The argument len passed to function process_ra is the length of the IPv6 router advertisement message and needs to be between 0 and MTU because it is assigned to remaining_option_len and used as a loop variable. Addresses-Coverity-ID: 450971 ("TAINTED_SCALAR") Signed-off-by: Ehsan Mohandesi <emohandesi@linux.microsoft.com> Reviewed-by: Viacheslav Mitrofanov <v.v.mitrofanov@yadro.com> Reviewed-by: Ramon Fried <rfried.dev@gmail.com>
// SPDX-License-Identifier: GPL-2.0+
/*
 * Copyright (C) 2013 Allied Telesis Labs NZ
 * Chris Packham, <judge.packham@gmail.com>
 *
 * Copyright (C) 2022 YADRO
 * Viacheslav Mitrofanov <v.v.mitrofanov@yadro.com>
 */

/* Neighbour Discovery for IPv6 */

#include <common.h>
#include <net.h>
#include <net6.h>
#include <ndisc.h>
#include <stdlib.h>
#include <linux/delay.h>
/* IPv6 destination address of packet waiting for ND */
struct in6_addr net_nd_sol_packet_ip6 = ZERO_IPV6_ADDR;
/* IPv6 address we are expecting ND advert from */
static struct in6_addr net_nd_rep_packet_ip6 = ZERO_IPV6_ADDR;
/* MAC destination address of packet waiting for ND */
uchar *net_nd_packet_mac;
/* pointer to packet waiting to be transmitted after ND is resolved */
uchar *net_nd_tx_packet;
/*
 * Backing storage for the deferred packet; ndisc_init() points
 * net_nd_tx_packet at a PKTALIGN-aligned offset inside this buffer.
 */
static uchar net_nd_packet_buf[PKTSIZE_ALIGN + PKTALIGN];
/* size of packet waiting to be transmitted */
int net_nd_tx_packet_size;
/* the timer for ND resolution */
ulong net_nd_timer_start;
/* the number of requests we have sent so far */
int net_nd_try;
/* destination address used by ip6_send_rs() for router solicitations */
struct in6_addr all_routers = ALL_ROUTERS_MULT_ADDR;

/* ip6_send_rs() reports NETLOOP_FAIL once this many solicitations were sent */
#define MAX_RTR_SOLICITATIONS 3
/* The maximum time to delay sending the first router solicitation message. */
#define MAX_SOLICITATION_DELAY 1 // 1 second
/* The time to wait before sending the next router solicitation message. */
#define RTR_SOLICITATION_INTERVAL 4000 // 4 seconds

/*
 * Size in bytes of an ND option carrying len bytes of data: 2 bytes of
 * type and length plus the data, rounded up to a multiple of 8.
 */
#define IP6_NDISC_OPT_SPACE(len) (((len) + 2 + 7) & ~7)
/**
 * ndisc_insert_option() - Insert an option into a neighbor discovery packet
 *
 * The option is written as one type byte, one length byte (in units of
 * 8 bytes), the data, and zero padding up to the next multiple of 8.
 * No bounds are checked here: the caller must guarantee that @opt has room
 * for IP6_NDISC_OPT_SPACE(@len) bytes and that @data holds @len bytes.
 *
 * @opt:	pointer to the option element of the neighbor discovery packet
 * @type:	option type to insert
 * @data:	option data to insert
 * @len:	data length
 * Return: the number of bytes inserted (which may be >= len)
 */
static int ndisc_insert_option(__u8 *opt, int type, u8 *data, int len)
{
	const int total = IP6_NDISC_OPT_SPACE(len);
	const int used = len + 2;	/* type byte + length byte + data */
	const int pad = total - used;

	opt[0] = type;
	opt[1] = total >> 3;		/* length field counts 8-byte units */
	memcpy(&opt[2], data, len);

	/* zero whatever the data did not fill */
	if (pad > 0)
		memset(&opt[used], '\0', pad);

	return total;
}
/**
 * ndisc_extract_enetaddr() - Extract the Ethernet address from a ND packet
 *
 * Note that the link layer address could be anything but the only networking
 * media that u-boot supports is Ethernet so we assume we're extracting a 6
 * byte Ethernet MAC address.
 *
 * The six bytes are copied from offset 2 of the first option unconditionally.
 * Neither the option's length byte nor the amount of data actually received
 * is examined here, so the caller has to establish that the option exists
 * (ndisc_receive() calls ndisc_has_option() first).
 *
 * @ndisc:	pointer to ND packet
 * @enetaddr:	extracted MAC addr
 */
static void ndisc_extract_enetaddr(struct nd_msg *ndisc, uchar enetaddr[6])
{
	/* bytes 0 and 1 of the option are its type and length */
	const void *lladdr = &ndisc->opt[2];

	memcpy(enetaddr, lladdr, 6);
}
/**
 * ndisc_has_option() - Check if the ND packet has the specified option set
 *
 * Only the first option of the message is inspected; an option of the
 * requested type that follows another option is not found.
 *
 * NOTE(review): payload_len is compared as stored, without a byte-order
 * conversion. If struct ip6_hdr keeps it in network byte order the bound
 * does not mean what it appears to; confirm against the header definition.
 * NOTE(review): the bound only covers the ICMPv6 header, while the senders
 * in this file place the target address between that header and opt[], so a
 * short message may pass the check without carrying any option bytes.
 *
 * @ip6:	pointer to IPv6 header
 * @type:	option type to check
 * Return: 1 if ND has that option, 0 otherwise
 */
static int ndisc_has_option(struct ip6_hdr *ip6, __u8 type)
{
	uchar *icmp_start = (uchar *)ip6 + IP6_HDR_SIZE;
	struct nd_msg *ndisc = (struct nd_msg *)icmp_start;

	if (ip6->payload_len > sizeof(struct icmp6hdr))
		return ndisc->opt[0] == type;

	return 0;
}
/**
 * ip6_send_ns() - Send a neighbor solicitation for an IPv6 address
 *
 * Builds the frame in net_tx_packet: Ethernet header, IPv6 header, ICMPv6
 * neighbour solicitation with @neigh_addr as target and our own MAC in a
 * source link-layer address option, then transmits it.
 *
 * @neigh_addr:	address whose link-layer address is being resolved
 */
static void ip6_send_ns(struct in6_addr *neigh_addr)
{
	/* ICMPv6 header + target address + one padded link-layer option */
	const __u16 icmp_len = sizeof(struct icmp6hdr) + IN6ADDRSZ +
			       IP6_NDISC_OPT_SPACE(INETHADDRSZ);
	struct in6_addr mcast_dst;
	unsigned char eth_dst[6];
	struct nd_msg *ns;
	uchar *cursor;
	unsigned int partial;
	unsigned short cksum;

	debug("sending neighbor solicitation for %pI6c our address %pI6c\n",
	      neigh_addr, &net_link_local_ip6);

	/* derive the IPv6 destination from the target, then the Ethernet one */
	ip6_make_snma(&mcast_dst, neigh_addr);
	ip6_make_mult_ethdstaddr(eth_dst, &mcast_dst);

	cursor = (uchar *)net_tx_packet;
	cursor += net_set_ether(cursor, eth_dst, PROT_IP6);
	cursor += ip6_add_hdr(cursor, &net_link_local_ip6, &mcast_dst,
			      PROT_ICMPV6, IPV6_NDISC_HOPLIMIT, icmp_len);

	/* ICMPv6 - NS */
	ns = (struct nd_msg *)cursor;
	ns->icmph.icmp6_type = IPV6_NDISC_NEIGHBOUR_SOLICITATION;
	ns->icmph.icmp6_code = 0;
	/* the checksum field must be zero while the checksum is computed */
	memset(&ns->icmph.icmp6_cksum, 0, sizeof(__be16));
	memset(&ns->icmph.icmp6_unused, 0, sizeof(__be32));

	/* target address followed by the source link-layer address option */
	net_copy_ip6(&ns->target, neigh_addr);
	ndisc_insert_option(ns->opt, ND_OPT_SOURCE_LL_ADDR, net_ethaddr,
			    INETHADDRSZ);

	partial = csum_partial((__u8 *)ns, icmp_len, 0);
	cksum = csum_ipv6_magic(&net_link_local_ip6, &mcast_dst,
				icmp_len, PROT_ICMPV6, partial);
	ns->icmph.icmp6_cksum = cksum;
	cursor += icmp_len;

	net_send_packet(net_tx_packet, (cursor - net_tx_packet));
}
/*
 * ip6_send_rs() - Send IPv6 Router Solicitation Message.
 *
 * A router solicitation is sent to discover a router. RS message creation is
 * based on RFC 4861 section 4.1. Router Solicitation Message Format.
 *
 * The function re-arms itself as the timeout handler after every
 * transmission. It stops with NETLOOP_SUCCESS once a gateway and a prefix
 * length are set, and with NETLOOP_FAIL after MAX_RTR_SOLICITATIONS attempts.
 *
 * NOTE(review): retry_count is reset only on the failure path; on the success
 * path it keeps its value for the next run. Confirm that this is intended.
 */
void ip6_send_rs(void)
{
	static unsigned int retry_count;
	unsigned char eth_dst[6];
	struct rs_msg *rs;
	uchar *cursor;
	unsigned int partial;
	unsigned short cksum;
	__u16 icmp_len;

	/* a gateway and a prefix are already known: nothing left to solicit */
	if (!ip6_is_unspecified_addr(&net_gateway6) &&
	    net_prefix_length != 0) {
		net_set_state(NETLOOP_SUCCESS);
		return;
	}

	/* out of attempts: report failure and stop the timer */
	if (retry_count >= MAX_RTR_SOLICITATIONS) {
		net_set_state(NETLOOP_FAIL);
		net_set_timeout_handler(0, NULL);
		retry_count = 0;
		return;
	}

	printf("ROUTER SOLICITATION %d\n", retry_count + 1);

	ip6_make_mult_ethdstaddr(eth_dst, &all_routers);
	/*
	 * ICMP length is the size of ICMP header (8) + one option (8) = 16.
	 * The option is 2 bytes of type and length + 6 bytes for MAC.
	 */
	icmp_len = sizeof(struct icmp6hdr) + IP6_NDISC_OPT_SPACE(INETHADDRSZ);

	cursor = (uchar *)net_tx_packet;
	cursor += net_set_ether(cursor, eth_dst, PROT_IP6);
	cursor += ip6_add_hdr(cursor, &net_link_local_ip6, &all_routers,
			      PROT_ICMPV6, IPV6_NDISC_HOPLIMIT, icmp_len);

	/* ICMPv6 - RS */
	rs = (struct rs_msg *)cursor;
	rs->icmph.icmp6_type = IPV6_NDISC_ROUTER_SOLICITATION;
	rs->icmph.icmp6_code = 0;
	/* the checksum field must be zero while the checksum is computed */
	memset(&rs->icmph.icmp6_cksum, 0, sizeof(__be16));
	memset(&rs->icmph.icmp6_unused, 0, sizeof(__be32));

	/* our MAC goes into the source link-layer address option */
	ndisc_insert_option(rs->opt, ND_OPT_SOURCE_LL_ADDR, net_ethaddr,
			    INETHADDRSZ);

	partial = csum_partial((__u8 *)rs, icmp_len, 0);
	cksum = csum_ipv6_magic(&net_link_local_ip6, &all_routers,
				icmp_len, PROT_ICMPV6, partial);
	rs->icmph.icmp6_cksum = cksum;
	cursor += icmp_len;

	/* Wait up to 1 second if it is the first try to get the RA */
	if (retry_count == 0)
		udelay(((unsigned int)rand() % 1000000) * MAX_SOLICITATION_DELAY);

	net_send_packet(net_tx_packet, (cursor - net_tx_packet));

	retry_count++;
	net_set_timeout_handler(RTR_SOLICITATION_INTERVAL, ip6_send_rs);
}
/**
 * ip6_send_na() - Send a neighbor advertisement
 *
 * Builds the frame in net_tx_packet: Ethernet header addressed to
 * @eth_dst_addr, IPv6 header addressed to @neigh_addr, ICMPv6 neighbour
 * advertisement for @target with the solicited and override flags set and
 * our own MAC in a target link-layer address option, then transmits it.
 *
 * @eth_dst_addr:	Ethernet address the frame is sent to
 * @neigh_addr:		IPv6 address the advertisement is sent to
 * @target:		IPv6 address being advertised
 */
static void
ip6_send_na(uchar *eth_dst_addr, struct in6_addr *neigh_addr,
	    struct in6_addr *target)
{
	/* ICMPv6 header + target address + one padded link-layer option */
	const __u16 icmp_len = sizeof(struct icmp6hdr) + IN6ADDRSZ +
			       IP6_NDISC_OPT_SPACE(INETHADDRSZ);
	struct nd_msg *na;
	uchar *cursor;
	unsigned short cksum;

	debug("sending neighbor advertisement for %pI6c to %pI6c (%pM)\n",
	      target, neigh_addr, eth_dst_addr);

	cursor = (uchar *)net_tx_packet;
	cursor += net_set_ether(cursor, eth_dst_addr, PROT_IP6);
	cursor += ip6_add_hdr(cursor, &net_link_local_ip6, neigh_addr,
			      PROT_ICMPV6, IPV6_NDISC_HOPLIMIT, icmp_len);

	/* ICMPv6 - NA */
	na = (struct nd_msg *)cursor;
	na->icmph.icmp6_type = IPV6_NDISC_NEIGHBOUR_ADVERTISEMENT;
	na->icmph.icmp6_code = 0;
	/* clear checksum and flag word first, then raise the two flags */
	memset(&na->icmph.icmp6_cksum, 0, sizeof(__be16));
	memset(&na->icmph.icmp6_unused, 0, sizeof(__be32));
	na->icmph.icmp6_dataun.u_nd_advt.solicited = 1;
	na->icmph.icmp6_dataun.u_nd_advt.override = 1;

	/* target address followed by the target link-layer address option */
	net_copy_ip6(&na->target, target);
	ndisc_insert_option(na->opt, ND_OPT_TARGET_LL_ADDR, net_ethaddr,
			    INETHADDRSZ);

	cksum = csum_ipv6_magic(&net_link_local_ip6,
				neigh_addr, icmp_len, PROT_ICMPV6,
				csum_partial((__u8 *)na, icmp_len, 0));
	na->icmph.icmp6_cksum = cksum;
	cursor += icmp_len;

	net_send_packet(net_tx_packet, (cursor - net_tx_packet));
}
/**
 * ndisc_request() - Send a neighbor solicitation for the pending packet
 *
 * Chooses the address to resolve and stores it in net_nd_rep_packet_ip6:
 * the packet's own destination when it lies in our subnet, otherwise the
 * gateway. If the destination is outside the subnet and no gateway is set,
 * a warning is printed and the destination itself is solicited.
 */
void ndisc_request(void)
{
	if (ip6_addr_in_subnet(&net_ip6, &net_nd_sol_packet_ip6,
			       net_prefix_length)) {
		/* on-link destination: resolve it directly */
		net_nd_rep_packet_ip6 = net_nd_sol_packet_ip6;
	} else if (!ip6_is_unspecified_addr(&net_gateway6)) {
		/* off-link destination: resolve the gateway instead */
		net_nd_rep_packet_ip6 = net_gateway6;
	} else {
		puts("## Warning: gatewayip6 is needed but not set\n");
		net_nd_rep_packet_ip6 = net_nd_sol_packet_ip6;
	}

	ip6_send_ns(&net_nd_rep_packet_ip6);
}
/**
 * ndisc_timeout_check() - Retry or abandon a pending neighbor discovery
 *
 * When a resolution is pending and more than NDISC_TIMEOUT has elapsed since
 * net_nd_timer_start, the solicitation is sent again; once
 * NDISC_TIMEOUT_COUNT attempts have timed out the network loop is put into
 * NETLOOP_FAIL and the attempt counter is cleared.
 *
 * Return: 0 if no neighbor discovery is pending, 1 otherwise
 */
int ndisc_timeout_check(void)
{
	ulong now;

	if (ip6_is_unspecified_addr(&net_nd_sol_packet_ip6))
		return 0;

	now = get_timer(0);

	/* still inside the current waiting period */
	if ((now - net_nd_timer_start) <= NDISC_TIMEOUT)
		return 1;

	net_nd_try++;
	if (net_nd_try < NDISC_TIMEOUT_COUNT) {
		/* start a new waiting period and solicit again */
		net_nd_timer_start = now;
		ndisc_request();
		return 1;
	}

	puts("\nNeighbour discovery retry count exceeded; "
	     "starting again\n");
	net_nd_try = 0;
	net_set_state(NETLOOP_FAIL);

	return 1;
}
/*
 * ndisc_init() - Make initial steps for ND state machine.
 * Usually move variables into initial state.
 *
 * Clears the pending-resolution state and points net_nd_tx_packet at the
 * first PKTALIGN-aligned address inside net_nd_packet_buf.
 */
void ndisc_init(void)
{
	/* round the buffer start up to the next multiple of PKTALIGN */
	uchar *aligned = &net_nd_packet_buf[0] + (PKTALIGN - 1);

	aligned -= (ulong)aligned % PKTALIGN;

	net_nd_packet_mac = NULL;
	net_nd_sol_packet_ip6 = net_null_addr_ip6;
	net_nd_rep_packet_ip6 = net_null_addr_ip6;
	net_nd_tx_packet_size = 0;
	net_nd_tx_packet = aligned;
}
/*
 * validate_ra() - Validate the router advertisement message.
 *
 * @ip6: Pointer to the router advertisement packet
 *
 * Check if the router advertisement message is valid. Conditions are
 * according to RFC 4861 section 6.1.2. Validation of Router Advertisement
 * Messages.
 *
 * NOTE(review): payload_len is compared as stored, without a byte-order
 * conversion, while the source address word in the same header goes through
 * ntohs(). If payload_len is kept in network byte order the length test
 * does not enforce the intended minimum; confirm against struct ip6_hdr.
 *
 * Return: true if the message is valid and false if it is invalid.
 */
bool validate_ra(struct ip6_hdr *ip6)
{
	struct icmp6hdr *icmp = (struct icmp6hdr *)(ip6 + 1);

	/*
	 * Reject when any header-level condition fails:
	 *  - ICMP length (derived from the IP length) below 16 octets,
	 *  - source address that is not link-local,
	 *  - hop limit other than 255, i.e. the packet could have been
	 *    forwarded by a router.
	 */
	if (ip6->payload_len < 16 ||
	    (ntohs(ip6->saddr.s6_addr16[0]) & IPV6_LINK_LOCAL_MASK) !=
	    IPV6_LINK_LOCAL_PREFIX ||
	    ip6->hop_limit != 255)
		return false;

	/* ICMP checksum has already been checked in net_ip6_handler. */

	return icmp->icmp6_code == 0;
}
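/*
 * process_ra() - Process the router advertisement packet.
 *
 * @ip6: Pointer to the router advertisement packet
 * @len: Length of the router advertisement packet
 *
 * Process the received router advertisement message.
 * Although RFC 4861 requires retaining at least two router addresses, we only
 * keep one because of the U-Boot limitations and its goal of lightweight code.
 *
 * The message comes from the network, so every length taken from it is
 * checked before it is used: @len must cover the IPv6 header and the fixed
 * part of the RA, each option must fit completely into the bytes that remain,
 * and a Prefix Information option must be large enough for the structure it
 * is read through.
 * NOTE(review): this assumes @len is the number of valid bytes starting at
 * @ip6; confirm against the caller.
 *
 * Return: 0 - RA is a default router and contains valid prefix information.
 * -EMSGSIZE - @len is larger than ETH_MAX_MTU.
 * -EINVAL - @len is too short or an option is malformed.
 * -EOPNOTSUPP - router lifetime is 0.
 * -EADDRNOTAVAIL - no usable prefix information was found.
 */
int process_ra(struct ip6_hdr *ip6, int len)
{
	/* Pointer to the ICMP section of the packet */
	struct icmp6hdr *icmp = (struct icmp6hdr *)(ip6 + 1);
	struct ra_msg *msg = (struct ra_msg *)icmp;
	/* IPv6 header plus the fixed part of the RA that precedes options */
	const int fixed_len = (int)(IP6_HDR_SIZE + sizeof(struct ra_msg));
	int remaining_option_len;
	int option_len; /* Length of the current option in bytes */
	/* Pointer to the ICMPv6 message options */
	unsigned char *option;
	/* 8-bit identifier of the type of ICMPv6 option */
	unsigned char type;
	struct icmp6_ra_prefix_info *prefix;

	/* Bound len on both sides before anything is derived from it. */
	if (len > ETH_MAX_MTU)
		return -EMSGSIZE;
	if (len < fixed_len)
		return -EINVAL;
	remaining_option_len = len - fixed_len;

	/* Ignore the packet if router lifetime is 0. */
	if (!icmp->icmp6_rt_lifetime)
		return -EOPNOTSUPP;

	/* Processing the options */
	option = msg->opt;
	while (remaining_option_len > 0) {
		/* The type and length bytes themselves must be present. */
		if (remaining_option_len < 2)
			return -EINVAL;

		/* The 2nd byte of the option is its length in 8-byte units. */
		option_len = option[1] << 3;
		/* All included options should have a positive length. */
		if (option_len == 0)
			return -EINVAL;
		/* An option must not claim more bytes than were received. */
		if (option_len > remaining_option_len)
			return -EINVAL;

		type = option[0];
		/* All option types except Prefix Information are ignored. */
		switch (type) {
		case ND_OPT_SOURCE_LL_ADDR:
		case ND_OPT_TARGET_LL_ADDR:
		case ND_OPT_REDIRECT_HDR:
		case ND_OPT_MTU:
			break;
		case ND_OPT_PREFIX_INFO:
			/* The fields read below must lie inside the option. */
			if (option_len < (int)sizeof(*prefix))
				return -EINVAL;
			prefix = (struct icmp6_ra_prefix_info *)option;
			/* The link-local prefix 0xfe80::/10 is ignored. */
			if ((ntohs(prefix->prefix.s6_addr16[0]) &
			     IPV6_LINK_LOCAL_MASK) == IPV6_LINK_LOCAL_PREFIX)
				break;
			/* A prefix cannot be longer than an IPv6 address. */
			if (prefix->prefix_len > IN6ADDRSZ * 8)
				break;
			if (prefix->on_link && ntohl(prefix->valid_lifetime)) {
				net_prefix_length = prefix->prefix_len;
				net_gateway6 = ip6->saddr;
				return 0;
			}
			break;
		default:
			debug("Unknown IPv6 Neighbor Discovery Option 0x%x\n",
			      type);
		}

		remaining_option_len -= option_len;
		option += option_len;
	}

	return -EADDRNOTAVAIL;
}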
/**
 * ndisc_receive() - Handle a received ICMPv6 neighbor discovery message
 *
 * Dispatches on the ICMPv6 type: answers neighbour solicitations for our
 * address, completes a pending resolution on a matching neighbour
 * advertisement and sends the deferred packet, ignores router
 * solicitations, and takes gateway and prefix length from a valid router
 * advertisement when none are set yet.
 *
 * NOTE(review): in the solicitation and advertisement cases the target
 * address and the first option are read without comparing @len with the
 * size of those fields; presumably the caller has validated the packet
 * length, confirm.
 *
 * @et:		Ethernet header of the frame (not used here)
 * @ip6:	pointer to the IPv6 header
 * @len:	packet length, passed on to process_ra()
 * Return: 0 for a known ND message type, -1 for any other ICMPv6 type
 */
int ndisc_receive(struct ethernet_hdr *et, struct ip6_hdr *ip6, int len)
{
	struct icmp6hdr *icmp =
		(struct icmp6hdr *)((uchar *)ip6 + IP6_HDR_SIZE);
	struct nd_msg *ndisc = (struct nd_msg *)icmp;
	struct ethernet_hdr *pending;
	uchar neigh_eth_addr[6];
	int err = 0; // The error code returned calling functions.

	switch (icmp->icmp6_type) {
	case IPV6_NDISC_NEIGHBOUR_SOLICITATION:
		debug("received neighbor solicitation for %pI6c from %pI6c\n",
		      &ndisc->target, &ip6->saddr);
		/* only answer for our own address, and only with a MAC given */
		if (!ip6_is_our_addr(&ndisc->target) ||
		    !ndisc_has_option(ip6, ND_OPT_SOURCE_LL_ADDR))
			break;

		ndisc_extract_enetaddr(ndisc, neigh_eth_addr);
		ip6_send_na(neigh_eth_addr, &ip6->saddr, &ndisc->target);
		break;

	case IPV6_NDISC_NEIGHBOUR_ADVERTISEMENT:
		/* are we waiting for a reply ? */
		if (ip6_is_unspecified_addr(&net_nd_sol_packet_ip6))
			break;

		/* the advert must be for the address we solicited */
		if (memcmp(&ndisc->target, &net_nd_rep_packet_ip6,
			   sizeof(struct in6_addr)) != 0 ||
		    !ndisc_has_option(ip6, ND_OPT_TARGET_LL_ADDR))
			break;

		ndisc_extract_enetaddr(ndisc, neigh_eth_addr);

		/*
		 * save address for later use; it points at a local buffer
		 * and is cleared again before this case ends
		 */
		if (!net_nd_packet_mac)
			net_nd_packet_mac = neigh_eth_addr;

		/* modify header, and transmit it */
		pending = (struct ethernet_hdr *)net_nd_tx_packet;
		memcpy(pending->et_dest, neigh_eth_addr, 6);

		net_send_packet(net_nd_tx_packet, net_nd_tx_packet_size);

		/* no ND request pending now */
		net_nd_sol_packet_ip6 = net_null_addr_ip6;
		net_nd_tx_packet_size = 0;
		net_nd_packet_mac = NULL;
		break;

	case IPV6_NDISC_ROUTER_SOLICITATION:
		break;

	case IPV6_NDISC_ROUTER_ADVERTISEMENT:
		debug("Received router advertisement for %pI6c from %pI6c\n",
		      &ip6->daddr, &ip6->saddr);
		/*
		 * If gateway and prefix are set, the RA packet is ignored. The
		 * reason is that the U-Boot code is supposed to be as compact
		 * as possible and does not need to take care of multiple
		 * routers. In addition to that, U-Boot does not want to handle
		 * scenarios like a router setting its lifetime to zero to
		 * indicate it is not routing anymore. U-Boot program has a
		 * short life when the system boots up and does not need such
		 * sophistication.
		 */
		if (!ip6_is_unspecified_addr(&net_gateway6) &&
		    net_prefix_length != 0)
			break;

		if (!validate_ra(ip6)) {
			debug("Invalid router advertisement message.\n");
			break;
		}

		err = process_ra(ip6, len);
		if (!err)
			printf("Set gatewayip6: %pI6c, prefix_length: %d\n",
			       &net_gateway6, net_prefix_length);
		else
			debug("Ignored router advertisement. Error: %d\n", err);
		break;

	default:
		debug("Unexpected ICMPv6 type 0x%x\n", icmp->icmp6_type);
		return -1;
	}

	return 0;
}