4 * IPv6 fragmentation and reassembly.
8 * Copyright (c) 2010 Inico Technologies Ltd.
11 * Redistribution and use in source and binary forms, with or without modification,
12 * are permitted provided that the following conditions are met:
14 * 1. Redistributions of source code must retain the above copyright notice,
15 * this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright notice,
17 * this list of conditions and the following disclaimer in the documentation
18 * and/or other materials provided with the distribution.
19 * 3. The name of the author may not be used to endorse or promote products
20 * derived from this software without specific prior written permission.
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
23 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
24 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
25 * SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
26 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
27 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
28 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
29 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
30 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
33 * This file is part of the lwIP TCP/IP stack.
35 * Author: Ivan Delamer <delamer@inicotech.com>
38 * Please coordinate changes and requests with Ivan Delamer
39 * <delamer@inicotech.com>
43 #include "lwip/ip6_frag.h"
45 #include "lwip/icmp6.h"
48 #include "lwip/pbuf.h"
49 #include "lwip/memp.h"
50 #include "lwip/stats.h"
54 #if LWIP_IPV6 && LWIP_IPV6_REASS /* don't build if not configured for use in lwipopts.h */
57 /** Setting this to 0, you can turn off checking the fragments for overlapping
58 * regions. The code gets a little smaller. Only use this if you know that
59 * overlapping won't occur on your network! */
60 #ifndef IP_REASS_CHECK_OVERLAP
61 #define IP_REASS_CHECK_OVERLAP 1
62 #endif /* IP_REASS_CHECK_OVERLAP */
64 /** Set to 0 to prevent freeing the oldest datagram when the reassembly buffer is
65 * full (IP_REASS_MAX_PBUFS pbufs are enqueued). The code gets a little smaller.
66 * Datagrams will be freed by timeout only. Especially useful when MEMP_NUM_REASSDATA
67 * is set to 1, so one datagram can be reassembled at a time, only. */
68 #ifndef IP_REASS_FREE_OLDEST
69 #define IP_REASS_FREE_OLDEST 1
70 #endif /* IP_REASS_FREE_OLDEST */
72 #define IP_REASS_FLAG_LASTFRAG 0x01
74 /** This is a helper struct which holds the starting
75 * offset and the ending offset of this fragment to
76 * easily chain the fragments.
77 * It has the same packing requirements as the IPv6 header, since it replaces
78 * the Fragment Header in memory in incoming fragments to keep
79 * track of the various fragments.
81 #ifdef PACK_STRUCT_USE_INCLUDES
82 # include "arch/bpstruct.h"
85 struct ip6_reass_helper {
86 PACK_STRUCT_FIELD(struct pbuf *next_pbuf);
87 PACK_STRUCT_FIELD(u16_t start);
88 PACK_STRUCT_FIELD(u16_t end);
91 #ifdef PACK_STRUCT_USE_INCLUDES
92 # include "arch/epstruct.h"
95 /* static variables */
96 static struct ip6_reassdata *reassdatagrams;
97 static u16_t ip6_reass_pbufcount;
99 /* Forward declarations. */
100 static void ip6_reass_free_complete_datagram(struct ip6_reassdata *ipr);
101 #if IP_REASS_FREE_OLDEST
102 static void ip6_reass_remove_oldest_datagram(struct ip6_reassdata *ipr, int pbufs_needed);
103 #endif /* IP_REASS_FREE_OLDEST */
108 struct ip6_reassdata *r, *tmp;
112 /* Decrement the timer. Once it reaches 0,
113 * clean up the incomplete fragment assembly */
118 /* reassembly timed out */
120 /* get the next pointer before freeing */
122 /* free the helper struct and all enqueued pbufs */
123 ip6_reass_free_complete_datagram(tmp);
129 * Free a datagram (struct ip6_reassdata) and all its pbufs.
130 * Updates the total count of enqueued pbufs (ip6_reass_pbufcount),
131 * sends an ICMP time exceeded packet.
