/* * CDDL HEADER START * * The contents of this file are subject to the terms of the * Common Development and Distribution License (the "License"). * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. * See the License for the specific language governing permissions * and limitations under the License. * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file at usr/src/OPENSOLARIS.LICENSE. * If applicable, add the following below this CDDL HEADER, with the * fields enclosed by brackets "[]" replaced with your own identifying * information: Portions Copyright [yyyy] [name of copyright owner] * * CDDL HEADER END */ /* * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ /* Copyright (c) 1990 Mentat Inc. */ /* * This file contains common code for handling Options Management requests. */ #include <sys/types.h> #include <sys/stream.h> #include <sys/stropts.h> #include <sys/strsubr.h> #include <sys/errno.h> #define _SUN_TPI_VERSION 2 #include <sys/tihdr.h> #include <sys/socket.h> #include <sys/socketvar.h> #include <sys/ddi.h> #include <sys/debug.h> /* for ASSERT */ #include <sys/policy.h> #include <inet/common.h> #include <inet/mi.h> #include <inet/nd.h> #include <netinet/ip6.h> #include <inet/ip.h> #include <inet/mib2.h> #include <netinet/in.h> #include "optcom.h" #include <inet/optcom.h> #include <inet/ipclassifier.h> #include <inet/proto_set.h> /* * Function prototypes */ static t_scalar_t process_topthdrs_first_pass(mblk_t *, cred_t *, optdb_obj_t *, size_t *); static t_scalar_t do_options_second_pass(queue_t *q, mblk_t *reqmp, mblk_t *ack_mp, cred_t *, optdb_obj_t *dbobjp, t_uscalar_t *worst_statusp); static t_uscalar_t get_worst_status(t_uscalar_t, t_uscalar_t); static int do_opt_default(queue_t *, struct T_opthdr *, uchar_t **, t_uscalar_t *, cred_t *, optdb_obj_t *); static void do_opt_current(queue_t *, struct T_opthdr *, uchar_t **, t_uscalar_t *, cred_t *cr, optdb_obj_t *); static void do_opt_check_or_negotiate(queue_t *q, struct T_opthdr *reqopt, uint_t optset_context, uchar_t **resptrp, t_uscalar_t *worst_statusp, cred_t *, optdb_obj_t *dbobjp); static boolean_t opt_level_valid(t_uscalar_t, optlevel_t *, uint_t); static size_t opt_level_allopts_lengths(t_uscalar_t, opdes_t *, uint_t); static boolean_t opt_length_ok(opdes_t *, t_uscalar_t optlen); static t_uscalar_t optcom_max_optbuf_len(opdes_t *, uint_t); static boolean_t opt_bloated_maxsize(opdes_t *); /* Common code for sending back a T_ERROR_ACK. */ void optcom_err_ack(queue_t *q, mblk_t *mp, t_scalar_t t_error, int sys_error) { if ((mp = mi_tpi_err_ack_alloc(mp, t_error, sys_error)) != NULL) qreply(q, mp); } /* * The option management routines svr4_optcom_req() and tpi_optcom_req() use * callback functions as arguments. Here is the expected interfaces * assumed from the callback functions * * * (1) deffn(q, optlevel, optname, optvalp) * * - Function only called when default value comes from protocol * specific code and not the option database table (indicated by * OP_DEF_FN property in option database.) * - Error return is -1. Valid returns are >=0. * - When valid, the return value represents the length used for storing * the default value of the option. * - Error return implies the called routine did not recognize this * option. Something downstream could so input is left unchanged * in request buffer. * * (2) getfn(q, optlevel, optname, optvalp) * * - Error return is -1. Valid returns are >=0. * - When valid, the return value represents the length used for storing * the actual value of the option. * - Error return implies the called routine did not recognize this * option. Something downstream could so input is left unchanged * in request buffer. * * (3) setfn(q, optset_context, optlevel, optname, inlen, invalp, * outlenp, outvalp, attrp, cr); * * - OK return is 0, Error code is returned as a non-zero argument. * - If negative it is ignored by svr4_optcom_req(). If positive, error * is returned. A negative return implies that option, while handled on * this stack is not handled at this level and will be handled further * downstream. * - Both negative and positive errors are treats as errors in an * identical manner by tpi_optcom_req(). The errors affect "status" * field of each option's T_opthdr. If sucessfull, an appropriate sucess * result is carried. If error, it instantiated to "failure" at the * topmost level and left unchanged at other levels. (This "failure" can * turn to a success at another level). * - optset_context passed for tpi_optcom_req(). It is interpreted as: * - SETFN_OPTCOM_CHECKONLY * semantics are to pretend to set the value and report * back if it would be successful. * This is used with T_CHECK semantics in XTI * - SETFN_OPTCOM_NEGOTIATE * set the value. Call from option management primitive * T_OPTMGMT_REQ when T_NEGOTIATE flags is used. * - SETFN_UD_NEGOTIATE * option request came riding on UNITDATA primitive most often * has "this datagram" semantics to influence prpoerties * affecting an outgoig datagram or associated with recived * datagram * [ Note: XTI permits this use outside of "this datagram" * semantics also and permits setting "management related" * options in this context and its test suite enforces it ] * - SETFN_CONN_NEGOTATE * option request came riding on CONN_REQ/RES primitive and * most often has "this connection" (negotiation during * "connection estblishment") semantics. * [ Note: XTI permits use of these outside of "this connection" * semantics and permits "management related" options in this * context and its test suite enforces it. ] * * - inlen, invalp is the option length,value requested to be set. * - outlenp, outvalp represent return parameters which contain the * value set and it might be different from one passed on input. * - attrp points to a data structure that's used by v6 modules to * store ancillary data options or sticky options. * - cr points to the caller's credentials * - the caller might pass same buffers for input and output and the * routine should protect against this case by not updating output * buffers until it is done referencing input buffers and any other * issues (e.g. not use bcopy() if we do not trust what it does). * - If option is not known, it returns error. We randomly pick EINVAL. * It can however get called with options that are handled downstream * opr upstream so for svr4_optcom_req(), it does not return error for * negative return values. * */ /* * Upper Level Protocols call this routine when they receive * a T_SVR4_OPTMGMT_REQ message. They supply callback functions * for setting a new value for a single options, getting the * current value for a single option, and checking for support * of a single option. svr4_optcom_req validates the option management * buffer passed in, and calls the appropriate routines to