1// SPDX-License-Identifier: GPL-2.0-or-later 2/* 3 * Point-to-Point Tunneling Protocol for Linux 4 * 5 * Authors: Dmitry Kozlov <xeb@mail.ru> 6 */ 7 8#include <linux/string.h> 9#include <linux/module.h> 10#include <linux/kernel.h> 11#include <linux/slab.h> 12#include <linux/errno.h> 13#include <linux/netdevice.h> 14#include <linux/net.h> 15#include <linux/skbuff.h> 16#include <linux/vmalloc.h> 17#include <linux/init.h> 18#include <linux/ppp_channel.h> 19#include <linux/ppp_defs.h> 20#include <linux/if_pppox.h> 21#include <linux/ppp-ioctl.h> 22#include <linux/notifier.h> 23#include <linux/file.h> 24#include <linux/in.h> 25#include <linux/ip.h> 26#include <linux/rcupdate.h> 27#include <linux/security.h> 28#include <linux/spinlock.h> 29 30#include <net/sock.h> 31#include <net/protocol.h> 32#include <net/ip.h> 33#include <net/icmp.h> 34#include <net/route.h> 35#include <net/gre.h> 36#include <net/pptp.h> 37 38#include <linux/uaccess.h> 39 40#define PPTP_DRIVER_VERSION "0.8.5" 41 42#define MAX_CALLID 65535 43 44static DECLARE_BITMAP(callid_bitmap, MAX_CALLID + 1); 45static struct pppox_sock __rcu **callid_sock; 46 47static DEFINE_SPINLOCK(chan_lock); 48 49static struct proto pptp_sk_proto __read_mostly; 50static const struct ppp_channel_ops pptp_chan_ops; 51static const struct proto_ops pptp_ops; 52 53static struct pppox_sock *lookup_chan(u16 call_id, __be32 s_addr) 54{ 55 struct pppox_sock *sock; 56 struct pptp_opt *opt; 57 58 rcu_read_lock(); 59 sock = rcu_dereference(callid_sock[call_id]); 60 if (sock) { 61 opt = &sock->proto.pptp; 62 if (opt->dst_addr.sin_addr.s_addr != s_addr) 63 sock = NULL; 64 else 65 sock_hold(sk_pppox(sock)); 66 } 67 rcu_read_unlock(); 68 69 return sock; 70} 71 72static int lookup_chan_dst(u16 call_id, __be32 d_addr) 73{ 74 struct pppox_sock *sock; 75 struct pptp_opt *opt; 76 int i; 77 78 rcu_read_lock(); 79 i = 1; 80 for_each_set_bit_from(i, callid_bitmap, MAX_CALLID) { 81 sock = rcu_dereference(callid_sock[i]); 82 if (!sock) 83 continue; 84 opt = &sock->proto.pptp; 85 if (opt->dst_addr.call_id == call_id && 86 opt->dst_addr.sin_addr.s_addr == d_addr) 87 break; 88 } 89 rcu_read_unlock(); 90 91 return i < MAX_CALLID; 92} 93 94static int add_chan(struct pppox_sock *sock, 95 struct pptp_addr *sa) 96{ 97 static int call_id; 98 99 spin_lock(&chan_lock); 100 if (!sa->call_id) { 101 call_id = find_next_zero_bit(callid_bitmap, MAX_CALLID, call_id + 1); 102 if (call_id == MAX_CALLID) { 103 call_id = find_next_zero_bit(callid_bitmap, MAX_CALLID, 1); 104 if (call_id == MAX_CALLID) 105 goto out_err; 106 } 107 sa->call_id = call_id; 108 } else if (test_bit(sa->call_id, callid_bitmap)) { 109 goto out_err; 110 } 111 112 sock->proto.pptp.src_addr = *sa; 113 set_bit(sa->call_id, callid_bitmap); 114 rcu_assign_pointer(callid_sock[sa->call_id], sock); 115 spin_unlock(&chan_lock); 116 117 return 0; 118 119out_err: 120 spin_unlock(&chan_lock); 121 return -1; 122} 123 124static void del_chan(struct