From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: passt.top; dmarc=none (p=none dis=none) header.from=gibson.dropbear.id.au Authentication-Results: passt.top; dkim=pass (2048-bit key; secure) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.a=rsa-sha256 header.s=202410 header.b=IyUuTzhU; dkim-atps=neutral Received: from mail.ozlabs.org (gandalf.ozlabs.org [150.107.74.76]) by passt.top (Postfix) with ESMTPS id 99D2F5A061D for ; Thu, 05 Dec 2024 05:26:14 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gibson.dropbear.id.au; s=202410; t=1733372760; bh=rAQiDo/s8FkGLKJRAcR726HFH0cJrEFEiS/Bt21hTdo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=IyUuTzhUlWK+AIQ0tOfqAN+GGg5AH5Smcl/CC7vq0D44fqFvRK6Viv2HRVG2aNH9u MrWI6uSqFq/gEku7ncxvTuMKjseOhwKyPPnR12gZuWTQut09nY6XLQ/tbDBugpfn37 GNhDTqOkP8L8h/+PR/EsBcFWUkAOjcqqbhbOKM8+7fphrC28Oxp4LU5Ap1IGd5ejSd m6QuxN3NCIWhus4LikuEihO3TqXp4+3yxueTM2DHRAO1OwjaPX4yec+0FVVAQ14gxn Sh6cNUWOocZkUSar+fFKMx2Uv5JlxUeaDKB0cjSYosr4hGH4aHVGcV2yf/TD4m0OD8 wb+LgfekvixCg== Received: by gandalf.ozlabs.org (Postfix, from userid 1007) id 4Y3hCX28mDz4x66; Thu, 5 Dec 2024 15:26:00 +1100 (AEDT) From: David Gibson To: Stefano Brivio , passt-dev@passt.top Subject: [PATCH 1/2] udp: Improve detail of UDP endpoint sanity checking Date: Thu, 5 Dec 2024 15:26:01 +1100 Message-ID: <20241205042602.701755-2-david@gibson.dropbear.id.au> X-Mailer: git-send-email 2.47.0 In-Reply-To: <20241205042602.701755-1-david@gibson.dropbear.id.au> References: <20241205042602.701755-1-david@gibson.dropbear.id.au> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-ID-Hash: UCJKGLLVDFDZGNBUVCAZBAP4EW7DVQXX X-Message-ID-Hash: UCJKGLLVDFDZGNBUVCAZBAP4EW7DVQXX X-MailFrom: dgibson@gandalf.ozlabs.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: steffhip@gmail.com, David Gibson X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: In udp_flow_new() we reject a flow if the endpoint isn't unicast, or it has a zero endpoint port. Those conditions aren't strictly illegal, but we can't safely handle them at present: * Multicast UDP endpoints are certainly possible, but our current flow tracking only makes sense for simple unicast flows - we'll need different handling if we want to handle multicast flows in future * It's not entirely clear if port 0 is RFC-ishly correct, but for socket interfaces port 0 sometimes has a special meaning such as "pick the port for me, kernel". That makes flows on port 0 unsafe to forward in the usual way. For the same reason we also can't safely handle port 0 as our port. In principle that's also true for our address, however in the case of flows initiated from a socket, we may not know our address since the socket could be bound to 0.0.0.0 or ::, so we can only verify that our address is unicast for flows initiated from the tap side. Refine the current check in udp_flow_new() to slightly more detailed checks in udp_flow_from_sock() and udp_flow_from_tap() to make what is and isn't handled clearer. This makes this checking more similar to what we do for TCP connections. Signed-off-by: David Gibson --- udp_flow.c | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/udp_flow.c b/udp_flow.c index b81be2c..c8fdb5f 100644 --- a/udp_flow.c +++ b/udp_flow.c @@ -75,16 +75,10 @@ void udp_flow_close(const struct ctx *c, struct udp_flow *uflow) static flow_sidx_t udp_flow_new(const struct ctx *c, union flow *flow, int s_ini, const struct timespec *now) { - const struct flowside *ini = &flow->f.side[INISIDE]; struct udp_flow *uflow = NULL; const struct flowside *tgt; uint8_t tgtpif; - if (!inany_is_unicast(&ini->eaddr) || ini->eport == 0) { - flow_trace(flow, "Invalid endpoint to initiate UDP flow"); - goto cancel; - } - if (!(tgt = flow_target(c, flow, IPPROTO_UDP))) goto cancel; tgtpif = flow->f.pif[TGTSIDE]; @@ -189,6 +183,7 @@ flow_sidx_t udp_flow_from_sock(const struct ctx *c, union epoll_ref ref, const union sockaddr_inany *s_in, const struct timespec *now) { + const struct flowside *ini; struct udp_flow *uflow; union flow *flow; flow_sidx_t sidx; @@ -210,7 +205,19 @@ flow_sidx_t udp_flow_from_sock(const struct ctx *c, union epoll_ref ref, return FLOW_SIDX_NONE; } - flow_initiate_sa(flow, ref.udp.pif, s_in, ref.udp.port); + ini = flow_initiate_sa(flow, ref.udp.pif, s_in, ref.udp.port); + + if (!inany_is_unicast(&ini->eaddr) || + ini->eport == 0 || ini->oport == 0) { + /* In principle ini->oddr also must be unicast, but when we've + * been initiated from a socket bound to 0.0.0.0 or ::, we don't + * know our address, so we have to leave it unpopulated. + */ + flow_err(flow, "Invalid endpoint on UDP recvfrom()"); + flow_alloc_cancel(flow); + return FLOW_SIDX_NONE; + } + return udp_flow_new(c, flow, ref.fd, now); } @@ -233,6 +240,7 @@ flow_sidx_t udp_flow_from_tap(const struct ctx *c, in_port_t srcport, in_port_t dstport, const struct timespec *now) { + const struct flowside *ini; struct udp_flow *uflow; union flow *flow; flow_sidx_t sidx; @@ -256,7 +264,15 @@ flow_sidx_t udp_flow_from_tap(const struct ctx *c, return FLOW_SIDX_NONE; } - flow_initiate_af(flow, PIF_TAP, af, saddr, srcport, daddr, dstport); + ini = flow_initiate_af(flow, PIF_TAP, af, saddr, srcport, + daddr, dstport); + + if (!inany_is_unicast(&ini->eaddr) || ini->eport == 0 || + !inany_is_unicast(&ini->oaddr) || ini->oport == 0) { + flow_dbg(flow, "Invalid endpoint on UDP packet"); + flow_alloc_cancel(flow); + return FLOW_SIDX_NONE; + } return udp_flow_new(c, flow, -1, now); } -- 2.47.0