do the * job requested. * XXX Code below needs some restructuring after we have some more * macros to support 'struct opthdr' in the headers. */ void svr4_optcom_req(queue_t *q, mblk_t *mp, cred_t *cr, optdb_obj_t *dbobjp) { pfi_t deffn = dbobjp->odb_deffn; pfi_t getfn = dbobjp->odb_getfn; opt_set_fn setfn = dbobjp->odb_setfn; opdes_t *opt_arr = dbobjp->odb_opt_des_arr; uint_t opt_arr_cnt = dbobjp->odb_opt_arr_cnt; t_uscalar_t max_optbuf_len; int len; mblk_t *mp1 = NULL; struct opthdr *next_opt; struct opthdr *opt; struct opthdr *opt1; struct opthdr *opt_end; struct opthdr *opt_start; opdes_t *optd; struct T_optmgmt_ack *toa; struct T_optmgmt_req *tor; int error; tor = (struct T_optmgmt_req *)mp->b_rptr; /* Verify message integrity. */ if (mp->b_wptr - mp->b_rptr < sizeof (struct T_optmgmt_req)) goto bad_opt; /* Verify MGMT_flags legal */ switch (tor->MGMT_flags) { case T_DEFAULT: case T_NEGOTIATE: case T_CURRENT: case T_CHECK: /* OK - legal request flags */ break; default: optcom_err_ack(q, mp, TBADFLAG, 0); return; } if (tor->MGMT_flags == T_DEFAULT) { /* Is it a request for default option settings? */ /* * Note: XXX TLI and TPI specification was unclear about * semantics of T_DEFAULT and the following historical note * and its interpretation is incorrect (it implies a request * for default values of only the identified options not all. * The semantics have been explained better in XTI spec.) * However, we do not modify (comment or code) here to keep * compatibility. * We can rethink this if it ever becomes an issue. * ----historical comment start------ * As we understand it, the input buffer is meaningless * so we ditch the message. A T_DEFAULT request is a * request to obtain a buffer containing defaults for * all supported options, so we allocate a maximum length * reply. * ----historical comment end ------- */ /* T_DEFAULT not passed down */ freemsg(mp); max_optbuf_len = optcom_max_optbuf_len(opt_arr, opt_arr_cnt); mp = allocb(max_optbuf_len, BPRI_MED); if (!mp) { no_mem:; optcom_err_ack(q, mp, TSYSERR, ENOMEM); return; } /* Initialize the T_optmgmt_ack header. */ toa = (struct T_optmgmt_ack *)mp->b_rptr; bzero((char *)toa, max_optbuf_len); toa->PRIM_type = T_OPTMGMT_ACK; toa->OPT_offset = (t_scalar_t)sizeof (struct T_optmgmt_ack); /* TODO: Is T_DEFAULT the right thing to put in MGMT_flags? */ toa->MGMT_flags = T_DEFAULT; /* Now walk the table of options passed in */ opt = (struct opthdr *)&toa[1]; for (optd = opt_arr; optd < &opt_arr[opt_arr_cnt]; optd++) { /* * All the options in the table of options passed * in are by definition supported by the protocol * calling this function. */ if (!OA_READ_PERMISSION(optd, cr)) continue; opt->level = optd->opdes_level; opt->name = optd->opdes_name; if (!(optd->opdes_props & OP_DEF_FN) || ((len = (*deffn)(q, opt->level, opt->name, (uchar_t *)&opt[1])) < 0)) { /* * Fill length and value from table. * * Default value not instantiated from function * (or the protocol specific function failed it; * In this interpretation of T_DEFAULT, this is * the best we can do) */ switch (optd->opdes_size) { /* * Since options are guaranteed aligned only * on a 4 byte boundary (t_scalar_t) any * option that is greater in size will default * to the bcopy below */ case sizeof (int32_t): *(int32_t *)&opt[1] = (int32_t)optd->opdes_default; break; case sizeof (int16_t): *(int16_t *)&opt[1] = (int16_t)optd->opdes_default; break; case sizeof (int8_t): *(int8_t *)&opt[1] = (int8_t)optd->opdes_default; break; default: /* * other length but still assume * fixed - use bcopy */ bcopy(optd->opdes_defbuf, &opt[1], optd->opdes_size); break; } opt->len = optd->opdes_size; } else opt->len = (t_uscalar_t)len; opt = (struct opthdr *)((char *)&opt[1] + _TPI_ALIGN_OPT(opt->len)); } /* Now record the final length. */ toa->OPT_length = (t_scalar_t)((char *)opt - (char *)&toa[1]); mp->b_wptr = (uchar_t *)opt; mp->b_datap->db_type = M_PCPROTO; /* Ship it back. */ qreply(q, mp); return; } /* T_DEFAULT processing complete - no more T_DEFAULT */ /* * For T_NEGOTIATE, T_CURRENT, and T_CHECK requests, we make a * pass through the input buffer validating the details and * making sure each option is supported by the protocol. */ if ((opt_start = (struct opthdr *)mi_offset_param(mp, tor->OPT_offset, tor->OPT_length)) == NULL) goto bad_opt; if (!__TPI_OPT_ISALIGNED(opt_start)) goto bad_opt; opt_end = (struct opthdr *)((uchar_t *)opt_start + tor->OPT_length); for (opt = opt_start; opt < opt_end; opt = next_opt) { /* * Verify we have room to reference the option header * fields in the option buffer. */ if ((uchar_t *)opt + sizeof (struct opthdr) > (uchar_t *)opt_end) goto bad_opt; /* * We now compute pointer to next option in buffer 'next_opt' * The next_opt computation above below 'opt->len' initialized * by application which cannot be trusted. The usual value * too large will be captured by the loop termination condition * above. We check for the following which it will miss. * -pointer space wraparound arithmetic overflow * -last option in buffer with 'opt->len' being too large * (only reason 'next_opt' should equal or exceed * 'opt_end' for last option is roundup unless length is * too-large/invalid) */ next_opt = (struct opthdr *)((uchar_t *)&opt[1] + _TPI_ALIGN_OPT(opt->len)); if ((uchar_t *)next_opt < (uchar_t *)&opt[1] || ((next_opt >= opt_end) && (((uchar_t *)next_opt - (uchar_t *)opt_end) >= __TPI_ALIGN_SIZE))) goto bad_opt; /* sanity check */ if (opt->name == T_ALLOPT) goto bad_opt; error = proto_opt_check(opt->level, opt->name, opt->len, NULL, opt_arr, opt_arr_cnt, tor->MGMT_flags == T_NEGOTIATE, tor->MGMT_flags == T_CHECK, cr); if (error < 0) { optcom_err_ack(q, mp, -error, 0); return; } else if (error > 0) { optcom_err_ack(q, mp, TSYSERR, error); return; } } /* end for loop scanning option buffer */ /* Now complete the operation as required. */ switch (tor->MGMT_flags) { case T_CHECK: /* * Historically used same as T_CURRENT (which was added to * standard later). Code retained for compatibility. */ /* FALLTHROUGH */ case T_CURRENT: /* * Allocate a maximum size reply. Perhaps we are supposed to * assume that the input buffer includes space for the answers * as well as the opthdrs, but we don't know that for sure. * So, instead, we create a new output buffer, using the * input buffer only as a list of options. */ max_optbuf_len = optcom_max_optbuf_len(opt_arr, opt_arr_cnt); mp1 = allocb_tmpl(max_optbuf_len, mp); if (!mp1) goto no_mem; /* Initialize the header. */ mp1->b_datap->db_type = M_PCPROTO; mp1->b_wptr = &mp1->b_rptr[sizeof (struct T_optmgmt_ack)]; toa = (struct T_optmgmt_ack *)mp1->b_rptr; toa->OPT_offset = (t_scalar_t)sizeof (struct T_optmgmt_ack); toa->MGMT_flags = tor->MGMT_flags; /* * Walk through the input buffer again, this time adding * entries