1 files changed, 70 insertions, 5 deletions
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 563f12c1c99..73cf3f78aaa 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1690,14 +1690,78 @@ static struct rt6_info *ip6_route_redirect(const struct in6_addr *dest,
                                                   flags, __ip6_route_redirect);
 }
-void rt6_redirect(const struct in6_addr *dest, const struct in6_addr *src,
+void rt6_redirect(struct sk_buff *skb)
-                  const struct in6_addr *saddr,
-                  struct neighbour *neigh, u8 *lladdr, int on_link)
 {
-        struct rt6_info *rt, *nrt = NULL;
+        struct net *net = dev_net(skb->dev);
        struct netevent_redirect netevent;
-        struct net *net = dev_net(neigh->dev);
+        struct rt6_info *rt, *nrt = NULL;
+        const struct in6_addr *target;
        struct neighbour *old_neigh;
+        const struct in6_addr *dest;
+        const struct in6_addr *src;
+        const struct in6_addr *saddr;
+        struct ndisc_options ndopts;
+        struct inet6_dev *in6_dev;
+        struct neighbour *neigh;
+        struct icmp6hdr *icmph;
+        int on_link, optlen;
+        u8 *lladdr = NULL;
+        optlen = skb->tail - skb->transport_header;
+        optlen -= sizeof(struct icmp6hdr) + 2 * sizeof(struct in6_addr);
+        if (optlen < 0) {
+                net_dbg_ratelimited("rt6_redirect: packet too short\n");
+                return;
+        }
+        icmph = icmp6_hdr(skb);
+        target = (const struct in6_addr *) (icmph + 1);
+        dest = target + 1;
+        if (ipv6_addr_is_multicast(dest)) {
+                net_dbg_ratelimited("rt6_redirect: destination address is multicast\n");
+                return;
+        }
+        if (ipv6_addr_equal(dest, target)) {
+                on_link = 1;
+        } else if (ipv6_addr_type(target) !=
+                   (IPV6_ADDR_UNICAST|IPV6_ADDR_LINKLOCAL)) {
+                net_dbg_ratelimited("rt6_redirect: target address is not link-local unicast\n");
+                return;
+        }
+        in6_dev = __in6_dev_get(skb->dev);
+        if (!in6_dev)
+                return;
+        if (in6_dev->cnf.forwarding || !in6_dev->cnf.accept_redirects)
+                return;
+        /* RFC2461 8.1:
+         *      The IP source address of the Redirect MUST be the same as the current
+         *      first-hop router for the specified ICMP Destination Address.
+         */
+        if (!ndisc_parse_options((u8*)(dest + 1), optlen, &ndopts)) {
+                net_dbg_ratelimited("rt6_redirect: invalid ND options\n");
+                return;
+        }
+        if (ndopts.nd_opts_tgt_lladdr) {
+                lladdr = ndisc_opt_addr_data(ndopts.nd_opts_tgt_lladdr,
+                                             skb->dev);
+                if (!lladdr) {
+                        net_dbg_ratelimited("rt6_redirect: invalid link-layer address length\n");
+                        return;
+                }
+        }
+        neigh = __neigh_lookup(&nd_tbl, target, skb->dev, 1);
+        if (!neigh)
+                return;
+        src = &ipv6_hdr(skb)->daddr;
+        saddr = &ipv6_hdr(skb)->saddr;
        rt = ip6_route_redirect(dest, src, saddr, neigh->dev);
@@ -1756,6 +1820,7 @@ void rt6_redirect(const struct in6_addr *dest, const struct in6_addr *src,
        }
 out:
+        neigh_release(neigh);
