pointer drops\n");
|
2008-01-31 19:46:43 +08:00
|
|
|
else
|
|
|
|
raw_sock_seq_show(seq, v, raw_seq_private(seq)->bucket);
|
2005-04-17 06:20:36 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2007-03-13 05:34:29 +08:00
|
|
|
static const struct seq_operations raw_seq_ops = {
|
2005-04-17 06:20:36 +08:00
|
|
|
.start = raw_seq_start,
|
|
|
|
.next = raw_seq_next,
|
|
|
|
.stop = raw_seq_stop,
|
|
|
|
.show = raw_seq_show,
|
|
|
|
};
|
|
|
|
|
2008-01-14 21:36:50 +08:00
|
|
|
static __net_init int raw_init_net(struct net *net)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2018-04-11 01:42:55 +08:00
|
|
|
if (!proc_create_net_data("raw", 0444, net->proc_net, &raw_seq_ops,
|
|
|
|
sizeof(struct raw_iter_state), &raw_v4_hashinfo))
|
2005-04-17 06:20:36 +08:00
|
|
|
return -ENOMEM;
|
2008-01-14 21:36:50 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2008-01-14 21:36:50 +08:00
|
|
|
static __net_exit void raw_exit_net(struct net *net)
|
|
|
|
{
|
2013-02-18 09:34:56 +08:00
|
|
|
remove_proc_entry("raw", net->proc_net);
|
2008-01-14 21:36:50 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static __net_initdata struct pernet_operations raw_net_ops = {
|
|
|
|
.init = raw_init_net,
|
|
|
|
.exit = raw_exit_net,
|
|
|
|
};
|
|
|
|
|
|
|
|
int __init raw_proc_init(void)
|
|
|
|
{
|
2022-06-18 11:47:05 +08:00
|
|
|
|
2008-01-14 21:36:50 +08:00
|
|
|
return register_pernet_subsys(&raw_net_ops);
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
void __init raw_proc_exit(void)
|
|
|
|
{
|
2008-01-14 21:36:50 +08:00
|
|
|
unregister_pernet_subsys(&raw_net_ops);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2018-11-28 12:52:24 +08:00
|
|
|
#endif /* CONFIG_PROC_FS */
|
2018-11-07 23:36:05 +08:00
|
|
|
|
|
|
|
static void raw_sysctl_init_net(struct net *net)
|
|
|
|
{
|
|
|
|
#ifdef CONFIG_NET_L3_MASTER_DEV
|
|
|
|
net->ipv4.sysctl_raw_l3mdev_accept = 1;
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
|
|
|
static int __net_init raw_sysctl_init(struct net *net)
|
|
|
|
{
|
|
|
|
raw_sysctl_init_net(net);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct pernet_operations __net_initdata raw_sysctl_ops = {
|
|
|
|
.init = raw_sysctl_init,
|
|
|
|
};
|
|
|
|
|
|
|
|
void __init raw_init(void)
|
|
|
|
{
|
|
|
|
raw_sysctl_init_net(&init_net);
|
|
|
|
if (register_pernet_subsys(&raw_sysctl_ops))
|
|
|
|
panic("RAW: failed to init sysctl parameters.\n");
|
|
|
|
}
|