133 * @param ipr datagram to free
136 ip6_reass_free_complete_datagram(struct ip6_reassdata *ipr)
138 struct ip6_reassdata *prev;
139 u16_t pbufs_freed = 0;
142 struct ip6_reass_helper *iprh;
145 iprh = (struct ip6_reass_helper *)ipr->p->payload;
146 if (iprh->start == 0) {
147 /* The first fragment was received, send ICMP time exceeded. */
148 /* First, de-queue the first pbuf from r->p. */
150 ipr->p = iprh->next_pbuf;
151 /* Then, move back to the original header (we are now pointing to Fragment header). */
152 if (pbuf_header(p, (u8_t*)p->payload - (u8_t*)ipr->iphdr)) {
153 LWIP_ASSERT("ip6_reass_free: moving p->payload to ip6 header failed\n", 0);
156 icmp6_time_exceeded(p, ICMP6_TE_FRAG);
159 LWIP_ASSERT("pbufs_freed + clen <= 0xffff", pbufs_freed + clen <= 0xffff);
163 #endif /* LWIP_ICMP6 */
165 /* First, free all received pbufs. The individual pbufs need to be released
166 separately as they have not yet been chained */
170 iprh = (struct ip6_reass_helper *)p->payload;
172 /* get the next pointer before freeing */
174 clen = pbuf_clen(pcur);
175 LWIP_ASSERT("pbufs_freed + clen <= 0xffff", pbufs_freed + clen <= 0xffff);
180 /* Then, unchain the struct ip6_reassdata from the list and free it. */
181 if (ipr == reassdatagrams) {
182 reassdatagrams = ipr->next;
184 prev = reassdatagrams;
185 while (prev != NULL) {
186 if (prev->next == ipr) {
192 prev->next = ipr->next;
195 memp_free(MEMP_IP6_REASSDATA, ipr);
197 /* Finally, update number of pbufs in reassembly queue */
198 LWIP_ASSERT("ip_reass_pbufcount >= clen", ip6_reass_pbufcount >= pbufs_freed);
199 ip6_reass_pbufcount -= pbufs_freed;
202 #if IP_REASS_FREE_OLDEST
204 * Free the oldest datagram to make room for enqueueing new fragments.
205 * The datagram ipr is not freed!
207 * @param ipr ip6_reassdata for the current fragment
208 * @param pbufs_needed number of pbufs needed to enqueue
209 * (used for freeing other datagrams if not enough space)
212 ip6_reass_remove_oldest_datagram(struct ip6_reassdata *ipr, int pbufs_needed)
214 struct ip6_reassdata *r, *oldest;
216 /* Free datagrams until being allowed to enqueue 'pbufs_needed' pbufs,
217 * but don't free the current datagram! */
219 r = oldest = reassdatagrams;
222 if (r->timer <= oldest->timer) {
223 /* older than the previous oldest */
229 if (oldest != NULL) {
230 ip6_reass_free_complete_datagram(oldest);
232 } while (((ip6_reass_pbufcount + pbufs_needed) > IP_REASS_MAX_PBUFS) && (reassdatagrams != NULL));
234 #endif /* IP_REASS_FREE_OLDEST */
237 * Reassembles incoming IPv6 fragments into an IPv6 datagram.
239 * @param p points to the IPv6 Fragment Header
240 * @param len the length of the payload (after Fragment Header)
241 * @return NULL if reassembly is incomplete, pbuf pointing to
242 * IPv6 Header if reassembly is complete
245 ip6_reass(struct pbuf *p)
247 struct ip6_reassdata *ipr, *ipr_prev;
248 struct ip6_reass_helper *iprh, *iprh_tmp, *iprh_prev=NULL;
249 struct ip6_frag_hdr * frag_hdr;
251 u8_t clen, valid = 1;
254 IP6_FRAG_STATS_INC(ip6_frag.recv);
256 frag_hdr = (struct ip6_frag_hdr *) p->payload;
260 offset = ntohs(frag_hdr->_fragment_offset);
262 /* Calculate fragment length from IPv6 payload length.
