From: David Gibson
To: Stefano Brivio, passt-dev@passt.top
Cc: David Gibson
Subject: [PATCH v3 10/11] icmp: Validate packets received on ping sockets
Date: Tue, 16 Jan 2024 16:16:17 +1100
Message-ID: <20240116051618.2746103-11-david@gibson.dropbear.id.au>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240116051618.2746103-1-david@gibson.dropbear.id.au>
References: <20240116051618.2746103-1-david@gibson.dropbear.id.au>
List-Id: Development discussion and patches for passt

We access fields of packets received from ping sockets assuming they're
echo replies, without actually checking that. Of course, we don't expect
anything else from the kernel, but it's probably best to verify.

While we're at it, also check for short packets, or a receive address of
the wrong family.

Signed-off-by: David Gibson
---
 icmp.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/icmp.c b/icmp.c
index 79f6c8c..a9dc436 100644
--- a/icmp.c
+++ b/icmp.c
@@ -86,16 +86,25 @@ void icmp_sock_handler(const struct ctx *c, int af, union epoll_ref ref) pname, strerror(errno)); return; } + if (sr.sa.sa_family != af) + goto unexpected; if (af == AF_INET) { struct icmphdr *ih4 = (struct icmphdr *)buf; + if ((size_t)n < sizeof(*ih4) || ih4->type != ICMP_ECHOREPLY) + goto unexpected; + /* Adjust packet back to guest-side ID */ ih4->un.echo.id = htons(ref.icmp.id); seq = ntohs(ih4->un.echo.sequence); } else if (af == AF_INET6) { struct icmp6hdr *ih6 = (struct icmp6hdr *)buf; + if ((size_t)n < sizeof(*ih6) || + ih6->icmp6_type != ICMPV6_ECHO_REPLY) + goto unexpected; + /* Adjust packet back to guest-side ID */ ih6->icmp6_identifier = htons(ref.icmp.id); seq = ntohs(ih6->icmp6_sequence); @@ -118,6 +127,10 @@ void icmp_sock_handler(const struct ctx *c, int af, union epoll_ref ref) else if (af == AF_INET6) tap_icmp6_send(c, &sr.sa6.sin6_addr, tap_ip6_daddr(c, &sr.sa6.sin6_addr), buf, n); + return; + +unexpected: + warn("%s: Unexpected packet on ping socket", pname); } /** -- 2.43.0
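Review bot: in the first hunk, the ordering of the two conditions in `if ((size_t)n < sizeof(*ih4) || ih4->type != ICMP_ECHOREPLY)` (and the IPv6 twin) is load-bearing: short-circuit evaluation is what keeps `ih4->type` / `ih6->icmp6_type` from being read on a short packet, and the `(size_t)` cast is only safe because the `n < 0` error return is handled just above the hunk. Neither fact is written down; a one-line comment such as `/* length first: short-circuit avoids reading a truncated header */` would stop a later reorder from reintroducing the out-of-bounds read this patch closes. Consider also rejecting a non-zero `code` alongside the type check, since an echo reply always carries code 0.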
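Review bot: in the second hunk, `warn("%s: Unexpected packet on ping socket", pname)` says neither which check failed nor anything about the packet, so the log line is hard to act on; including the address family, the ICMP type and the length `n` (or a distinct message per `goto unexpected` site) would make it diagnosable. Since the commit message expects the kernel never to deliver such packets, it is also worth deciding whether a per-packet `warn()` is the right level: if a kernel change ever starts producing them, this path would fire once per received packet, and a one-shot or `debug()`-level message would avoid flooding the log.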