to the output buffer for each option requested. * Note, sanity of option header, last option etc, verified * in first pass. */ opt1 = (struct opthdr *)&toa[1]; for (opt = opt_start; opt < opt_end; opt = next_opt) { next_opt = (struct opthdr *)((uchar_t *)&opt[1] + _TPI_ALIGN_OPT(opt->len)); opt1->name = opt->name; opt1->level = opt->level; len = (*getfn)(q, opt->level, opt->name, (uchar_t *)&opt1[1]); /* * Failure means option is not recognized. Copy input * buffer as is */ if (len < 0) { opt1->len = opt->len; bcopy(&opt[1], &opt1[1], opt->len); } else { opt1->len = (t_uscalar_t)len; } opt1 = (struct opthdr *)((uchar_t *)&opt1[1] + _TPI_ALIGN_OPT(opt1->len)); } /* end for loop */ /* Record the final length. */ toa->OPT_length = (t_scalar_t)((uchar_t *)opt1 - (uchar_t *)&toa[1]); mp1->b_wptr = (uchar_t *)opt1; /* Ditch the input buffer. */ freemsg(mp); mp = mp1; break; case T_NEGOTIATE: /* * Here we are expecting that the response buffer is exactly * the same size as the input buffer. We pass each opthdr * to the protocol's set function. If the protocol doesn't * like it, it can update the value in it return argument. */ /* * Pass each negotiated option through the protocol set * function. * Note: sanity check on option header values done in first * pass and not repeated here. */ toa = (struct T_optmgmt_ack *)tor; for (opt = opt_start; opt < opt_end; opt = next_opt) { int error; next_opt = (struct opthdr *)((uchar_t *)&opt[1] + _TPI_ALIGN_OPT(opt->len)); error = (*setfn)(q, SETFN_OPTCOM_NEGOTIATE, opt->level, opt->name, opt->len, (uchar_t *)&opt[1], &opt->len, (uchar_t *)&opt[1], NULL, cr); /* * Treat positive "errors" as real. * Note: negative errors are to be treated as * non-fatal by svr4_optcom_req() and are * returned by setfn() when it is passed an * option it does not handle. Since the option * passed proto_opt_lookup(), it is implied that * it is valid but was either handled upstream * or will be handled downstream. */ if (error > 0) { optcom_err_ack(q, mp, TSYSERR, error); return; } /* * error < 0 means option is not recognized. */ } break; default: optcom_err_ack(q, mp, TBADFLAG, 0); return; } /* Set common fields in the header. */ toa->MGMT_flags = T_SUCCESS; mp->b_datap->db_type = M_PCPROTO; toa->PRIM_type = T_OPTMGMT_ACK; qreply(q, mp); return; bad_opt:; optcom_err_ack(q, mp, TBADOPT, 0); } /* * New optcom_req inspired by TPI/XTI semantics */ void tpi_optcom_req(queue_t *q, mblk_t *mp, cred_t *cr, optdb_obj_t *dbobjp) { t_scalar_t t_error; mblk_t *toa_mp; size_t toa_len; struct T_optmgmt_ack *toa; struct T_optmgmt_req *tor = (struct T_optmgmt_req *)mp->b_rptr; t_uscalar_t worst_status; /* Verify message integrity. */ if ((mp->b_wptr - mp->b_rptr) < sizeof (struct T_optmgmt_req)) { optcom_err_ack(q, mp, TBADOPT, 0); return; } /* Verify MGMT_flags legal */ switch (tor->MGMT_flags) { case T_DEFAULT: case T_NEGOTIATE: case T_CURRENT: case T_CHECK: /* OK - legal request flags */ break; default: optcom_err_ack(q, mp, TBADFLAG, 0); return; } /* * In this design, there are two passes required on the input buffer * mostly to accomodate variable length options and "T_ALLOPT" option * which has the semantics "all options of the specified level". * * For T_DEFAULT, T_NEGOTIATE, T_CURRENT, and T_CHECK requests, we make * a pass through the input buffer validating the details and making * sure each option is supported by the protocol. We also determine the * length of the option buffer to return. (Variable length options and * T_ALLOPT mean that length can be different for output buffer). */ toa_len = 0; /* initial value */ /* * First pass, we do the following * - estimate cumulative length needed for results * - set "status" field based on permissions, option header check * etc. */ if ((t_error = process_topthdrs_first_pass(mp, cr, dbobjp, &toa_len)) != 0) { optcom_err_ack(q, mp, t_error, 0); return; } /* * A validation phase of the input buffer is done. We have also * obtained the length requirement and and other details about the * input and we liked input buffer so far. We make another scan * through the input now and generate the output necessary to complete * the operation. */ toa_mp = allocb_tmpl(toa_len, mp); if (!toa_mp) { optcom_err_ack(q, mp, TSYSERR, ENOMEM); return; } /* * Set initial values for generating output. */ worst_status = T_SUCCESS; /* initial value */ /* * This routine makes another pass through the option buffer this * time acting on the request based on "status" result in the * first pass. It also performs "expansion" of T_ALLOPT into * all options of a certain level and acts on each for this request. */ if ((t_error = do_options_second_pass(q, mp, toa_mp, cr, dbobjp, &worst_status)) != 0) { freemsg(toa_mp); optcom_err_ack(q, mp, t_error, 0); return; } /* * Following code relies on the coincidence that T_optmgmt_req * and T_optmgmt_ack are identical in binary representation */ toa = (struct T_optmgmt_ack *)toa_mp->b_rptr; toa->OPT_length = (t_scalar_t)(toa_mp->b_wptr - (toa_mp->b_rptr + sizeof (struct T_optmgmt_ack))); toa->OPT_offset = (t_scalar_t)sizeof (struct T_optmgmt_ack); toa->MGMT_flags = tor->MGMT_flags; freemsg(mp); /* free input mblk */ toa->PRIM_type = T_OPTMGMT_ACK; toa_mp->b_datap->db_type = M_PCPROTO; toa->MGMT_flags |= worst_status; /* XXX "worst" or "OR" TPI ? */ qreply(q, toa_mp); } /* * Following routine makes a pass through option buffer in mp and performs the * following tasks. * - estimate cumulative length needed for results * - set "status" field based on permissions, option header check * etc. */ static t_scalar_t process_topthdrs_first_pass(mblk_t *mp, cred_t *cr, optdb_obj_t *dbobjp, size_t *toa_lenp) { opdes_t *opt_arr = dbobjp->odb_opt_des_arr; uint_t opt_arr_cnt = dbobjp->odb_opt_arr_cnt; optlevel_t *valid_level_arr = dbobjp->odb_valid_levels_arr; uint_t valid_level_arr_cnt = dbobjp->odb_valid_levels_arr_cnt; struct T_opthdr *opt; struct T_opthdr *opt_start, *opt_end; opdes_t *optd; size_t allopt_len; struct T_optmgmt_req *tor = (struct T_optmgmt_req *)mp->b_rptr; *toa_lenp = sizeof (struct T_optmgmt_ack); /* initial value */ if ((opt_start = (struct T_opthdr *) mi_offset_param(mp, tor->OPT_offset, tor->OPT_length)) == NULL) { return (TBADOPT); } if (!__TPI_TOPT_ISALIGNED(opt_start)) return (TBADOPT); opt_end = (struct T_opthdr *)((uchar_t *)opt_start + tor->OPT_length); for (opt = opt_start; opt && (opt < opt_end); opt = _TPI_TOPT_NEXTHDR(opt_start, tor->OPT_length, opt)) { /* * Validate the option for length and alignment * before accessing anything in it. */ if (!