1
// SPDX-License-Identifier: GPL-2.0-or-later
2
/*
3
 *	NET3:	Implementation of the ICMP protocol layer.
4
 *
5
 *		Alan Cox, <[email protected]>
6
 *
7
 *	Some of the function names and the icmp unreach table for this
8
 *	module were derived from [icmp.c 1.0.11 06/02/93] by
9
 *	Ross Biro, Fred N. van Kempen, Mark Evans, Alan Cox, Gerhard Koerting.
10
 *	Other than that this module is a complete rewrite.
11
 *
12
 *	Fixes:
13
 *	Clemens Fruhwirth	:	introduce global icmp rate limiting
14
 *					with icmp type masking ability instead
15
 *					of broken per type icmp timeouts.
16
 *		Mike Shaver	:	RFC1122 checks.
17
 *		Alan Cox	:	Multicast ping reply as self.
18
 *		Alan Cox	:	Fix atomicity lockup in ip_build_xmit
19
 *					call.
20
 *		Alan Cox	:	Added 216,128 byte paths to the MTU
21
 *					code.
22
 *		Martin Mares	:	RFC1812 checks.
23
 *		Martin Mares	:	Can be configured to follow redirects
24
 *					if acting as a router _without_ a
25
 *					routing protocol (RFC 1812).
26
 *		Martin Mares	:	Echo requests may be configured to
27
 *					be ignored (RFC 1812).
28
 *		Martin Mares	:	Limitation of ICMP error message
29
 *					transmit rate (RFC 1812).
30
 *		Martin Mares	:	TOS and Precedence set correctly
31
 *					(RFC 1812).
32
 *		Martin Mares	:	Now copying as much data from the
33
 *					original packet as we can without
34
 *					exceeding 576 bytes (RFC 1812).
35
 *	Willy Konynenberg	:	Transparent proxying support.
36
 *		Keith Owens	:	RFC1191 correction for 4.2BSD based
37
 *					path MTU bug.
38
 *		Thomas Quinot	:	ICMP Dest Unreach codes up to 15 are
39
 *					valid (RFC 1812).
40
 *		Andi Kleen	:	Check all packet lengths properly
41
 *					and moved all kfree_skb() up to
42
 *					icmp_rcv.
43
 *		Andi Kleen	:	Move the rate limit bookkeeping
44
 *					into the dest entry and use a token
45
 *					bucket filter (thanks to ANK). Make
46
 *					the rates sysctl configurable.
47
 *		Yu Tianli	:	Fixed two ugly bugs in icmp_send
48
 *					- IP option length was accounted wrongly
49
 *					- ICMP header length was not accounted
50
 *					  at all.
51
 *              Tristan Greaves :       Added sysctl option to ignore bogus
52
 *              			broadcast responses from broken routers.
53
 *
54
 * To Fix:
55
 *
56
 *	- Should use skb_pull() instead of all the manual checking.
57
 *	  This would also greatly simply some upper layer error handlers. --AK
58
 */
59

60
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
61

62
#include <linux/module.h>
63
#include <linux/types.h>
64
#include <linux/jiffies.h>
65
#include <linux/kernel.h>
66
#include <linux/fcntl.h>
67
#include <linux/socket.h>
68
#include <linux/in.h>
69
#include <linux/inet.h>
70
#include <linux/inetdevice.h>
71
#include <linux/netdevice.h>
72
#include <linux/string.h>
73
#include <linux/netfilter_ipv4.h>
74
#include <linux/slab.h>
75
#include <net/snmp.h>
76
#include <net/ip.h>
77
#include <net/route.h>
78
#include <net/protocol.h>
79
#include <net/icmp.h>
80
#include <net/tcp.h>
81
#include <net/udp.h>
82
#include <net/raw.h>
83
#include <net/ping.h>
84
#include <linux/skbuff.h>
85
#include <net/sock.h>
86
#include <linux/errno.h>
87
#include <linux/timer.h>
88
#include <linux/init.h>
89
#include <linux/uaccess.h>
90
#include <net/checksum.h>
91
#include <net/xfrm.h>
92
#include <net/inet_common.h>
93
#include <net/ip_fib.h>
94
#include <net/l3mdev.h>
95
#include <net/addrconf.h>
96
#include <net/inet_dscp.h>
97
#define CREATE_TRACE_POINTS
98
#include <trace/events/icmp.h>
99

100
/*
101
 *	Build xmit assembly blocks
102
 */
103

104
struct icmp_bxm {
105
	struct sk_buff *skb;
106
	int offset;
107
	int data_len;
108

109
	struct {
110
		struct icmphdr icmph;
111
		__be32	       times[3];
112
	} data;
113
	int head_len;
114
	struct ip_options_data replyopts;
115
};
116

117
/* An array of errno for error messages from dest unreach. */
118
/* RFC 1122: 3.2.2.1 States that NET_UNREACH, HOST_UNREACH and SR_FAILED MUST be considered 'transient errs'. */
119

120
const struct icmp_err icmp_err_convert[] = {
121
	{
122
		.errno = ENETUNREACH,	/* ICMP_NET_UNREACH */
123
		.fatal = 0,
124
	},
125
	{
126
		.errno = EHOSTUNREACH,	/* ICMP_HOST_UNREACH */
127
		.fatal = 0,
128
	},
129
	{
130
		.errno = ENOPROTOOPT	/* ICMP_PROT_UNREACH */,
131
		.fatal = 1,
132
	},
133
	{
134
		.errno = ECONNREFUSED,	/* ICMP_PORT_UNREACH */
135
		.fatal = 1,
136
	},
137
	{
138
		.errno = EMSGSIZE,	/* ICMP_FRAG_NEEDED */
139
		.fatal = 0,
140
	},
141
	{
142
		.errno = EOPNOTSUPP,	/* ICMP_SR_FAILED */
143
		.fatal = 0,
144
	},
145
	{
146
		.errno = ENETUNREACH,	/* ICMP_NET_UNKNOWN */
147
		.fatal = 1,
148
	},
149
	{
150
		.errno = EHOSTDOWN,	/* ICMP_HOST_UNKNOWN */
151
		.fatal = 1,
152
	},
153
	{
154
		.errno = ENONET,	/* ICMP_HOST_ISOLATED */
155
		.fatal = 1,
156
	},
157
	{
158
		.errno = ENETUNREACH,	/* ICMP_NET_ANO	*/
159
		.fatal = 1,
160
	},
161
	{
162
		.errno = EHOSTUNREACH,	/* ICMP_HOST_ANO */
163
		.fatal = 1,
164
	},
165
	{
166
		.errno = ENETUNREACH,	/* ICMP_NET_UNR_TOS */
167
		.fatal = 0,
168
	},
169
	{
170
		.errno = EHOSTUNREACH,	/* ICMP_HOST_UNR_TOS */
171
		.fatal = 0,
172
	},
173
	{
174
		.errno = EHOSTUNREACH,	/* ICMP_PKT_FILTERED */
175
		.fatal = 1,
176
	},
177
	{
178
		.errno = EHOSTUNREACH,	/* ICMP_PREC_VIOLATION */
179
		.fatal = 1,
180
	},
181
	{
182
		.errno = EHOSTUNREACH,	/* ICMP_PREC_CUTOFF */
183
		.fatal = 1,
184
	},
185
};
186
EXPORT_SYMBOL(icmp_err_convert);
187

188
/*
189
 *	ICMP control array. This specifies what to do with each ICMP.
190
 */
191

192
struct icmp_control {
193
	enum skb_drop_reason (*handler)(struct sk_buff *skb);
194
	short   error;		/* This ICMP is classed as an error message */
195
};
196