pppox_sock *sock) 125{ 126 spin_lock(&chan_lock); 127 clear_bit(sock->proto.pptp.src_addr.call_id, callid_bitmap); 128 RCU_INIT_POINTER(callid_sock[sock->proto.pptp.src_addr.call_id], NULL); 129 spin_unlock(&chan_lock); 130} 131 132static struct rtable *pptp_route_output(struct pppox_sock *po, 133 struct flowi4 *fl4) 134{ 135 struct sock *sk = &po->sk; 136 struct net *net; 137 138 net = sock_net(sk); 139 flowi4_init_output(fl4, sk->sk_bound_dev_if, sk->sk_mark, 0, 140 RT_SCOPE_UNIVERSE, IPPROTO_GRE, 0, 141 po->proto.pptp.dst_addr.sin_addr.s_addr, 142 po->proto.pptp.src_addr.sin_addr.s_addr, 143 0, 0, sock_net_uid(net, sk)); 144 security_sk_classify_flow(sk, flowi4_to_flowi_common(fl4)); 145 146 return ip_route_output_flow(net, fl4, sk); 147} 148 149static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb) 150{ 151 struct sock *sk = (struct sock *) chan->private; 152 struct pppox_sock *po = pppox_sk(sk); 153 struct net *net = sock_net(sk); 154 struct pptp_opt *opt = &po->proto.pptp; 155 struct pptp_gre_header *hdr; 156 unsigned int header_len = sizeof(*hdr); 157 struct flowi4 fl4; 158 int islcp; 159 int len; 160 unsigned char *data; 161 __u32 seq_recv; 162 163 164 struct rtable *rt; 165 struct net_device *tdev; 166 struct iphdr *iph; 167 int max_headroom; 168 169 if (sk_pppox(po)->sk_state & PPPOX_DEAD) 170 goto tx_error; 171 172 rt = pptp_route_output(po, &fl4); 173 if (IS_ERR(rt)) 174 goto tx_error; 175 176 tdev = rt->dst.dev; 177 178 max_headroom = LL_RESERVED_SPACE(tdev) + sizeof(*iph) + sizeof(*hdr) + 2; 179 180 if (skb_headroom(skb) < max_headroom || skb_cloned(skb) || skb_shared(skb)) { 181 struct sk_buff *new_skb = skb_realloc_headroom(skb, max_headroom); 182 if (!new_skb) { 183 ip_rt_put(rt); 184 goto tx_error; 185 } 186 if (skb->sk) 187 skb_set_owner_w(new_skb, skb->sk); 188 consume_skb(skb); 189 skb = new_skb; 190 } 191 192 data = skb->data; 193 islcp = ((data[0] << 8) + data[1]) == PPP_LCP && 1 <= data[2] && data[2] <= 7; 194 195 /* compress protocol field */ 196 if ((opt->ppp_flags & SC_COMP_PROT) && data[0] == 0 && !islcp) 197 skb_pull(skb, 1); 198 199 /* Put in the address/control bytes if necessary */ 200 if ((opt->ppp_flags & SC_COMP_AC) == 0 || islcp) { 201 data = skb_push(skb, 2); 202 data[0] = PPP_ALLSTATIONS; 203 data[1] = PPP_UI; 204 } 205 206 len = skb->len; 207 208 seq_recv = opt->seq_recv; 209 210 if (opt->ack_sent == seq_recv) 211 header_len -= sizeof(hdr->ack); 212 213 /* Push down and install GRE header */ 214 skb_push(skb, header_len); 215 hdr = (struct pptp_gre_header *)(skb->data); 216 217 hdr->gre_hd.flags = GRE_KEY | GRE_VERSION_1 | GRE_SEQ; 218 hdr->gre_hd.protocol = GRE_PROTO_PPP; 219 hdr->call_id = htons(opt->dst_addr.call_id); 220 221 hdr->seq = htonl(++opt->seq_sent); 222 if (opt->ack_sent != seq_recv) { 223 /* send ack with this message */ 224 hdr->gre_hd.flags |= GRE_ACK; 225 hdr->ack = htonl(seq_recv); 226 opt->ack_sent = seq_recv; 227 } 228 hdr->payload_len = htons(len); 