263 * Adjust for headers before Fragment Header.
264 * And finally adjust by Fragment Header length. */
265 len = ntohs(ip6_current_header()->_plen);
266 len -= ((u8_t*)p->payload - (u8_t*)ip6_current_header()) - IP6_HLEN;
267 len -= IP6_FRAG_HLEN;
269 /* Look for the datagram the fragment belongs to in the current datagram queue,
270 * remembering the previous in the queue for later dequeueing. */
271 for (ipr = reassdatagrams, ipr_prev = NULL; ipr != NULL; ipr = ipr->next) {
272 /* Check if the incoming fragment matches the one currently present
273 in the reassembly buffer. If so, we proceed with copying the
274 fragment into the buffer. */
275 if ((frag_hdr->_identification == ipr->identification) &&
276 ip6_addr_cmp(ip6_current_src_addr(), &(ipr->iphdr->src)) &&
277 ip6_addr_cmp(ip6_current_dest_addr(), &(ipr->iphdr->dest))) {
278 IP6_FRAG_STATS_INC(ip6_frag.cachehit);
285 /* Enqueue a new datagram into the datagram queue */
286 ipr = (struct ip6_reassdata *)memp_malloc(MEMP_IP6_REASSDATA);
288 #if IP_REASS_FREE_OLDEST
289 /* Make room and try again. */
290 ip6_reass_remove_oldest_datagram(ipr, clen);
291 ipr = (struct ip6_reassdata *)memp_malloc(MEMP_IP6_REASSDATA);
293 #endif /* IP_REASS_FREE_OLDEST */
295 IP6_FRAG_STATS_INC(ip6_frag.memerr);
296 IP6_FRAG_STATS_INC(ip6_frag.drop);
301 memset(ipr, 0, sizeof(struct ip6_reassdata));
302 ipr->timer = IP_REASS_MAXAGE;
304 /* enqueue the new structure to the front of the list */
305 ipr->next = reassdatagrams;
306 reassdatagrams = ipr;
308 /* Use the current IPv6 header for src/dest address reference.
309 * Eventually, we will replace it when we get the first fragment
310 * (it might be this one, in any case, it is done later). */
311 ipr->iphdr = (struct ip6_hdr *)ip6_current_header();
313 /* copy the fragmented packet id. */
314 ipr->identification = frag_hdr->_identification;
316 /* copy the nexth field */
317 ipr->nexth = frag_hdr->_nexth;
320 /* Check if we are allowed to enqueue more datagrams. */
321 if ((ip6_reass_pbufcount + clen) > IP_REASS_MAX_PBUFS) {
322 #if IP_REASS_FREE_OLDEST
323 ip6_reass_remove_oldest_datagram(ipr, clen);
324 if ((ip6_reass_pbufcount + clen) > IP_REASS_MAX_PBUFS)
325 #endif /* IP_REASS_FREE_OLDEST */
327 /* @todo: send ICMPv6 time exceeded here? */
329 IP6_FRAG_STATS_INC(ip6_frag.memerr);
330 IP6_FRAG_STATS_INC(ip6_frag.drop);
335 /* Overwrite Fragment Header with our own helper struct. */
336 iprh = (struct ip6_reass_helper *)p->payload;
337 iprh->next_pbuf = NULL;
338 iprh->start = (offset & IP6_FRAG_OFFSET_MASK);
339 iprh->end = (offset & IP6_FRAG_OFFSET_MASK) + len;
341 /* find the right place to insert this pbuf */
342 /* Iterate through until we either get to the end of the list (append),
343 * or we find on with a larger offset (insert). */
344 for (q = ipr->p; q != NULL;) {
345 iprh_tmp = (struct ip6_reass_helper*)q->payload;
346 if (iprh->start < iprh_tmp->start) {
347 #if IP_REASS_CHECK_OVERLAP
348 if (iprh->end > iprh_tmp->start) {
349 /* fragment overlaps with following, throw away */
350 IP6_FRAG_STATS_INC(ip6_frag.proterr);
351 IP6_FRAG_STATS_INC(ip6_frag.drop);
354 if (iprh_prev != NULL) {
355 if (iprh->start < iprh_prev->end) {