197
static const struct icmp_control icmp_pointers[NR_ICMP_TYPES+1];
198

199
static DEFINE_PER_CPU(struct sock *, ipv4_icmp_sk);
200

201
/* Called with BH disabled */
202
static inline struct sock *icmp_xmit_lock(struct net *net)
203
{
204
	struct sock *sk;
205

206
	sk = this_cpu_read(ipv4_icmp_sk);
207

208
	if (unlikely(!spin_trylock(&sk->sk_lock.slock))) {
209
		/* This can happen if the output path signals a
210
		 * dst_link_failure() for an outgoing ICMP packet.
211
		 */
212
		return NULL;
213
	}
214
	sock_net_set(sk, net);
215
	return sk;
216
}
217

218
static inline void icmp_xmit_unlock(struct sock *sk)
219
{
220
	sock_net_set(sk, &init_net);
221
	spin_unlock(&sk->sk_lock.slock);
222
}
223

224
/**
225
 * icmp_global_allow - Are we allowed to send one more ICMP message ?
226
 * @net: network namespace
227
 *
228
 * Uses a token bucket to limit our ICMP messages to ~sysctl_icmp_msgs_per_sec.
229
 * Returns false if we reached the limit and can not send another packet.
230
 * Works in tandem with icmp_global_consume().
231
 */
232
bool icmp_global_allow(struct net *net)
233
{
234
	u32 delta, now, oldstamp;
235
	int incr, new, old;
236

237
	/* Note: many cpus could find this condition true.
238
	 * Then later icmp_global_consume() could consume more credits,
239
	 * this is an acceptable race.
240
	 */
241
	if (atomic_read(&net->ipv4.icmp_global_credit) > 0)
242
		return true;
243

244
	now = jiffies;
245
	oldstamp = READ_ONCE(net->ipv4.icmp_global_stamp);
246
	delta = min_t(u32, now - oldstamp, HZ);
247
	if (delta < HZ / 50)
248
		return false;
249

250
	incr = READ_ONCE(net->ipv4.sysctl_icmp_msgs_per_sec) * delta / HZ;
251
	if (!incr)
252
		return false;
253

254
	if (cmpxchg(&net->ipv4.icmp_global_stamp, oldstamp, now) == oldstamp) {
255
		old = atomic_read(&net->ipv4.icmp_global_credit);
256
		do {
257
			new = min(old + incr, READ_ONCE(net->ipv4.sysctl_icmp_msgs_burst));
258
		} while (!atomic_try_cmpxchg(&net->ipv4.icmp_global_credit, &old, new));
259
	}
260
	return true;
261
}
262
EXPORT_SYMBOL(icmp_global_allow);
263

264
void icmp_global_consume(struct net *net)
265
{
266
	int credits = get_random_u32_below(3);
267

268
	/* Note: this might make icmp_global.credit negative. */
269
	if (credits)
270
		atomic_sub(credits, &net->ipv4.icmp_global_credit);
271
}
272
EXPORT_SYMBOL(icmp_global_consume);
273

274
static bool icmpv4_mask_allow(struct net *net, int type, int code)
275
{
276
	if (type > NR_ICMP_TYPES)
277
		return true;
278

279
	/* Don't limit PMTU discovery. */
280
	if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED)
281
		return true;
282

283
	/* Limit if icmp type is enabled in ratemask. */
284
	if (!((1 << type) & READ_ONCE(net->ipv4.sysctl_icmp_ratemask)))
285
		return true;
286

287
	return false;
288
}
289

290
static bool icmpv4_global_allow(struct net *net, int type, int code,
291
				bool *apply_ratelimit)
292
{
293
	if (icmpv4_mask_allow(net, type, code))
294
		return true;
295

296
	if (icmp_global_allow(net)) {
297
		*apply_ratelimit = true;
298
		return true;
299
	}
300
	__ICMP_INC_STATS(net, ICMP_MIB_RATELIMITGLOBAL);
301
	return false;
302
}
303

304
/*
305
 *	Send an ICMP frame.
306
 */
307

308
static bool icmpv4_xrlim_allow(struct net *net, struct rtable *rt,
309
			       struct flowi4 *fl4, int type, int code,
310
			       bool apply_ratelimit)
311
{
312
	struct dst_entry *dst = &rt->dst;
313
	struct inet_peer *peer;
314
	struct net_device *dev;
315
	bool rc = true;
316

317
	if (!apply_ratelimit)
318
		return true;
319

320
	/* No rate limit on loopback */
321
	dev = dst_dev(dst);
322
	if (dev && (dev->flags & IFF_LOOPBACK))
323
		goto out;
324

325
	rcu_read_lock();
326
	peer = inet_getpeer_v4(net->ipv4.peers, fl4->daddr,
327
			       l3mdev_master_ifindex_rcu(dev));
328
	rc = inet_peer_xrlim_allow(peer,
329
				   READ_ONCE(net->ipv4.sysctl_icmp_ratelimit));
330
	rcu_read_unlock();
331
out:
332
	if (!rc)
333
		__ICMP_INC_STATS(net, ICMP_MIB_RATELIMITHOST);
334
	else
335
		icmp_global_consume(net);
336
	return rc;
337
}
338

339
/*
340
 *	Maintain the counters used in the SNMP statistics for outgoing ICMP
341
 */
342
void icmp_out_count(struct net *net, unsigned char type)
343
{
344
	ICMPMSGOUT_INC_STATS(net, type);
345
	ICMP_INC_STATS(net, ICMP_MIB_OUTMSGS);
346
}
347

348
/*
349
 *	Checksum each fragment, and on the first include the headers and final
350
 *	checksum.
351
 */
352
static int icmp_glue_bits(void *from, char *to, int offset, int len, int odd,
353
			  struct sk_buff *skb)
354
{
355
	struct icmp_bxm *icmp_param = from;
356
	__wsum csum;
357

358
	csum = skb_copy_and_csum_bits(icmp_param->skb,
359
				      icmp_param->offset + offset,
360
				      to, len);
361

362
	skb->csum = csum_block_add(skb->csum, csum, odd);
363
	if (icmp_pointers[icmp_param->data.icmph.type].error)
364
		nf_ct_attach(skb, icmp_param->skb);
365
	return 0;
366
}
367

368
static void icmp_push_reply(struct sock *sk,
369
			    struct icmp_bxm *icmp_param,
370
			    struct flowi4 *fl4,
371
			    struct ipcm_cookie *ipc, struct rtable **rt)
372
{
373
	struct sk_buff *skb;
374

375
	if (ip_append_data(sk, fl4, icmp_glue_bits, icmp_param,
376
			   icmp_param->data_len+icmp_param->head_len,
377
			   icmp_param->head_len,
378
			   ipc, rt, MSG_DONTWAIT) < 0) {
379
		__ICMP_INC_STATS(sock_net(sk), ICMP_MIB_OUTERRORS);
380
		ip_flush_pending_frames(sk);
381
	} else if ((skb = skb_peek(&sk->sk_write_queue)) != NULL) {
382
		struct icmphdr *icmph = icmp_hdr(skb);
383
		__wsum csum;
384
		struct sk_buff *skb1;
385

386
		csum = csum_partial_copy_nocheck((void *)&icmp_param->data,
387
						 (char *)icmph,
388
						 icmp_param->head_len);
389
		skb_queue_walk(&sk->sk_write_queue, skb1) {
390
			csum = csum_add(csum, skb1->csum);
391
		}
392
		icmph->checksum = csum_fold(csum);
393
		skb->ip_summed = CHECKSUM_NONE;
394
		ip_push_pending_frames(sk, fl4);
395
	}
396
}
397

