From: David Gibson
To: Stefano Brivio, passt-dev@passt.top
Cc: David Gibson
Subject: [PATCH v2 11/12] icmp: Validate packets received on ping sockets
Date: Thu, 21 Dec 2023 17:53:26 +1100
Message-ID: <20231221065327.1307827-12-david@gibson.dropbear.id.au>
In-Reply-To: <20231221065327.1307827-1-david@gibson.dropbear.id.au>
References: <20231221065327.1307827-1-david@gibson.dropbear.id.au>

We access fields of packets received from ping sockets assuming they're echo
replies, without actually checking that. Of course, we don't expect anything
else from the kernel, but it's probably best to verify.

While we're at it, also check for short packets, or a receive address of the
wrong family.

Signed-off-by: David Gibson
---
 icmp.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/icmp.c b/icmp.c
index 7e698f3..129a7f1 100644
--- a/icmp.c
+++ b/icmp.c
@@ -86,16 +86,25 @@ void icmp_sock_handler(const struct ctx *c, int af, union epoll_ref ref) pname, strerror(errno)); return; } + if (sr.sa.sa_family != af) + goto unexpected; if (af == AF_INET) { struct icmphdr *ih4 = (struct icmphdr *)buf; + if ((size_t)n < sizeof(*ih4) || ih4->type != ICMP_ECHOREPLY) + goto unexpected; + /* Adjust packet back to guest-side ID */ ih4->un.echo.id = htons(ref.icmp.id); seq = ntohs(ih4->un.echo.sequence); } else if (af == AF_INET6) { struct icmp6hdr *ih6 = (struct icmp6hdr *)buf; + if ((size_t)n < sizeof(*ih6) || + ih6->icmp6_type != ICMPV6_ECHO_REPLY) + goto unexpected; + /* Adjust packet back to guest-side ID */ ih6->icmp6_identifier = htons(ref.icmp.id); seq = ntohs(ih6->icmp6_sequence); @@ -117,6 +126,10 @@ void icmp_sock_handler(const struct ctx *c, int af, union epoll_ref ref) else if (af == AF_INET6) tap_icmp6_send(c, &sr.sa6.sin6_addr, tap_ip6_daddr(c, &sr.sa6.sin6_addr), buf, n); + return; + +unexpected: + warn("%s: Unexpected packet on ping socket", pname); } /** -- 2.43.0
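Review bot: in the first hunk (@@ -86,16 +86,25 @@) the new checks in the `if (af == AF_INET)` and `else if (af == AF_INET6)` branches test `ih4->type != ICMP_ECHOREPLY` and `ih6->icmp6_type != ICMPV6_ECHO_REPLY` but never look at the code field, which is always 0 for an echo reply in both protocols; extending them to `ih4->type != ICMP_ECHOREPLY || ih4->code` (and the ICMPv6 equivalent) would reject malformed replies before their id and sequence are rewritten and forwarded to the guest. The `(size_t)n < sizeof(*ih4)` length test correctly precedes every field access, but the cast is only safe because the error path visible at the top of the hunk (`strerror(errno)); return;`) guarantees n is non-negative by this point; a short comment saying so would spare the next reader from re-deriving it.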
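Review bot: in the second hunk (@@ -117,6 +126,10 @@) the single `warn("%s: Unexpected packet on ping socket", pname)` at the `unexpected:` label is reached from three different checks (wrong address family, short read, wrong ICMP type) but reports none of them, so a log line from this path cannot be diagnosed after the fact; include the observed values, e.g. `warn("%s: Unexpected packet on ping socket: %zd bytes, family %d", pname, n, sr.sa.sa_family)` (assuming n is ssize_t, as the `(size_t)n` cast suggests), or record the failing check before each `goto`. Since this runs once per received datagram, also consider whether a debug-level message is the better choice to avoid flooding the log should the condition ever repeat. The `return;` added before the label is needed and correct: without it the normal tap_icmp*_send() path would fall through into the warning.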
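As an added example, not code from passt or from this patch: a stand-alone C validator that performs the same checks the patch introduces on a datagram read from a ping socket (source address family, minimum length, echo-reply type for the socket's family), adds the code-must-be-zero check an echo reply also has to satisfy, and then does the same guest-side identifier rewrite the patch does. It is exercised against constructed datagrams rather than a live socket. The `struct echohdr`, the `ECHO_REPLY_V4`/`ECHO_REPLY_V6` constants, the `ping_verdict` enum and all function names are local to this example; the header layout mirrors the echo fields of the kernel's `struct icmphdr`/`struct icmp6hdr` but is defined here so the example builds without kernel headers.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>   /* htons(), ntohs() */
#include <sys/socket.h>  /* AF_INET, AF_INET6 */

/* Echo header as delivered by a Linux ping socket: the read starts at the
 * ICMP header (no IP header), and the echo fields share one 8-byte layout
 * for IPv4 and IPv6 (RFC 792 / RFC 4443). Local definition for this example. */
struct echohdr {
	uint8_t  type;
	uint8_t  code;
	uint16_t checksum;
	uint16_t id;        /* network order */
	uint16_t sequence;  /* network order */
};

#define ECHO_REPLY_V4 0    /* ICMP_ECHOREPLY */
#define ECHO_REPLY_V6 129  /* ICMPV6_ECHO_REPLY */

enum ping_verdict {
	PING_OK = 0,
	PING_BAD_FAMILY,   /* source address family != socket family */
	PING_SHORT,        /* fewer bytes than an echo header */
	PING_BAD_TYPE,     /* not an echo reply for this family */
	PING_BAD_CODE,     /* echo replies always carry code 0 */
};

/* Validate n bytes read from a ping socket of family af, where recvfrom()
 * reported a source address of family sa_family. On success the identifier
 * in buf is rewritten to guest_id (host order), as the patch does before
 * forwarding the reply, and the sequence number is returned via *seq. */
static enum ping_verdict validate_ping_reply(int af, int sa_family,
					     uint8_t *buf, size_t n,
					     uint16_t guest_id, uint16_t *seq)
{
	struct echohdr eh;
	uint8_t want;

	if (sa_family != af)
		return PING_BAD_FAMILY;
	if (af == AF_INET)
		want = ECHO_REPLY_V4;
	else if (af == AF_INET6)
		want = ECHO_REPLY_V6;
	else
		return PING_BAD_FAMILY;

	if (n < sizeof(eh))		/* length before any field access */
		return PING_SHORT;
	memcpy(&eh, buf, sizeof(eh));	/* no unaligned access through buf */

	if (eh.type != want)
		return PING_BAD_TYPE;
	if (eh.code != 0)
		return PING_BAD_CODE;

	eh.id = htons(guest_id);	/* back to the id the guest used */
	memcpy(buf, &eh, sizeof(eh));
	*seq = ntohs(eh.sequence);
	return PING_OK;
}

/* Run one constructed datagram (kernel-side id 0x5151, seq 7, with n bytes
 * reported as read) through the validator. Returns the verdict and leaves
 * the id now in the buffer (host order) in *id_out, the sequence in *seq_out. */
static enum ping_verdict check_sample(int af, int sa_family, uint8_t type,
				      uint8_t code, size_t n,
				      uint16_t *id_out, uint16_t *seq_out)
{
	struct echohdr eh = { type, code, 0, htons(0x5151), htons(7) };
	uint8_t buf[sizeof(eh)];
	enum ping_verdict v;

	memcpy(buf, &eh, sizeof(eh));
	*seq_out = 0;
	v = validate_ping_reply(af, sa_family, buf, n, 0xabcd, seq_out);
	*id_out = (uint16_t)((buf[4] << 8) | buf[5]);
	return v;
}

int main(void)
{
	uint16_t id, seq;
	enum ping_verdict v;

	v = check_sample(AF_INET, AF_INET, ECHO_REPLY_V4, 0, 8, &id, &seq);
	printf("good v4 reply: verdict %d, id now 0x%04x, seq %u\n", v, id, seq);
	v = check_sample(AF_INET, AF_INET, ECHO_REPLY_V4, 0, 5, &id, &seq);
	printf("5-byte read: verdict %d (id untouched: 0x%04x)\n", v, id);
	v = check_sample(AF_INET6, AF_INET6, 128, 0, 8, &id, &seq);
	printf("echo request on v6 socket: verdict %d\n", v);
	return 0;
}
```

The length test runs before the header is copied out, so a truncated read is rejected without touching bytes beyond what was received, and the identifier is only rewritten once every check has passed, so a rejected datagram is left exactly as the kernel delivered it.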