(_TPI_TOPT_VALID(opt, opt_start, opt_end))) return (TBADOPT); /* Find the option in the opt_arr. */ if (opt->name != T_ALLOPT) { optd = proto_opt_lookup(opt->level, opt->name, opt_arr, opt_arr_cnt); if (optd == NULL) { /* * Option not found * * Verify if level is "valid" or not. * Note: This check is required by XTI * * TPI provider always initializes * the "not supported" (or whatever) status * for the options. Other levels leave status * unchanged if they do not understand an * option. */ if (!opt_level_valid(opt->level, valid_level_arr, valid_level_arr_cnt)) return (TBADOPT); /* * level is valid - initialize * option as not supported */ opt->status = T_NOTSUPPORT; *toa_lenp += _TPI_ALIGN_TOPT(opt->len); continue; } } else { /* * Handle T_ALLOPT case as a special case. * Note: T_ALLOPT does not mean anything * for T_CHECK operation. */ allopt_len = 0; if (tor->MGMT_flags == T_CHECK || ((allopt_len = opt_level_allopts_lengths(opt->level, opt_arr, opt_arr_cnt)) == 0)) { /* * This is confusing but correct ! * It is not valid to to use T_ALLOPT with * T_CHECK flag. * * opt_level_allopts_lengths() is used to verify * that "level" associated with the T_ALLOPT is * supported. * */ opt->status = T_FAILURE; *toa_lenp += _TPI_ALIGN_TOPT(opt->len); continue; } ASSERT(allopt_len != 0); /* remove ? */ *toa_lenp += allopt_len; opt->status = T_SUCCESS; continue; } /* Additional checks dependent on operation. */ switch (tor->MGMT_flags) { case T_DEFAULT: case T_CURRENT: /* * The proto_opt_lookup() routine call above approved of * this option so we can work on the status for it * based on the permissions for the operation. (This * can override any status for it set at higher levels) * We assume this override is OK since chkfn at this * level approved of this option. * * T_CURRENT semantics: * The read access is required. Else option * status is T_NOTSUPPORT. * * T_DEFAULT semantics: * Note: specification is not clear on this but we * interpret T_DEFAULT semantics such that access to * read value is required for access even the default * value. Otherwise the option status is T_NOTSUPPORT. */ if (!OA_READ_PERMISSION(optd, cr)) { opt->status = T_NOTSUPPORT; *toa_lenp += _TPI_ALIGN_TOPT(opt->len); /* skip to next */ continue; } /* * T_DEFAULT/T_CURRENT semantics: * We know that read access is set. If no other access * is set, then status is T_READONLY. */ if (OA_READONLY_PERMISSION(optd, cr)) opt->status = T_READONLY; else opt->status = T_SUCCESS; /* * Option passes all checks. Make room for it in the * ack. Note: size stored in table does not include * space for option header. */ *toa_lenp += sizeof (struct T_opthdr) + _TPI_ALIGN_TOPT(optd->opdes_size); break; case T_CHECK: case T_NEGOTIATE: /* * T_NEGOTIATE semantics: * If for fixed length option value on input is not the * same as value supplied, then status is T_FAILURE. * * T_CHECK semantics: * If value is supplied, semantics same as T_NEGOTIATE. * It is however ok not to supply a value with T_CHECK. */ if (tor->MGMT_flags == T_NEGOTIATE || (opt->len != sizeof (struct T_opthdr))) { /* * Implies "value" is specified in T_CHECK or * it is a T_NEGOTIATE request. * Verify size. * Note: This can override anything about this * option request done at a higher level. */ if (opt->len < sizeof (struct T_opthdr) || !opt_length_ok(optd, opt->len - sizeof (struct T_opthdr))) { /* bad size */ *toa_lenp += _TPI_ALIGN_TOPT(opt->len); opt->status = T_FAILURE; continue; } } /* * The proto_opt_lookup() routine above() approved of * this option so we can work on the status for it based * on the permissions for the operation. (This can * override anything set at a higher level). * * T_CHECK/T_NEGOTIATE semantics: * Set status to T_READONLY if read is the only access * permitted */ if (OA_READONLY_PERMISSION(optd, cr)) { opt->status = T_READONLY; *toa_lenp += _TPI_ALIGN_TOPT(opt->len); /* skip to next */ continue; } /* * T_CHECK/T_NEGOTIATE semantics: * If write (or execute) access is not set, then status * is T_NOTSUPPORT. */ if (!OA_WRITE_OR_EXECUTE(optd, cr)) { opt->status = T_NOTSUPPORT; *toa_lenp += _TPI_ALIGN_TOPT(opt->len); /* skip to next option */ continue; } /* * Option passes all checks. Make room for it in the * ack and set success in status. * Note: size stored in table does not include header * length. */ opt->status = T_SUCCESS; *toa_lenp += sizeof (struct T_opthdr) + _TPI_ALIGN_TOPT(optd->opdes_size); break; default: return (TBADFLAG); } } /* for loop scanning input buffer */ return (0); /* OK return */ } /* * This routine makes another pass through the option buffer this * time acting on the request based on "status" result in the * first pass. It also performs "expansion" of T_ALLOPT into * all options of a certain level and acts on each for this request. */ static t_scalar_t do_options_second_pass(queue_t *q, mblk_t *reqmp, mblk_t *ack_mp, cred_t *cr, optdb_obj_t *dbobjp, t_uscalar_t *worst_statusp) { int failed_option; struct T_opthdr *opt; struct T_opthdr *opt_start, *opt_end; uchar_t *optr; uint_t optset_context; struct T_optmgmt_req *tor = (struct T_optmgmt_req *)reqmp->b_rptr; optr = (uchar_t *)ack_mp->b_rptr + sizeof (struct T_optmgmt_ack); /* assumed int32_t aligned */ /* * Set initial values for scanning input */ opt_start = (struct T_opthdr *)mi_offset_param(reqmp, tor->OPT_offset, tor->OPT_length); if (opt_start == NULL) return (TBADOPT); opt_end = (struct T_opthdr *)((uchar_t *)opt_start + tor->OPT_length); ASSERT(__TPI_TOPT_ISALIGNED(opt_start)); /* verified in first pass */ for (opt = opt_start; opt && (opt < opt_end); opt = _TPI_TOPT_NEXTHDR(opt_start, tor->OPT_length, opt)) { /* verified in first pass */ ASSERT(_TPI_TOPT_VALID(opt, opt_start, opt_end)); /* * If the first pass in process_topthdrs_first_pass() * has marked the option as a failure case for the MGMT_flags * semantics then there is not much to do. * * Note: For all practical purposes, T_READONLY status is * a "success" for T_DEFAULT/T_CURRENT and "failure" for * T_CHECK/T_NEGOTIATE */ failed_option = (opt->status == T_NOTSUPPORT) || (opt->status == T_FAILURE) || ((tor->MGMT_flags & (T_NEGOTIATE|T_CHECK)) && (opt->status == T_READONLY)); if (failed_option) { /* * According to T_DEFAULT/T_CURRENT semantics, the * input values, even if present, are to be ignored. * Note: Specification is not clear on this, but we * interpret that even though we ignore the values, we * can return them as is. So we process them similar to * T_CHECK/T_NEGOTIATE case which has the semantics to * return the values as is. XXX If interpretation is * ever determined incorrect fill in appropriate code * here to treat T_DEFAULT/T_CURRENT differently. * * According to T_CHECK/T_NEGOTIATE semantics, * in the case of T_NOTSUPPORT/T_FAILURE/T_READONLY, * the semantics are to return the "value" part of * option untouched. So here we copy the option * head including value part if any to output. */ bcopy(opt, optr, opt->len); optr += _TPI_ALIGN_TOPT(opt->len); *worst_statusp = get_worst_status(opt->status, *worst_statusp); /* skip to process