From: David Gibson
To: Stefano Brivio, passt-dev@passt.top
CC: David Gibson
Subject: [PATCH 11/11] icmp: Validate packets received on ping sockets
Date: Mon, 18 Dec 2023 18:40:17 +1100
Message-ID: <20231218074017.985092-12-david@gibson.dropbear.id.au>
In-Reply-To: <20231218074017.985092-1-david@gibson.dropbear.id.au>
References: <20231218074017.985092-1-david@gibson.dropbear.id.au>
X-Mailer: git-send-email 2.43.0
List-Id: Development discussion and patches for passt

We access fields of packets received from ping sockets assuming they're echo replies, without actually checking that. Of course, we don't expect anything else from the kernel, but it's probably best to verify.

While we're at it, also check for short packets, or a receive address of the wrong family.

Signed-off-by: David Gibson
---
 icmp.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/icmp.c b/icmp.c
index 7e698f3..129a7f1 100644
--- a/icmp.c
+++ b/icmp.c
@@ -86,16 +86,25 @@ void icmp_sock_handler(const struct ctx *c, int af, union epoll_ref ref) pname, strerror(errno)); return; } + if (sr.sa.sa_family != af) + goto unexpected; if (af == AF_INET) { struct icmphdr *ih4 = (struct icmphdr *)buf; + if ((size_t)n < sizeof(*ih4) || ih4->type != ICMP_ECHOREPLY) + goto unexpected; + /* Adjust packet back to guest-side ID */ ih4->un.echo.id = htons(ref.icmp.id); seq = ntohs(ih4->un.echo.sequence); } else if (af == AF_INET6) { struct icmp6hdr *ih6 = (struct icmp6hdr *)buf; + if ((size_t)n < sizeof(*ih6) || + ih6->icmp6_type != ICMPV6_ECHO_REPLY) + goto unexpected; + /* Adjust packet back to guest-side ID */ ih6->icmp6_identifier = htons(ref.icmp.id); seq = ntohs(ih6->icmp6_sequence); @@ -117,6 +126,10 @@ void icmp_sock_handler(const struct ctx *c, int af, union epoll_ref ref) else if (af == AF_INET6) tap_icmp6_send(c, &sr.sa6.sin6_addr, tap_ip6_daddr(c, &sr.sa6.sin6_addr), buf, n); + return; + +unexpected: + warn("%s: Unexpected packet on ping socket", pname); } /** -- 2.43.0
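Review bot: in the first hunk (the `sa_family`, `sizeof(*ih4)`/`ICMP_ECHOREPLY` and `sizeof(*ih6)`/`ICMPV6_ECHO_REPLY` checks) every rejection jumps to the same label with no record of which test failed, so the eventual `warn()` cannot say whether the datagram was short, of the wrong family or of an unexpected type. Consider keeping the offending length and type byte in locals before the `goto unexpected` so the message can report them; the checks themselves bound the buffer correctly for the `un.echo.id`/`icmp6_identifier` rewrite and the `sequence` read that follow, and the `(size_t)n` cast is safe only because the `strerror(errno)` path just above already returned on a negative `n`, which the context lines show.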
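Review bot: in the second hunk the new `unexpected:` path calls `warn()` once per rejected datagram, and since these datagrams originate from remote echo traffic rather than from the guest, a burst of them would fill the log; a rate-limited or debug-level message would be safer, and including `af`, `n` and the ICMP type would make the rare genuine case diagnosable. The `return;` added before the label is needed so the `tap_icmp6_send()` success path does not fall through into the warning and is correct as written.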