From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>, passt-dev@passt.top
Cc: steffhip@gmail.com, David Gibson <david@gibson.dropbear.id.au>
Subject: [PATCH 1/2] udp: Improve detail of UDP endpoint sanity checking
Date: Thu, 5 Dec 2024 15:26:01 +1100 [thread overview]
Message-ID: <20241205042602.701755-2-david@gibson.dropbear.id.au> (raw)
In-Reply-To: <20241205042602.701755-1-david@gibson.dropbear.id.au>
In udp_flow_new() we reject a flow if the endpoint isn't unicast, or it has
a zero endpoint port. Those conditions aren't strictly illegal, but we
can't safely handle them at present:
* Multicast UDP endpoints are certainly possible, but our current flow
tracking only makes sense for simple unicast flows - we'll need
different handling if we want to handle multicast flows in future
* It's not entirely clear if port 0 is RFC-ishly correct, but for socket
interfaces port 0 sometimes has a special meaning such as "pick the port
for me, kernel". That makes flows on port 0 unsafe to forward in the
usual way.
For the same reason we also can't safely handle port 0 as our port. In
principle that's also true for our address, however in the case of flows
initiated from a socket, we may not know our address since the socket
could be bound to 0.0.0.0 or ::, so we can only verify that our address
is unicast for flows initiated from the tap side.
Refine the current check in udp_flow_new() to slightly more detailed checks
in udp_flow_from_sock() and udp_flow_from_tap() to make what is and isn't
handled clearer. This makes this checking more similar to what we do for
TCP connections.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
udp_flow.c | 32 ++++++++++++++++++++++++--------
1 file changed, 24 insertions(+), 8 deletions(-)
diff --git a/udp_flow.c b/udp_flow.c
index b81be2c..c8fdb5f 100644
--- a/udp_flow.c
+++ b/udp_flow.c
@@ -75,16 +75,10 @@ void udp_flow_close(const struct ctx *c, struct udp_flow *uflow)
static flow_sidx_t udp_flow_new(const struct ctx *c, union flow *flow,
int s_ini, const struct timespec *now)
{
- const struct flowside *ini = &flow->f.side[INISIDE];
struct udp_flow *uflow = NULL;
const struct flowside *tgt;
uint8_t tgtpif;
- if (!inany_is_unicast(&ini->eaddr) || ini->eport == 0) {
- flow_trace(flow, "Invalid endpoint to initiate UDP flow");
- goto cancel;
- }
-
if (!(tgt = flow_target(c, flow, IPPROTO_UDP)))
goto cancel;
tgtpif = flow->f.pif[TGTSIDE];
@@ -189,6 +183,7 @@ flow_sidx_t udp_flow_from_sock(const struct ctx *c, union epoll_ref ref,
const union sockaddr_inany *s_in,
const struct timespec *now)
{
+ const struct flowside *ini;
struct udp_flow *uflow;
union flow *flow;
flow_sidx_t sidx;
@@ -210,7 +205,19 @@ flow_sidx_t udp_flow_from_sock(const struct ctx *c, union epoll_ref ref,
return FLOW_SIDX_NONE;
}
- flow_initiate_sa(flow, ref.udp.pif, s_in, ref.udp.port);
+ ini = flow_initiate_sa(flow, ref.udp.pif, s_in, ref.udp.port);
+
+ if (!inany_is_unicast(&ini->eaddr) ||
+ ini->eport == 0 || ini->oport == 0) {
+ /* In principle ini->oddr also must be unicast, but when we've
+ * been initiated from a socket bound to 0.0.0.0 or ::, we don't
+ * know our address, so we have to leave it unpopulated.