356 /* fragment overlaps with previous, throw away */
357 IP6_FRAG_STATS_INC(ip6_frag.proterr);
358 IP6_FRAG_STATS_INC(ip6_frag.drop);
362 #endif /* IP_REASS_CHECK_OVERLAP */
363 /* the new pbuf should be inserted before this */
365 if (iprh_prev != NULL) {
366 /* not the fragment with the lowest offset */
367 iprh_prev->next_pbuf = p;
369 /* fragment with the lowest offset */
373 } else if(iprh->start == iprh_tmp->start) {
374 /* received the same datagram twice: no need to keep the datagram */
375 IP6_FRAG_STATS_INC(ip6_frag.drop);
377 #if IP_REASS_CHECK_OVERLAP
378 } else if(iprh->start < iprh_tmp->end) {
379 /* overlap: no need to keep the new datagram */
380 IP6_FRAG_STATS_INC(ip6_frag.proterr);
381 IP6_FRAG_STATS_INC(ip6_frag.drop);
383 #endif /* IP_REASS_CHECK_OVERLAP */
385 /* Check if the fragments received so far have no gaps. */
386 if (iprh_prev != NULL) {
387 if (iprh_prev->end != iprh_tmp->start) {
388 /* There is a fragment missing between the current
389 * and the previous fragment */
394 q = iprh_tmp->next_pbuf;
395 iprh_prev = iprh_tmp;
398 /* If q is NULL, then we made it to the end of the list. Determine what to do now */
400 if (iprh_prev != NULL) {
401 /* this is (for now), the fragment with the highest offset:
402 * chain it to the last fragment */
403 #if IP_REASS_CHECK_OVERLAP
404 LWIP_ASSERT("check fragments don't overlap", iprh_prev->end <= iprh->start);
405 #endif /* IP_REASS_CHECK_OVERLAP */
406 iprh_prev->next_pbuf = p;
407 if (iprh_prev->end != iprh->start) {
411 #if IP_REASS_CHECK_OVERLAP
412 LWIP_ASSERT("no previous fragment, this must be the first fragment!",
414 #endif /* IP_REASS_CHECK_OVERLAP */
415 /* this is the first fragment we ever received for this ip datagram */
420 /* Track the current number of pbufs current 'in-flight', in order to limit
421 the number of fragments that may be enqueued at any one time */
422 ip6_reass_pbufcount += clen;
424 /* Remember IPv6 header if this is the first fragment. */
425 if (iprh->start == 0) {
426 ipr->iphdr = (struct ip6_hdr *)ip6_current_header();
429 /* If this is the last fragment, calculate total packet length. */
430 if ((offset & IP6_FRAG_MORE_FLAG) == 0) {
431 ipr->datagram_len = iprh->end;
434 /* Additional validity tests: we have received first and last fragment. */
435 iprh_tmp = (struct ip6_reass_helper*)ipr->p->payload;
436 if (iprh_tmp->start != 0) {
439 if (ipr->datagram_len == 0) {
443 /* Final validity test: no gaps between current and last fragment. */
446 while ((q != NULL) && valid) {
447 iprh = (struct ip6_reass_helper*)q->payload;
448 if (iprh_prev->end != iprh->start) {
457 /* All fragments have been received */
459 /* chain together the pbufs contained within the ip6_reassdata list. */
460 iprh = (struct ip6_reass_helper*) ipr->p->payload;
461 while(iprh != NULL) {
463 if (iprh->next_pbuf != NULL) {
464 /* Save next helper struct (will be hidden in next step). */
465 iprh_tmp = (struct ip6_reass_helper*) iprh->next_pbuf->payload;
467 /* hide the fragment header for every succeding fragment */
468 pbuf_header(iprh->next_pbuf, -IP6_FRAG_HLEN);
469 pbuf_cat(ipr->p, iprh->next_pbuf);
478 /* Adjust datagram length by adding header lengths. */