398
/*
399
 *	Driving logic for building and sending ICMP messages.
400
 */
401

402
static void icmp_reply(struct icmp_bxm *icmp_param, struct sk_buff *skb)
403
{
404
	struct rtable *rt = skb_rtable(skb);
405
	struct net *net = dev_net_rcu(rt->dst.dev);
406
	bool apply_ratelimit = false;
407
	struct ipcm_cookie ipc;
408
	struct flowi4 fl4;
409
	struct sock *sk;
410
	__be32 daddr, saddr;
411
	u32 mark = IP4_REPLY_MARK(net, skb->mark);
412
	int type = icmp_param->data.icmph.type;
413
	int code = icmp_param->data.icmph.code;
414

415
	if (ip_options_echo(net, &icmp_param->replyopts.opt.opt, skb))
416
		return;
417

418
	/* Needed by both icmpv4_global_allow and icmp_xmit_lock */
419
	local_bh_disable();
420

421
	/* is global icmp_msgs_per_sec exhausted ? */
422
	if (!icmpv4_global_allow(net, type, code, &apply_ratelimit))
423
		goto out_bh_enable;
424

425
	sk = icmp_xmit_lock(net);
426
	if (!sk)
427
		goto out_bh_enable;
428

429
	icmp_param->data.icmph.checksum = 0;
430

431
	ipcm_init(&ipc);
432
	ipc.tos = ip_hdr(skb)->tos;
433
	ipc.sockc.mark = mark;
434
	daddr = ipc.addr = ip_hdr(skb)->saddr;
435
	saddr = fib_compute_spec_dst(skb);
436

437
	if (icmp_param->replyopts.opt.opt.optlen) {
438
		ipc.opt = &icmp_param->replyopts.opt;
439
		if (ipc.opt->opt.srr)
440
			daddr = icmp_param->replyopts.opt.opt.faddr;
441
	}
442
	memset(&fl4, 0, sizeof(fl4));
443
	fl4.daddr = daddr;
444
	fl4.saddr = saddr;
445
	fl4.flowi4_mark = mark;
446
	fl4.flowi4_uid = sock_net_uid(net, NULL);
447
	fl4.flowi4_tos = inet_dscp_to_dsfield(ip4h_dscp(ip_hdr(skb)));
448
	fl4.flowi4_proto = IPPROTO_ICMP;
449
	fl4.flowi4_oif = l3mdev_master_ifindex(skb->dev);
450
	security_skb_classify_flow(skb, flowi4_to_flowi_common(&fl4));
451
	rt = ip_route_output_key(net, &fl4);
452
	if (IS_ERR(rt))
453
		goto out_unlock;
454
	if (icmpv4_xrlim_allow(net, rt, &fl4, type, code, apply_ratelimit))
455
		icmp_push_reply(sk, icmp_param, &fl4, &ipc, &rt);
456
	ip_rt_put(rt);
457
out_unlock:
458
	icmp_xmit_unlock(sk);
459
out_bh_enable:
460
	local_bh_enable();
461
}
462

463
/*
464
 * The device used for looking up which routing table to use for sending an ICMP
465
 * error is preferably the source whenever it is set, which should ensure the
466
 * icmp error can be sent to the source host, else lookup using the routing
467
 * table of the destination device, else use the main routing table (index 0).
468
 */
469
static struct net_device *icmp_get_route_lookup_dev(struct sk_buff *skb)
470
{
471
	struct net_device *dev = skb->dev;
472
	const struct dst_entry *dst;
473

474
	if (dev)
475
		return dev;
476
	dst = skb_dst(skb);
477
	return dst ? dst_dev(dst) : NULL;
478
}
479

480
static struct rtable *icmp_route_lookup(struct net *net, struct flowi4 *fl4,
481
					struct sk_buff *skb_in,
482
					const struct iphdr *iph, __be32 saddr,
483
					dscp_t dscp, u32 mark, int type,
484
					int code, struct icmp_bxm *param)
485
{
486
	struct net_device *route_lookup_dev;
487
	struct dst_entry *dst, *dst2;
488
	struct rtable *rt, *rt2;
489
	struct flowi4 fl4_dec;
490
	int err;
491

492
	memset(fl4, 0, sizeof(*fl4));
493
	fl4->daddr = (param->replyopts.opt.opt.srr ?
494
		      param->replyopts.opt.opt.faddr : iph->saddr);
495
	fl4->saddr = saddr;
496
	fl4->flowi4_mark = mark;
497
	fl4->flowi4_uid = sock_net_uid(net, NULL);
498
	fl4->flowi4_tos = inet_dscp_to_dsfield(dscp);
499
	fl4->flowi4_proto = IPPROTO_ICMP;
500
	fl4->fl4_icmp_type = type;
501
	fl4->fl4_icmp_code = code;
502
	route_lookup_dev = icmp_get_route_lookup_dev(skb_in);
503
	fl4->flowi4_oif = l3mdev_master_ifindex(route_lookup_dev);
504

505
	security_skb_classify_flow(skb_in, flowi4_to_flowi_common(fl4));
506
	rt = ip_route_output_key_hash(net, fl4, skb_in);
507
	if (IS_ERR(rt))
508
		return rt;
509

510
	/* No need to clone since we're just using its address. */
511
	rt2 = rt;
512

513
	dst = xfrm_lookup(net, &rt->dst,
514
			  flowi4_to_flowi(fl4), NULL, 0);
515
	rt = dst_rtable(dst);
516
	if (!IS_ERR(dst)) {
517
		if (rt != rt2)
518
			return rt;
519
		if (inet_addr_type_dev_table(net, route_lookup_dev,
520
					     fl4->daddr) == RTN_LOCAL)
521
			return rt;
522
	} else if (PTR_ERR(dst) == -EPERM) {
523
		rt = NULL;
524
	} else {
525
		return rt;
526
	}
527
	err = xfrm_decode_session_reverse(net, skb_in, flowi4_to_flowi(&fl4_dec), AF_INET);
528
	if (err)
529
		goto relookup_failed;
530

531
	if (inet_addr_type_dev_table(net, route_lookup_dev,
532
				     fl4_dec.saddr) == RTN_LOCAL) {
533
		rt2 = __ip_route_output_key(net, &fl4_dec);
534
		if (IS_ERR(rt2))
535
			err = PTR_ERR(rt2);
536
	} else {
537
		struct flowi4 fl4_2 = {};
538
		unsigned long orefdst;
539

540
		fl4_2.daddr = fl4_dec.saddr;
541
		rt2 = ip_route_output_key(net, &fl4_2);
542
		if (IS_ERR(rt2)) {
543
			err = PTR_ERR(rt2);
544
			goto relookup_failed;
545
		}
546
		/* Ugh! */
547
		orefdst = skb_in->_skb_refdst; /* save old refdst */
548
		skb_dst_set(skb_in, NULL);
549
		err = ip_route_input(skb_in, fl4_dec.daddr, fl4_dec.saddr,
550
				     dscp, rt2->dst.dev) ? -EINVAL : 0;
551

552
		dst_release(&rt2->dst);
553
		rt2 = skb_rtable(skb_in);
554
		skb_in->_skb_refdst = orefdst; /* restore old refdst */
555
	}
556

557
	if (err)
558
		goto relookup_failed;
559

560
	dst2 = xfrm_lookup(net, &rt2->dst, flowi4_to_flowi(&fl4_dec), NULL,
561
			   XFRM_LOOKUP_ICMP);
562
	rt2 = dst_rtable(dst2);
563
	if (!IS_ERR(dst2)) {
564
		dst_release(&rt->dst);
565
		memcpy(fl4, &fl4_dec, sizeof(*fl4));
566
		rt = rt2;
567
	} else if (PTR_ERR(dst2) == -EPERM) {
568
		if (rt)
569
			dst_release(&rt->dst);
570
		return rt2;
571
	} else {
572
		err = PTR_ERR(dst2);
573
		goto relookup_failed;
574
	}
575
	return rt;
576

577
relookup_failed:
578
	if (rt)
579
		return rt;
580
	return ERR_PTR(err);
581
}
582