next option in buffer */ continue; } /* end if "failed option" */ /* * The status is T_SUCCESS or T_READONLY * We process the value part here */ ASSERT(opt->status == T_SUCCESS || opt->status == T_READONLY); switch (tor->MGMT_flags) { case T_DEFAULT: /* * We fill default value from table or protocol specific * function. If this call fails, we pass input through. */ if (do_opt_default(q, opt, &optr, worst_statusp, cr, dbobjp) < 0) { opt->status = T_FAILURE; bcopy(opt, optr, opt->len); optr += _TPI_ALIGN_TOPT(opt->len); *worst_statusp = get_worst_status(opt->status, *worst_statusp); } break; case T_CURRENT: do_opt_current(q, opt, &optr, worst_statusp, cr, dbobjp); break; case T_CHECK: case T_NEGOTIATE: if (tor->MGMT_flags == T_CHECK) optset_context = SETFN_OPTCOM_CHECKONLY; else /* T_NEGOTIATE */ optset_context = SETFN_OPTCOM_NEGOTIATE; do_opt_check_or_negotiate(q, opt, optset_context, &optr, worst_statusp, cr, dbobjp); break; default: return (TBADFLAG); } } /* end for loop scanning option buffer */ ack_mp->b_wptr = optr; ASSERT(ack_mp->b_wptr <= ack_mp->b_datap->db_lim); return (0); /* OK return */ } static t_uscalar_t get_worst_status(t_uscalar_t status, t_uscalar_t current_worst_status) { /* * Return the "worst" among the arguments "status" and * "current_worst_status". * * Note: Tracking "worst_status" can be made a bit simpler * if we use the property that status codes are bitwise * distinct. * * The pecking order is * * T_SUCCESS ..... best * T_PARTSUCCESS * T_FAILURE * T_READONLY * T_NOTSUPPORT... worst */ if (status == current_worst_status) return (current_worst_status); switch (current_worst_status) { case T_SUCCESS: if (status == T_PARTSUCCESS) return (T_PARTSUCCESS); /* FALLTHROUGH */ case T_PARTSUCCESS: if (status == T_FAILURE) return (T_FAILURE); /* FALLTHROUGH */ case T_FAILURE: if (status == T_READONLY) return (T_READONLY); /* FALLTHROUGH */ case T_READONLY: if (status == T_NOTSUPPORT) return (T_NOTSUPPORT); /* FALLTHROUGH */ case T_NOTSUPPORT: default: return (current_worst_status); } } static int do_opt_default(queue_t *q, struct T_opthdr *reqopt, uchar_t **resptrp, t_uscalar_t *worst_statusp, cred_t *cr, optdb_obj_t *dbobjp) { pfi_t deffn = dbobjp->odb_deffn; opdes_t *opt_arr = dbobjp->odb_opt_des_arr; uint_t opt_arr_cnt = dbobjp->odb_opt_arr_cnt; struct T_opthdr *topth; opdes_t *optd; if (reqopt->name != T_ALLOPT) { /* * lookup the option in the table and fill default value */ optd = proto_opt_lookup(reqopt->level, reqopt->name, opt_arr, opt_arr_cnt); /* Calling routine should have verified it it exists */ ASSERT(optd != NULL); topth = (struct T_opthdr *)(*resptrp); topth->level = reqopt->level; topth->name = reqopt->name; topth->status = reqopt->status; *worst_statusp = get_worst_status(reqopt->status, *worst_statusp); if (optd->opdes_props & OP_NODEFAULT) { /* header only, no default "value" part */ topth->len = sizeof (struct T_opthdr); *resptrp += sizeof (struct T_opthdr); } else { int deflen; if (optd->opdes_props & OP_DEF_FN) { deflen = (*deffn)(q, reqopt->level, reqopt->name, _TPI_TOPT_DATA(topth)); if (deflen >= 0) { topth->len = (t_uscalar_t) (sizeof (struct T_opthdr) + deflen); } else { /* * return error, this should 'pass * through' the option and maybe some * other level will fill it in or * already did. * (No change in 'resptrp' upto here) */ return (-1); } } else { /* fill length and value part */ switch (optd->opdes_size) { /* * Since options are guaranteed aligned only * on a 4 byte boundary (t_scalar_t) any * option that is greater in size will default * to the bcopy below */ case sizeof (int32_t): *(int32_t *)_TPI_TOPT_DATA(topth) = (int32_t)optd->opdes_default; break; case sizeof (int16_t): *(int16_t *)_TPI_TOPT_DATA(topth) = (int16_t)optd->opdes_default; break; case sizeof (int8_t): *(int8_t *)_TPI_TOPT_DATA(topth) = (int8_t)optd->opdes_default; break; default: /* * other length but still assume * fixed - use bcopy */ bcopy(optd->opdes_defbuf, _TPI_TOPT_DATA(topth), optd->opdes_size); break; } topth->len = (t_uscalar_t)(optd->opdes_size + sizeof (struct T_opthdr)); } *resptrp += _TPI_ALIGN_TOPT(topth->len); } return (0); /* OK return */ } /* * T_ALLOPT processing * * lookup and stuff default values of all the options of the * level specified */ for (optd = opt_arr; optd < &opt_arr[opt_arr_cnt]; optd++) { if (reqopt->level != optd->opdes_level) continue; /* * * T_DEFAULT semantics: * XXX: we interpret T_DEFAULT semantics such that access to * read value is required for access even the default value. * Else option is ignored for T_ALLOPT request. */ if (!OA_READ_PERMISSION(optd, cr)) /* skip this one */ continue; /* * Found option of same level as T_ALLOPT request * that we can return. */ topth = (struct T_opthdr *)(*resptrp); topth->level = optd->opdes_level; topth->name = optd->opdes_name; /* * T_DEFAULT semantics: * We know that read access is set. If no other access is set, * then status is T_READONLY */ if (OA_READONLY_PERMISSION(optd, cr)) { topth->status = T_READONLY; *worst_statusp = get_worst_status(T_READONLY, *worst_statusp); } else { topth->status = T_SUCCESS; /* * Note: *worst_statusp has to be T_SUCCESS or * worse so no need to adjust */ } if (optd->opdes_props & OP_NODEFAULT) { /* header only, no value part */ topth->len = sizeof (struct T_opthdr); *resptrp += sizeof (struct T_opthdr); } else { int deflen; if (optd->opdes_props & OP_DEF_FN) { deflen = (*deffn)(q, reqopt->level, reqopt->name, _TPI_TOPT_DATA(topth)); if (deflen >= 0) { topth->len = (t_uscalar_t)(deflen + sizeof (struct T_opthdr)); } else { /* * deffn failed. * return just the header as T_ALLOPT * expansion. * Some other level deffn may * supply value part. */ topth->len = sizeof (struct T_opthdr); topth->status = T_FAILURE; *worst_statusp = get_worst_status(T_FAILURE, *worst_statusp); } } else { /* * fill length and value part from * table */ switch (optd->opdes_size) { /* * Since options are guaranteed aligned only * on a 4 byte boundary (t_scalar_t) any * option that is greater in size will default * to the bcopy below */ case sizeof (int32_t): *(int32_t *)_TPI_TOPT_DATA(topth) = (int32_t)optd->opdes_default; break; case sizeof (int16_t): *(int16_t *)_TPI_TOPT_DATA(topth) = (int16_t)optd->opdes_default; break; case sizeof (int8_t): *(int8_t *)_TPI_TOPT_DATA(topth) = (int8_t)optd->opdes_default; break; default: /* * other length but still assume * fixed - use bcopy */ bcopy(optd->opdes_defbuf, _TPI_TOPT_DATA(topth), optd->opdes_size); } topth->len = (t_uscalar_t)(optd->opdes_size + sizeof (struct T_opthdr)); } *resptrp += _TPI_ALIGN_TOPT(topth->len); } } return (0); } static void do_opt_current(queue_t *q, struct T_opthdr *reqopt, uchar_t **resptrp, t_uscalar_t *worst_statusp, cred_t *cr, optdb_obj_t *dbobjp) { pfi_t getfn = dbobjp->odb_getfn; opdes_t *opt_arr = dbobjp->odb_opt_des_arr; uint_t opt_arr_cnt = dbobjp->odb_opt_arr_cnt; struct T_opthdr *topth; opdes_t *optd; int optlen; uchar_t *initptr = *resptrp; /* * We call getfn to get the current value of an option. The call may * fail in which case we copy the values from the input buffer. Maybe * something downstream will fill it in or something upstream did. */ if (reqopt->name != T_ALLOPT) { topth = (struct T_opthdr *)*resptrp; *resptrp += sizeof (struct T_opthdr); optlen = (*getfn)(q, reqopt->level, reqopt->name, *resptrp); if (optlen >= 0) { topth->len = (t_uscalar_t)(optlen + sizeof (struct T_opthdr)); topth->level = reqopt->level; topth->name = reqopt->name; topth->status = reqopt->status; *resptrp += _TPI_ALIGN_TOPT(optlen); *worst_statusp = get_worst_status(topth->status, *worst_statusp); } else { /* failed - reset "*resptrp" pointer */ *resptrp -= sizeof (struct T_opthdr); } } else { /* T_ALLOPT processing */ /* scan and get all options */ for (optd = opt_arr; optd < &opt_arr[opt_arr_cnt]; optd++) { /* skip other levels */ if (reqopt->level != optd->opdes_level) continue; if (!OA_READ_PERMISSION(optd, cr)) /* skip this one */ continue; topth = (struct T_opthdr *)*resptrp; *resptrp += sizeof (struct T_opthdr); /* get option of this level */ optlen = (*getfn)(q, reqopt->level, optd->opdes_name, *resptrp); if (optlen >= 0) { /* success */ topth->len = (t_uscalar_t)(optlen + sizeof (struct T_opthdr)); topth->level = reqopt->level; topth->name = optd->opdes_name; if (OA_READONLY_PERMISSION(optd, cr)) topth->status = T_READONLY; else topth->status = T_SUCCESS; *resptrp += _TPI_ALIGN_TOPT(optlen); } else { /* * failed, return as T_FAILURE and null value * part. Maybe something downstream will * handle this one and fill in a value. Here * it is just part of T_ALLOPT expansion. */ topth->len = sizeof (struct T_opthdr); topth->level = reqopt->level; topth->name = optd->opdes_name; topth->status = T_FAILURE; } *worst_statusp = get_worst_status(topth->status, *worst_statusp); } /* end for loop */ } if (*resptrp == initptr) { /* * getfn failed and does not want to handle this option. */ reqopt->status = T_FAILURE; bcopy(reqopt, *resptrp, reqopt->len); *resptrp += _TPI_ALIGN_TOPT(reqopt->len); *worst_statusp = get_worst_status(reqopt->status, *worst_statusp); } } static void do_opt_check_or_negotiate(queue_t *q, struct T_opthdr *reqopt, uint_t optset_context, uchar_t **resptrp, t_uscalar_t *worst_statusp, cred_t *cr, optdb_obj_t *dbobjp) { pfi_t deffn = dbobjp->odb_deffn; opt_set_fn setfn = dbobjp->odb_setfn; opdes_t *opt_arr = dbobjp->odb_opt_des_arr; uint_t opt_arr_cnt = dbobjp->odb_opt_arr_cnt; struct T_opthdr *topth; opdes_t *optd; int error; t_uscalar_t optlen; t_scalar_t optsize; uchar_t *initptr = *resptrp; ASSERT(reqopt->status == T_SUCCESS); if (reqopt->name != T_ALLOPT) { topth = (struct T_opthdr *)*resptrp; *resptrp += sizeof (struct T_opthdr); error = (*setfn)(q, optset_context, reqopt->level, reqopt->name, reqopt->len - sizeof (struct T_opthdr), _TPI_TOPT_DATA(reqopt), &optlen, _TPI_TOPT_DATA(topth), NULL, cr); if (error) { /* failed - reset "*resptrp" */ *resptrp -= sizeof (struct T_opthdr); } else { /* * success - "value" already filled in setfn() */ topth->len = (t_uscalar_t)(optlen + sizeof (struct T_opthdr)); topth->level = reqopt->level; topth->name = reqopt->name; topth->status = reqopt->status; *resptrp += _TPI_ALIGN_TOPT(optlen); *worst_statusp = get_worst_status(topth->status, *worst_statusp); } } else { /* T_ALLOPT processing */ /* only for T_NEGOTIATE case */ ASSERT(optset_context == SETFN_OPTCOM_NEGOTIATE); /* scan and set all options to default value */ for (optd = opt_arr; optd < &opt_arr[opt_arr_cnt]; optd++) { /* skip other levels */ if (reqopt->level != optd->opdes_level) continue; if (OA_EXECUTE_PERMISSION(optd, cr) || OA_NO_PERMISSION(optd, cr)) { /* * skip this one too. Does not make sense to * set anything to default value for "execute" * options. */ continue; } if (OA_READONLY_PERMISSION(optd, cr)) { /* * Return with T_READONLY status (and no value * part). Note: spec is not clear but * XTI test suite needs this. */ topth = (struct T_opthdr *)*resptrp; topth->len = sizeof (struct T_opthdr); *resptrp += topth->len; topth->level = reqopt->level; topth->name = optd->opdes_name; topth->status = T_READONLY; *worst_statusp = get_worst_status(topth->status, *worst_statusp); continue; } /* * It is not read only or execute type * the it must have write permission */ ASSERT(OA_WRITE_PERMISSION(optd, cr)); topth = (struct T_opthdr *)*resptrp; *resptrp += sizeof (struct T_opthdr); topth->len = sizeof (struct T_opthdr); topth->level = reqopt->level; topth->name = optd->opdes_name; if (optd->opdes_props & OP_NODEFAULT) { /* * Option of "no default value" so it does not * make sense to try to set it. We just return * header with status of T_SUCCESS * XXX should this be failure ? */ topth->status = T_SUCCESS; continue; /* skip setting */ } if (optd->opdes_props & OP_DEF_FN) { if ((optd->opdes_props & OP_VARLEN) || ((optsize = (*deffn)(q, reqopt->level, optd->opdes_name, (uchar_t *)optd->opdes_defbuf)) < 0)) { /* XXX - skip these too */ topth->status = T_SUCCESS; continue; /* skip setting */ } } else { optsize = optd->opdes_size; } /* set option of this level */ error = (*setfn)(q, SETFN_OPTCOM_NEGOTIATE, reqopt->level, optd->opdes_name, optsize, (uchar_t *)optd->opdes_defbuf, &optlen, _TPI_TOPT_DATA(topth), NULL, cr); if (error) { /* * failed, return as T_FAILURE and null value * part. Maybe something downstream will * handle this one and fill in a value. Here * it is just part of T_ALLOPT expansion. */ topth->status = T_FAILURE; *worst_statusp = get_worst_status(topth->status, *worst_statusp); } else { /* success */ topth->len += optlen; topth->status = T_SUCCESS; *resptrp += _TPI_ALIGN_TOPT(optlen); } } /* end for loop */ /* END T_ALLOPT */ } if (*resptrp == initptr) { /* * setfn failed and does not want to handle this option. */ reqopt->status = T_FAILURE; bcopy(reqopt, *resptrp, reqopt->len); *resptrp += _TPI_ALIGN_TOPT(reqopt->len); *worst_statusp = get_worst_status(reqopt->status, *worst_statusp); } } /* * The following routines process options buffer passed with * T_CONN_REQ, T_CONN_RES and T_UNITDATA_REQ. * This routine does the consistency check applied to the * sanity of formatting of multiple options packed in the * buffer. * * XTI brain damage alert: * XTI interface adopts the notion of an option being an * "absolute requirement" from OSI transport service (but applies * it to all transports including Internet transports). * The main effect of that is action on failure to "negotiate" a * requested option to the exact requested value * * - if the option is an "absolute requirement", the primitive * is aborted (e.g T_DISCON_REQ or T_UDERR