+ */
+ flow_err(flow, "Invalid endpoint on UDP recvfrom()");
+ flow_alloc_cancel(flow);
+ return FLOW_SIDX_NONE;
+ }
+
return udp_flow_new(c, flow, ref.fd, now);
}
@@ -233,6 +240,7 @@ flow_sidx_t udp_flow_from_tap(const struct ctx *c,
in_port_t srcport, in_port_t dstport,
const struct timespec *now)
{
+ const struct flowside *ini;
struct udp_flow *uflow;
union flow *flow;
flow_sidx_t sidx;
@@ -256,7 +264,15 @@ flow_sidx_t udp_flow_from_tap(const struct ctx *c,
return FLOW_SIDX_NONE;
}
- flow_initiate_af(flow, PIF_TAP, af, saddr, srcport, daddr, dstport);
+ ini = flow_initiate_af(flow, PIF_TAP, af, saddr, srcport,
+ daddr, dstport);
+
+ if (!inany_is_unicast(&ini->eaddr) || ini->eport == 0 ||
+ !inany_is_unicast(&ini->oaddr) || ini->oport == 0) {
+ flow_dbg(flow, "Invalid endpoint on UDP packet");
+ flow_alloc_cancel(flow);
+ return FLOW_SIDX_NONE;
+ }
return udp_flow_new(c, flow, -1, now);
}
--
@@ -75,16 +75,10 @@ void udp_flow_close(const struct ctx *c, struct udp_flow *uflow)
static flow_sidx_t udp_flow_new(const struct ctx *c, union flow *flow,
int s_ini, const struct timespec *now)
{
- const struct flowside *ini = &flow->f.side[INISIDE];
struct udp_flow *uflow = NULL;
const struct flowside *tgt;
uint8_t tgtpif;
- if (!inany_is_unicast(&ini->eaddr) || ini->eport == 0) {
- flow_trace(flow, "Invalid endpoint to initiate UDP flow");
- goto cancel;
- }
-
if (!(tgt = flow_target(c, flow, IPPROTO_UDP)))
goto cancel;
tgtpif = flow->f.pif[TGTSIDE];
@@ -189,6 +183,7 @@ flow_sidx_t udp_flow_from_sock(const struct ctx *c, union epoll_ref ref,
const union sockaddr_inany *s_in,
const struct timespec *now)
{
+ const struct flowside *ini;
struct udp_flow *uflow;
union flow *flow;
flow_sidx_t sidx;
@@ -210,7 +205,19 @@ flow_sidx_t udp_flow_from_sock(const struct ctx *c, union epoll_ref ref,
return FLOW_SIDX_NONE;
}
- flow_initiate_sa(flow, ref.udp.pif, s_in, ref.udp.port);
+ ini = flow_initiate_sa(flow, ref.udp.pif, s_in, ref.udp.port);
+
+ if (!inany_is_unicast(&ini->eaddr) ||
+ ini->eport == 0 || ini->oport == 0) {
+ /* In principle ini->oddr also must be unicast, but when we've
+ * been initiated from a socket bound to 0.0.0.0 or ::, we don't
+ * know our address, so we have to leave it unpopulated.
+ */
+ flow_err(flow, "Invalid endpoint on UDP recvfrom()");
+ flow_alloc_cancel(flow);
+ return FLOW_SIDX_NONE;
+ }
+
return udp_flow_new(c, flow, ref.fd, now);
}
@@ -233,6 +240,7 @@ flow_sidx_t udp_flow_from_tap(const struct ctx *c,
in_port_t srcport, in_port_t dstport,
const struct timespec *now)
{
+ const struct flowside *ini;
struct udp_flow *uflow;
union flow *flow;
flow_sidx_t sidx;
@@ -256,7 +264,15 @@ flow_sidx_t udp_flow_from_tap(const struct ctx *c,
return FLOW_SIDX_NONE;
}
- flow_initiate_af(flow, PIF_TAP, af, saddr, srcport, daddr, dstport);
+ ini = flow_initiate_af(flow, PIF_TAP, af, saddr, srcport,
+ daddr, dstport);
+
+ if (!inany_is_unicast(&ini->eaddr) || ini->eport == 0 ||
+ !inany_is_unicast(&ini->oaddr) || ini->oport == 0) {
+ flow_dbg(flow, "Invalid endpoint on UDP packet");
+ flow_alloc_cancel(flow);
+ return FLOW_SIDX_NONE;
+ }
return udp_flow_new(c, flow, -1, now);
}
--
2.47.0
next prev parent reply other threads:[~2024-12-05 4:26 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-05 4:26 [PATCH 0/2] Fix handling of ICMP flows with 0 id David Gibson
2024-12-05 4:26 ` David Gibson [this message]
2024-12-05 4:26 ` [PATCH 2/2] flow: Remove over-zealous sanity checks in flow_sidx_hash() David Gibson
2024-12-05 21:46 ` [PATCH 0/2] Fix handling of ICMP flows with 0 id Stefano Brivio
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241205042602.701755-2-david@gibson.dropbear.id.au \
--to=david@gibson.dropbear.id.au \
--cc=passt-dev@passt.top \
--cc=sbrivio@redhat.com \
--cc=steffhip@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://passt.top/passt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).