583
/*
584
 *	Send an ICMP message in response to a situation
585
 *
586
 *	RFC 1122: 3.2.2	MUST send at least the IP header and 8 bytes of header.
587
 *		  MAY send more (we do).
588
 *			MUST NOT change this header information.
589
 *			MUST NOT reply to a multicast/broadcast IP address.
590
 *			MUST NOT reply to a multicast/broadcast MAC address.
591
 *			MUST reply to only the first fragment.
592
 */
593

594
void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info,
595
		 const struct ip_options *opt)
596
{
597
	struct iphdr *iph;
598
	int room;
599
	struct icmp_bxm icmp_param;
600
	struct rtable *rt = skb_rtable(skb_in);
601
	bool apply_ratelimit = false;
602
	struct ipcm_cookie ipc;
603
	struct flowi4 fl4;
604
	__be32 saddr;
605
	u8  tos;
606
	u32 mark;
607
	struct net *net;
608
	struct sock *sk;
609

610
	if (!rt)
611
		return;
612

613
	rcu_read_lock();
614

615
	if (rt->dst.dev)
616
		net = dev_net_rcu(rt->dst.dev);
617
	else if (skb_in->dev)
618
		net = dev_net_rcu(skb_in->dev);
619
	else
620
		goto out;
621

622
	/*
623
	 *	Find the original header. It is expected to be valid, of course.
624
	 *	Check this, icmp_send is called from the most obscure devices
625
	 *	sometimes.
626
	 */
627
	iph = ip_hdr(skb_in);
628

629
	if ((u8 *)iph < skb_in->head ||
630
	    (skb_network_header(skb_in) + sizeof(*iph)) >
631
	    skb_tail_pointer(skb_in))
632
		goto out;
633

634
	/*
635
	 *	No replies to physical multicast/broadcast
636
	 */
637
	if (skb_in->pkt_type != PACKET_HOST)
638
		goto out;
639

640
	/*
641
	 *	Now check at the protocol level
642
	 */
643
	if (rt->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST))
644
		goto out;
645

646
	/*
647
	 *	Only reply to fragment 0. We byte re-order the constant
648
	 *	mask for efficiency.
649
	 */
650
	if (iph->frag_off & htons(IP_OFFSET))
651
		goto out;
652

653
	/*
654
	 *	If we send an ICMP error to an ICMP error a mess would result..
655
	 */
656
	if (icmp_pointers[type].error) {
657
		/*
658
		 *	We are an error, check if we are replying to an
659
		 *	ICMP error
660
		 */
661
		if (iph->protocol == IPPROTO_ICMP) {
662
			u8 _inner_type, *itp;
663

664
			itp = skb_header_pointer(skb_in,
665
						 skb_network_header(skb_in) +
666
						 (iph->ihl << 2) +
667
						 offsetof(struct icmphdr,
668
							  type) -
669
						 skb_in->data,
670
						 sizeof(_inner_type),
671
						 &_inner_type);
672
			if (!itp)
673
				goto out;
674

675
			/*
676
			 *	Assume any unknown ICMP type is an error. This
677
			 *	isn't specified by the RFC, but think about it..
678
			 */
679
			if (*itp > NR_ICMP_TYPES ||
680
			    icmp_pointers[*itp].error)
681
				goto out;
682
		}
683
	}
684

685
	/* Needed by both icmpv4_global_allow and icmp_xmit_lock */
686
	local_bh_disable();
687

688
	/* Check global sysctl_icmp_msgs_per_sec ratelimit, unless
689
	 * incoming dev is loopback.  If outgoing dev change to not be
690
	 * loopback, then peer ratelimit still work (in icmpv4_xrlim_allow)
691
	 */
692
	if (!(skb_in->dev && (skb_in->dev->flags&IFF_LOOPBACK)) &&
693
	      !icmpv4_global_allow(net, type, code, &apply_ratelimit))
694
		goto out_bh_enable;
695

696
	sk = icmp_xmit_lock(net);
697
	if (!sk)
698
		goto out_bh_enable;
699

700
	/*
701
	 *	Construct source address and options.
702
	 */
703

704
	saddr = iph->daddr;
705
	if (!(rt->rt_flags & RTCF_LOCAL)) {
706
		struct net_device *dev = NULL;
707

708
		rcu_read_lock();
709
		if (rt_is_input_route(rt) &&
710
		    READ_ONCE(net->ipv4.sysctl_icmp_errors_use_inbound_ifaddr))
711
			dev = dev_get_by_index_rcu(net, inet_iif(skb_in));
712

713
		if (dev)
714
			saddr = inet_select_addr(dev, iph->saddr,
715
						 RT_SCOPE_LINK);
716
		else
717
			saddr = 0;
718
		rcu_read_unlock();
719
	}
720

721
	tos = icmp_pointers[type].error ? (RT_TOS(iph->tos) |
722
					   IPTOS_PREC_INTERNETCONTROL) :
723
					   iph->tos;
724
	mark = IP4_REPLY_MARK(net, skb_in->mark);
725

726
	if (__ip_options_echo(net, &icmp_param.replyopts.opt.opt, skb_in, opt))
727
		goto out_unlock;
728

729

730
	/*
731
	 *	Prepare data for ICMP header.
732
	 */
733

734
	icmp_param.data.icmph.type	 = type;
735
	icmp_param.data.icmph.code	 = code;
736
	icmp_param.data.icmph.un.gateway = info;
737
	icmp_param.data.icmph.checksum	 = 0;
738
	icmp_param.skb	  = skb_in;
739
	icmp_param.offset = skb_network_offset(skb_in);
740
	ipcm_init(&ipc);
741
	ipc.tos = tos;
742
	ipc.addr = iph->saddr;
743
	ipc.opt = &icmp_param.replyopts.opt;
744
	ipc.sockc.mark = mark;
745

746
	rt = icmp_route_lookup(net, &fl4, skb_in, iph, saddr,
747
			       inet_dsfield_to_dscp(tos), mark, type, code,
748
			       &icmp_param);
749
	if (IS_ERR(rt))
750
		goto out_unlock;
751

752
	/* peer icmp_ratelimit */
753
	if (!icmpv4_xrlim_allow(net, rt, &fl4, type, code, apply_ratelimit))
754
		goto ende;
755

756
	/* RFC says return as much as we can without exceeding 576 bytes. */
757

758
	room = dst_mtu(&rt->dst);
759
	if (room > 576)
760
		room = 576;
761
	room -= sizeof(struct iphdr) + icmp_param.replyopts.opt.opt.optlen;
762
	room -= sizeof(struct icmphdr);
763
	/* Guard against tiny mtu. We need to include at least one
764
	 * IP network header for this message to make any sense.
765
	 */
766
	if (room <= (int)sizeof(struct iphdr))
767
		goto ende;
768

769
	icmp_param.data_len = skb_in->len - icmp_param.offset;
770
	if (icmp_param.data_len > room)
771
		icmp_param.data_len = room;
772
	icmp_param.head_len = sizeof(struct icmphdr);
773

774
	/* if we don't have a source address at this point, fall back to the
775
	 * dummy address instead of sending out a packet with a source address
776
	 * of 0.0.0.0
777
	 */
778
	if (!fl4.saddr)
779
		fl4.saddr = htonl(INADDR_DUMMY);
780

781
	trace_icmp_send(skb_in, type, code);
782

783
	icmp_push_reply(sk, &icmp_param, &fl4, &ipc, &rt);
784
ende:
785
	ip_rt_put(rt);
786
out_unlock:
787
	icmp_xmit_unlock(sk);
788
out_bh_enable:
789
	local_bh_enable();
790
out:
791
	rcu_read_unlock();
792
}
793
EXPORT_SYMBOL(__icmp_send);
794