229 230 /* Push down and install the IP header. */ 231 232 skb_reset_transport_header(skb); 233 skb_push(skb, sizeof(*iph)); 234 skb_reset_network_header(skb); 235 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt)); 236 IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED | IPSKB_REROUTED); 237 238 iph = ip_hdr(skb); 239 iph->version = 4; 240 iph->ihl = sizeof(struct iphdr) >> 2; 241 if (ip_dont_fragment(sk, &rt->dst)) 242 iph->frag_off = htons(IP_DF); 243 else 244 iph->frag_off = 0; 245 iph->protocol = IPPROTO_GRE; 246 iph->tos = 0; 247 iph->daddr = fl4.daddr; 248 iph->saddr = fl4.saddr; 249 iph->ttl = ip4_dst_hoplimit(&rt->dst); 250 iph->tot_len = htons(skb->len); 251 252 skb_dst_drop(skb); 253 skb_dst_set(skb, &rt->dst); 254 255 nf_reset_ct(skb); 256 257 skb->ip_summed = CHECKSUM_NONE; 258 ip_select_ident(net, skb, NULL); 259 ip_send_check(iph); 260 261 ip_local_out(net, skb->sk, skb); 262 return 1; 263 264tx_error: 265 kfree_skb(skb); 266 return 1; 267} 268 269static int pptp_rcv_core(struct sock *sk, struct sk_buff *skb) 270{ 271 struct pppox_sock *po = pppox_sk(sk); 272 struct pptp_opt *opt = &po->proto.pptp; 273 int headersize, payload_len, seq; 274 __u8 *payload; 275 struct pptp_gre_header *header; 276 277 if (!(sk->sk_state & PPPOX_CONNECTED)) { 278 if (sock_queue_rcv_skb(sk, skb)) 279 goto drop; 280 return NET_RX_SUCCESS; 281 } 282 283 header = (struct pptp_gre_header *)(skb->data); 284 headersize = sizeof(*header); 285 286 /* test if acknowledgement present */ 287 if (GRE_IS_ACK(header->gre_hd.flags)) { 288 __u32 ack; 289 290 if (!pskb_may_pull(skb, headersize)) 291 goto drop; 292 header = (struct pptp_gre_header *)(skb->data); 293 294 /* ack in different place if S = 0 */ 295 ack = GRE_IS_SEQ(header->gre_hd.flags) ? header->ack : header->seq; 296 297 ack = ntohl(ack); 298 299 if (ack > opt->ack_recv) 300 opt->ack_recv = ack; 301 /* also handle sequence number wrap-around */ 302 if (WRAPPED(ack, opt->ack_recv)) 303 opt->ack_recv = ack; 304 } else { 305 headersize -= sizeof(header->ack); 306 } 307 /* test if payload present */ 308 if (!GRE_IS_SEQ(header->gre_hd.flags)) 309 goto drop; 310 311 payload_len = ntohs(header->payload_len); 312 seq = ntohl(header->seq); 313 314 /* check for incomplete packet (length smaller than expected) */ 315 if (!pskb_may_pull(skb, headersize + payload_len)) 316 goto drop; 317 318 payload = skb->data + headersize; 319 /* check for expected sequence number */ 320 if (seq < opt->seq_recv + 1 || WRAPPED(opt->seq_recv, seq)) { 321 if ((payload[0] == PPP_ALLSTATIONS) && (payload[1] == PPP_UI) && 322 (PPP_PROTOCOL(payload) == PPP_LCP) && 323 ((payload[4] == PPP_LCP_ECHOREQ) || (payload[4] == PPP_LCP_ECHOREP))) 324 goto allow_packet; 325 } else { 326 opt->seq_recv = seq; 327allow_packet: 328 skb_pull(skb, headersize); 329 330 if (payload[0] == PPP_ALLSTATIONS && payload[1] == PPP_UI) { 331 /* chop off address/control */ 332 if (skb->len < 3) 333 goto drop; 