From: David Gibson <david@gibson.dropbear.id.au>
To: passt-dev@passt.top, Stefano Brivio <sbrivio@redhat.com>
Cc: David Gibson <david@gibson.dropbear.id.au>
Subject: [PATCH v3 17/20] tcp: Validate TCP endpoint addresses
Date: Wed, 28 Feb 2024 22:25:17 +1100 [thread overview]
Message-ID: <20240228112520.2078220-18-david@gibson.dropbear.id.au> (raw)
In-Reply-To: <20240228112520.2078220-1-david@gibson.dropbear.id.au>
TCP connections should typically not have wildcard addresses (0.0.0.0
or ::) nor a zero port number for either endpoint. It's not entirely
clear (at least to me) if it's strictly against the RFCs to do so, but
at any rate the socket interfaces often treat those values
specially[1], so it's not really possible to manipulate such
connections. Likewise they should not have broadcast or multicast
addresses for either endpoint.
However, nothing prevents a guest from creating a SYN packet with such
values, and it's not entirely clear what the effect on passt would be.
To ensure sane behaviour, explicitly check for this case and drop such
packets, logging a debug warning (we don't want a higher level,
because that would allow a guest to spam the logs).
We never expect such an address on an accept()ed socket either, but
just in case, check for it as well.
[1] Depending on context as "unknown", "match any" or "kernel, pick
something for me"
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
tcp.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++------
1 file changed, 67 insertions(+), 7 deletions(-)
diff --git a/tcp.c b/tcp.c
index b4d7eec6..2ea985e6 100644
--- a/tcp.c
+++ b/tcp.c
@@ -284,6 +284,7 @@
#include <sys/types.h>
#include <sys/uio.h>
#include <time.h>
+#include <arpa/inet.h>
#include <linux/tcp.h> /* For struct tcp_info */
@@ -1935,27 +1936,59 @@ static void tcp_conn_from_tap(struct ctx *c, sa_family_t af,
const struct tcphdr *th, const char *opts,
size_t optlen, const struct timespec *now)
{
+ in_port_t srcport = ntohs(th->source);
+ in_port_t dstport = ntohs(th->dest);
struct sockaddr_in addr4 = {
.sin_family = AF_INET,
- .sin_port = th->dest,
+ .sin_port = htons(dstport),
.sin_addr = *(struct in_addr *)daddr,
};
struct sockaddr_in6 addr6 = {
.sin6_family = AF_INET6,
- .sin6_port = th->dest,
+ .sin6_port = htons(dstport),
.sin6_addr = *(struct in6_addr *)daddr,
};
const struct sockaddr *sa;
struct tcp_tap_conn *conn;
union flow *flow;
+ int s = -1, mss;
socklen_t sl;
- int s, mss;
-
- (void)saddr;
if (!(flow = flow_alloc()))
return;
+ if (af == AF_INET) {
+ if (IN4_IS_ADDR_UNSPECIFIED(saddr) ||
+ IN4_IS_ADDR_BROADCAST(saddr) ||
+ IN4_IS_ADDR_MULTICAST(saddr) || srcport == 0 ||
+ IN4_IS_ADDR_UNSPECIFIED(daddr) ||
+ IN4_IS_ADDR_BROADCAST(daddr) ||
+ IN4_IS_ADDR_MULTICAST(daddr) || dstport == 0) {
+ char sstr[INET_ADDRSTRLEN], dstr[INET_ADDRSTRLEN];
+
+ debug("Invalid endpoint in TCP SYN: %s:%hu -> %s:%hu",
+ inet_ntop(AF_INET, saddr, sstr, sizeof(sstr)),
+ srcport,
+ inet_ntop(AF_INET, daddr, dstr, sizeof(dstr)),
+ dstport);
+ goto cancel;
+ }
+ } else if (af == AF_INET6) {
+ if (IN6_IS_ADDR_UNSPECIFIED(saddr) ||
+ IN6_IS_ADDR_MULTICAST(saddr) || srcport == 0 ||
+ IN6_IS_ADDR_UNSPECIFIED(daddr) ||
+ IN6_IS_ADDR_MULTICAST(daddr) || dstport == 0) {
+ char sstr[INET6_ADDRSTRLEN], dstr[INET6_ADDRSTRLEN];
+
+ debug("Invalid endpoint in TCP SYN: %s:%hu -> %s:%hu",
+ inet_ntop(AF_INET6, saddr, sstr, sizeof(sstr)),
+ srcport,
+ inet_ntop(AF_INET6, daddr, dstr, sizeof(dstr)),
+ dstport);
+ goto cancel;
+ }
+ }
+
if ((s = tcp_conn_sock(c, af)) < 0)
goto cancel;
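Review bot: The reason this path logs at debug() rather than err() — the endpoints come straight from a guest-built SYN, so a higher level would let the guest flood the log — is stated only in the commit message, and a later reader is likely to "upgrade" the level; put it next to the code, e.g. above the `if (af == AF_INET)` block: `/* Guest-controlled values: keep this at debug level so a misbehaving guest cannot spam the log */`. The validation also runs after flow_alloc(), so every rejected SYN takes a flow entry and relies on the `cancel:` label (outside this hunk) to release it; doing the checks before `if (!(flow = flow_alloc()))` would avoid the allocate-then-cancel round trip, if nothing in between depends on the flow. The same per-family check is repeated for the accept() path further down in this patch, so a small static helper taking the family, address and host-order port would let both call sites share it. tcp_conn_from_tap() continues outside the hunk, and this hunk appears a second time later on the page.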
@@ -2006,8 +2039,8 @@ static void tcp_conn_from_tap(struct ctx *c, sa_family_t af,
sl = sizeof(addr6);
}
- conn->fport = ntohs(th->dest);
- conn->eport = ntohs(th->source);
+ conn->fport = dstport;
+ conn->eport = srcport;
conn->seq_init_from_tap = ntohl(th->seq);
conn->seq_from_tap = conn->seq_init_from_tap + 1;
@@ -2736,6 +2769,33 @@ void tcp_listen_handler(struct ctx *c, union epoll_ref ref,
if (s < 0)
goto cancel;
+ if (sa.sa_family == AF_INET) {
+ const struct in_addr *addr = &sa.sa4.sin_addr;
+ in_port_t port = sa.sa4.sin_port;
+
+ if (IN4_IS_ADDR_UNSPECIFIED(addr) ||
+ IN4_IS_ADDR_BROADCAST(addr) ||
+ IN4_IS_ADDR_MULTICAST(addr) || port == 0) {
+ char str[INET_ADDRSTRLEN];
+
+ err("Invalid endpoint from TCP accept(): %s:%hu",
+ inet_ntop(AF_INET, addr, str, sizeof(str)), port);
+ goto cancel;
+ }
+ } else if (sa.sa_family == AF_INET6) {
+ const struct in6_addr *addr = &sa.sa6.sin6_addr;
+ in_port_t port = sa.sa6.sin6_port;
+
+ if (IN6_IS_ADDR_UNSPECIFIED(addr) ||
+ IN6_IS_ADDR_MULTICAST(addr) || port == 0) {
+ char str[INET6_ADDRSTRLEN];
+
+ err("Invalid endpoint from TCP accept(): %s:%hu",
+ inet_ntop(AF_INET6, addr, str, sizeof(str)), port);
+ goto cancel;
+ }
+ }
+
if (tcp_splice_conn_from_sock(c, ref.tcp_listen.pif,
ref.tcp_listen.port, flow, s, &sa))
return;
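Review bot: `in_port_t port = sa.sa4.sin_port;` copies the port in network byte order, so the `%hu` in the err() message prints a byte-swapped value on little-endian hosts; the `port == 0` test itself is unaffected. Use `in_port_t port = ntohs(sa.sa4.sin_port);` here and `in_port_t port = ntohs(sa.sa6.sin6_port);` in the AF_INET6 branch, which also matches the tap path in this patch, where ntohs() is applied before logging. A socket address with a family other than AF_INET/AF_INET6 skips the validation entirely; if accept() can never return one here that is fine, but a short comment saying so would save the next reader the question. tcp_listen_handler()'s body starts and ends outside the hunk, and this hunk is repeated later on the page.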
--
@@ -284,6 +284,7 @@
#include <sys/types.h>
#include <sys/uio.h>
#include <time.h>
+#include <arpa/inet.h>
#include <linux/tcp.h> /* For struct tcp_info */
@@ -1935,27 +1936,59 @@ static void tcp_conn_from_tap(struct ctx *c, sa_family_t af,
const struct tcphdr *th, const char *opts,
size_t optlen, const struct timespec *now)
{
+ in_port_t srcport = ntohs(th->source);
+ in_port_t dstport = ntohs(th->dest);
struct sockaddr_in addr4 = {
.sin_family = AF_INET,
- .sin_port = th->dest,
+ .sin_port = htons(dstport),
.sin_addr = *(struct in_addr *)daddr,
};
struct sockaddr_in6 addr6 = {
.sin6_family = AF_INET6,
- .sin6_port = th->dest,
+ .sin6_port = htons(dstport),
.sin6_addr = *(struct in6_addr *)daddr,
};
const struct sockaddr *sa;
struct tcp_tap_conn *conn;
union flow *flow;
+ int s = -1, mss;
socklen_t sl;
- int s, mss;
-
- (void)saddr;
if (!(flow = flow_alloc()))
return;
+ if (af == AF_INET) {
+ if (IN4_IS_ADDR_UNSPECIFIED(saddr) ||
+ IN4_IS_ADDR_BROADCAST(saddr) ||
+ IN4_IS_ADDR_MULTICAST(saddr) || srcport == 0 ||
+ IN4_IS_ADDR_UNSPECIFIED(daddr) ||
+ IN4_IS_ADDR_BROADCAST(daddr) ||
+ IN4_IS_ADDR_MULTICAST(daddr) || dstport == 0) {
+ char sstr[INET_ADDRSTRLEN], dstr[INET_ADDRSTRLEN];
+
+ debug("Invalid endpoint in TCP SYN: %s:%hu -> %s:%hu",
+ inet_ntop(AF_INET, saddr, sstr, sizeof(sstr)),
+ srcport,
+ inet_ntop(AF_INET, daddr, dstr, sizeof(dstr)),
+ dstport);
+ goto cancel;
+ }
+ } else if (af == AF_INET6) {
+ if (IN6_IS_ADDR_UNSPECIFIED(saddr) ||
+ IN6_IS_ADDR_MULTICAST(saddr) || srcport == 0 ||
+ IN6_IS_ADDR_UNSPECIFIED(daddr) ||
+ IN6_IS_ADDR_MULTICAST(daddr) || dstport == 0) {
+ char sstr[INET6_ADDRSTRLEN], dstr[INET6_ADDRSTRLEN];
+
+ debug("Invalid endpoint in TCP SYN: %s:%hu -> %s:%hu",
+ inet_ntop(AF_INET6, saddr, sstr, sizeof(sstr)),
+ srcport,
+ inet_ntop(AF_INET6, daddr, dstr, sizeof(dstr)),
+ dstport);
+ goto cancel;
+ }
+ }
+
if ((s = tcp_conn_sock(c, af)) < 0)
goto cancel;
@@ -2006,8 +2039,8 @@ static void tcp_conn_from_tap(struct ctx *c, sa_family_t af,
sl = sizeof(addr6);
}
- conn->fport = ntohs(th->dest);
- conn->eport = ntohs(th->source);
+ conn->fport = dstport;
+ conn->eport = srcport;
conn->seq_init_from_tap = ntohl(th->seq);
conn->seq_from_tap = conn->seq_init_from_tap + 1;
@@ -2736,6 +2769,33 @@ void tcp_listen_handler(struct ctx *c, union epoll_ref ref,
if (s < 0)
goto cancel;
+ if (sa.sa_family == AF_INET) {
+ const struct in_addr *addr = &sa.sa4.sin_addr;
+ in_port_t port = sa.sa4.sin_port;
+
+ if (IN4_IS_ADDR_UNSPECIFIED(addr) ||
+ IN4_IS_ADDR_BROADCAST(addr) ||
+ IN4_IS_ADDR_MULTICAST(addr) || port == 0) {
+ char str[INET_ADDRSTRLEN];
+
+ err("Invalid endpoint from TCP accept(): %s:%hu",
+ inet_ntop(AF_INET, addr, str, sizeof(str)), port);
+ goto cancel;
+ }
+ } else if (sa.sa_family == AF_INET6) {
+ const struct in6_addr *addr = &sa.sa6.sin6_addr;
+ in_port_t port = sa.sa6.sin6_port;
+
+ if (IN6_IS_ADDR_UNSPECIFIED(addr) ||
+ IN6_IS_ADDR_MULTICAST(addr) || port == 0) {
+ char str[INET6_ADDRSTRLEN];
+
+ err("Invalid endpoint from TCP accept(): %s:%hu",
+ inet_ntop(AF_INET6, addr, str, sizeof(str)), port);
+ goto cancel;
+ }
+ }
+
if (tcp_splice_conn_from_sock(c, ref.tcp_listen.pif,
ref.tcp_listen.port, flow, s, &sa))
return;
--
2.43.2