795
#if IS_ENABLED(CONFIG_NF_NAT)
796
#include <net/netfilter/nf_conntrack.h>
797
void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info)
798
{
799
	struct sk_buff *cloned_skb = NULL;
800
	struct ip_options opts = { 0 };
801
	enum ip_conntrack_info ctinfo;
802
	enum ip_conntrack_dir dir;
803
	struct nf_conn *ct;
804
	__be32 orig_ip;
805

806
	ct = nf_ct_get(skb_in, &ctinfo);
807
	if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) {
808
		__icmp_send(skb_in, type, code, info, &opts);
809
		return;
810
	}
811

812
	if (skb_shared(skb_in))
813
		skb_in = cloned_skb = skb_clone(skb_in, GFP_ATOMIC);
814

815
	if (unlikely(!skb_in || skb_network_header(skb_in) < skb_in->head ||
816
	    (skb_network_header(skb_in) + sizeof(struct iphdr)) >
817
	    skb_tail_pointer(skb_in) || skb_ensure_writable(skb_in,
818
	    skb_network_offset(skb_in) + sizeof(struct iphdr))))
819
		goto out;
820

821
	orig_ip = ip_hdr(skb_in)->saddr;
822
	dir = CTINFO2DIR(ctinfo);
823
	ip_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.ip;
824
	__icmp_send(skb_in, type, code, info, &opts);
825
	ip_hdr(skb_in)->saddr = orig_ip;
826
out:
827
	consume_skb(cloned_skb);
828
}
829
EXPORT_SYMBOL(icmp_ndo_send);
830
#endif
831

832
static void icmp_socket_deliver(struct sk_buff *skb, u32 info)
833
{
834
	const struct iphdr *iph = (const struct iphdr *)skb->data;
835
	const struct net_protocol *ipprot;
836
	int protocol = iph->protocol;
837

838
	/* Checkin full IP header plus 8 bytes of protocol to
839
	 * avoid additional coding at protocol handlers.
840
	 */
841
	if (!pskb_may_pull(skb, iph->ihl * 4 + 8)) {
842
		__ICMP_INC_STATS(dev_net_rcu(skb->dev), ICMP_MIB_INERRORS);
843
		return;
844
	}
845

846
	raw_icmp_error(skb, protocol, info);
847

848
	ipprot = rcu_dereference(inet_protos[protocol]);
849
	if (ipprot && ipprot->err_handler)
850
		ipprot->err_handler(skb, info);
851
}
852

853
static bool icmp_tag_validation(int proto)
854
{
855
	bool ok;
856

857
	rcu_read_lock();
858
	ok = rcu_dereference(inet_protos[proto])->icmp_strict_tag_validation;
859
	rcu_read_unlock();
860
	return ok;
861
}
862

863
/*
864
 *	Handle ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED, ICMP_QUENCH, and
865
 *	ICMP_PARAMETERPROB.
866
 */
867

868
static enum skb_drop_reason icmp_unreach(struct sk_buff *skb)
869
{
870
	enum skb_drop_reason reason = SKB_NOT_DROPPED_YET;
871
	const struct iphdr *iph;
872
	struct icmphdr *icmph;
873
	struct net *net;
874
	u32 info = 0;
875

876
	net = skb_dst_dev_net_rcu(skb);
877

878
	/*
879
	 *	Incomplete header ?
880
	 * 	Only checks for the IP header, there should be an
881
	 *	additional check for longer headers in upper levels.
882
	 */
883

884
	if (!pskb_may_pull(skb, sizeof(struct iphdr)))
885
		goto out_err;
886

887
	icmph = icmp_hdr(skb);
888
	iph   = (const struct iphdr *)skb->data;
889

890
	if (iph->ihl < 5)  { /* Mangled header, drop. */
891
		reason = SKB_DROP_REASON_IP_INHDR;
892
		goto out_err;
893
	}
894

895
	switch (icmph->type) {
896
	case ICMP_DEST_UNREACH:
897
		switch (icmph->code & 15) {
898
		case ICMP_NET_UNREACH:
899
		case ICMP_HOST_UNREACH:
900
		case ICMP_PROT_UNREACH:
901
		case ICMP_PORT_UNREACH:
902
			break;
903
		case ICMP_FRAG_NEEDED:
904
			/* for documentation of the ip_no_pmtu_disc
905
			 * values please see
906
			 * Documentation/networking/ip-sysctl.rst
907
			 */
908
			switch (READ_ONCE(net->ipv4.sysctl_ip_no_pmtu_disc)) {
909
			default:
910
				net_dbg_ratelimited("%pI4: fragmentation needed and DF set\n",
911
						    &iph->daddr);
912
				break;
913
			case 2:
914
				goto out;
915
			case 3:
916
				if (!icmp_tag_validation(iph->protocol))
917
					goto out;
918
				fallthrough;
919
			case 0:
920
				info = ntohs(icmph->un.frag.mtu);
921
			}
922
			break;
923
		case ICMP_SR_FAILED:
924
			net_dbg_ratelimited("%pI4: Source Route Failed\n",
925
					    &iph->daddr);
926
			break;
927
		default:
928
			break;
929
		}
930
		if (icmph->code > NR_ICMP_UNREACH)
931
			goto out;
932
		break;
933
	case ICMP_PARAMETERPROB:
934
		info = ntohl(icmph->un.gateway) >> 24;
935
		break;
936
	case ICMP_TIME_EXCEEDED:
937
		__ICMP_INC_STATS(net, ICMP_MIB_INTIMEEXCDS);
938
		if (icmph->code == ICMP_EXC_FRAGTIME)
939
			goto out;
940
		break;
941
	}
942

943
	/*
944
	 *	Throw it at our lower layers
945
	 *
946
	 *	RFC 1122: 3.2.2 MUST extract the protocol ID from the passed
947
	 *		  header.
948
	 *	RFC 1122: 3.2.2.1 MUST pass ICMP unreach messages to the
949
	 *		  transport layer.
950
	 *	RFC 1122: 3.2.2.2 MUST pass ICMP time expired messages to
951
	 *		  transport layer.
952
	 */
953

954
	/*
955
	 *	Check the other end isn't violating RFC 1122. Some routers send
956
	 *	bogus responses to broadcast frames. If you see this message
957
	 *	first check your netmask matches at both ends, if it does then
958
	 *	get the other vendor to fix their kit.
959
	 */
960

961
	if (!READ_ONCE(net->ipv4.sysctl_icmp_ignore_bogus_error_responses) &&
962
	    inet_addr_type_dev_table(net, skb->dev, iph->daddr) == RTN_BROADCAST) {
963
		net_warn_ratelimited("%pI4 sent an invalid ICMP type %u, code %u error to a broadcast: %pI4 on %s\n",
964
				     &ip_hdr(skb)->saddr,
965
				     icmph->type, icmph->code,
966
				     &iph->daddr, skb->dev->name);
967
		goto out;
968
	}
969

970
	icmp_socket_deliver(skb, info);
971

972
out:
973
	return reason;
974
out_err:
975
	__ICMP_INC_STATS(net, ICMP_MIB_INERRORS);
976
	return reason ?: SKB_DROP_REASON_NOT_SPECIFIED;
977
}
978

979

980
/*
981
 *	Handle ICMP_REDIRECT.
982
 */
983

984
static enum skb_drop_reason icmp_redirect(struct sk_buff *skb)
985
{
986
	if (skb->len < sizeof(struct iphdr)) {
987
		__ICMP_INC_STATS(dev_net_rcu(skb->dev), ICMP_MIB_INERRORS);
988
		return SKB_DROP_REASON_PKT_TOO_SMALL;
989
	}
990

991
	if (!pskb_may_pull(skb, sizeof(struct iphdr))) {
992
		/* there aught to be a stat */
993
		return SKB_DROP_REASON_NOMEM;
994
	}
995

