From 7a6078f0122271f97944ed9a9db4d134badff676 Mon Sep 17 00:00:00 2001
From: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Date: Fri, 5 Feb 2016 08:33:32 -0200
Subject: [PATCH] packets: fix compose_nd to not crash system

packet_set_ipv6 and packet_set_nd assumed that valid packets were already in
place, so they were not a good fit for composing new packets. In fact,
packet_set_ipv6 didn't even set the IP version or set L4 offset, causing crashes
when compose_nd tried to access L4.

This patch introduces ipv6_compose and uses it for compose_nd, then set the ND
packets without other helpers.

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
---
 lib/packets.c | 46 ++++++++++++++++++++++++++++++++++++++--------
 lib/packets.h |  3 +++
 2 files changed, 41 insertions(+), 8 deletions(-)

diff --git a/lib/packets.c b/lib/packets.c
index b5d141a35..17d468af0 100644
--- a/lib/packets.c
+++ b/lib/packets.c
@@ -1288,6 +1288,24 @@ compose_arp(struct dp_packet *b, uint16_t arp_op,
     dp_packet_set_l3(b, arp);
 }
 
+void
+ipv6_compose(struct dp_packet *packet, uint8_t proto,
+             const struct in6_addr *src, const struct in6_addr *dst,
+             uint8_t key_tc, ovs_be32 key_fl, uint8_t key_hl)
+{
+    struct ovs_16aligned_ip6_hdr *ip6 = dp_packet_l3(packet);
+    ovs_be32 old_flow;
+    ip6->ip6_vfc = 0x60;
+    ip6->ip6_nxt = proto;
+    ip6->ip6_hlim = key_hl;
+    ip6->ip6_plen = 0;
+    old_flow = get_16aligned_be32(&ip6->ip6_flow) & htonl(0xF00FFFFF | ~IPV6_LABEL_MASK);
+    put_16aligned_be32(&ip6->ip6_flow, old_flow | key_fl | htonl(key_tc << 20));
+    memcpy(&ip6->ip6_src, src, sizeof(ovs_be32[4]));
+    memcpy(&ip6->ip6_dst, dst, sizeof(ovs_be32[4]));
+    dp_packet_set_l4(packet, ip6 + 1);
+}
+
 void
 compose_nd(struct dp_packet *b, const struct eth_addr eth_src,
            struct in6_addr * ipv6_src, struct in6_addr * ipv6_dst)
@@ -1296,26 +1314,38 @@ compose_nd(struct dp_packet *b, const struct eth_addr eth_src,
     struct eth_addr eth_dst;
     struct ovs_nd_msg *ns;
     struct ovs_nd_opt *nd_opt;
+    struct ovs_16aligned_ip6_hdr *ip6;
+    size_t plen = ND_MSG_LEN + ND_OPT_LEN;
+    uint32_t csum;
 
     in6_addr_solicited_node(&sn_addr, ipv6_dst);
     ipv6_multicast_to_ethernet(&eth_dst, &sn_addr);
 
-    eth_compose(b, eth_dst, eth_src, ETH_TYPE_IPV6,
-                IPV6_HEADER_LEN + ICMP6_HEADER_LEN + ND_OPT_LEN);
-    packet_set_ipv6(b, IPPROTO_ICMPV6,
-                    ALIGNED_CAST(ovs_be32 *, ipv6_src->s6_addr),
-                    ALIGNED_CAST(ovs_be32 *, sn_addr.s6_addr),
-                    0, 0, 255);
+    eth_compose(b, eth_dst, eth_src, ETH_TYPE_IPV6, IPV6_HEADER_LEN + plen);
+    ipv6_compose(b, IPPROTO_ICMPV6, ipv6_src, &sn_addr, 0, 0, 255);
+    ip6 = dp_packet_l3(b);
+    ip6->ip6_plen = htons(plen);
 
     ns = dp_packet_l4(b);
+    memset(ns, 0, plen);
     nd_opt = &ns->options[0];
 
     ns->icmph.icmp6_type = ND_NEIGHBOR_SOLICIT;
     ns->icmph.icmp6_code = 0;
+    memcpy(ns->target.be32, ipv6_dst, sizeof(ovs_be32[4]));
 
     nd_opt->nd_opt_type = ND_OPT_SOURCE_LINKADDR;
-    packet_set_nd(b, ALIGNED_CAST(ovs_be32 *, ipv6_dst->s6_addr),
-                  eth_src, eth_addr_zero);
+    nd_opt->nd_opt_len = 1;
+    nd_opt->nd_opt_mac = eth_src;
+
+    ns->icmph.icmp6_cksum = 0;
+    csum = packet_csum_pseudoheader6(ip6, htonl(plen));
+    csum = csum_continue(csum, &ns->icmph, plen);
+    csum = csum_finish(csum);
+    ns->icmph.icmp6_cksum = csum;
+    if (!ns->icmph.icmp6_cksum) {
+        ns->icmph.icmp6_cksum = htons(0xffff);
+    }
 }
 
 uint32_t
diff --git a/lib/packets.h b/lib/packets.h
index d2a9b51ee..23992b4e2 100644
--- a/lib/packets.h
+++ b/lib/packets.h
@@ -1072,6 +1072,9 @@ void packet_set_nd(struct dp_packet *, const ovs_be32 target[4],
 
 void packet_format_tcp_flags(struct ds *, uint16_t);
 const char *packet_tcp_flag_to_string(uint32_t flag);
+void ipv6_compose(struct dp_packet *, uint8_t proto, const struct in6_addr *src,
+                  const struct in6_addr *dst, uint8_t tc,
+                  ovs_be32 fl, uint8_t hlmit);
 void compose_arp(struct dp_packet *, uint16_t arp_op,
                  const struct eth_addr arp_sha,
                  const struct eth_addr arp_tha, bool broadcast,
-- 
2.20.1