479 ipr->datagram_len += ((u8_t*)ipr->p->payload - (u8_t*)ipr->iphdr)
483 /* Set payload length in ip header. */
484 ipr->iphdr->_plen = htons(ipr->datagram_len);
486 /* Get the furst pbuf. */
489 /* Restore Fragment Header in first pbuf. Mark as "single fragment"
490 * packet. Restore nexth. */
491 frag_hdr = (struct ip6_frag_hdr *) p->payload;
492 frag_hdr->_nexth = ipr->nexth;
493 frag_hdr->reserved = 0;
494 frag_hdr->_fragment_offset = 0;
495 frag_hdr->_identification = 0;
497 /* release the sources allocate for the fragment queue entry */
498 if (reassdatagrams == ipr) {
499 /* it was the first in the list */
500 reassdatagrams = ipr->next;
502 /* it wasn't the first, so it must have a valid 'prev' */
503 LWIP_ASSERT("sanity check linked list", ipr_prev != NULL);
504 ipr_prev->next = ipr->next;
506 memp_free(MEMP_IP6_REASSDATA, ipr);
508 /* adjust the number of pbufs currently queued for reassembly. */
509 ip6_reass_pbufcount -= pbuf_clen(p);
511 /* Move pbuf back to IPv6 header. */
512 if (pbuf_header(p, (u8_t*)p->payload - (u8_t*)ipr->iphdr)) {
513 LWIP_ASSERT("ip6_reass: moving p->payload to ip6 header failed\n", 0);
518 /* Return the pbuf chain */
521 /* the datagram is not (yet?) reassembled completely */
529 #endif /* LWIP_IPV6 ^^ LWIP_IPV6_REASS */
531 #if LWIP_IPV6 && LWIP_IPV6_FRAG
533 /** Allocate a new struct pbuf_custom_ref */
534 static struct pbuf_custom_ref*
535 ip6_frag_alloc_pbuf_custom_ref(void)
537 return (struct pbuf_custom_ref*)memp_malloc(MEMP_FRAG_PBUF);
540 /** Free a struct pbuf_custom_ref */
542 ip6_frag_free_pbuf_custom_ref(struct pbuf_custom_ref* p)
544 LWIP_ASSERT("p != NULL", p != NULL);
545 memp_free(MEMP_FRAG_PBUF, p);
548 /** Free-callback function to free a 'struct pbuf_custom_ref', called by
551 ip6_frag_free_pbuf_custom(struct pbuf *p)
553 struct pbuf_custom_ref *pcr = (struct pbuf_custom_ref*)p;
554 LWIP_ASSERT("pcr != NULL", pcr != NULL);
555 LWIP_ASSERT("pcr == p", (void*)pcr == (void*)p);
556 if (pcr->original != NULL) {
557 pbuf_free(pcr->original);
559 ip6_frag_free_pbuf_custom_ref(pcr);
563 * Fragment an IPv6 datagram if too large for the netif or path MTU.
565 * Chop the datagram in MTU sized chunks and send them in order
566 * by pointing PBUF_REFs into p
568 * @param p ipv6 packet to send
569 * @param netif the netif on which to send
570 * @param dest destination ipv6 address to which to send
572 * @return ERR_OK if sent successfully, err_t otherwise
575 ip6_frag(struct pbuf *p, struct netif *netif, ip6_addr_t *dest)
577 struct ip6_hdr *original_ip6hdr;
578 struct ip6_hdr *ip6hdr;
579 struct ip6_frag_hdr * frag_hdr;
581 struct pbuf *newpbuf;
582 static u32_t identification;
586 u16_t fragment_offset = 0;
588 u16_t poff = IP6_HLEN;
589 u16_t newpbuflen = 0;
594 original_ip6hdr = (struct ip6_hdr *)p->payload;
596 mtu = nd6_get_destination_mtu(dest, netif);
598 /* TODO we assume there are no options in the unfragmentable part (IPv6 header). */
599 left = p->tot_len - IP6_HLEN;
601 nfb = (mtu - (IP6_HLEN + IP6_FRAG_HLEN)) & IP6_FRAG_OFFSET_MASK;
604 last = (left <= nfb);
606 /* Fill this fragment */
607 cop = last ? left : nfb;
609 /* When not using a static buffer, create a chain of pbufs.