996
	icmp_socket_deliver(skb, ntohl(icmp_hdr(skb)->un.gateway));
997
	return SKB_NOT_DROPPED_YET;
998
}
999

1000
/*
1001
 *	Handle ICMP_ECHO ("ping") and ICMP_EXT_ECHO ("PROBE") requests.
1002
 *
1003
 *	RFC 1122: 3.2.2.6 MUST have an echo server that answers ICMP echo
1004
 *		  requests.
1005
 *	RFC 1122: 3.2.2.6 Data received in the ICMP_ECHO request MUST be
1006
 *		  included in the reply.
1007
 *	RFC 1812: 4.3.3.6 SHOULD have a config option for silently ignoring
1008
 *		  echo requests, MUST have default=NOT.
1009
 *	RFC 8335: 8 MUST have a config option to enable/disable ICMP
1010
 *		  Extended Echo Functionality, MUST be disabled by default
1011
 *	See also WRT handling of options once they are done and working.
1012
 */
1013

1014
static enum skb_drop_reason icmp_echo(struct sk_buff *skb)
1015
{
1016
	struct icmp_bxm icmp_param;
1017
	struct net *net;
1018

1019
	net = skb_dst_dev_net_rcu(skb);
1020
	/* should there be an ICMP stat for ignored echos? */
1021
	if (READ_ONCE(net->ipv4.sysctl_icmp_echo_ignore_all))
1022
		return SKB_NOT_DROPPED_YET;
1023

1024
	icmp_param.data.icmph	   = *icmp_hdr(skb);
1025
	icmp_param.skb		   = skb;
1026
	icmp_param.offset	   = 0;
1027
	icmp_param.data_len	   = skb->len;
1028
	icmp_param.head_len	   = sizeof(struct icmphdr);
1029

1030
	if (icmp_param.data.icmph.type == ICMP_ECHO)
1031
		icmp_param.data.icmph.type = ICMP_ECHOREPLY;
1032
	else if (!icmp_build_probe(skb, &icmp_param.data.icmph))
1033
		return SKB_NOT_DROPPED_YET;
1034

1035
	icmp_reply(&icmp_param, skb);
1036
	return SKB_NOT_DROPPED_YET;
1037
}
1038

1039
/*	Helper for icmp_echo and icmpv6_echo_reply.
1040
 *	Searches for net_device that matches PROBE interface identifier
1041
 *		and builds PROBE reply message in icmphdr.
1042
 *
1043
 *	Returns false if PROBE responses are disabled via sysctl
1044
 */
1045

1046
bool icmp_build_probe(struct sk_buff *skb, struct icmphdr *icmphdr)
1047
{
1048
	struct net *net = dev_net_rcu(skb->dev);
1049
	struct icmp_ext_hdr *ext_hdr, _ext_hdr;
1050
	struct icmp_ext_echo_iio *iio, _iio;
1051
	struct inet6_dev *in6_dev;
1052
	struct in_device *in_dev;
1053
	struct net_device *dev;
1054
	char buff[IFNAMSIZ];
1055
	u16 ident_len;
1056
	u8 status;
1057

1058
	if (!READ_ONCE(net->ipv4.sysctl_icmp_echo_enable_probe))
1059
		return false;
1060

1061
	/* We currently only support probing interfaces on the proxy node
1062
	 * Check to ensure L-bit is set
1063
	 */
1064
	if (!(ntohs(icmphdr->un.echo.sequence) & 1))
1065
		return false;
1066
	/* Clear status bits in reply message */
1067
	icmphdr->un.echo.sequence &= htons(0xFF00);
1068
	if (icmphdr->type == ICMP_EXT_ECHO)
1069
		icmphdr->type = ICMP_EXT_ECHOREPLY;
1070
	else
1071
		icmphdr->type = ICMPV6_EXT_ECHO_REPLY;
1072
	ext_hdr = skb_header_pointer(skb, 0, sizeof(_ext_hdr), &_ext_hdr);
1073
	/* Size of iio is class_type dependent.
1074
	 * Only check header here and assign length based on ctype in the switch statement
1075
	 */
1076
	iio = skb_header_pointer(skb, sizeof(_ext_hdr), sizeof(iio->extobj_hdr), &_iio);
1077
	if (!ext_hdr || !iio)
1078
		goto send_mal_query;
1079
	if (ntohs(iio->extobj_hdr.length) <= sizeof(iio->extobj_hdr) ||
1080
	    ntohs(iio->extobj_hdr.length) > sizeof(_iio))
1081
		goto send_mal_query;
1082
	ident_len = ntohs(iio->extobj_hdr.length) - sizeof(iio->extobj_hdr);
1083
	iio = skb_header_pointer(skb, sizeof(_ext_hdr),
1084
				 sizeof(iio->extobj_hdr) + ident_len, &_iio);
1085
	if (!iio)
1086
		goto send_mal_query;
1087

1088
	status = 0;
1089
	dev = NULL;
1090
	switch (iio->extobj_hdr.class_type) {
1091
	case ICMP_EXT_ECHO_CTYPE_NAME:
1092
		if (ident_len >= IFNAMSIZ)
1093
			goto send_mal_query;
1094
		memset(buff, 0, sizeof(buff));
1095
		memcpy(buff, &iio->ident.name, ident_len);
1096
		dev = dev_get_by_name(net, buff);
1097
		break;
1098
	case ICMP_EXT_ECHO_CTYPE_INDEX:
1099
		if (ident_len != sizeof(iio->ident.ifindex))
1100
			goto send_mal_query;
1101
		dev = dev_get_by_index(net, ntohl(iio->ident.ifindex));
1102
		break;
1103
	case ICMP_EXT_ECHO_CTYPE_ADDR:
1104
		if (ident_len < sizeof(iio->ident.addr.ctype3_hdr) ||
1105
		    ident_len != sizeof(iio->ident.addr.ctype3_hdr) +
1106
				 iio->ident.addr.ctype3_hdr.addrlen)
1107
			goto send_mal_query;
1108
		switch (ntohs(iio->ident.addr.ctype3_hdr.afi)) {
1109
		case ICMP_AFI_IP:
1110
			if (iio->ident.addr.ctype3_hdr.addrlen != sizeof(struct in_addr))
1111
				goto send_mal_query;
1112
			dev = ip_dev_find(net, iio->ident.addr.ip_addr.ipv4_addr);
1113
			break;
1114
#if IS_ENABLED(CONFIG_IPV6)
1115
		case ICMP_AFI_IP6:
1116
			if (iio->ident.addr.ctype3_hdr.addrlen != sizeof(struct in6_addr))
1117
				goto send_mal_query;
1118
			dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
1119
			dev_hold(dev);
1120
			break;
1121
#endif
1122
		default:
1123
			goto send_mal_query;
1124
		}
1125
		break;
1126
	default:
1127
		goto send_mal_query;
1128
	}
1129
	if (!dev) {
1130
		icmphdr->code = ICMP_EXT_CODE_NO_IF;
1131
		return true;
1132
	}
1133
	/* Fill bits in reply message */
1134
	if (dev->flags & IFF_UP)
1135
		status |= ICMP_EXT_ECHOREPLY_ACTIVE;
1136

1137
	in_dev = __in_dev_get_rcu(dev);
1138
	if (in_dev && rcu_access_pointer(in_dev->ifa_list))
1139
		status |= ICMP_EXT_ECHOREPLY_IPV4;
1140

1141
	in6_dev = __in6_dev_get(dev);
1142
	if (in6_dev && !list_empty(&in6_dev->addr_list))
1143
		status |= ICMP_EXT_ECHOREPLY_IPV6;
1144

