1 // SPDX-License-Identifier: GPL-2.0-only
2 /* SIP extension for IP connection tracking.
3  *
4  * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar>
5  * based on RR's ip_conntrack_ftp.c and other modules.
6  * (C) 2007 United Security Providers
7  * (C) 2007, 2008 Patrick McHardy <kaber@trash.net>
8  */
9
10 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
11
12 #include <linux/module.h>
13 #include <linux/ctype.h>
14 #include <linux/skbuff.h>
15 #include <linux/inet.h>
16 #include <linux/in.h>
17 #include <linux/udp.h>
18 #include <linux/tcp.h>
19 #include <linux/netfilter.h>
20 #include <linux/netfilter_ipv4.h>
21 #include <linux/netfilter_ipv6.h>
22
23 #include <net/netfilter/nf_conntrack.h>
24 #include <net/netfilter/nf_conntrack_core.h>
25 #include <net/netfilter/nf_conntrack_expect.h>
26 #include <net/netfilter/nf_conntrack_helper.h>
27 #include <net/netfilter/nf_conntrack_zones.h>
28 #include <linux/netfilter/nf_conntrack_sip.h>
29
/* Name under which this conntrack helper is registered and aliased. */
#define HELPER_NAME "sip"

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>");
MODULE_DESCRIPTION("SIP connection tracking helper");
MODULE_ALIAS("ip_conntrack_sip");
MODULE_ALIAS_NFCT_HELPER(HELPER_NAME);

/* Upper bound on the number of entries accepted by the "ports" parameter. */
#define MAX_PORTS       8
static unsigned short ports[MAX_PORTS];
static unsigned int ports_c;	/* number of entries filled in from "ports" */
/* Mode 0400: owner read-only, so the list cannot be rewritten through sysfs. */
module_param_array(ports, ushort, &ports_c, 0400);
MODULE_PARM_DESC(ports, "port numbers of SIP servers");

/* The parameters below use mode 0600: owner may read and change them at
 * runtime. Their descriptions are the only statement of intent visible
 * here; the three sip_* switches decide how widely expectations are opened
 * for peers named inside SIP/SDP payloads.
 */
static unsigned int sip_timeout __read_mostly = SIP_TIMEOUT;
module_param(sip_timeout, uint, 0600);
MODULE_PARM_DESC(sip_timeout, "timeout for the master SIP session");

/* Default 1 (restrictive, per the description). */
static int sip_direct_signalling __read_mostly = 1;
module_param(sip_direct_signalling, int, 0600);
MODULE_PARM_DESC(sip_direct_signalling, "expect incoming calls from registrar "
                                        "only (default 1)");

/* Default 1 (restrictive, per the description). */
static int sip_direct_media __read_mostly = 1;
module_param(sip_direct_media, int, 0600);
MODULE_PARM_DESC(sip_direct_media, "Expect Media streams between signalling "
                                   "endpoints only (default 1)");

/* Default 0; NOTE(review): enabling it presumably widens the set of
 * endpoints for which media expectations are created - confirm against
 * the code that reads it before turning it on.
 */
static int sip_external_media __read_mostly = 0;
module_param(sip_external_media, int, 0600);
MODULE_PARM_DESC(sip_external_media, "Expect Media streams between external "
                                     "endpoints (default 0)");

/* Exported hook table pointer; it is not assigned anywhere in the part of
 * the file shown here (presumably installed by the SIP NAT module).
 */
const struct nf_nat_sip_hooks *nf_nat_sip_hooks;
EXPORT_SYMBOL_GPL(nf_nat_sip_hooks);
65
/* Count the run of alphabetic characters starting at dptr.
 *
 * The scan never reads at or beyond limit, which is the only bound on the
 * packet payload. ct and shift are unused; they are present so the function
 * fits the match_len callback signature.
 */
static int string_len(const struct nf_conn *ct, const char *dptr,
		      const char *limit, int *shift)
{
	const char *p;

	for (p = dptr; p < limit && isalpha(*p); p++)
		;
	return p - dptr;
}
77
/* Count the run of decimal digits starting at dptr, stopping at limit.
 *
 * Only the length is returned; the digits are not converted here. ct and
 * shift are unused (match_len callback signature).
 */
static int digits_len(const struct nf_conn *ct, const char *dptr,
		      const char *limit, int *shift)
{
	int count;

	for (count = 0; dptr + count < limit; count++) {
		if (!isdigit(dptr[count]))
			break;
	}
	return count;
}
88
/* Return 1 if c may appear in a Call-ID "word", else 0.
 *
 * Accepted: alphanumerics plus the punctuation listed below. Notably not
 * accepted: '@' (handled by the caller as the local/domain separator),
 * whitespace, ',', ';' and '='.
 */
static int iswordc(const char c)
{
	if (isalnum(c))
		return 1;

	switch (c) {
	case '!': case '"': case '%': case '\'':
	case '(': case ')': case '*': case '+':
	case '-': case '.': case '/':
	case ':': case '<': case '>': case '?':
	case '[': case '\\': case ']':
	case '_': case '`':
	case '{': case '}': case '~':
		return 1;
	default:
		return 0;
	}
}
99
/* Length of the run of iswordc() characters at dptr, bounded by limit. */
static int word_len(const char *dptr, const char *limit)
{
	const char *p = dptr;

	while (p < limit) {
		if (!iswordc(*p))
			break;
		p++;
	}
	return p - dptr;
}
109
/* Length of a Call-ID value of the form "word" or "word@word".
 *
 * Returns the length of the leading word when no '@' follows it (0 if the
 * word is empty), the full "word@word" length when a domain part is
 * present, and 0 when '@' is followed by an empty domain part.
 * ct and shift are unused (match_len callback signature).
 */
static int callid_len(const struct nf_conn *ct, const char *dptr,
		      const char *limit, int *shift)
{
	int local_len = word_len(dptr, limit);
	const char *at = dptr + local_len;
	int host_len;

	if (local_len == 0)
		return local_len;
	/* The limit test comes first so '@' is never read past the payload. */
	if (at == limit || *at != '@')
		return local_len;

	host_len = word_len(at + 1, limit);
	return host_len ? local_len + 1 + host_len : 0;
}
127
/* Length of "<media type> <port>" in an SDP m= line: an alphabetic run, one
 * space, then a run of digits. Returns 0 when the space is missing or the
 * payload ends first. A type followed by a space but no digits still
 * yields a non-zero length (type + 1).
 */
static int media_len(const struct nf_conn *ct, const char *dptr,
		     const char *limit, int *shift)
{
	const char *p;
	int type_len = string_len(ct, dptr, limit, shift);

	p = dptr + type_len;
	if (p >= limit || *p != ' ')
		return 0;
	p++;

	return type_len + 1 + digits_len(ct, p, limit, shift);
}
142
/* Parse a textual IPv4/IPv6 address at cp into *addr.
 *
 * The address family is taken from the conntrack entry, not from the
 * payload. For IPv6, delim == true requires the address to be enclosed in
 * '[' ... ']'; with delim == false the brackets are optional. Parsing is
 * bounded by limit. On success *endp (if non-NULL) points just past the
 * address, including a closing ']'.
 *
 * Returns 1 on success, 0 on failure or when ct is NULL. *addr is zeroed
 * before parsing, so it may be cleared even on failure.
 */
static int sip_parse_addr(const struct nf_conn *ct, const char *cp,
			  const char **endp, union nf_inet_addr *addr,
			  const char *limit, bool delim)
{
	const char *end;
	bool bracket;

	if (!ct)
		return 0;

	memset(addr, 0, sizeof(*addr));
	switch (nf_ct_l3num(ct)) {
	case AF_INET:
		if (!in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end))
			return 0;
		break;
	case AF_INET6:
		bracket = cp < limit && *cp == '[';
		if (bracket)
			cp++;
		else if (delim)
			return 0;

		if (!in6_pton(cp, limit - cp, (u8 *)&addr->ip6, -1, &end))
			return 0;

		bracket = end < limit && *end == ']';
		if (bracket)
			end++;
		else if (delim)
			return 0;
		break;
	default:
		BUG();
	}

	if (endp)
		*endp = end;
	return 1;
}
183
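/* Skip an endpoint address ("addr" or "addr:port") and return its length,
 * or 0 if no address can be parsed at dptr.
 *
 * The payload is delimited by limit rather than by a NUL byte, so every
 * read - including the debug print - is bounded by limit.
 */
static int epaddr_len(const struct nf_conn *ct, const char *dptr,
		      const char *limit, int *shift)
{
	union nf_inet_addr addr;
	const char *aux = dptr;

	if (!sip_parse_addr(ct, dptr, &dptr, &addr, limit, true)) {
		/* Bounded print: a plain %s would run past the payload. */
		pr_debug("ip: %.*s parse failed.!\n",
			 (int)(limit - dptr), dptr);
		return 0;
	}

	/* Port number. The address may end exactly at limit, so check the
	 * bound before looking for ':'.
	 */
	if (dptr < limit && *dptr == ':') {
		dptr++;
		dptr += digits_len(ct, dptr, limit, shift);
	}
	return dptr - aux;
}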
203
/* Return the length of the endpoint address in a sip: URI, skipping an
 * optional "userinfo@" prefix.
 *
 * If an '@' is found before the end of the line, *shift is increased by the
 * number of bytes skipped (userinfo plus '@') and the address is measured
 * from there; otherwise *shift is left unchanged and the address is
 * measured from dptr. We are inside a sip: URI, so continuation lines do
 * not need to be considered.
 */
static int skp_epaddr_len(const struct nf_conn *ct, const char *dptr,
			  const char *limit, int *shift)
{
	const char *at = dptr;

	while (at < limit && *at != '@' && *at != '\r' && *at != '\n')
		at++;

	if (at < limit && *at == '@') {
		at++;
		*shift += at - dptr;
		dptr = at;
	}

	return epaddr_len(ct, dptr, limit, shift);
}
230
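/* Parse a SIP request line of the form:
 *
 * Request-Line = Method SP Request-URI SP SIP-Version CRLF
 *
 * and return the offset and length of the address contained in the
 * Request-URI, together with the parsed address and port.
 *
 * Returns 1 on success, 0 if no method or no address is found, and -1 if
 * the line ends before "sip:", the address cannot be parsed, or the port
 * is outside 1024..65535. When no port is given, SIP_PORT is used.
 *
 * All reads are bounded by dptr + datalen; the payload is not assumed to
 * be NUL-terminated.
 */
int ct_sip_parse_request(const struct nf_conn *ct,
			 const char *dptr, unsigned int datalen,
			 unsigned int *matchoff, unsigned int *matchlen,
			 union nf_inet_addr *addr, __be16 *port)
{
	const char *start = dptr, *limit = dptr + datalen, *end;
	unsigned int mlen;
	unsigned int p;
	int shift = 0;

	/* Skip method and following whitespace */
	mlen = string_len(ct, dptr, limit, NULL);
	if (!mlen)
		return 0;
	dptr += mlen;
	if (++dptr >= limit)
		return 0;

	/* Find SIP URI. The bound is written as a length comparison so no
	 * pointer before the start of the buffer is formed when fewer than
	 * strlen("sip:") bytes remain.
	 */
	for (; (size_t)(limit - dptr) > strlen("sip:"); dptr++) {
		if (*dptr == '\r' || *dptr == '\n')
			return -1;
		if (strncasecmp(dptr, "sip:", strlen("sip:")) == 0) {
			dptr += strlen("sip:");
			break;
		}
	}
	if (!skp_epaddr_len(ct, dptr, limit, &shift))
		return 0;
	dptr += shift;

	if (!sip_parse_addr(ct, dptr, &end, addr, limit, true))
		return -1;
	if (end < limit && *end == ':') {
		end++;
		/* Parse the port digit by digit so the scan stops at limit
		 * and an over-long number is rejected instead of wrapping
		 * back into the accepted range.
		 */
		p = 0;
		while (end < limit && isdigit(*end)) {
			p = p * 10 + (*end - '0');
			if (p > 65535)
				return -1;
			end++;
		}
		if (p < 1024)
			return -1;
		*port = htons(p);
	} else
		*port = htons(SIP_PORT);

	if (end == dptr)
		return 0;
	*matchoff = dptr - start;
	*matchlen = end - dptr;
	return 1;
}
EXPORT_SYMBOL_GPL(ct_sip_parse_request);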
286
287 /* SIP header parsing: SIP headers are located at the beginning of a line, but
288  * may span several lines, in which case the continuation lines begin with a
289  * whitespace character. RFC 2543 allows lines to be terminated with CR, LF or
290  * CRLF, RFC 3261 allows only CRLF, we support both.
291  *
292  * Headers are followed by (optionally) whitespace, a colon, again (optionally)
293  * whitespace and the values. Whitespace in this context means any amount of
294  * tabs, spaces and continuation lines, which are treated as a single whitespace
295  * character.
296  *
297  * Some headers may appear multiple times. A comma separated list of values is
298  * equivalent to multiple headers.
299  */
/* Header descriptors indexed by enum sip_header_types. SIP_HDR() is defined
 * outside this file; judging by the fields read by ct_sip_get_header(), its
 * arguments appear to be (name, compact name, search string, match_len
 * callback) - confirm against the macro definition.
 */
static const struct sip_header ct_sip_hdrs[] = {
        [SIP_HDR_CSEQ]                  = SIP_HDR("CSeq", NULL, NULL, digits_len),
        [SIP_HDR_FROM]                  = SIP_HDR("From", "f", "sip:", skp_epaddr_len),
        [SIP_HDR_TO]                    = SIP_HDR("To", "t", "sip:", skp_epaddr_len),
        [SIP_HDR_CONTACT]               = SIP_HDR("Contact", "m", "sip:", skp_epaddr_len),
        [SIP_HDR_VIA_UDP]               = SIP_HDR("Via", "v", "UDP ", epaddr_len),
        [SIP_HDR_VIA_TCP]               = SIP_HDR("Via", "v", "TCP ", epaddr_len),
        [SIP_HDR_EXPIRES]               = SIP_HDR("Expires", NULL, NULL, digits_len),
        [SIP_HDR_CONTENT_LENGTH]        = SIP_HDR("Content-Length", "l", NULL, digits_len),
        [SIP_HDR_CALL_ID]               = SIP_HDR("Call-Id", "i", NULL, callid_len),
};
311
/* Given dptr pointing at a line terminator (CR or LF), step over it (and
 * over the LF of a CR LF pair) and check whether the next line is a
 * continuation line, i.e. starts with a space or tab.
 *
 * Returns a pointer to the first non-whitespace byte of the continuation
 * line (which may equal limit if the line is all whitespace), or NULL if
 * the payload ends or the next line is not a continuation.
 */
static const char *sip_follow_continuation(const char *dptr, const char *limit)
{
	const char *p = dptr + 1;

	/* Walk past newline */
	if (p >= limit)
		return NULL;

	/* Skip '\n' in CR LF */
	if (*dptr == '\r' && *p == '\n') {
		p++;
		if (p >= limit)
			return NULL;
	}

	/* Continuation line? */
	if (*p != ' ' && *p != '\t')
		return NULL;

	/* Skip leading whitespace */
	while (p < limit && (*p == ' ' || *p == '\t'))
		p++;
	return p;
}
335
/* Skip spaces and tabs at dptr; if a line terminator follows, continue on
 * the next line only when it is a continuation line.
 *
 * Returns the first non-whitespace position, NULL when a line terminator
 * is not followed by a continuation line, or limit when the payload ends
 * inside the whitespace run - callers must check the result against limit
 * before dereferencing it.
 */
static const char *sip_skip_whitespace(const char *dptr, const char *limit)
{
	while (dptr < limit && (*dptr == ' ' || *dptr == '\t'))
		dptr++;

	if (dptr < limit && (*dptr == '\r' || *dptr == '\n'))
		return sip_follow_continuation(dptr, limit);
	return dptr;
}
348
/* Case-insensitive search for needle (len bytes) within a SIP header value,
 * following continuation lines.
 *
 * Only positions strictly below limit - len are tried, so a match always
 * lies fully inside the payload; a needle that ends exactly at limit is
 * not reported. Returns the match position, or NULL if the header value
 * ends first.
 */
static const char *ct_sip_header_search(const char *dptr, const char *limit,
					const char *needle, unsigned int len)
{
	const char *stop = limit - len;
	const char *p;

	for (p = dptr; p < stop; p++) {
		if (*p != '\r' && *p != '\n') {
			if (strncasecmp(p, needle, len) == 0)
				return p;
			continue;
		}

		/* Line end: carry on only if a continuation line follows.
		 * The loop increment then steps past its first byte.
		 */
		p = sip_follow_continuation(p, stop);
		if (p == NULL)
			return NULL;
	}
	return NULL;
}
366
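/* Locate the first header of the given type at or after dataoff and return
 * the offset and length of the value selected by that header's match_len
 * callback.
 *
 * A header is only recognised at the start of a line, i.e. after a CR, LF
 * or CR LF found while scanning from dataoff; continuation lines are
 * skipped. Returns 1 on a match, 0 if no such header is found, and -1 if
 * the header is present but its value cannot be matched (*matchoff is set
 * in that case as well, which callers use to resume the scan).
 *
 * type indexes ct_sip_hdrs[] without a range check here, so it must be a
 * valid enum sip_header_types value.
 */
int ct_sip_get_header(const struct nf_conn *ct, const char *dptr,
		      unsigned int dataoff, unsigned int datalen,
		      enum sip_header_types type,
		      unsigned int *matchoff, unsigned int *matchlen)
{
	const struct sip_header *hdr = &ct_sip_hdrs[type];
	const char *start = dptr, *limit = dptr + datalen;
	int shift = 0;

	for (dptr += dataoff; dptr < limit; dptr++) {
		/* Find beginning of line */
		if (*dptr != '\r' && *dptr != '\n')
			continue;
		if (++dptr >= limit)
			break;
		if (*(dptr - 1) == '\r' && *dptr == '\n') {
			if (++dptr >= limit)
				break;
		}

		/* Skip continuation lines */
		if (*dptr == ' ' || *dptr == '\t')
			continue;

		/* Find header. Compact headers must be followed by a
		 * non-alphabetic character to avoid mismatches. */
		if (limit - dptr >= hdr->len &&
		    strncasecmp(dptr, hdr->name, hdr->len) == 0)
			dptr += hdr->len;
		else if (hdr->cname && limit - dptr >= hdr->clen + 1 &&
			 strncasecmp(dptr, hdr->cname, hdr->clen) == 0 &&
			 !isalpha(*(dptr + hdr->clen)))
			dptr += hdr->clen;
		else
			continue;

		/* Find and skip colon. sip_skip_whitespace() returns limit
		 * when the payload ends inside the whitespace run, so check
		 * the bound before reading the byte.
		 */
		dptr = sip_skip_whitespace(dptr, limit);
		if (dptr == NULL || dptr >= limit)
			break;
		if (*dptr != ':' || ++dptr >= limit)
			break;

		/* Skip whitespace after colon */
		dptr = sip_skip_whitespace(dptr, limit);
		if (dptr == NULL)
			break;

		*matchoff = dptr - start;
		if (hdr->search) {
			dptr = ct_sip_header_search(dptr, limit, hdr->search,
						    hdr->slen);
			if (!dptr)
				return -1;
			dptr += hdr->slen;
		}

		*matchlen = hdr->match_len(ct, dptr, limit, &shift);
		if (!*matchlen)
			return -1;
		*matchoff = dptr - start + shift;
		return 1;
	}
	return 0;
}
EXPORT_SYMBOL_GPL(ct_sip_get_header);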
433
/* Get the next value in a comma separated list inside the current header.
 *
 * Searches from dataoff for ',' and then for the header's search string,
 * and measures the value with the header's match_len callback. Returns 1
 * on success, 0 if there is no further value, -1 if a value is found but
 * cannot be matched (*matchoff is still set).
 */
static int ct_sip_next_header(const struct nf_conn *ct, const char *dptr,
			      unsigned int dataoff, unsigned int datalen,
			      enum sip_header_types type,
			      unsigned int *matchoff, unsigned int *matchlen)
{
	const struct sip_header *hdr = &ct_sip_hdrs[type];
	const char *limit = dptr + datalen;
	const char *pos;
	int shift = 0;

	pos = ct_sip_header_search(dptr + dataoff, limit, ",", strlen(","));
	if (pos)
		pos = ct_sip_header_search(pos, limit, hdr->search, hdr->slen);
	if (!pos)
		return 0;
	pos += hdr->slen;

	*matchoff = pos - dptr;
	*matchlen = hdr->match_len(ct, pos, limit, &shift);
	if (*matchlen == 0)
		return -1;
	*matchoff += shift;
	return 1;
}
462
/* Walk through headers until a parsable one is found or no header of the
 * given type is left.
 *
 * When *in_header is set, the remaining comma separated values of the
 * current header are tried first. A negative result from either helper
 * means "found but unparsable": dataoff is advanced by *matchoff and the
 * search is retried. Returns 1 when a value was found (and sets
 * *in_header to 1 if in_header is non-NULL), 0 otherwise.
 */
static int ct_sip_walk_headers(const struct nf_conn *ct, const char *dptr,
			       unsigned int dataoff, unsigned int datalen,
			       enum sip_header_types type, int *in_header,
			       unsigned int *matchoff, unsigned int *matchlen)
{
	int ret;

	if (in_header && *in_header) {
		while ((ret = ct_sip_next_header(ct, dptr, dataoff, datalen,
						 type, matchoff,
						 matchlen)) < 0)
			dataoff += *matchoff;
		if (ret > 0)
			return ret;
		*in_header = 0;
	}

	while ((ret = ct_sip_get_header(ct, dptr, dataoff, datalen,
					type, matchoff, matchlen)) < 0)
		dataoff += *matchoff;
	if (ret == 0)
		return ret;

	if (in_header)
		*in_header = 1;
	return 1;
}
499
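/* Locate a SIP header, parse the URI and return the offset and length of
 * the address as well as the address and port themselves. A stream of
 * headers can be parsed by handing in a non-NULL dataoff and in_header
 * pointer; *dataoff is then updated to just past the parsed address/port.
 *
 * Returns 1 on success, 0 if no header of the given type is found, and -1
 * if the address cannot be parsed or the port is outside 1024..65535.
 * When no port is given, SIP_PORT is used. All reads are bounded by
 * dptr + datalen.
 */
int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr,
			    unsigned int *dataoff, unsigned int datalen,
			    enum sip_header_types type, int *in_header,
			    unsigned int *matchoff, unsigned int *matchlen,
			    union nf_inet_addr *addr, __be16 *port)
{
	const char *c, *limit = dptr + datalen;
	unsigned int p;
	int ret;

	ret = ct_sip_walk_headers(ct, dptr, dataoff ? *dataoff : 0, datalen,
				  type, in_header, matchoff, matchlen);
	WARN_ON(ret < 0);
	if (ret == 0)
		return ret;

	if (!sip_parse_addr(ct, dptr + *matchoff, &c, addr, limit, true))
		return -1;
	/* The address may end exactly at limit: check before reading. */
	if (c < limit && *c == ':') {
		c++;
		/* Parse the port digit by digit so the scan stops at limit
		 * and an over-long number is rejected instead of wrapping
		 * back into the accepted range.
		 */
		p = 0;
		while (c < limit && isdigit(*c)) {
			p = p * 10 + (*c - '0');
			if (p > 65535)
				return -1;
			c++;
		}
		if (p < 1024)
			return -1;
		*port = htons(p);
	} else
		*port = htons(SIP_PORT);

	if (dataoff)
		*dataoff = c - dptr;
	return 1;
}
EXPORT_SYMBOL_GPL(ct_sip_parse_header_uri);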
537
/* Find header parameter "name" after dataoff and return the offset and
 * length of its value.
 *
 * The search is confined to the current list element (up to the next ','
 * if there is one) and the value runs up to the next ';' or to that bound.
 * Returns 1 if the parameter is found, 0 otherwise. ct is unused.
 */
static int ct_sip_parse_param(const struct nf_conn *ct, const char *dptr,
			      unsigned int dataoff, unsigned int datalen,
			      const char *name,
			      unsigned int *matchoff, unsigned int *matchlen)
{
	const char *data_end = dptr + datalen;
	const char *from = dptr + dataoff;
	const char *limit, *start, *end;

	limit = ct_sip_header_search(from, data_end, ",", strlen(","));
	if (!limit)
		limit = data_end;

	start = ct_sip_header_search(from, limit, name, strlen(name));
	if (!start)
		return 0;
	start += strlen(name);

	end = ct_sip_header_search(start, limit, ";", strlen(";"));

	*matchoff = start - dptr;
	*matchlen = (end ? end : limit) - start;
	return 1;
}
564
/* Parse an address from header parameter "name" and return the address
 * together with the offset and length of its text.
 *
 * The search is confined to the current list element (up to the next ','
 * if there is one). delim is passed through to sip_parse_addr(). Returns
 * 1 on success, 0 if the parameter is absent or its value is not a
 * parsable address.
 */
int ct_sip_parse_address_param(const struct nf_conn *ct, const char *dptr,
			       unsigned int dataoff, unsigned int datalen,
			       const char *name,
			       unsigned int *matchoff, unsigned int *matchlen,
			       union nf_inet_addr *addr, bool delim)
{
	const char *data_end = dptr + datalen;
	const char *from = dptr + dataoff;
	const char *limit, *value, *value_end;

	limit = ct_sip_header_search(from, data_end, ",", strlen(","));
	if (!limit)
		limit = data_end;

	value = ct_sip_header_search(from, limit, name, strlen(name));
	if (!value)
		return 0;
	value += strlen(name);

	if (!sip_parse_addr(ct, value, &value_end, addr, limit, delim))
		return 0;

	*matchoff = value - dptr;
	*matchlen = value_end - value;
	return 1;
}
EXPORT_SYMBOL_GPL(ct_sip_parse_address_param);
591
/* Parse numerical header parameter "name" and return its value, offset and
 * length. matchoff/matchlen are only written when both are non-NULL.
 *
 * Returns 1 on success and 0 if the parameter is absent or has no digits;
 * *val is written before the "no digits" check, so it may be overwritten
 * (with 0) even when 0 is returned.
 *
 * NOTE(review): simple_strtoul() is called with base 0 and is not given
 * limit, so the conversion is bounded only by the first non-numeric byte,
 * not by the end of the payload or of the list element - worth confirming
 * that the buffer handed in is safe to read past.
 */
int ct_sip_parse_numerical_param(const struct nf_conn *ct, const char *dptr,
				 unsigned int dataoff, unsigned int datalen,
				 const char *name,
				 unsigned int *matchoff, unsigned int *matchlen,
				 unsigned int *val)
{
	const char *data_end = dptr + datalen;
	const char *from = dptr + dataoff;
	const char *limit, *digits;
	char *end;

	limit = ct_sip_header_search(from, data_end, ",", strlen(","));
	if (!limit)
		limit = data_end;

	digits = ct_sip_header_search(from, limit, name, strlen(name));
	if (!digits)
		return 0;
	digits += strlen(name);

	*val = simple_strtoul(digits, &end, 0);
	if (end == digits)
		return 0;

	if (matchoff && matchlen) {
		*matchoff = digits - dptr;
		*matchlen = end - digits;
	}
	return 1;
}
EXPORT_SYMBOL_GPL(ct_sip_parse_numerical_param);
622
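/* Determine the transport protocol named by a "transport=" parameter.
 *
 * Without the parameter, *proto is the conntrack entry's own protocol.
 * With it, the value must start with "TCP" or "UDP" (case-insensitive)
 * and must equal the conntrack entry's protocol. Returns 1 on success, 0
 * if the value is unknown or does not match the connection.
 */
static int ct_sip_parse_transport(struct nf_conn *ct, const char *dptr,
				  unsigned int dataoff, unsigned int datalen,
				  u8 *proto)
{
	unsigned int matchoff, matchlen;

	if (ct_sip_parse_param(ct, dptr, dataoff, datalen, "transport=",
			       &matchoff, &matchlen)) {
		/* Compare only when the value is long enough, so the
		 * comparison cannot read past the end of the parameter
		 * (and of the payload when the parameter comes last).
		 */
		if (matchlen >= strlen("TCP") &&
		    !strncasecmp(dptr + matchoff, "TCP", strlen("TCP")))
			*proto = IPPROTO_TCP;
		else if (matchlen >= strlen("UDP") &&
			 !strncasecmp(dptr + matchoff, "UDP", strlen("UDP")))
			*proto = IPPROTO_UDP;
		else
			return 0;

		if (*proto != nf_ct_protonum(ct))
			return 0;
	} else
		*proto = nf_ct_protonum(ct);

	return 1;
}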
645
/* Parse a textual address from an SDP line into *addr.
 *
 * The address family comes from the conntrack entry. Unlike
 * sip_parse_addr(), ct is not checked for NULL and IPv6 addresses are
 * parsed without '[' ']' handling. Parsing is bounded by limit. Returns
 * 1 on success (storing the end position in *endp if non-NULL), 0 on
 * failure; *addr is zeroed first in either case.
 */
static int sdp_parse_addr(const struct nf_conn *ct, const char *cp,
			  const char **endp, union nf_inet_addr *addr,
			  const char *limit)
{
	const char *end;

	memset(addr, 0, sizeof(*addr));
	switch (nf_ct_l3num(ct)) {
	case AF_INET:
		if (!in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end))
			return 0;
		break;
	case AF_INET6:
		if (!in6_pton(cp, limit - cp, (u8 *)&addr->ip6, -1, &end))
			return 0;
		break;
	default:
		BUG();
	}

	if (endp)
		*endp = end;
	return 1;
}
671
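/* Skip an IP address in an SDP line and return its length, or 0 if no
 * address can be parsed at dptr. shift is unused.
 *
 * The payload is delimited by limit rather than by a NUL byte, so the
 * debug print is bounded by limit as well.
 */
static int sdp_addr_len(const struct nf_conn *ct, const char *dptr,
			const char *limit, int *shift)
{
	union nf_inet_addr addr;
	const char *aux = dptr;

	if (!sdp_parse_addr(ct, dptr, &dptr, &addr, limit)) {
		/* Bounded print: a plain %s would run past the payload. */
		pr_debug("ip: %.*s parse failed.!\n",
			 (int)(limit - dptr), dptr);
		return 0;
	}

	return dptr - aux;
}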
686
687 /* SDP header parsing: a SDP session description contains an ordered set of
688  * headers, starting with a section containing general session parameters,
689  * optionally followed by multiple media descriptions.
690  *
691  * SDP headers always start at the beginning of a line. According to RFC 2327:
692  * "The sequence CRLF (0x0d0a) is used to end a record, although parsers should
693  * be tolerant and also accept records terminated with a single newline
694  * character". We handle both cases.
695  */
/* SDP line descriptors for IPv4 connections, indexed by enum
 * sdp_header_types. SDP_HDR() is defined outside this file; its arguments
 * appear to be (line prefix, search string, match_len callback) - confirm
 * against the macro definition.
 */
static const struct sip_header ct_sdp_hdrs_v4[] = {
        [SDP_HDR_VERSION]       = SDP_HDR("v=", NULL, digits_len),
        [SDP_HDR_OWNER]         = SDP_HDR("o=", "IN IP4 ", sdp_addr_len),
        [SDP_HDR_CONNECTION]    = SDP_HDR("c=", "IN IP4 ", sdp_addr_len),
        [SDP_HDR_MEDIA]         = SDP_HDR("m=", NULL, media_len),
};
702
/* SDP line descriptors for IPv6 connections; identical to the IPv4 table
 * except that owner and connection lines are searched for "IN IP6 ".
 */
static const struct sip_header ct_sdp_hdrs_v6[] = {
        [SDP_HDR_VERSION]       = SDP_HDR("v=", NULL, digits_len),
        [SDP_HDR_OWNER]         = SDP_HDR("o=", "IN IP6 ", sdp_addr_len),
        [SDP_HDR_CONNECTION]    = SDP_HDR("c=", "IN IP6 ", sdp_addr_len),
        [SDP_HDR_MEDIA]         = SDP_HDR("m=", NULL, media_len),
};
709
/* Linear, case-sensitive search for needle (len bytes) within one SDP line.
 *
 * The search stops at the first CR or LF and only tries positions strictly
 * below limit - len, so a needle ending exactly at limit is not reported.
 * Returns the match position or NULL.
 */
static const char *ct_sdp_header_search(const char *dptr, const char *limit,
					const char *needle, unsigned int len)
{
	const char *stop = limit - len;

	while (dptr < stop) {
		if (*dptr == '\r' || *dptr == '\n')
			return NULL;
		if (!strncmp(dptr, needle, len))
			return dptr;
		dptr++;
	}
	return NULL;
}
722
/* Locate a SDP header (optionally a substring within the header value),
 * optionally stopping at the first occurrence of the term header, parse
 * it and return the offset and length of the data we're interested in.
 *
 * The table used (IPv4 or IPv6) follows the conntrack entry's address
 * family. A header is only recognised at the start of a line, i.e. after
 * a CR, LF or CR LF found while scanning from dataoff. Returns 1 on a
 * match, 0 if the header is not found (or the term header comes first),
 * and -1 if the header is present but its value cannot be matched.
 *
 * type and term index the table without a range check here, so both must
 * be valid enum sdp_header_types values.
 */
int ct_sip_get_sdp_header(const struct nf_conn *ct, const char *dptr,
			  unsigned int dataoff, unsigned int datalen,
			  enum sdp_header_types type,
			  enum sdp_header_types term,
			  unsigned int *matchoff, unsigned int *matchlen)
{
	const struct sip_header *table, *hdr, *thdr;
	const char *base = dptr, *limit = dptr + datalen;
	int shift = 0;

	if (nf_ct_l3num(ct) == NFPROTO_IPV4)
		table = ct_sdp_hdrs_v4;
	else
		table = ct_sdp_hdrs_v6;
	hdr = &table[type];
	thdr = &table[term];

	for (dptr += dataoff; dptr < limit; dptr++) {
		/* Find beginning of line */
		if (*dptr != '\r' && *dptr != '\n')
			continue;
		if (++dptr >= limit)
			break;
		if (*(dptr - 1) == '\r' && *dptr == '\n' && ++dptr >= limit)
			break;

		/* The terminating header ends the search. */
		if (term != SDP_HDR_UNSPEC &&
		    limit - dptr >= thdr->len &&
		    strncasecmp(dptr, thdr->name, thdr->len) == 0)
			break;

		/* Not the header we want: keep scanning. */
		if (limit - dptr < hdr->len ||
		    strncasecmp(dptr, hdr->name, hdr->len) != 0)
			continue;
		dptr += hdr->len;

		*matchoff = dptr - base;
		if (hdr->search) {
			dptr = ct_sdp_header_search(dptr, limit, hdr->search,
						    hdr->slen);
			if (!dptr)
				return -1;
			dptr += hdr->slen;
		}

		*matchlen = hdr->match_len(ct, dptr, limit, &shift);
		if (!*matchlen)
			return -1;
		*matchoff = dptr - base + shift;
		return 1;
	}
	return 0;
}
EXPORT_SYMBOL_GPL(ct_sip_get_sdp_header);
780
/* Locate an SDP header of the given type and parse the address in it.
 *
 * The address parse is bounded by the matched span (*matchoff, *matchlen)
 * rather than by the whole payload. Returns 1 on success, the <= 0 result
 * of ct_sip_get_sdp_header() if the header is not found or not matched,
 * and -1 if the matched text is not a parsable address.
 */
static int ct_sip_parse_sdp_addr(const struct nf_conn *ct, const char *dptr,
				 unsigned int dataoff, unsigned int datalen,
				 enum sdp_header_types type,
				 enum sdp_header_types term,
				 unsigned int *matchoff, unsigned int *matchlen,
				 union nf_inet_addr *addr)
{
	const char *value;
	int ret;

	ret = ct_sip_get_sdp_header(ct, dptr, dataoff, datalen, type, term,
				    matchoff, matchlen);
	if (ret <= 0)
		return ret;

	value = dptr + *matchoff;
	return sdp_parse_addr(ct, value, NULL, addr, value + *matchlen) ? 1 : -1;
}
800
/* Extend the timeout of an existing signalling expectation for the given
 * destination address, protocol and port.
 *
 * Walks the connection's expectation list under nf_conntrack_expect_lock.
 * The first matching expectation whose timer is still pending gets its
 * timeout moved to jiffies + expires * HZ and its INACTIVE flag cleared.
 * Returns 1 if such an expectation was refreshed, 0 otherwise.
 *
 * NOTE(review): expires * HZ is computed in unsigned int; whether callers
 * bound expires is not visible here - confirm it cannot wrap.
 */
static int refresh_signalling_expectation(struct nf_conn *ct,
					  union nf_inet_addr *addr,
					  u8 proto, __be16 port,
					  unsigned int expires)
{
	struct nf_conn_help *help = nfct_help(ct);
	struct nf_conntrack_expect *exp;
	struct hlist_node *next;
	int found = 0;

	spin_lock_bh(&nf_conntrack_expect_lock);
	hlist_for_each_entry_safe(exp, next, &help->expectations, lnode) {
		bool same_target = exp->class == SIP_EXPECT_SIGNALLING &&
				   nf_inet_addr_cmp(&exp->tuple.dst.u3, addr) &&
				   exp->tuple.dst.protonum == proto &&
				   exp->tuple.dst.u.udp.port == port;

		if (!same_target)
			continue;
		if (!mod_timer_pending(&exp->timeout, jiffies + expires * HZ))
			continue;

		exp->flags &= ~NF_CT_EXPECT_INACTIVE;
		found = 1;
		break;
	}
	spin_unlock_bh(&nf_conntrack_expect_lock);
	return found;
}
827
/* Remove expectations hanging off @ct.
 *
 * With @media true every non-signalling (media) expectation is removed.
 * With @media false only signalling expectations are considered and the walk
 * stops after the first one that nf_ct_remove_expect() actually removed.
 */
static void flush_expectations(struct nf_conn *ct, bool media)
{
        struct nf_conn_help *help = nfct_help(ct);
        struct nf_conntrack_expect *exp;
        struct hlist_node *tmp;

        spin_lock_bh(&nf_conntrack_expect_lock);
        hlist_for_each_entry_safe(exp, tmp, &help->expectations, lnode) {
                bool is_media = exp->class != SIP_EXPECT_SIGNALLING;

                /* Skip entries of the kind we were not asked to flush. */
                if (is_media != media)
                        continue;

                if (nf_ct_remove_expect(exp) && !media)
                        break;
        }
        spin_unlock_bh(&nf_conntrack_expect_lock);
}
845
/* Set up the RTP and RTCP expectations for one SDP media stream.
 *
 * @daddr and @port are the media address and port the caller extracted from
 * the SDP body, i.e. values chosen by the remote endpoint. The expectations
 * created here let matching UDP flows through as related connections, so the
 * early-return checks below decide how much the message content is trusted.
 *
 * Returns NF_ACCEPT when the expectations were registered (or when no
 * expectation is needed), the NAT hook's verdict when NAT handles the media,
 * and NF_DROP on allocation or registration failure.
 */
static int set_expected_rtp_rtcp(struct sk_buff *skb, unsigned int protoff,
                                 unsigned int dataoff,
                                 const char **dptr, unsigned int *datalen,
                                 union nf_inet_addr *daddr, __be16 port,
                                 enum sip_expectation_classes class,
                                 unsigned int mediaoff, unsigned int medialen)
{
        struct nf_conntrack_expect *exp, *rtp_exp, *rtcp_exp;
        enum ip_conntrack_info ctinfo;
        struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
        struct net *net = nf_ct_net(ct);
        enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
        union nf_inet_addr *saddr;
        struct nf_conntrack_tuple tuple;
        /* ret starts as NF_DROP so every error exit below drops the packet. */
        int direct_rtp = 0, skip_expect = 0, ret = NF_DROP;
        u_int16_t base_port;
        __be16 rtp_port, rtcp_port;
        const struct nf_nat_sip_hooks *hooks;

        saddr = NULL;
        if (sip_direct_media) {
                /* Direct media: only create expectations when the advertised
                 * media address is the sender's own address, and pin the
                 * expected source to the address of the signalling peer.
                 */
                if (!nf_inet_addr_cmp(daddr, &ct->tuplehash[dir].tuple.src.u3))
                        return NF_ACCEPT;
                saddr = &ct->tuplehash[!dir].tuple.src.u3;
        } else if (sip_external_media) {
                /* NOTE(review): skb_dst(skb) is dereferenced without a NULL
                 * check; this assumes the skb always carries a dst here.
                 */
                struct net_device *dev = skb_dst(skb)->dev;
                /* This 'net' shadows the function-scope 'net' above. */
                struct net *net = dev_net(dev);
                struct flowi fl;
                struct dst_entry *dst = NULL;

                memset(&fl, 0, sizeof(fl));

                /* Route lookup towards the advertised media address; the
                 * return values are ignored and only 'dst' is inspected.
                 */
                switch (nf_ct_l3num(ct)) {
                        case NFPROTO_IPV4:
                                fl.u.ip4.daddr = daddr->ip;
                                nf_ip_route(net, &dst, &fl, false);
                                break;

                        case NFPROTO_IPV6:
                                fl.u.ip6.daddr = daddr->in6;
                                nf_ip6_route(net, &dst, &fl, false);
                                break;
                }

                /* Don't predict any conntracks when media endpoint is reachable
                 * through the same interface as the signalling peer.
                 */
                if (dst) {
                        bool external_media = (dst->dev == dev);

                        dst_release(dst);
                        if (external_media)
                                return NF_ACCEPT;
                }
        }
        /* When neither branch set saddr it stays NULL and is passed as the
         * expected source below; presumably that means "any source" to
         * nf_ct_expect_init() - confirm. In that case the expectation is
         * constrained only by the destination taken from the SDP body.
         */

        /* We need to check whether the registration exists before attempting
         * to register it since we can see the same media description multiple
         * times on different connections in case multiple endpoints receive
         * the same call.
         *
         * RTP optimization: if we find a matching media channel expectation
         * and both the expectation and this connection are SNATed, we assume
         * both sides can reach each other directly and use the final
         * destination address from the expectation. We still need to keep
         * the NATed expectations for media that might arrive from the
         * outside, and additionally need to expect the direct RTP stream
         * in case it passes through us even without NAT.
         */
        memset(&tuple, 0, sizeof(tuple));
        if (saddr)
                tuple.src.u3 = *saddr;
        tuple.src.l3num         = nf_ct_l3num(ct);
        tuple.dst.protonum      = IPPROTO_UDP;
        tuple.dst.u3            = *daddr;
        tuple.dst.u.udp.port    = port;

        /* The loop runs at most twice: direct_rtp can be set only once, and
         * every other path either breaks or sets skip_expect.
         */
        do {
                exp = __nf_ct_expect_find(net, nf_ct_zone(ct), &tuple);

                /* Stop on no match, on our own expectation, on one owned by
                 * a different helper, or on a different media class.
                 */
                if (!exp || exp->master == ct ||
                    nfct_help(exp->master)->helper != nfct_help(ct)->helper ||
                    exp->class != class)
                        break;
#if IS_ENABLED(CONFIG_NF_NAT)
                if (!direct_rtp &&
                    (!nf_inet_addr_cmp(&exp->saved_addr, &exp->tuple.dst.u3) ||
                     exp->saved_proto.udp.port != exp->tuple.dst.u.udp.port) &&
                    ct->status & IPS_NAT_MASK) {
                        /* Note: this writes through the caller's daddr. */
                        *daddr                  = exp->saved_addr;
                        tuple.dst.u3            = exp->saved_addr;
                        tuple.dst.u.udp.port    = exp->saved_proto.udp.port;
                        direct_rtp = 1;
                } else
#endif
                        skip_expect = 1;
        } while (!skip_expect);

        /* RTP uses the even port (low bit cleared), RTCP the next one. */
        base_port = ntohs(tuple.dst.u.udp.port) & ~1;
        rtp_port = htons(base_port);
        rtcp_port = htons(base_port + 1);

        if (direct_rtp) {
                hooks = rcu_dereference(nf_nat_sip_hooks);
                /* A zero return from the sdp_port hook takes the err1 exit,
                 * where ret is still NF_DROP.
                 */
                if (hooks &&
                    !hooks->sdp_port(skb, protoff, dataoff, dptr, datalen,
                                     mediaoff, medialen, ntohs(rtp_port)))
                        goto err1;
        }

        if (skip_expect)
                return NF_ACCEPT;

        rtp_exp = nf_ct_expect_alloc(ct);
        if (rtp_exp == NULL)
                goto err1;
        nf_ct_expect_init(rtp_exp, class, nf_ct_l3num(ct), saddr, daddr,
                          IPPROTO_UDP, NULL, &rtp_port);

        rtcp_exp = nf_ct_expect_alloc(ct);
        if (rtcp_exp == NULL)
                goto err2;
        nf_ct_expect_init(rtcp_exp, class, nf_ct_l3num(ct), saddr, daddr,
                          IPPROTO_UDP, NULL, &rtcp_port);

        hooks = rcu_dereference(nf_nat_sip_hooks);
        if (hooks && ct->status & IPS_NAT_MASK && !direct_rtp)
                /* NATed connection: the hook receives both expectations and
                 * its return value becomes the verdict.
                 */
                ret = hooks->sdp_media(skb, protoff, dataoff, dptr,
                                       datalen, rtp_exp, rtcp_exp,
                                       mediaoff, medialen, daddr);
        else {
                /* -EALREADY handling works around end-points that send
                 * SDP messages with identical port but different media type,
                 * we pretend expectation was set up.
                 */
                int errp = nf_ct_expect_related(rtp_exp);

                if (errp == 0 || errp == -EALREADY) {
                        int errcp = nf_ct_expect_related(rtcp_exp);

                        if (errcp == 0 || errcp == -EALREADY)
                                ret = NF_ACCEPT;
                        /* Undo the RTP expectation only if this call added
                         * it; an -EALREADY one is left in place.
                         */
                        else if (errp == 0)
                                nf_ct_unexpect_related(rtp_exp);
                }
        }
        /* Drop the references taken by nf_ct_expect_alloc(). */
        nf_ct_expect_put(rtcp_exp);
err2:
        nf_ct_expect_put(rtp_exp);
err1:
        return ret;
}
998
/* Media types recognised at the start of an SDP media description, each
 * mapped to its expectation class. The trailing space belongs to the literal
 * and is therefore part of what sdp_media_type() compares (assuming
 * SDP_MEDIA_TYPE() records the literal's length - confirm against the macro).
 */
static const struct sdp_media_type sdp_media_types[] = {
        SDP_MEDIA_TYPE("audio ", SIP_EXPECT_AUDIO),
        SDP_MEDIA_TYPE("video ", SIP_EXPECT_VIDEO),
        SDP_MEDIA_TYPE("image ", SIP_EXPECT_IMAGE),
};

/* Return the table entry whose name is a prefix of the @matchlen bytes found
 * at @dptr + @matchoff, or NULL when no known media type matches.
 */
static const struct sdp_media_type *sdp_media_type(const char *dptr,
                                                   unsigned int matchoff,
                                                   unsigned int matchlen)
{
        const struct sdp_media_type *entry = sdp_media_types;
        const struct sdp_media_type *end = entry + ARRAY_SIZE(sdp_media_types);
        const char *media = dptr + matchoff;

        for (; entry < end; entry++) {
                /* Length is checked first so the comparison never looks at
                 * more bytes than the matched header value holds.
                 */
                if (matchlen >= entry->len &&
                    strncmp(media, entry->name, entry->len) == 0)
                        return entry;
        }
        return NULL;
}
1021
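/* Parse the SDP body of a SIP message and set up RTP/RTCP expectations for
 * every active media stream it describes.
 *
 * All addresses and ports handled here come from the message body and are
 * therefore controlled by the sending endpoint. Ports below 1024 or above
 * 65535 are rejected with NF_DROP; a port of zero marks an inactive stream
 * and is skipped. @cseq is not used by this function.
 *
 * Returns NF_ACCEPT when there is no SDP body or everything was processed,
 * NF_DROP (or the failing hook's verdict) otherwise.
 */
static int process_sdp(struct sk_buff *skb, unsigned int protoff,
                       unsigned int dataoff,
                       const char **dptr, unsigned int *datalen,
                       unsigned int cseq)
{
        enum ip_conntrack_info ctinfo;
        struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
        unsigned int matchoff, matchlen;
        unsigned int mediaoff, medialen;
        unsigned int sdpoff;
        unsigned int caddr_len, maddr_len;
        unsigned int i;
        union nf_inet_addr caddr, maddr, rtp_addr;
        const struct nf_nat_sip_hooks *hooks;
        unsigned int port;
        const struct sdp_media_type *t;
        /* Set once rtp_addr holds an address taken from the message. */
        bool have_rtp_addr = false;
        int ret = NF_ACCEPT;

        hooks = rcu_dereference(nf_nat_sip_hooks);

        /* Find beginning of session description */
        if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen,
                                  SDP_HDR_VERSION, SDP_HDR_UNSPEC,
                                  &matchoff, &matchlen) <= 0)
                return NF_ACCEPT;
        sdpoff = matchoff;

        /* The connection information is contained in the session description
         * and/or once per media description. The first media description marks
         * the end of the session description. */
        caddr_len = 0;
        if (ct_sip_parse_sdp_addr(ct, *dptr, sdpoff, *datalen,
                                  SDP_HDR_CONNECTION, SDP_HDR_MEDIA,
                                  &matchoff, &matchlen, &caddr) > 0)
                caddr_len = matchlen;

        /* i counts streams for which expectations were set up, so at most
         * ARRAY_SIZE(sdp_media_types) streams are handled per message.
         */
        mediaoff = sdpoff;
        for (i = 0; i < ARRAY_SIZE(sdp_media_types); ) {
                if (ct_sip_get_sdp_header(ct, *dptr, mediaoff, *datalen,
                                          SDP_HDR_MEDIA, SDP_HDR_UNSPEC,
                                          &mediaoff, &medialen) <= 0)
                        break;

                /* Get media type and port number. A media port value of zero
                 * indicates an inactive stream. */
                t = sdp_media_type(*dptr, mediaoff, medialen);
                if (!t) {
                        mediaoff += medialen;
                        continue;
                }
                mediaoff += t->len;
                medialen -= t->len;

                port = simple_strtoul(*dptr + mediaoff, NULL, 10);
                if (port == 0)
                        continue;
                if (port < 1024 || port > 65535) {
                        nf_ct_helper_log(skb, ct, "wrong port %u", port);
                        return NF_DROP;
                }

                /* The media description overrides the session description. */
                maddr_len = 0;
                if (ct_sip_parse_sdp_addr(ct, *dptr, mediaoff, *datalen,
                                          SDP_HDR_CONNECTION, SDP_HDR_MEDIA,
                                          &matchoff, &matchlen, &maddr) > 0) {
                        maddr_len = matchlen;
                        memcpy(&rtp_addr, &maddr, sizeof(rtp_addr));
                } else if (caddr_len)
                        memcpy(&rtp_addr, &caddr, sizeof(rtp_addr));
                else {
                        nf_ct_helper_log(skb, ct, "cannot parse SDP message");
                        return NF_DROP;
                }
                have_rtp_addr = true;

                ret = set_expected_rtp_rtcp(skb, protoff, dataoff,
                                            dptr, datalen,
                                            &rtp_addr, htons(port), t->class,
                                            mediaoff, medialen);
                if (ret != NF_ACCEPT) {
                        nf_ct_helper_log(skb, ct,
                                         "cannot add expectation for voice");
                        return ret;
                }

                /* Update media connection address if present */
                if (maddr_len && hooks && ct->status & IPS_NAT_MASK) {
                        ret = hooks->sdp_addr(skb, protoff, dataoff,
                                              dptr, datalen, mediaoff,
                                              SDP_HDR_CONNECTION,
                                              SDP_HDR_MEDIA,
                                              &rtp_addr);
                        if (ret != NF_ACCEPT) {
                                nf_ct_helper_log(skb, ct, "cannot mangle SDP");
                                return ret;
                        }
                }
                i++;
        }

        /* Update session connection and owner addresses.
         *
         * rtp_addr is only written inside the loop above. A body with no
         * media line, only unknown media types, or only inactive (port 0)
         * streams leaves it uninitialized, and handing it to the NAT hook
         * would pass stack contents along as an address. Skip the session
         * rewrite in that case: no media address was established, so there
         * is nothing valid to write.
         */
        hooks = rcu_dereference(nf_nat_sip_hooks);
        if (have_rtp_addr && hooks && ct->status & IPS_NAT_MASK)
                ret = hooks->sdp_session(skb, protoff, dataoff,
                                         dptr, datalen, sdpoff,
                                         &rtp_addr);

        return ret;
}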
/* Handle a response to INVITE.
 *
 * Provisional (1xx) and success (2xx) responses may carry SDP and are handed
 * to process_sdp(). Any other status code flushes the media expectations,
 * but only when @cseq matches the CSeq stored for the last INVITE, so a
 * response with a different CSeq leaves existing expectations alone.
 */
static int process_invite_response(struct sk_buff *skb, unsigned int protoff,
                                   unsigned int dataoff,
                                   const char **dptr, unsigned int *datalen,
                                   unsigned int cseq, unsigned int code)
{
        enum ip_conntrack_info ctinfo;
        struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
        struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);

        if (code < 100 || code > 299) {
                if (ct_sip_info->invite_cseq == cseq)
                        flush_expectations(ct, true);
                return NF_ACCEPT;
        }

        return process_sdp(skb, protoff, dataoff, dptr, datalen, cseq);
}
1147
/* Handle a response to UPDATE.
 *
 * 1xx and 2xx responses are passed to process_sdp(). For every other status
 * code the media expectations are flushed if @cseq equals the stored
 * invite_cseq; otherwise nothing is changed. The packet is accepted in both
 * of the latter cases.
 */
static int process_update_response(struct sk_buff *skb, unsigned int protoff,
                                   unsigned int dataoff,
                                   const char **dptr, unsigned int *datalen,
                                   unsigned int cseq, unsigned int code)
{
        enum ip_conntrack_info ctinfo;
        struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
        struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);
        bool may_carry_sdp = code >= 100 && code <= 299;

        if (may_carry_sdp)
                return process_sdp(skb, protoff, dataoff, dptr, datalen, cseq);

        if (ct_sip_info->invite_cseq == cseq)
                flush_expectations(ct, true);

        return NF_ACCEPT;
}
1164
/* Handle a response to PRACK.
 *
 * Status codes 100-299 go through process_sdp(). Other codes flush the media
 * expectations when @cseq matches the stored invite_cseq, and the packet is
 * accepted.
 */
static int process_prack_response(struct sk_buff *skb, unsigned int protoff,
                                  unsigned int dataoff,
                                  const char **dptr, unsigned int *datalen,
                                  unsigned int cseq, unsigned int code)
{
        enum ip_conntrack_info ctinfo;
        struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
        struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);

        switch (code / 100) {
        case 1:
        case 2:
                return process_sdp(skb, protoff, dataoff, dptr, datalen, cseq);
        default:
                break;
        }

        if (ct_sip_info->invite_cseq == cseq)
                flush_expectations(ct, true);
        return NF_ACCEPT;
}
1181
/* Handle an INVITE request: drop the media expectations currently attached
 * to the connection, process the SDP body, and remember @cseq as the INVITE
 * CSeq only when the SDP was accepted.
 */
static int process_invite_request(struct sk_buff *skb, unsigned int protoff,
                                  unsigned int dataoff,
                                  const char **dptr, unsigned int *datalen,
                                  unsigned int cseq)
{
        enum ip_conntrack_info ctinfo;
        struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
        struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);
        unsigned int verdict;

        /* Old media expectations go first, before the new SDP is parsed. */
        flush_expectations(ct, true);

        verdict = process_sdp(skb, protoff, dataoff, dptr, datalen, cseq);
        if (verdict != NF_ACCEPT)
                return verdict;

        ct_sip_info->invite_cseq = cseq;
        return verdict;
}
1198
/* Handle a BYE request: remove all media expectations of the connection and
 * accept the packet. The message body is not inspected.
 */
static int process_bye_request(struct sk_buff *skb, unsigned int protoff,
                               unsigned int dataoff,
                               const char **dptr, unsigned int *datalen,
                               unsigned int cseq)
{
        enum ip_conntrack_info ctinfo;

        flush_expectations(nf_ct_get(skb, &ctinfo), true);
        return NF_ACCEPT;
}
1210
/* Parse a REGISTER request and create a permanent expectation for incoming
 * signalling connections. The expectation is marked inactive and is activated
 * when receiving a response indicating success from the registrar.
 *
 * The Contact address, port, transport and expiry all come from the message.
 * An expectation is only created when the Contact address equals the source
 * address of the packet, so a client cannot register an address other than
 * its own through this helper.
 *
 * Returns NF_ACCEPT or NF_DROP, or the verdict of the NAT expect hook. On
 * NF_ACCEPT after the Contact was parsed, @cseq is stored as register_cseq.
 */
static int process_register_request(struct sk_buff *skb, unsigned int protoff,
                                    unsigned int dataoff,
                                    const char **dptr, unsigned int *datalen,
                                    unsigned int cseq)
{
        enum ip_conntrack_info ctinfo;
        struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
        struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);
        enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
        unsigned int matchoff, matchlen;
        struct nf_conntrack_expect *exp;
        union nf_inet_addr *saddr, daddr;
        const struct nf_nat_sip_hooks *hooks;
        __be16 port;
        u8 proto;
        unsigned int expires = 0;
        int ret;

        /* Expected connections can not register again. */
        if (ct->status & IPS_EXPECTED)
                return NF_ACCEPT;

        /* We must check the expiration time: a value of zero signals the
         * registrar to release the binding. We'll remove our expectation
         * when receiving the new bindings in the response, but we don't
         * want to create new ones.
         *
         * The expiration time may be contained in Expires: header, the
         * Contact: header parameters or the URI parameters.
         */
        if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_EXPIRES,
                              &matchoff, &matchlen) > 0)
                /* NOTE(review): simple_strtoul() is given no length bound; it
                 * relies on the digits ending inside the packet data.
                 */
                expires = simple_strtoul(*dptr + matchoff, NULL, 10);

        ret = ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
                                      SIP_HDR_CONTACT, NULL,
                                      &matchoff, &matchlen, &daddr, &port);
        if (ret < 0) {
                nf_ct_helper_log(skb, ct, "cannot parse contact");
                return NF_DROP;
        } else if (ret == 0)
                return NF_ACCEPT;

        /* We don't support third-party registrations */
        if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.src.u3, &daddr))
                return NF_ACCEPT;

        if (ct_sip_parse_transport(ct, *dptr, matchoff + matchlen, *datalen,
                                   &proto) == 0)
                return NF_ACCEPT;

        /* An "expires=" parameter after the Contact URI replaces the value
         * taken from the Expires: header above.
         */
        if (ct_sip_parse_numerical_param(ct, *dptr,
                                         matchoff + matchlen, *datalen,
                                         "expires=", NULL, NULL, &expires) < 0) {
                nf_ct_helper_log(skb, ct, "cannot parse expires");
                return NF_DROP;
        }

        /* Zero expiry: no expectation is created, only the CSeq is stored. */
        if (expires == 0) {
                ret = NF_ACCEPT;
                goto store_cseq;
        }

        exp = nf_ct_expect_alloc(ct);
        if (!exp) {
                nf_ct_helper_log(skb, ct, "cannot alloc expectation");
                return NF_DROP;
        }

        /* With sip_direct_signalling set, the expected source is pinned to
         * the address of the peer this REGISTER is sent to; otherwise saddr
         * stays NULL (presumably "any source" for nf_ct_expect_init() -
         * confirm).
         */
        saddr = NULL;
        if (sip_direct_signalling)
                saddr = &ct->tuplehash[!dir].tuple.src.u3;

        nf_ct_expect_init(exp, SIP_EXPECT_SIGNALLING, nf_ct_l3num(ct),
                          saddr, &daddr, proto, NULL, &port);
        /* The initial timeout is the module's sip_timeout, not the expiry
         * value from the message.
         */
        exp->timeout.expires = sip_timeout * HZ;
        exp->helper = nfct_help(ct)->helper;
        /* Created inactive; refresh_signalling_expectation() clears the
         * INACTIVE flag later.
         */
        exp->flags = NF_CT_EXPECT_PERMANENT | NF_CT_EXPECT_INACTIVE;

        hooks = rcu_dereference(nf_nat_sip_hooks);
        if (hooks && ct->status & IPS_NAT_MASK)
                ret = hooks->expect(skb, protoff, dataoff, dptr, datalen,
                                    exp, matchoff, matchlen);
        else {
                if (nf_ct_expect_related(exp) != 0) {
                        nf_ct_helper_log(skb, ct, "cannot add expectation");
                        ret = NF_DROP;
                } else
                        ret = NF_ACCEPT;
        }
        /* Drop the reference taken by nf_ct_expect_alloc(). */
        nf_ct_expect_put(exp);

store_cseq:
        /* Remember the CSeq so the response handler can match it. */
        if (ret == NF_ACCEPT)
                ct_sip_info->register_cseq = cseq;
        return ret;
}
1312
/* Handle the registrar's response to a REGISTER.
 *
 * Responses whose CSeq differs from the stored register_cseq and provisional
 * (1xx) responses are accepted without touching any state. A 2xx response
 * has its Contact headers walked: the first Contact that matches this
 * connection's destination address, has a parseable transport and a non-zero
 * expiry refreshes the matching signalling expectation. In every other case
 * the signalling expectation is flushed.
 *
 * The expiry values are read from the message and passed on as seconds.
 */
static int process_register_response(struct sk_buff *skb, unsigned int protoff,
                                     unsigned int dataoff,
                                     const char **dptr, unsigned int *datalen,
                                     unsigned int cseq, unsigned int code)
{
        enum ip_conntrack_info ctinfo;
        struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
        struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);
        enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
        union nf_inet_addr addr;
        __be16 port;
        u8 proto;
        unsigned int matchoff, matchlen, contact_off = 0;
        unsigned int default_expires = 0;
        int in_contact = 0;

        /* According to RFC 3261, "UAs MUST NOT send a new registration until
         * they have received a final response from the registrar for the
         * previous one or the previous REGISTER request has timed out".
         *
         * However, some servers fail to detect retransmissions and send late
         * responses, so we store the sequence number of the last valid
         * request and compare it here.
         */
        if (ct_sip_info->register_cseq != cseq)
                return NF_ACCEPT;

        switch (code / 100) {
        case 1:
                /* Provisional response: wait for the final one. */
                return NF_ACCEPT;
        case 2:
                break;
        default:
                goto flush;
        }

        /* The Expires: header supplies the default for every Contact. */
        if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_EXPIRES,
                              &matchoff, &matchlen) > 0)
                default_expires = simple_strtoul(*dptr + matchoff, NULL, 10);

        for (;;) {
                unsigned int contact_expires = default_expires;
                int rc;

                rc = ct_sip_parse_header_uri(ct, *dptr, &contact_off, *datalen,
                                             SIP_HDR_CONTACT, &in_contact,
                                             &matchoff, &matchlen,
                                             &addr, &port);
                if (rc < 0) {
                        nf_ct_helper_log(skb, ct, "cannot parse contact");
                        return NF_DROP;
                }
                if (rc == 0)
                        break;

                /* We don't support third-party registrations */
                if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.dst.u3, &addr))
                        continue;

                if (!ct_sip_parse_transport(ct, *dptr, matchoff + matchlen,
                                            *datalen, &proto))
                        continue;

                /* A per-Contact "expires=" parameter overrides the default. */
                rc = ct_sip_parse_numerical_param(ct, *dptr,
                                                  matchoff + matchlen,
                                                  *datalen, "expires=",
                                                  NULL, NULL, &contact_expires);
                if (rc < 0) {
                        nf_ct_helper_log(skb, ct, "cannot parse expires");
                        return NF_DROP;
                }
                if (contact_expires == 0)
                        break;
                if (refresh_signalling_expectation(ct, &addr, proto, port,
                                                   contact_expires))
                        return NF_ACCEPT;
        }

flush:
        flush_expectations(ct, false);
        return NF_ACCEPT;
}
1389
/* SIP methods this helper acts on, with the handlers for the request and for
 * the response (NULL where there is none). process_sip_request() and
 * process_sip_response() scan the table in order and dispatch to the first
 * entry whose method name matches; messages with any other method are
 * accepted without further processing.
 */
static const struct sip_handler sip_handlers[] = {
        SIP_HANDLER("INVITE", process_invite_request, process_invite_response),
        SIP_HANDLER("UPDATE", process_sdp, process_update_response),
        SIP_HANDLER("ACK", process_sdp, NULL),
        SIP_HANDLER("PRACK", process_sdp, process_prack_response),
        SIP_HANDLER("BYE", process_bye_request, NULL),
        SIP_HANDLER("REGISTER", process_register_request, process_register_response),
};
1398
/* Dispatch a SIP response to the handler registered for the method named in
 * its CSeq header.
 *
 * Messages shorter than a minimal status line are accepted untouched. A
 * status code or CSeq number that cannot be read drops the packet. The
 * method name is compared only after checking that it lies within *datalen.
 * Responses for methods without a response handler are accepted.
 */
static int process_sip_response(struct sk_buff *skb, unsigned int protoff,
                                unsigned int dataoff,
                                const char **dptr, unsigned int *datalen)
{
        enum ip_conntrack_info ctinfo;
        struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
        const struct sip_handler *handler;
        unsigned int matchoff, matchlen, matchend;
        unsigned int code, cseq;

        if (*datalen < strlen("SIP/2.0 200"))
                return NF_ACCEPT;

        code = simple_strtoul(*dptr + strlen("SIP/2.0 "), NULL, 10);
        if (code == 0) {
                nf_ct_helper_log(skb, ct, "cannot get code");
                return NF_DROP;
        }

        if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ,
                              &matchoff, &matchlen) <= 0) {
                nf_ct_helper_log(skb, ct, "cannot parse cseq");
                return NF_DROP;
        }

        /* A result of zero is only valid when the text really starts with
         * the digit '0'.
         */
        cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
        if (cseq == 0 && (*dptr)[matchoff] != '0') {
                nf_ct_helper_log(skb, ct, "cannot get cseq");
                return NF_DROP;
        }

        /* The method name follows the CSeq number and one separator byte. */
        matchend = matchoff + matchlen + 1;

        for (handler = sip_handlers;
             handler < sip_handlers + ARRAY_SIZE(sip_handlers); handler++) {
                if (!handler->response)
                        continue;
                if (*datalen < matchend + handler->len)
                        continue;
                if (strncasecmp(*dptr + matchend, handler->method,
                                handler->len) != 0)
                        continue;

                return handler->response(skb, protoff, dataoff, dptr, datalen,
                                         cseq, code);
        }
        return NF_ACCEPT;
}
1442
/* Dispatch a SIP request to the handler registered for its method.
 *
 * Before dispatching, the port from the Via: header is recorded as
 * forced_dport, but only when the Via address equals the packet's source
 * address and the port differs from the packet's source port.
 *
 * A request whose method has a handler but whose CSeq cannot be read is
 * dropped; requests with other methods are accepted.
 */
static int process_sip_request(struct sk_buff *skb, unsigned int protoff,
                               unsigned int dataoff,
                               const char **dptr, unsigned int *datalen)
{
        enum ip_conntrack_info ctinfo;
        struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
        struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct);
        enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
        const struct sip_handler *handler;
        unsigned int matchoff, matchlen;
        unsigned int cseq;
        union nf_inet_addr addr;
        __be16 port;

        /* Many Cisco IP phones use a high source port for SIP requests, but
         * listen for the response on port 5060.  If we are the local
         * router for one of these phones, save the port number from the
         * Via: header so that nf_nat_sip can redirect the responses to
         * the correct port.
         */
        if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
                                    SIP_HDR_VIA_UDP, NULL, &matchoff,
                                    &matchlen, &addr, &port) > 0) {
                struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple;

                if (port != tuple->src.u.udp.port &&
                    nf_inet_addr_cmp(&addr, &tuple->src.u3))
                        ct_sip_info->forced_dport = port;
        }

        for (handler = sip_handlers;
             handler < sip_handlers + ARRAY_SIZE(sip_handlers); handler++) {
                const char *after;

                if (!handler->request)
                        continue;

                /* The method must be followed by a space and a letter, so
                 * two more bytes than the method name have to be present.
                 */
                if (*datalen < handler->len + 2)
                        continue;
                if (strncasecmp(*dptr, handler->method, handler->len) != 0)
                        continue;

                after = *dptr + handler->len;
                if (after[0] != ' ' || !isalpha(after[1]))
                        continue;

                if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ,
                                      &matchoff, &matchlen) <= 0) {
                        nf_ct_helper_log(skb, ct, "cannot parse cseq");
                        return NF_DROP;
                }

                /* Zero is only accepted when the text starts with '0'. */
                cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
                if (cseq == 0 && (*dptr)[matchoff] != '0') {
                        nf_ct_helper_log(skb, ct, "cannot get cseq");
                        return NF_DROP;
                }

                return handler->request(skb, protoff, dataoff, dptr, datalen,
                                        cseq);
        }
        return NF_ACCEPT;
}
1498
/* Process one SIP message: classify it as a response (it starts with
 * "SIP/2.0 ", compared case-insensitively) or a request, run the matching
 * handler and, when the verdict is NF_ACCEPT on a NATed connection, let the
 * NAT msg hook process the message. A failing hook turns the verdict into
 * NF_DROP.
 *
 * The prefix comparison reads strlen("SIP/2.0 ") bytes without consulting
 * *datalen, so callers are expected to have checked the length beforehand.
 */
static int process_sip_msg(struct sk_buff *skb, struct nf_conn *ct,
                           unsigned int protoff, unsigned int dataoff,
                           const char **dptr, unsigned int *datalen)
{
        const struct nf_nat_sip_hooks *hooks;
        bool is_response;
        int ret;

        is_response = strncasecmp(*dptr, "SIP/2.0 ", strlen("SIP/2.0 ")) == 0;
        if (is_response)
                ret = process_sip_response(skb, protoff, dataoff, dptr, datalen);
        else
                ret = process_sip_request(skb, protoff, dataoff, dptr, datalen);

        /* Nothing left to do unless the message was accepted and the
         * connection is subject to NAT.
         */
        if (ret != NF_ACCEPT || !(ct->status & IPS_NAT_MASK))
                return ret;

        hooks = rcu_dereference(nf_nat_sip_hooks);
        if (hooks && !hooks->msg(skb, protoff, dataoff, dptr, datalen)) {
                nf_ct_helper_log(skb, ct, "cannot NAT SIP message");
                return NF_DROP;
        }

        return ret;
}
1522
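/*
 * Conntrack helper callback for SIP carried over TCP.
 *
 * The TCP payload of @skb is split into individual SIP messages using the
 * Content-Length header, and each complete message is passed to
 * process_sip_msg(). Length changes made while processing (NAT mangling)
 * are accumulated and handed to the NAT seq_adjust hook at the end.
 *
 * @skb:      packet to inspect
 * @protoff:  offset of the TCP header inside @skb
 * @ct:       conntrack entry the packet belongs to
 * @ctinfo:   conntrack state of the packet; only established traffic is parsed
 *
 * Returns NF_ACCEPT or NF_DROP (or whatever non-accept verdict
 * process_sip_msg() reported).
 */
static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
			struct nf_conn *ct, enum ip_conntrack_info ctinfo)
{
	struct tcphdr *th, _tcph;
	unsigned int dataoff, datalen;
	unsigned int matchoff, matchlen;
	unsigned int msglen, origlen, hdrlen;
	unsigned long clen;
	const char *dptr, *end;
	s16 diff, tdiff = 0;
	int ret = NF_ACCEPT;
	bool term;

	if (ctinfo != IP_CT_ESTABLISHED &&
	    ctinfo != IP_CT_ESTABLISHED_REPLY)
		return NF_ACCEPT;

	/* No Data ? */
	th = skb_header_pointer(skb, protoff, sizeof(_tcph), &_tcph);
	if (th == NULL)
		return NF_ACCEPT;
	dataoff = protoff + th->doff * 4;
	if (dataoff >= skb->len)
		return NF_ACCEPT;

	nf_ct_refresh(ct, skb, sip_timeout * HZ);

	/* The parsers below work on a flat buffer. */
	if (unlikely(skb_linearize(skb)))
		return NF_DROP;

	dptr = skb->data + dataoff;
	datalen = skb->len - dataoff;
	if (datalen < strlen("SIP/2.0 200"))
		return NF_ACCEPT;

	while (1) {
		if (ct_sip_get_header(ct, dptr, 0, datalen,
				      SIP_HDR_CONTENT_LENGTH,
				      &matchoff, &matchlen) <= 0)
			break;

		/* Keep the full unsigned long result: Content-Length comes
		 * from the peer, and narrowing it before the bounds check
		 * would let an oversized value alias a small one. */
		clen = simple_strtoul(dptr + matchoff, (char **)&end, 10);
		if (dptr + matchoff == end)
			break;

		/* Find the blank line that terminates the header section. */
		term = false;
		for (; end + strlen("\r\n\r\n") <= dptr + datalen; end++) {
			if (end[0] == '\r' && end[1] == '\n' &&
			    end[2] == '\r' && end[3] == '\n') {
				term = true;
				break;
			}
		}
		if (!term)
			break;

		/* The search loop guarantees hdrlen <= datalen, so the
		 * subtraction below cannot wrap. Comparing the body length
		 * against the remaining bytes (instead of adding first and
		 * comparing afterwards) keeps a huge Content-Length from
		 * wrapping the message length into range and desynchronising
		 * the message framing.
		 *
		 * NOTE(review): this early return skips the seq_adjust call
		 * at the end of the function even if an earlier message in
		 * this segment was already mangled - confirm that is
		 * intended. */
		hdrlen = end - dptr + strlen("\r\n\r\n");
		if (clen > datalen - hdrlen)
			return NF_ACCEPT;

		msglen = origlen = hdrlen + clen;

		ret = process_sip_msg(skb, ct, protoff, dataoff,
				      &dptr, &msglen);
		/* process_sip_* functions report why this packet is dropped */
		if (ret != NF_ACCEPT)
			break;

		/* msglen may have been changed by process_sip_msg(); track
		 * the delta and step over the message using its new length. */
		diff     = msglen - origlen;
		tdiff   += diff;

		dataoff += msglen;
		dptr    += msglen;
		datalen  = datalen + diff - msglen;
	}

	if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) {
		const struct nf_nat_sip_hooks *hooks;

		hooks = rcu_dereference(nf_nat_sip_hooks);
		if (hooks)
			hooks->seq_adjust(skb, protoff, tdiff);
	}

	return ret;
}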
1606
/*
 * Conntrack helper callback for SIP carried over UDP.
 *
 * The whole UDP payload is treated as a single SIP message and handed to
 * process_sip_msg().
 *
 * @skb:      packet to inspect
 * @protoff:  offset of the UDP header inside @skb
 * @ct:       conntrack entry the packet belongs to
 * @ctinfo:   conntrack state of the packet (not used here)
 *
 * Returns NF_ACCEPT for packets without a usable payload, NF_DROP when the
 * skb cannot be linearized, otherwise the verdict of process_sip_msg().
 */
static int sip_help_udp(struct sk_buff *skb, unsigned int protoff,
			struct nf_conn *ct, enum ip_conntrack_info ctinfo)
{
	unsigned int payload_off = protoff + sizeof(struct udphdr);
	unsigned int payload_len;
	const char *payload;

	/* Header only, nothing to parse. */
	if (payload_off >= skb->len)
		return NF_ACCEPT;

	nf_ct_refresh(ct, skb, sip_timeout * HZ);

	/* The parsers need a flat buffer; take the data pointer only after
	 * linearizing. */
	if (unlikely(skb_linearize(skb)))
		return NF_DROP;

	payload = skb->data + payload_off;
	payload_len = skb->len - payload_off;

	/* Shorter than the shortest status line: do not parse it. */
	if (payload_len < strlen("SIP/2.0 200"))
		return NF_ACCEPT;

	return process_sip_msg(skb, ct, protoff, payload_off,
			       &payload, &payload_len);
}
1630
/* Four helper slots per configured port; nf_conntrack_sip_init() fills them
 * in the order IPv4/UDP, IPv4/TCP, IPv6/UDP, IPv6/TCP. */
static struct nf_conntrack_helper sip[MAX_PORTS * 4] __read_mostly;

/* Expectation policy per SIP expectation class. max_expected and timeout are
 * interpreted by the conntrack expectation code (presumably the cap on
 * pending expectations and a lifetime in seconds - confirm against
 * struct nf_conntrack_expect_policy). */
static const struct nf_conntrack_expect_policy sip_exp_policy[SIP_EXPECT_MAX + 1] = {
	[SIP_EXPECT_SIGNALLING] = {
		.name = "signalling", .max_expected = 1,
		.timeout = 3 * 60,
	},
	[SIP_EXPECT_AUDIO] = {
		.name = "audio", .max_expected = 2 * IP_CT_DIR_MAX,
		.timeout = 3 * 60,
	},
	[SIP_EXPECT_VIDEO] = {
		.name = "video", .max_expected = 2 * IP_CT_DIR_MAX,
		.timeout = 3 * 60,
	},
	[SIP_EXPECT_IMAGE] = {
		.name = "image", .max_expected = IP_CT_DIR_MAX,
		.timeout = 3 * 60,
	},
};
1655
/* Module exit: unregister every helper that nf_conntrack_sip_init() set up
 * (four per configured port). */
static void __exit nf_conntrack_sip_fini(void)
{
	unsigned int helper_count = ports_c * 4;

	nf_conntrack_helpers_unregister(sip, helper_count);
}
1660
/*
 * Module init: build one helper per (port, address family, transport)
 * combination and register them all.
 *
 * Returns 0 on success or the negative value reported by
 * nf_conntrack_helpers_register().
 */
static int __init nf_conntrack_sip_init(void)
{
	struct nf_conntrack_helper *slot;
	unsigned int idx;
	int err;

	NF_CT_HELPER_BUILD_BUG_ON(sizeof(struct nf_ct_sip_master));

	/* No "ports" module parameter given: use the default SIP port. */
	if (!ports_c)
		ports[ports_c++] = SIP_PORT;

	for (idx = 0; idx < ports_c; idx++) {
		/* Each port owns four consecutive entries of sip[]. */
		slot = &sip[4 * idx];

		nf_ct_helper_init(&slot[0], AF_INET, IPPROTO_UDP,
				  HELPER_NAME, SIP_PORT, ports[idx], idx,
				  sip_exp_policy, SIP_EXPECT_MAX, sip_help_udp,
				  NULL, THIS_MODULE);
		nf_ct_helper_init(&slot[1], AF_INET, IPPROTO_TCP,
				  HELPER_NAME, SIP_PORT, ports[idx], idx,
				  sip_exp_policy, SIP_EXPECT_MAX, sip_help_tcp,
				  NULL, THIS_MODULE);
		nf_ct_helper_init(&slot[2], AF_INET6, IPPROTO_UDP,
				  HELPER_NAME, SIP_PORT, ports[idx], idx,
				  sip_exp_policy, SIP_EXPECT_MAX, sip_help_udp,
				  NULL, THIS_MODULE);
		nf_ct_helper_init(&slot[3], AF_INET6, IPPROTO_TCP,
				  HELPER_NAME, SIP_PORT, ports[idx], idx,
				  sip_exp_policy, SIP_EXPECT_MAX, sip_help_tcp,
				  NULL, THIS_MODULE);
	}

	err = nf_conntrack_helpers_register(sip, ports_c * 4);
	if (err >= 0)
		return 0;

	pr_err("failed to register helpers\n");
	return err;
}
1696
/* Module entry and exit points. */
module_init(nf_conntrack_sip_init);
module_exit(nf_conntrack_sip_fini);