generated) * - if the option is NOT and "absolute requirement" it can * just be ignored. * * We would not support "negotiating" of options on connection * primitives for Internet transports. However just in case we * forced to in order to pass strange test suites, the design here * tries to support these notions. * * tpi_optcom_buf(q, mp, opt_lenp, opt_offset, cred, dbobjp, thisdg_attrs, * *is_absreq_failurep) * * - Verify the option buffer, if formatted badly, return error 1 * * - If it is a "permissions" failure (read-only), return error 2 * * - Else, process the option "in place", the following can happen, * - if a "privileged" option, mark it as "ignored". * - if "not supported", mark "ignored" * - if "supported" attempt negotiation and fill result in * the outcome * - if "absolute requirement", set "*is_absreq_failurep" * - if NOT an "absolute requirement", then our * interpretation is to mark is at ignored if * negotiation fails (Spec allows partial success * as in OSI protocols but not failure) * * Then delete "ignored" options from option buffer and return success. * */ int tpi_optcom_buf(queue_t *q, mblk_t *mp, t_scalar_t *opt_lenp, t_scalar_t opt_offset, cred_t *cr, optdb_obj_t *dbobjp, void *thisdg_attrs, int *is_absreq_failurep) { opt_set_fn setfn = dbobjp->odb_setfn; opdes_t *opt_arr = dbobjp->odb_opt_des_arr; uint_t opt_arr_cnt = dbobjp->odb_opt_arr_cnt; struct T_opthdr *opt, *opt_start, *opt_end; mblk_t *copy_mp_head; uchar_t *optr, *init_optr; opdes_t *optd; uint_t optset_context; t_uscalar_t olen; int error = 0; ASSERT((uchar_t *)opt_lenp > mp->b_rptr && (uchar_t *)opt_lenp < mp->b_wptr); copy_mp_head = NULL; *is_absreq_failurep = 0; switch (((union T_primitives *)mp->b_rptr)->type) { case T_CONN_REQ: case T_CONN_RES: optset_context = SETFN_CONN_NEGOTIATE; break; case T_UNITDATA_REQ: optset_context = SETFN_UD_NEGOTIATE; break; default: /* * should never get here, all possible TPI primitives * where this can be called from should be accounted * for in the cases above */ return (EINVAL); } if ((opt_start = (struct T_opthdr *) mi_offset_param(mp, opt_offset, *opt_lenp)) == NULL) { error = ENOPROTOOPT; goto error_ret; } if (!__TPI_TOPT_ISALIGNED(opt_start)) { error = ENOPROTOOPT; goto error_ret; } opt_end = (struct T_opthdr *)((uchar_t *)opt_start + *opt_lenp); if ((copy_mp_head = copyb(mp)) == (mblk_t *)NULL) { error = ENOMEM; goto error_ret; } init_optr = optr = (uchar_t *)©_mp_head->b_rptr[opt_offset]; for (opt = opt_start; opt && (opt < opt_end); opt = _TPI_TOPT_NEXTHDR(opt_start, *opt_lenp, opt)) { /* * Validate the option for length and alignment * before accessing anything in it */ if (!_TPI_TOPT_VALID(opt, opt_start, opt_end)) { error = ENOPROTOOPT; goto error_ret; } /* Find the option in the opt_arr. */ optd = proto_opt_lookup(opt->level, opt->name, opt_arr, opt_arr_cnt); if (optd == NULL) { /* * Option not found */ opt->status = T_NOTSUPPORT; continue; } /* * Weird but as in XTI spec. * Sec 6.3.6 "Privileged and ReadOnly Options" * Permission problems (e.g.readonly) fail with bad access * BUT "privileged" option request from those NOT PRIVILEGED * are to be merely "ignored". * XXX Prevents "probing" of privileged options ? */ if (OA_READONLY_PERMISSION(optd, cr)) { error = EACCES; goto error_ret; } if (OA_MATCHED_PRIV(optd, cr)) { /* * For privileged options, we DO perform * access checks as is common sense */ if (!OA_WX_ANYPRIV(optd)) { error = EACCES; goto error_ret; } } else { /* * For non privileged, we fail instead following * "ignore" semantics dictated by XTI spec for * permissions problems. * Sec 6.3.6 "Privileged and ReadOnly Options" * XXX Should we do "ignore" semantics ? */ if (!OA_WX_NOPRIV(optd)) { /* nopriv */ opt->status = T_FAILURE; continue; } } /* * * If the negotiation fails, for options that * are "absolute requirement", it is a fatal error. * For options that are NOT "absolute requirements", * and the value fails to negotiate, the XTI spec * only considers the possibility of partial success * (T_PARTSUCCES - not likely for Internet protocols). * The spec is in denial about complete failure * (T_FAILURE) to negotiate for options that are * carried on T_CONN_REQ/T_CONN_RES/T_UNITDATA * We interpret the T_FAILURE to negotiate an option * that is NOT an absolute requirement that it is safe * to ignore it. */ /* verify length */ if (opt->len < (t_uscalar_t)sizeof (struct T_opthdr) || !opt_length_ok(optd, opt->len - sizeof (struct T_opthdr))) { /* bad size */ if ((optd->opdes_props & OP_NOT_ABSREQ) == 0) { /* option is absolute requirement */ *is_absreq_failurep = 1; error = EINVAL; goto error_ret; } opt->status = T_FAILURE; continue; } /* * verified generic attributes. Now call set function. * Note: We assume the following to simplify code. * XXX If this is found not to be valid, this routine * will need to be rewritten. At this point it would * be premature to introduce more complexity than is * needed. * Assumption: For variable length options, we assume * that the value returned will be same or less length * (size does not increase). This makes it OK to pass the * same space for output as it is on input. */ error = (*setfn)(q, optset_context, opt->level, opt->name, opt->len - (t_uscalar_t)sizeof (struct T_opthdr), _TPI_TOPT_DATA(opt), &olen, _TPI_TOPT_DATA(opt), thisdg_attrs, cr); if (olen > (int)(opt->len - sizeof (struct T_opthdr))) { /* * Space on output more than space on input. Should * not happen and we consider it a bug/error. * More of a restriction than an error in our * implementation. Will see if we can live with this * otherwise code will get more hairy with multiple * passes. */ error = EINVAL; goto error_ret; } if (error != 0) { if ((optd->opdes_props & OP_NOT_ABSREQ) == 0) { /* option is absolute requirement. */ *is_absreq_failurep = 1; goto error_ret; } /* * failed - but option "not an absolute * requirement" */ opt->status = T_FAILURE; continue; } /* * Fill in the only possible successful result * (Note: TPI allows for T_PARTSUCCESS - partial * sucess result code which is relevant in OSI world * and not possible in Internet code) */ opt->status = T_SUCCESS; /* * Add T_SUCCESS result code options to the "output" options. * No T_FAILURES or T_NOTSUPPORT here as they are to be * ignored. * This code assumes output option buffer will * be <= input option buffer. * * Copy option header+value */ bcopy(opt, optr, opt->len); optr += _TPI_ALIGN_TOPT(opt->len); } /* * Overwrite the input mblk option buffer now with the output * and update length, and contents in original mbl * (offset remains unchanged). */ *opt_lenp = (t_scalar_t)(optr - init_optr); if (*opt_lenp > 0) { bcopy(init_optr, opt_start, *opt_lenp); } error_ret: if (copy_mp_head != NULL) freeb(copy_mp_head); return (error); } static boolean_t