1145
	dev_put(dev);
1146
	icmphdr->un.echo.sequence |= htons(status);
1147
	return true;
1148
send_mal_query:
1149
	icmphdr->code = ICMP_EXT_CODE_MAL_QUERY;
1150
	return true;
1151
}
1152
EXPORT_SYMBOL_GPL(icmp_build_probe);
1153

1154
/*
1155
 *	Handle ICMP Timestamp requests.
1156
 *	RFC 1122: 3.2.2.8 MAY implement ICMP timestamp requests.
1157
 *		  SHOULD be in the kernel for minimum random latency.
1158
 *		  MUST be accurate to a few minutes.
1159
 *		  MUST be updated at least at 15Hz.
1160
 */
1161
static enum skb_drop_reason icmp_timestamp(struct sk_buff *skb)
1162
{
1163
	struct icmp_bxm icmp_param;
1164
	/*
1165
	 *	Too short.
1166
	 */
1167
	if (skb->len < 4)
1168
		goto out_err;
1169

1170
	/*
1171
	 *	Fill in the current time as ms since midnight UT:
1172
	 */
1173
	icmp_param.data.times[1] = inet_current_timestamp();
1174
	icmp_param.data.times[2] = icmp_param.data.times[1];
1175

1176
	BUG_ON(skb_copy_bits(skb, 0, &icmp_param.data.times[0], 4));
1177

1178
	icmp_param.data.icmph	   = *icmp_hdr(skb);
1179
	icmp_param.data.icmph.type = ICMP_TIMESTAMPREPLY;
1180
	icmp_param.data.icmph.code = 0;
1181
	icmp_param.skb		   = skb;
1182
	icmp_param.offset	   = 0;
1183
	icmp_param.data_len	   = 0;
1184
	icmp_param.head_len	   = sizeof(struct icmphdr) + 12;
1185
	icmp_reply(&icmp_param, skb);
1186
	return SKB_NOT_DROPPED_YET;
1187

1188
out_err:
1189
	__ICMP_INC_STATS(skb_dst_dev_net_rcu(skb), ICMP_MIB_INERRORS);
1190
	return SKB_DROP_REASON_PKT_TOO_SMALL;
1191
}
1192

1193
static enum skb_drop_reason icmp_discard(struct sk_buff *skb)
1194
{
1195
	/* pretend it was a success */
1196
	return SKB_NOT_DROPPED_YET;
1197
}
1198

1199
/*
1200
 *	Deal with incoming ICMP packets.
1201
 */
1202
int icmp_rcv(struct sk_buff *skb)
1203
{
1204
	enum skb_drop_reason reason = SKB_DROP_REASON_NOT_SPECIFIED;
1205
	struct rtable *rt = skb_rtable(skb);
1206
	struct net *net = dev_net_rcu(rt->dst.dev);
1207
	struct icmphdr *icmph;
1208

1209
	if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) {
1210
		struct sec_path *sp = skb_sec_path(skb);
1211
		int nh;
1212

1213
		if (!(sp && sp->xvec[sp->len - 1]->props.flags &
1214
				 XFRM_STATE_ICMP)) {
1215
			reason = SKB_DROP_REASON_XFRM_POLICY;
1216
			goto drop;
1217
		}
1218

1219
		if (!pskb_may_pull(skb, sizeof(*icmph) + sizeof(struct iphdr)))
1220
			goto drop;
1221

1222
		nh = skb_network_offset(skb);
1223
		skb_set_network_header(skb, sizeof(*icmph));
1224

1225
		if (!xfrm4_policy_check_reverse(NULL, XFRM_POLICY_IN,
1226
						skb)) {
1227
			reason = SKB_DROP_REASON_XFRM_POLICY;
1228
			goto drop;
1229
		}
1230

1231
		skb_set_network_header(skb, nh);
1232
	}
1233

1234
	__ICMP_INC_STATS(net, ICMP_MIB_INMSGS);
1235

1236
	if (skb_checksum_simple_validate(skb))
1237
		goto csum_error;
1238

1239
	if (!pskb_pull(skb, sizeof(*icmph)))
1240
		goto error;
1241

1242
	icmph = icmp_hdr(skb);
1243

1244
	ICMPMSGIN_INC_STATS(net, icmph->type);
1245

1246
	/* Check for ICMP Extended Echo (PROBE) messages */
1247
	if (icmph->type == ICMP_EXT_ECHO) {
1248
		/* We can't use icmp_pointers[].handler() because it is an array of
1249
		 * size NR_ICMP_TYPES + 1 (19 elements) and PROBE has code 42.
1250
		 */
1251
		reason = icmp_echo(skb);
1252
		goto reason_check;
1253
	}
1254

1255
	/*
1256
	 *	Parse the ICMP message
1257
	 */
1258

1259
	if (rt->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST)) {
1260
		/*
1261
		 *	RFC 1122: 3.2.2.6 An ICMP_ECHO to broadcast MAY be
1262
		 *	  silently ignored (we let user decide with a sysctl).
1263
		 *	RFC 1122: 3.2.2.8 An ICMP_TIMESTAMP MAY be silently
1264
		 *	  discarded if to broadcast/multicast.
1265
		 */
1266
		if ((icmph->type == ICMP_ECHO ||
1267
		     icmph->type == ICMP_TIMESTAMP) &&
1268
		    READ_ONCE(net->ipv4.sysctl_icmp_echo_ignore_broadcasts)) {
1269
			reason = SKB_DROP_REASON_INVALID_PROTO;
1270
			goto error;
1271
		}
1272
		if (icmph->type != ICMP_ECHO &&
1273
		    icmph->type != ICMP_TIMESTAMP &&
1274
		    icmph->type != ICMP_ADDRESS &&
1275
		    icmph->type != ICMP_ADDRESSREPLY) {
1276
			reason = SKB_DROP_REASON_INVALID_PROTO;
1277
			goto error;
1278
		}
1279
	}
1280

1281
	if (icmph->type == ICMP_EXT_ECHOREPLY ||
1282
	    icmph->type == ICMP_ECHOREPLY) {
1283
		reason = ping_rcv(skb);
1284
		return reason ? NET_RX_DROP : NET_RX_SUCCESS;
1285
	}
1286

1287
	/*
1288
	 *	18 is the highest 'known' ICMP type. Anything else is a mystery
1289
	 *
1290
	 *	RFC 1122: 3.2.2  Unknown ICMP messages types MUST be silently
1291
	 *		  discarded.
1292
	 */
1293
	if (icmph->type > NR_ICMP_TYPES) {
1294
		reason = SKB_DROP_REASON_UNHANDLED_PROTO;
1295
		goto error;
1296
	}
1297

1298
	reason = icmp_pointers[icmph->type].handler(skb);
1299
reason_check:
1300
	if (!reason)  {
1301
		consume_skb(skb);
1302
		return NET_RX_SUCCESS;
1303
	}
1304

1305
drop:
1306
	kfree_skb_reason(skb, reason);
1307
	return NET_RX_DROP;
1308
csum_error:
1309
	reason = SKB_DROP_REASON_ICMP_CSUM;
1310
	__ICMP_INC_STATS(net, ICMP_MIB_CSUMERRORS);
1311
error:
1312
	__ICMP_INC_STATS(net, ICMP_MIB_INERRORS);
1313
	goto drop;
1314
}
1315

1316
static bool ip_icmp_error_rfc4884_validate(const struct sk_buff *skb, int off)
1317
{
1318
	struct icmp_extobj_hdr *objh, _objh;
1319
	struct icmp_ext_hdr *exth, _exth;
1320
	u16 olen;
1321

1322
	exth = skb_header_pointer(skb, off, sizeof(_exth), &_exth);
1323
	if (!exth)
1324
		return false;
1325
	if (exth->version != 2)
1326
		return true;
1327

1328
	if (exth->checksum &&
1329
	    csum_fold(skb_checksum(skb, off, skb->len - off, 0)))
1330
		return false;
1331

