lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Thu, 04 Feb 2021 23:01:50 -0600
From:   Andreas Roeseler <andreas.a.roeseler@...il.com>
To:     Willem de Bruijn <willemdebruijn.kernel@...il.com>
Cc:     David Miller <davem@...emloft.net>,
        Alexey Kuznetsov <kuznet@....inr.ac.ru>,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        Jakub Kicinski <kuba@...nel.org>,
        Network Development <netdev@...r.kernel.org>
Subject: Re: [PATCH V2 net-next 5/5] icmp: add response to RFC 8335 PROBE
 messages

On Thu, 2021-02-04 at 14:52 -0500, Willem de Bruijn wrote:
> On Wed, Feb 3, 2021 at 6:30 PM Andreas Roeseler
> <andreas.a.roeseler@...il.com> wrote:
> > 
> > Modify the icmp_rcv function to check for PROBE messages and call
> > icmp_echo if a PROBE request is detected.
> > 
> > Modify the existing icmp_echo function to respond to both ping and
> > PROBE
> > requests.
> > 
> > This was tested using a custom modification of the iputils package
> > and
> > wireshark. It supports IPV4 probing by name, ifindex, and probing
> > by both IPV4 and IPV6
> > addresses. It currently does not support responding to probes off
> > the proxy node
> > (See RFC 8335 Section 2).
> > 
> > 
> > Signed-off-by: Andreas Roeseler <andreas.a.roeseler@...il.com>
> > ---
> > Changes since v1:
> >  - Reorder variable declarations to follow coding style
> >  - Switch to functions such as dev_get_by_name and ip_dev_find to
> > lookup
> >    net devices
> > ---
> >  net/ipv4/icmp.c | 98 ++++++++++++++++++++++++++++++++++++++++++++-
> > ----
> >  1 file changed, 88 insertions(+), 10 deletions(-)
> > 
> > diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
> > index 396b492c804f..18f9a2a3bf59 100644
> > --- a/net/ipv4/icmp.c
> > +++ b/net/ipv4/icmp.c
> > @@ -983,21 +983,85 @@ static bool icmp_redirect(struct sk_buff
> > *skb)
> > 
> >  static bool icmp_echo(struct sk_buff *skb)
> >  {
> > +       struct icmp_bxm icmp_param;
> >         struct net *net;
> > +       struct net_device *dev;
> > +       struct icmp_extobj_hdr *extobj_hdr;
> > +       struct icmp_ext_ctype3_hdr *ctype3_hdr;
> > +       __u8 status;
> 
> nit: please maintain reverse christmas tree variable ordering
> 
> > 
> >         net = dev_net(skb_dst(skb)->dev);
> > -       if (!net->ipv4.sysctl_icmp_echo_ignore_all) {
> > -               struct icmp_bxm icmp_param;
> > +       /* should there be an ICMP stat for ignored echos? */
> > +       if (net->ipv4.sysctl_icmp_echo_ignore_all)
> > +               return true;
> > +
> > +       icmp_param.data.icmph           = *icmp_hdr(skb);
> > +       icmp_param.skb                  = skb;
> > +       icmp_param.offset               = 0;
> > +       icmp_param.data_len             = skb->len;
> > +       icmp_param.head_len             = sizeof(struct icmphdr);
> > 
> > -               icmp_param.data.icmph      = *icmp_hdr(skb);
> > +       if (icmp_param.data.icmph.type == ICMP_ECHO) {
> >                 icmp_param.data.icmph.type = ICMP_ECHOREPLY;
> > -               icmp_param.skb             = skb;
> > -               icmp_param.offset          = 0;
> > -               icmp_param.data_len        = skb->len;
> > -               icmp_param.head_len        = sizeof(struct
> > icmphdr);
> > -               icmp_reply(&icmp_param, skb);
> > +               goto send_reply;
> >         }
> > -       /* should there be an ICMP stat for ignored echos? */
> > +       if (!net->ipv4.sysctl_icmp_echo_enable_probe)
> > +               return true;
> > +       /* We currently do not support probing off the proxy node
> > */
> > +       if (!(ntohs(icmp_param.data.icmph.un.echo.sequence) & 1))
> > +               return true;
> 
> What does this comment mean?
> 
> And why does the sequence number need to be even?

