| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 24 Jun 2021 11:01:35 +0200
From: Georg Kohmann <geokohma@...co.com>
To: netdev@...r.kernel.org
Cc: coreteam@...filter.org, netfilter-devel@...r.kernel.org,
kuba@...nel.org, davem@...emloft.net, fw@...len.de,
kadlec@...filter.org, pablo@...filter.org,
Georg Kohmann <geokohma@...co.com>
Subject: [PATCH net] ipv6/netfilter: Drop Packet Too Big with invalid payload
PMTU is updated even though received ICMPv6 PTB do not match any
transmitted traffic. This breaks TAHI IPv6 Core Conformance Test
Revision 5.0.1, v6LC.4.1.12 Validate Packet Too Big[1].
Referring to RFC8201 IPv6 Path MTU Discovery, section 4: "Nodes should
appropriately validate the payload of ICMPv6 PTB messages to ensure
these are received in response to transmitted traffic (i.e., a reported
error condition that corresponds to an IPv6 packet actually sent by the
application) per [ICMPv6]."
nf_conntrack_inet_error() return -NF_ACCEPT if the inner header of
ICMPv6 error packet is not related to an existing connection. Drop PTB
packet when this occur. This will prevent ipv6 from handling the packet
and update the PMTU.
The included test script below use ICMPv6 echo requests and PTB with an
invalid ICMPv6 identifier to check whether the host under test will
ignore the PTB or not. The host should not fragment the last echo
response.
[1] https://www.ipv6ready.org/docs/Core_Conformance_5_0_1.pdf
===== SCRIPT FOR SIMULATING TEST v6LC.4.1.12. =====
from scapy.all import *
def send_packet_too_big(addr, reply, mtu, id):
reply[ICMPv6EchoReply].id = id
I=IPv6(dst=addr)
PacketTooBig=ICMPv6PacketTooBig(mtu=mtu, code=255)
reply.data = reply.data[:mtu-len(I/PacketTooBig/reply)]
reply[IPv6].fl = 0
packet = I/PacketTooBig/reply
del packet.cksum
send(packet)
def send_echo_request(addr, payload, id=0, wait=True):
I=IPv6(dst=addr)
EchoRequest=ICMPv6EchoRequest(data=payload)
EchoRequest.id = id
if wait:
return sr1(I/EchoRequest, timeout=5)
else:
return send(I/EchoRequest)
def validate_packets(addr):
packets = sniff(filter = "ip6 and host {}".format(addr), timeout=2)
for packet in packets:
if IPv6ExtHdrFragment in packet[IPv6]:
if ICMPv6EchoReply in packet[IPv6][IPv6ExtHdrFragment]:
print("Fail - Received a fragmented echo")
return
print("Success - No fragmented echo reply received")
if __name__ == '__main__':
print("Simulating IPv6 Core Conformance Test v6LC4.1.12")
addr = sys.argv[1]
thread = threading.Thread(target=validate_packets, args=(addr,))
thread.start()
echo_reply = send_echo_request(addr, 'A'*1400, id=0)
if echo_reply:
send_packet_too_big(addr, echo_reply, mtu=1300, id=1)
send_echo_request(addr, 'A'*1400, id=0, wait=False)
===== END OF SCRIPT =====
Signed-off-by: Georg Kohmann <geokohma@...co.com>
---
net/netfilter/nf_conntrack_proto_icmpv6.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_icmpv6.c b/net/netfilter/nf_conntrack_proto_icmpv6.c
index facd8c6..797cd42 100644
--- a/net/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/netfilter/nf_conntrack_proto_icmpv6.c
@@ -139,6 +139,7 @@ int nf_conntrack_icmpv6_error(struct nf_conn *tmpl,
const struct icmp6hdr *icmp6h;
struct icmp6hdr _ih;
int type;
+ int ret;
icmp6h = skb_header_pointer(skb, dataoff, sizeof(_ih), &_ih);
if (icmp6h == NULL) {
@@ -167,8 +168,12 @@ int nf_conntrack_icmpv6_error(struct nf_conn *tmpl,
memcpy(&outer_daddr.ip6, &ipv6_hdr(skb)->daddr,
sizeof(outer_daddr.ip6));
dataoff += sizeof(*icmp6h);
- return nf_conntrack_inet_error(tmpl, skb, dataoff, state,
- IPPROTO_ICMPV6, &outer_daddr);
+ ret = nf_conntrack_inet_error(tmpl, skb, dataoff, state,
+ IPPROTO_ICMPV6, &outer_daddr);
+ if (icmp6h->icmp6_type == ICMPV6_PKT_TOOBIG &&
+ ret == -NF_ACCEPT)
+ return -NF_DROP;
+ return ret;
}
#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
--
2.10.2
Powered by blists - more mailing lists