opt_level_valid(t_uscalar_t level, optlevel_t *valid_level_arr, uint_t valid_level_arr_cnt) { optlevel_t *olp; for (olp = valid_level_arr; olp < &valid_level_arr[valid_level_arr_cnt]; olp++) { if (level == (uint_t)(*olp)) return (B_TRUE); } return (B_FALSE); } /* * Compute largest possible size for an option buffer containing * all options in one buffer. * * XXX TBD, investigate use of opt_bloated_maxsize() to avoid * wastefully large buffer allocation. */ static size_t opt_level_allopts_lengths(t_uscalar_t level, opdes_t *opt_arr, uint_t opt_arr_cnt) { opdes_t *optd; size_t allopt_len = 0; /* 0 implies no option at this level */ /* * Scan opt_arr computing aggregate length * requirement for storing values of all * options. * Note: we do not filter for permissions * etc. This will be >= the real aggregate * length required (upper bound). */ for (optd = opt_arr; optd < &opt_arr[opt_arr_cnt]; optd++) { if (level == optd->opdes_level) { allopt_len += sizeof (struct T_opthdr) + _TPI_ALIGN_TOPT(optd->opdes_size); } } return (allopt_len); /* 0 implies level not found */ } /* * Compute largest possible size for an option buffer containing * all options in one buffer - a (theoretical?) worst case scenario * for certain cases. */ t_uscalar_t optcom_max_optbuf_len(opdes_t *opt_arr, uint_t opt_arr_cnt) { t_uscalar_t max_optbuf_len = sizeof (struct T_info_ack); opdes_t *optd; for (optd = opt_arr; optd < &opt_arr[opt_arr_cnt]; optd++) { max_optbuf_len += (t_uscalar_t)sizeof (struct T_opthdr) + (t_uscalar_t)_TPI_ALIGN_TOPT(optd->opdes_size); } return (max_optbuf_len); } /* * Compute largest possible size for OPT_size for a transport. * Heuristic used is to add all but certain extremely large * size options; this is done by calling opt_bloated_maxsize(). * It affects user level allocations in TLI/XTI code using t_alloc() * and other TLI/XTI implementation instance strucutures. * The large size options excluded are presumed to be * never accessed through the (theoretical?) worst case code paths * through TLI/XTI as they are currently IPv6 specific options. */ t_uscalar_t optcom_max_optsize(opdes_t *opt_arr, uint_t opt_arr_cnt) { t_uscalar_t max_optbuf_len = sizeof (struct T_info_ack); opdes_t *optd; for (optd = opt_arr; optd < &opt_arr[opt_arr_cnt]; optd++) { if (!opt_bloated_maxsize(optd)) { max_optbuf_len += (t_uscalar_t)sizeof (struct T_opthdr) + (t_uscalar_t)_TPI_ALIGN_TOPT(optd->opdes_size); } } return (max_optbuf_len); } /* * The theoretical model used in optcom_max_optsize() and * opt_level_allopts_lengths() accounts for the worst case of all * possible options for the theoretical cases and results in wasteful * memory allocations for certain theoretically correct usage scenarios. * In practice, the "features" they support are rarely, if ever, * used and even then only by test suites for those features (VSU, VST). * However, they result in large allocations due to the increased transport * T_INFO_ACK OPT_size field affecting t_alloc() users and TLI/XTI library * instance data structures for applications. * * The following routine opt_bloated_maxsize() supports a hack that avoids * paying the tax for the bloated options by excluding them and pretending * they don't exist for certain features without affecting features that * do use them. * * XXX Currently implemented only for optcom_max_optsize() * (to reduce risk late in release). * TBD for future, investigate use in optcom_level_allopts_lengths() and * all the instances of T_ALLOPT processing to exclude "bloated options". * Will not affect VSU/VST tests as they do not test with IPPROTO_IPV6 * level options which are the only ones that fit the "bloated maxsize" * option profile now. */ static boolean_t opt_bloated_maxsize(opdes_t *optd) { if (optd->opdes_level != IPPROTO_IPV6) return (B_FALSE); switch (optd->opdes_name) { case IPV6_HOPOPTS: case IPV6_DSTOPTS: case IPV6_RTHDRDSTOPTS: case IPV6_RTHDR: case IPV6_PATHMTU: return (B_TRUE); default: break; } return (B_FALSE); } /* * optlen is the length of the option content * Caller should check the optlen is at least sizeof (struct T_opthdr) */ static boolean_t opt_length_ok(opdes_t *optd, t_uscalar_t optlen) { /* * Verify length. * Value specified should match length of fixed length option or be * less than maxlen of variable length option. */ if (optd->opdes_props & OP_VARLEN) { if (optlen <= optd->opdes_size) return (B_TRUE); } else { /* fixed length option */ if (optlen == optd->opdes_size) return (B_TRUE); } return (B_FALSE); } /* * This routine manages the allocation and free of the space for * an extension header or option. Returns failure if memory * can not be allocated. */ int optcom_pkt_set(uchar_t *invalp, uint_t inlen, uchar_t **optbufp, uint_t *optlenp) { uchar_t *optbuf; uchar_t *optp; if (inlen == *optlenp) { /* Unchanged length - no need to reallocate */ optp = *optbufp; bcopy(invalp, optp, inlen); return (0); } if (inlen > 0) { /* Allocate new buffer before free */ optbuf = kmem_alloc(inlen, KM_NOSLEEP); if (optbuf == NULL) return (ENOMEM); } else { optbuf = NULL; } /* Free old buffer */ if (*optlenp != 0) kmem_free(*optbufp, *optlenp); if (inlen > 0) bcopy(invalp, optbuf, inlen); *optbufp = optbuf; *optlenp = inlen; return (0); } int process_auxiliary_options(conn_t *connp, void *control, t_uscalar_t controllen, void *optbuf, optdb_obj_t *dbobjp, int (*opt_set_fn)(conn_t *, uint_t, int, int, uint_t, uchar_t *, uint_t *, uchar_t *, void *, cred_t *), cred_t *cr) { struct cmsghdr *cmsg; opdes_t *optd; t_uscalar_t outlen; int error = EOPNOTSUPP; t_uscalar_t len; uint_t opt_arr_cnt = dbobjp->odb_opt_arr_cnt; opdes_t *opt_arr = dbobjp->odb_opt_des_arr; for (cmsg = (struct cmsghdr *)control; CMSG_VALID(cmsg, control, (uintptr_t)control + controllen); cmsg = CMSG_NEXT(cmsg)) { len = (t_uscalar_t)CMSG_CONTENTLEN(cmsg); /* Find the option in the opt_arr. */ optd = proto_opt_lookup(cmsg->cmsg_level, cmsg->cmsg_type, opt_arr, opt_arr_cnt); if (optd == NULL) { return (EINVAL); } if (OA_READONLY_PERMISSION(optd, cr)) { return (EACCES); } if (OA_MATCHED_PRIV(optd, cr)) { /* * For privileged options, we DO perform * access checks as is common sense */ if (!OA_WX_ANYPRIV(optd)) { return (EACCES); } } else { /* * For non privileged, we fail instead following * "ignore" semantics dictated by XTI spec for * permissions problems. */ if (!OA_WX_NOPRIV(optd)) { /* nopriv */ return (EACCES); } } error = opt_set_fn(connp, SETFN_UD_NEGOTIATE, optd->opdes_level, optd->opdes_name, len, (uchar_t *)CMSG_CONTENT(cmsg), &outlen, (uchar_t *)CMSG_CONTENT(cmsg), optbuf, cr); if (error > 0) { return (error); } else if (outlen > len) { return (EINVAL); } else { /* * error can be -ve if the protocol wants to * pass the option to IP. We donot pass auxiliary * options to IP. */ error = 0; } } return (error); }