        dst_release(&rt->dst);
 }

diff --git a/net/ipv6/route.c b/net/ipv6/route.c index 563f12c1c99..73cf3f78aaa 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c
@@ -1690,14 +1690,78 @@ static struct rt6_info ip6_route_redirect(const struct in6_addr dest,
1690	flags, __ip6_route_redirect);	1690	flags, __ip6_route_redirect);
1691	}	1691	}
1692		1692
1693	void rt6_redirect(const struct in6_addr dest, const struct in6_addr src,	1693	void rt6_redirect(struct sk_buff *skb)
1694	const struct in6_addr *saddr,
1695	struct neighbour neigh, u8 lladdr, int on_link)
1696	{	1694	{
1697	struct rt6_info rt, nrt = NULL;	1695	struct net *net = dev_net(skb->dev);
1698	struct netevent_redirect netevent;	1696	struct netevent_redirect netevent;
1699	struct net *net = dev_net(neigh->dev);	1697	struct rt6_info rt, nrt = NULL;
		1698	const struct in6_addr *target;
1700	struct neighbour *old_neigh;	1699	struct neighbour *old_neigh;
		1700	const struct in6_addr *dest;
		1701	const struct in6_addr *src;
		1702	const struct in6_addr *saddr;
		1703	struct ndisc_options ndopts;
		1704	struct inet6_dev *in6_dev;
		1705	struct neighbour *neigh;
		1706	struct icmp6hdr *icmph;
		1707	int on_link, optlen;
		1708	u8 *lladdr = NULL;
		1709
		1710	optlen = skb->tail - skb->transport_header;
		1711	optlen -= sizeof(struct icmp6hdr) + 2 * sizeof(struct in6_addr);
		1712
		1713	if (optlen < 0) {
		1714	net_dbg_ratelimited("rt6_redirect: packet too short\n");
		1715	return;
		1716	}
		1717
		1718	icmph = icmp6_hdr(skb);
		1719	target = (const struct in6_addr *) (icmph + 1);
		1720	dest = target + 1;
		1721
		1722	if (ipv6_addr_is_multicast(dest)) {
		1723	net_dbg_ratelimited("rt6_redirect: destination address is multicast\n");
		1724	return;
		1725	}
		1726
		1727	if (ipv6_addr_equal(dest, target)) {
		1728	on_link = 1;
		1729	} else if (ipv6_addr_type(target) !=
		1730	(IPV6_ADDR_UNICAST\|IPV6_ADDR_LINKLOCAL)) {
		1731	net_dbg_ratelimited("rt6_redirect: target address is not link-local unicast\n");
		1732	return;
		1733	}
		1734
		1735	in6_dev = __in6_dev_get(skb->dev);
		1736	if (!in6_dev)
		1737	return;
		1738	if (in6_dev->cnf.forwarding \|\| !in6_dev->cnf.accept_redirects)
		1739	return;
		1740
		1741	/* RFC2461 8.1:
		1742	* The IP source address of the Redirect MUST be the same as the current
		1743	* first-hop router for the specified ICMP Destination Address.
		1744	*/
		1745
		1746	if (!ndisc_parse_options((u8*)(dest + 1), optlen, &ndopts)) {
		1747	net_dbg_ratelimited("rt6_redirect: invalid ND options\n");
		1748	return;
		1749	}
		1750	if (ndopts.nd_opts_tgt_lladdr) {
		1751	lladdr = ndisc_opt_addr_data(ndopts.nd_opts_tgt_lladdr,
		1752	skb->dev);
		1753	if (!lladdr) {
		1754	net_dbg_ratelimited("rt6_redirect: invalid link-layer address length\n");
		1755	return;
		1756	}
		1757	}
		1758
		1759	neigh = __neigh_lookup(&nd_tbl, target, skb->dev, 1);
		1760	if (!neigh)
		1761	return;
		1762
		1763	src = &ipv6_hdr(skb)->daddr;
		1764	saddr = &ipv6_hdr(skb)->saddr;
1701		1765
1702	rt = ip6_route_redirect(dest, src, saddr, neigh->dev);	1766	rt = ip6_route_redirect(dest, src, saddr, neigh->dev);
1703		1767
@@ -1756,6 +1820,7 @@ void rt6_redirect(const struct in6_addr dest, const struct in6_addr src,
1756	}	1820	}
1757		1821
1758	out:	1822	out:
		1823	neigh_release(neigh);
1759	dst_release(&rt->dst);	1824	dst_release(&rt->dst);
1760	}	1825	}
1761		1826