334 skb_pull(skb, 2); 335 } 336 337 skb->ip_summed = CHECKSUM_NONE; 338 skb_set_network_header(skb, skb->head-skb->data); 339 ppp_input(&po->chan, skb); 340 341 return NET_RX_SUCCESS; 342 } 343drop: 344 kfree_skb(skb); 345 return NET_RX_DROP; 346} 347 348static int pptp_rcv(struct sk_buff *skb) 349{ 350 struct pppox_sock *po; 351 struct pptp_gre_header *header; 352 struct iphdr *iph; 353 354 if (skb->pkt_type != PACKET_HOST) 355 goto drop; 356 357 if (!pskb_may_pull(skb, 12)) 358 goto drop; 359 360 iph = ip_hdr(skb); 361 362 header = (struct pptp_gre_header *)skb->data; 363 364 if (header->gre_hd.protocol != GRE_PROTO_PPP || /* PPTP-GRE protocol for PPTP */ 365 GRE_IS_CSUM(header->gre_hd.flags) || /* flag CSUM should be clear */ 366 GRE_IS_ROUTING(header->gre_hd.flags) || /* flag ROUTING should be clear */ 367 !GRE_IS_KEY(header->gre_hd.flags) || /* flag KEY should be set */ 368 (header->gre_hd.flags & GRE_FLAGS)) /* flag Recursion Ctrl should be clear */ 369 /* if invalid, discard this packet */ 370 goto drop; 371 372 po = lookup_chan(htons(header->call_id), iph->saddr); 373 if (po) { 374 skb_dst_drop(skb); 375 nf_reset_ct(skb); 376 return sk_receive_skb(sk_pppox(po), skb, 0); 377 } 378drop: 379 kfree_skb(skb); 380 return NET_RX_DROP; 381} 382 383static int pptp_bind(struct socket *sock, struct sockaddr *uservaddr, 384 int sockaddr_len) 385{ 386 struct sock *sk = sock->sk; 387 struct sockaddr_pppox *sp = (struct sockaddr_pppox *) uservaddr; 388 struct pppox_sock *po = pppox_sk(sk); 389 int error = 0; 390 391 if (sockaddr_len < sizeof(struct sockaddr_pppox)) 392 return -EINVAL; 393 394 lock_sock(sk); 395 396 if (sk->sk_state & PPPOX_DEAD) { 397 error = -EALREADY; 398 goto out; 399 } 400 401 if (sk->sk_state & PPPOX_BOUND) { 402 error = -EBUSY; 403 goto out; 404 } 405 406 if (add_chan(po, &sp->sa_addr.pptp)) 407 error = -EBUSY; 408 else 409 sk->sk_state |= PPPOX_BOUND; 410 411out: 412 release_sock(sk); 413 return error; 414} 415 416static int pptp_connect(struct socket *sock, struct sockaddr *uservaddr, 417 int sockaddr_len, int flags) 418{ 419 struct sock *sk = sock->sk; 420 struct sockaddr_pppox *sp = (struct sockaddr_pppox *) uservaddr; 421 struct pppox_sock *po = pppox_sk(sk); 422 struct pptp_opt *opt = &po->proto.pptp; 423 struct rtable *rt; 424 struct flowi4 fl4; 425 int error = 0; 426 427 if (sockaddr_len < sizeof(struct sockaddr_pppox)) 428 return -EINVAL; 429 430 if (sp->sa_protocol != PX_PROTO_PPTP) 431 return -EINVAL; 432 433 if (lookup_chan_dst(sp->sa_addr.pptp.call_id, sp->sa_addr.pptp.sin_addr.s_addr)) 434 return -EALREADY; 435 436 lock_sock(sk); 437 /* Check for already bound sockets */ 438 if (sk->sk_state & PPPOX_CONNECTED) { 439 error = -EBUSY; 440 goto end; 441 } 442 443 /* Check for already disconnected sockets, on attempts to disconnect */ 444 if (sk->sk_state & PPPOX_DEAD) { 445 error = -EALREADY; 446 goto end; 447 } 448 449 if (!opt->src_addr.sin_addr.s_addr || !sp->sa_addr.pptp.sin_addr.s_addr) { 