1332
	off += sizeof(_exth);
1333
	while (off < skb->len) {
1334
		objh = skb_header_pointer(skb, off, sizeof(_objh), &_objh);
1335
		if (!objh)
1336
			return false;
1337

1338
		olen = ntohs(objh->length);
1339
		if (olen < sizeof(_objh))
1340
			return false;
1341

1342
		off += olen;
1343
		if (off > skb->len)
1344
			return false;
1345
	}
1346

1347
	return true;
1348
}
1349

1350
void ip_icmp_error_rfc4884(const struct sk_buff *skb,
1351
			   struct sock_ee_data_rfc4884 *out,
1352
			   int thlen, int off)
1353
{
1354
	int hlen;
1355

1356
	/* original datagram headers: end of icmph to payload (skb->data) */
1357
	hlen = -skb_transport_offset(skb) - thlen;
1358

1359
	/* per rfc 4884: minimal datagram length of 128 bytes */
1360
	if (off < 128 || off < hlen)
1361
		return;
1362

1363
	/* kernel has stripped headers: return payload offset in bytes */
1364
	off -= hlen;
1365
	if (off + sizeof(struct icmp_ext_hdr) > skb->len)
1366
		return;
1367

1368
	out->len = off;
1369

1370
	if (!ip_icmp_error_rfc4884_validate(skb, off))
1371
		out->flags |= SO_EE_RFC4884_FLAG_INVALID;
1372
}
1373
EXPORT_SYMBOL_GPL(ip_icmp_error_rfc4884);
1374

1375
int icmp_err(struct sk_buff *skb, u32 info)
1376
{
1377
	struct iphdr *iph = (struct iphdr *)skb->data;
1378
	int offset = iph->ihl<<2;
1379
	struct icmphdr *icmph = (struct icmphdr *)(skb->data + offset);
1380
	struct net *net = dev_net_rcu(skb->dev);
1381
	int type = icmp_hdr(skb)->type;
1382
	int code = icmp_hdr(skb)->code;
1383

1384
	/*
1385
	 * Use ping_err to handle all icmp errors except those
1386
	 * triggered by ICMP_ECHOREPLY which sent from kernel.
1387
	 */
1388
	if (icmph->type != ICMP_ECHOREPLY) {
1389
		ping_err(skb, offset, info);
1390
		return 0;
1391
	}
1392

1393
	if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED)
1394
		ipv4_update_pmtu(skb, net, info, 0, IPPROTO_ICMP);
1395
	else if (type == ICMP_REDIRECT)
1396
		ipv4_redirect(skb, net, 0, IPPROTO_ICMP);
1397

1398
	return 0;
1399
}
1400

1401
/*
1402
 *	This table is the definition of how we handle ICMP.
1403
 */
1404
static const struct icmp_control icmp_pointers[NR_ICMP_TYPES + 1] = {
1405
	[ICMP_ECHOREPLY] = {
1406
		.handler = ping_rcv,
1407
	},
1408
	[1] = {
1409
		.handler = icmp_discard,
1410
		.error = 1,
1411
	},
1412
	[2] = {
1413
		.handler = icmp_discard,
1414
		.error = 1,
1415
	},
1416
	[ICMP_DEST_UNREACH] = {
1417
		.handler = icmp_unreach,
1418
		.error = 1,
1419
	},
1420
	[ICMP_SOURCE_QUENCH] = {
1421
		.handler = icmp_unreach,
1422
		.error = 1,
1423
	},
1424
	[ICMP_REDIRECT] = {
1425
		.handler = icmp_redirect,
1426
		.error = 1,
1427
	},
1428
	[6] = {
1429
		.handler = icmp_discard,
1430
		.error = 1,
1431
	},
1432
	[7] = {
1433
		.handler = icmp_discard,
1434
		.error = 1,
1435
	},
1436
	[ICMP_ECHO] = {
1437
		.handler = icmp_echo,
1438
	},
1439
	[9] = {
1440
		.handler = icmp_discard,
1441
		.error = 1,
1442
	},
1443
	[10] = {
1444
		.handler = icmp_discard,
1445
		.error = 1,
1446
	},
1447
	[ICMP_TIME_EXCEEDED] = {
1448
		.handler = icmp_unreach,
1449
		.error = 1,
1450
	},
1451
	[ICMP_PARAMETERPROB] = {
1452
		.handler = icmp_unreach,
1453
		.error = 1,
1454
	},
1455
	[ICMP_TIMESTAMP] = {
1456
		.handler = icmp_timestamp,
1457
	},
1458
	[ICMP_TIMESTAMPREPLY] = {
1459
		.handler = icmp_discard,
1460
	},
1461
	[ICMP_INFO_REQUEST] = {
1462
		.handler = icmp_discard,
1463
	},
1464
	[ICMP_INFO_REPLY] = {
1465
		.handler = icmp_discard,
1466
	},
1467
	[ICMP_ADDRESS] = {
1468
		.handler = icmp_discard,
1469
	},
1470
	[ICMP_ADDRESSREPLY] = {
1471
		.handler = icmp_discard,
1472
	},
1473
};
1474

1475
static int __net_init icmp_sk_init(struct net *net)
1476
{
1477
	/* Control parameters for ECHO replies. */
1478
	net->ipv4.sysctl_icmp_echo_ignore_all = 0;
1479
	net->ipv4.sysctl_icmp_echo_enable_probe = 0;
1480
	net->ipv4.sysctl_icmp_echo_ignore_broadcasts = 1;
1481

1482
	/* Control parameter - ignore bogus broadcast responses? */
1483
	net->ipv4.sysctl_icmp_ignore_bogus_error_responses = 1;
1484

1485
	/*
1486
	 * 	Configurable global rate limit.
1487
	 *
1488
	 *	ratelimit defines tokens/packet consumed for dst->rate_token
1489
	 *	bucket ratemask defines which icmp types are ratelimited by
1490
	 *	setting	it's bit position.
1491
	 *
1492
	 *	default:
1493
	 *	dest unreachable (3), source quench (4),
1494
	 *	time exceeded (11), parameter problem (12)
1495
	 */
1496

1497
	net->ipv4.sysctl_icmp_ratelimit = 1 * HZ;
1498
	net->ipv4.sysctl_icmp_ratemask = 0x1818;
1499
	net->ipv4.sysctl_icmp_errors_use_inbound_ifaddr = 0;
1500
	net->ipv4.sysctl_icmp_msgs_per_sec = 1000;
1501
	net->ipv4.sysctl_icmp_msgs_burst = 50;
1502

1503
	return 0;
1504
}
1505

1506
static struct pernet_operations __net_initdata icmp_sk_ops = {
1507
       .init = icmp_sk_init,
1508
};
1509

1510
int __init icmp_init(void)
1511
{
1512
	int err, i;
1513

1514
	for_each_possible_cpu(i) {
1515
		struct sock *sk;
1516

1517
		err = inet_ctl_sock_create(&sk, PF_INET,
1518
					   SOCK_RAW, IPPROTO_ICMP, &init_net);
1519
		if (err < 0)
1520
			return err;
1521

1522
		per_cpu(ipv4_icmp_sk, i) = sk;
1523

1524
		/* Enough space for 2 64K ICMP packets, including
1525
		 * sk_buff/skb_shared_info struct overhead.
1526
		 */
1527
		sk->sk_sndbuf =	2 * SKB_TRUESIZE(64 * 1024);
1528

1529
		/*
1530
		 * Speedup sock_wfree()
1531
		 */
1532
		sock_set_flag(sk, SOCK_USE_WRITE_QUEUE);
1533
		inet_sk(sk)->pmtudisc = IP_PMTUDISC_DONT;
1534
	}
1535
	return register_pernet_subsys(&icmp_sk_ops);
1536
}
1537

1538