610 * The first will be a PBUF_RAM holding the link, IPv6, and Fragment header.
611 * The rest will be PBUF_REFs mirroring the pbuf chain to be fragged,
612 * but limited to the size of an mtu.
614 rambuf = pbuf_alloc(PBUF_LINK, IP6_HLEN + IP6_FRAG_HLEN, PBUF_RAM);
615 if (rambuf == NULL) {
616 IP6_FRAG_STATS_INC(ip6_frag.memerr);
619 LWIP_ASSERT("this needs a pbuf in one piece!",
620 (p->len >= (IP6_HLEN + IP6_FRAG_HLEN)));
621 SMEMCPY(rambuf->payload, original_ip6hdr, IP6_HLEN);
622 ip6hdr = (struct ip6_hdr *)rambuf->payload;
623 frag_hdr = (struct ip6_frag_hdr *)((u8_t*)rambuf->payload + IP6_HLEN);
625 /* Can just adjust p directly for needed offset. */
626 p->payload = (u8_t *)p->payload + poff;
631 while (left_to_copy) {
632 struct pbuf_custom_ref *pcr;
633 newpbuflen = (left_to_copy < p->len) ? left_to_copy : p->len;
634 /* Is this pbuf already empty? */
639 pcr = ip6_frag_alloc_pbuf_custom_ref();
642 IP6_FRAG_STATS_INC(ip6_frag.memerr);
645 /* Mirror this pbuf, although we might not need all of it. */
646 newpbuf = pbuf_alloced_custom(PBUF_RAW, newpbuflen, PBUF_REF, &pcr->pc, p->payload, newpbuflen);
647 if (newpbuf == NULL) {
648 ip6_frag_free_pbuf_custom_ref(pcr);
650 IP6_FRAG_STATS_INC(ip6_frag.memerr);
655 pcr->pc.custom_free_function = ip6_frag_free_pbuf_custom;
657 /* Add it to end of rambuf's chain, but using pbuf_cat, not pbuf_chain
658 * so that it is removed when pbuf_dechain is later called on rambuf.
660 pbuf_cat(rambuf, newpbuf);
661 left_to_copy -= newpbuflen;
669 frag_hdr->_nexth = original_ip6hdr->_nexth;
670 frag_hdr->reserved = 0;
671 frag_hdr->_fragment_offset = htons((fragment_offset & IP6_FRAG_OFFSET_MASK) | (last ? 0 : IP6_FRAG_MORE_FLAG));
672 frag_hdr->_identification = htonl(identification);
674 IP6H_NEXTH_SET(ip6hdr, IP6_NEXTH_FRAGMENT);
675 IP6H_PLEN_SET(ip6hdr, cop + IP6_FRAG_HLEN);
677 /* No need for separate header pbuf - we allowed room for it in rambuf
680 IP6_FRAG_STATS_INC(ip6_frag.xmit);
681 netif->output_ip6(netif, rambuf, dest);
683 /* Unfortunately we can't reuse rambuf - the hardware may still be
684 * using the buffer. Instead we free it (and the ensuing chain) and
685 * recreate it next time round the loop. If we're lucky the hardware
686 * will have already sent the packet, the free will really free, and
687 * there will be zero memory penalty.
692 fragment_offset += cop;
697 #endif /* LWIP_IPV6 && LWIP_IPV6_FRAG */