lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20210624090135.22406-1-geokohma@cisco.com>
Date:   Thu, 24 Jun 2021 11:01:35 +0200
From:   Georg Kohmann <geokohma@...co.com>
To:     netdev@...r.kernel.org
Cc:     coreteam@...filter.org, netfilter-devel@...r.kernel.org,
        kuba@...nel.org, davem@...emloft.net, fw@...len.de,
        kadlec@...filter.org, pablo@...filter.org,
        Georg Kohmann <geokohma@...co.com>
Subject: [PATCH net] ipv6/netfilter: Drop Packet Too Big with invalid payload

PMTU is updated even though received ICMPv6 PTB do not match any
transmitted traffic. This breaks TAHI IPv6 Core Conformance Test
Revision 5.0.1, v6LC.4.1.12 Validate Packet Too Big[1].

Referring to RFC8201 IPv6 Path MTU Discovery, section 4: "Nodes should
appropriately validate the payload of ICMPv6 PTB messages to ensure
these are received in response to transmitted traffic (i.e., a reported
error condition that corresponds to an IPv6 packet actually sent by the
application) per [ICMPv6]."

nf_conntrack_inet_error() return -NF_ACCEPT if the inner header of
ICMPv6 error packet is not related to an existing connection. Drop PTB
packet when this occur. This will prevent ipv6 from handling the packet
and update the PMTU.

The included test script below use ICMPv6 echo requests and PTB with an
invalid ICMPv6 identifier to check whether the host under test will
ignore the PTB or not. The host should not fragment the last echo
response.

[1] https://www.ipv6ready.org/docs/Core_Conformance_5_0_1.pdf
===== SCRIPT FOR SIMULATING TEST v6LC.4.1.12. =====

from scapy.all import *

def send_packet_too_big(addr, reply, mtu, id):
    reply[ICMPv6EchoReply].id = id
    I=IPv6(dst=addr)
    PacketTooBig=ICMPv6PacketTooBig(mtu=mtu, code=255)
    reply.data = reply.data[:mtu-len(I/PacketTooBig/reply)]
    reply[IPv6].fl = 0
    packet = I/PacketTooBig/reply
    del packet.cksum
    send(packet)

def send_echo_request(addr, payload, id=0, wait=True):
    I=IPv6(dst=addr)
    EchoRequest=ICMPv6EchoRequest(data=payload)
    EchoRequest.id = id
    if wait:
        return sr1(I/EchoRequest, timeout=5)
    else:
        return send(I/EchoRequest)

def validate_packets(addr):
    packets = sniff(filter = "ip6 and host {}".format(addr), timeout=2)
    for packet in packets:
        if IPv6ExtHdrFragment in packet[IPv6]:
            if ICMPv6EchoReply in packet[IPv6][IPv6ExtHdrFragment]:
                print("Fail - Received a fragmented echo")
                return
    print("Success - No fragmented echo reply received")

if __name__ == '__main__':
    print("Simulating IPv6 Core Conformance Test v6LC4.1.12")
    addr = sys.argv[1]
    thread = threading.Thread(target=validate_packets, args=(addr,))
    thread.start()
    echo_reply = send_echo_request(addr, 'A'*1400, id=0)
    if echo_reply:
        send_packet_too_big(addr, echo_reply, mtu=1300, id=1)
        send_echo_request(addr, 'A'*1400, id=0, wait=False)

===== END OF SCRIPT =====

Signed-off-by: Georg Kohmann <geokohma@...co.com>
---
 net/netfilter/nf_conntrack_proto_icmpv6.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_icmpv6.c b/net/netfilter/nf_conntrack_proto_icmpv6.c
index facd8c6..797cd42 100644
--- a/net/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/netfilter/nf_conntrack_proto_icmpv6.c
@@ -139,6 +139,7 @@ int nf_conntrack_icmpv6_error(struct nf_conn *tmpl,
 	const struct icmp6hdr *icmp6h;
 	struct icmp6hdr _ih;
 	int type;
+	int ret;
 
 	icmp6h = skb_header_pointer(skb, dataoff, sizeof(_ih), &_ih);
 	if (icmp6h == NULL) {
@@ -167,8 +168,12 @@ int nf_conntrack_icmpv6_error(struct nf_conn *tmpl,
 	memcpy(&outer_daddr.ip6, &ipv6_hdr(skb)->daddr,
 	       sizeof(outer_daddr.ip6));
 	dataoff += sizeof(*icmp6h);
-	return nf_conntrack_inet_error(tmpl, skb, dataoff, state,
-				       IPPROTO_ICMPV6, &outer_daddr);
+	ret = nf_conntrack_inet_error(tmpl, skb, dataoff, state,
+				      IPPROTO_ICMPV6, &outer_daddr);
+	if (icmp6h->icmp6_type == ICMPV6_PKT_TOOBIG &&
+	    ret == -NF_ACCEPT)
+		return -NF_DROP;
+	return ret;
 }
 
 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
-- 
2.10.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