RFC 8335 Section 2 specifies that the ICMP Extended Echo Request
messages use a modified sequence number field, as follows.
0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Identifier          |Sequence Number|   Reserved  |L|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The L-bit is set if the probed interface resides on the proxy node. We
only support probing interfaces that lie on the proxy node since it
simplifies the response handler and, if we wanted to know the status of
an interface on another node, we could simply probe that node instead.
This line ensures that the L-bit is set to 1.

I'll clarify the wording of the comment.

> 
> > +
> > +       icmp_param.data.icmph.type = ICMP_EXT_ECHOREPLY;
> > +       icmp_param.data.icmph.un.echo.sequence &= htons(0xFF00);
> 
> Why this mask?

This clears the status fields of the reply message to avoid sending old
data back to the probing host.

> 
> > +       extobj_hdr = (struct icmp_extobj_hdr *)(skb->data +
> > sizeof(struct icmp_ext_hdr));
> > +       ctype3_hdr = (struct icmp_ext_ctype3_hdr *)(extobj_hdr +
> > 1);
> 
> It is not safe to trust the contents of unverified packets. We cannot
> just cast to a string and call dev_get_by_name. Need to verify packet
> length and data format.
> 

Great catch, I will work on adding this into the next version.

> Also below code just casts to the expected data type at some offset.
> Can that be defined more formally as header structs? Like ctype3_hdr,
> but for other headers, as well.
> 

Will do.

> > +       status = 0;
> > +       switch (extobj_hdr->class_type) {
> > +       case CTYPE_NAME:
> > +               dev = dev_get_by_name(net, (char *)(extobj_hdr +
> > 1));
> > +               break;
> > +       case CTYPE_INDEX:
> > +               dev = dev_get_by_index(net, ntohl(*((uint32_t
> > *)(extobj_hdr + 1))));
> > +               break;
> > +       case CTYPE_ADDR:
> > +               switch (ntohs(ctype3_hdr->afi)) {
> > +               case AFI_IP:
> > +                       dev = ip_dev_find(net, *(__be32
> > *)(ctype3_hdr + 1));
> > +                       break;
> > +               case AFI_IP6:
> > +                       dev = ipv6_dev_find(net, (struct in6_addr
> > *)(ctype3_hdr + 1), dev);
> > +                       if(dev) dev_hold(dev);
> > +                       break;
> > +               default:
> > +                       icmp_param.data.icmph.code =
> > ICMP_EXT_MAL_QUERY;
> > +                       goto send_reply;
> > +               }
> > +               break;
> > +       default:
> > +               icmp_param.data.icmph.code = ICMP_EXT_MAL_QUERY;
> > +               goto send_reply;
> > +       }
> > +       if(!dev) {
> > +               icmp_param.data.icmph.code = ICMP_EXT_NO_IF;
> > +               goto send_reply;
> > +       }
> > +       /* RFC 8335: 3 the last 8 bits of the Extended Echo Reply
> > Message
> > +        *  are laid out as follows:
> > +        *      +-+-+-+-+-+-+-+-+
> > +        *      |State|Res|A|4|6|
> > +        *      +-+-+-+-+-+-+-+-+
> > +        */
> > +       if (dev->flags & IFF_UP)
> > +               status |= EXT_ECHOREPLY_ACTIVE;
> > +       if (dev->ip_ptr->ifa_list)
> > +               status |= EXT_ECHOREPLY_IPV4;
> > +       if (!list_empty(&dev->ip6_ptr->addr_list))
> > +               status |= EXT_ECHOREPLY_IPV6;
> > +       dev_put(dev);
> > +       icmp_param.data.icmph.un.echo.sequence |= htons(status);
> > +
> > +send_reply:
> > +       icmp_reply(&icmp_param, skb);
> >         return true;
> >  }

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