450 error = -EINVAL; 451 goto end; 452 } 453 454 po->chan.private = sk; 455 po->chan.ops = &pptp_chan_ops; 456 457 rt = pptp_route_output(po, &fl4); 458 if (IS_ERR(rt)) { 459 error = -EHOSTUNREACH; 460 goto end; 461 } 462 sk_setup_caps(sk, &rt->dst); 463 464 po->chan.mtu = dst_mtu(&rt->dst); 465 if (!po->chan.mtu) 466 po->chan.mtu = PPP_MRU; 467 po->chan.mtu -= PPTP_HEADER_OVERHEAD; 468 469 po->chan.hdrlen = 2 + sizeof(struct pptp_gre_header); 470 error = ppp_register_channel(&po->chan); 471 if (error) { 472 pr_err("PPTP: failed to register PPP channel (%d)\n", error); 473 goto end; 474 } 475 476 opt->dst_addr = sp->sa_addr.pptp; 477 sk->sk_state |= PPPOX_CONNECTED; 478 479 end: 480 release_sock(sk); 481 return error; 482} 483 484static int pptp_getname(struct socket *sock, struct sockaddr *uaddr, 485 int peer) 486{ 487 int len = sizeof(struct sockaddr_pppox); 488 struct sockaddr_pppox sp; 489 490 memset(&sp.sa_addr, 0, sizeof(sp.sa_addr)); 491 492 sp.sa_family = AF_PPPOX; 493 sp.sa_protocol = PX_PROTO_PPTP; 494 sp.sa_addr.pptp = pppox_sk(sock->sk)->proto.pptp.src_addr; 495 496 memcpy(uaddr, &sp, len); 497 498 return len; 499} 500 501static int pptp_release(struct socket *sock) 502{ 503 struct sock *sk = sock->sk; 504 struct pppox_sock *po; 505 int error = 0; 506 507 if (!sk) 508 return 0; 509 510 lock_sock(sk); 511 512 if (sock_flag(sk, SOCK_DEAD)) { 513 release_sock(sk); 514 return -EBADF; 515 } 516 517 po = pppox_sk(sk); 518 del_chan(po); 519 synchronize_rcu(); 520 521 pppox_unbind_sock(sk); 522 sk->sk_state = PPPOX_DEAD; 523 524 sock_orphan(sk); 525 sock->sk = NULL; 526 527 release_sock(sk); 528 sock_put(sk); 529 530 return error; 531} 532 533static void pptp_sock_destruct(struct sock *sk) 534{ 535 if (!(sk->sk_state & PPPOX_DEAD)) { 536 del_chan(pppox_sk(sk)); 537 pppox_unbind_sock(sk); 538 } 539 skb_queue_purge(&sk->sk_receive_queue); 540 dst_release(rcu_dereference_protected(sk->sk_dst_cache, 1)); 541} 542 543static int pptp_create(struct net *net, struct socket *sock, int kern) 544{ 545 int error = -ENOMEM; 546 struct sock *sk; 547 struct pppox_sock *po; 548 struct pptp_opt *opt; 549 550 sk = sk_alloc(net, PF_PPPOX, GFP_KERNEL, &pptp_sk_proto, kern); 551 if (!sk) 552 goto out; 553 554 sock_init_data(sock, sk); 555 556 sock->state = SS_UNCONNECTED; 557 sock->ops = &pptp_ops; 558 559 sk->sk_backlog_rcv = pptp_rcv_core; 560 sk->sk_state = PPPOX_NONE; 561 sk->sk_type = SOCK_STREAM; 562 sk->sk_family = PF_PPPOX; 563 sk->sk_protocol = PX_PROTO_PPTP; 564 sk->sk_destruct = pptp_sock_destruct; 565 566 po = pppox_sk(sk); 567 opt = &po->proto.pptp; 568 569 opt->seq_sent = 0; opt->seq_recv = 0xffffffff; 570 opt->ack_recv = 0; opt->ack_sent = 0xffffffff; 571 572 error = 0; 573out: 574 return error; 575} 576 577static int pptp_ppp_ioctl(struct ppp_channel *chan, unsigned int cmd, 578 unsigned long arg) 579{ 580 struct sock *sk = (struct sock *) chan->private; 581 struct pppox_sock *po = pppox_sk(sk); 582 struct pptp_opt *opt = &po->proto.pptp; 583 void __user *argp = (void __user *)arg; 584 int __user *p = argp; 585 int err, val; 586 587 err = -EFAULT; 588 switch (cmd) { 589 case PPPIOCGFLAGS: 590 val = opt->ppp_flags; 591 if (put_user(val, p)) 592 break; 593 err = 0; 594 break; 595 case PPPIOCSFLAGS: 596 if (get_user(val, p)) 597 break; 598 opt->ppp_flags = val & ~SC_RCV_BITS; 599 err = 0; 600 break; 601 default: 602 err = -ENOTTY; 603 } 604 605 return err; 606} 607 608static const struct ppp_channel_ops pptp_chan_ops = { 609 .start_xmit = pptp_xmit, 610 .ioctl = pptp_ppp_ioctl, 611}; 612 613static struct proto pptp_sk_proto __read_mostly = { 614 .name = "PPTP", 615 .owner = THIS_MODULE, 616 .obj_size = sizeof(struct pppox_sock), 617}; 618 619static const struct proto_ops pptp_ops = { 620 .family = AF_PPPOX, 621 .owner = THIS_MODULE, 622 .release = pptp_release, 623 .bind = pptp_bind, 624 .connect = pptp_connect, 625 .socketpair = sock_no_socketpair, 626 .accept = sock_no_accept, 627 .getname = pptp_getname, 628 .listen = sock_no_listen, 629 .shutdown = sock_no_shutdown, 630 .sendmsg = sock_no_sendmsg, 631 .recvmsg = sock_no_recvmsg, 632 .mmap = sock_no_mmap, 633 .ioctl = pppox_ioctl, 634#ifdef CONFIG_COMPAT 635 .compat_ioctl = pppox_compat_ioctl, 636#endif 637}; 638 639static const struct pppox_proto pppox_pptp_proto = { 640 .create = pptp_create, 641 .owner = THIS_MODULE, 642}; 643 644static const struct gre_protocol gre_pptp_protocol = { 645 .handler = pptp_rcv, 646}; 647 648static int __init pptp_init_module(void) 649{ 650 int err = 0; 651 pr_info("PPTP driver version " PPTP_DRIVER_VERSION "\n"); 652 653 callid_sock = vzalloc(array_size(sizeof(void *), (MAX_CALLID + 1))); 654 if (!callid_sock) 655 return -ENOMEM; 656 657 err = gre_add_protocol(&gre_pptp_protocol, GREPROTO_PPTP); 658 if (err) { 659 pr_err("PPTP: can't add gre protocol\n"); 660 goto out_mem_free; 661 } 662 663 err = proto_register(&pptp_sk_proto, 0); 664 if (err) { 665 pr_err("PPTP: can't register sk_proto\n"); 666 goto out_gre_del_protocol; 667 } 668 669 err = register_pppox_proto(PX_PROTO_PPTP, &pppox_pptp_proto); 670 if (err) { 671 pr_err("PPTP: can't register pppox_proto\n"); 672 goto out_unregister_sk_proto; 673 } 674 675 return 0; 676 677out_unregister_sk_proto: 678 proto_unregister(&pptp_sk_proto); 679out_gre_del_protocol: 680 gre_del_protocol(&gre_pptp_protocol, GREPROTO_PPTP); 681out_mem_free: 682 vfree(callid_sock); 683 684 return err; 685} 686 687static void __exit pptp_exit_module(void) 688{ 689 unregister_pppox_proto(PX_PROTO_PPTP); 690 proto_unregister(&pptp_sk_proto); 691 gre_del_protocol(&gre_pptp_protocol, GREPROTO_PPTP); 692 vfree(callid_sock); 693} 694 695module_init(pptp_init_module); 696module_exit(pptp_exit_module); 697 698MODULE_DESCRIPTION("Point-to-Point Tunneling Protocol"); 699MODULE_AUTHOR("D. Kozlov (xeb@mail.ru)"); 700MODULE_LICENSE("GPL"); 701MODULE_ALIAS_NET_PF_PROTO(PF_PPPOX, PX_PROTO_PPTP); 702