>Synopsis:	IP6/CARP bug in tcpdump (nonexploitable)
>Category:	system
>Environment:
	System      : OpenBSD 7.2
	Details     : OpenBSD 7.2 (GENERIC.MP) #2: Thu Nov 24 23:53:03 MST 2022
			 r...@syspatch-72-arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC.MP

	Architecture: OpenBSD.arm64
	Machine     : arm64
>Description:
	In tcpdump/print-ip6.c there is a small bug that allows (bogus) constructs like this:

tcpdump: listening on bse0, link-type EN10MB
tcpdump: WARNING: compensating for unaligned libpcap packets
07:34:28.370433 192.168.177.13 > 255.255.255.255: gre [R] 86dd off 0x0 (rtaf=0x0 ) :: > ::: CARPv2-advertise 0: [ttl=0!] vhid=0 advbase=0 advskew=0 demote=0 (bad carp cksum ffff!)CARPv2-advertise 0: [ttl=0!] vhid=0 advbase=0 advskew=0 demote=0 (bad carp cksum ffff!)CARPv2-advertise 0: [ttl=0!] vhid=0 advbase=0 advskew=0 demote=0 (bad carp cksum ffff!)CARPv2-advertise 0: [ttl=0!] vhid=0 advbase=0 advskew=0 demote=0 (bad carp cksum ffff!)CARPv2-advertise 0: [ttl=0!] vhid=0 advbase=0 advskew=0 demote=0 (bad carp cksum ffff!)CARPv2-advertise 0: [ttl=0!] vhid=0 advbase=0 advskew=0 demote=0 (bad carp cksum ffff!)CARPv2-advertise 0: [ttl=0!] vhid=0 advbase=0 advskew=0 demote=0 (bad carp cksum ffff!)CARPv2-advertise 0: [ttl=0!] vhid=0 advbase=0 advskew=0 demote=0 (bad carp cksum ffff!)CARPv2-advertise 0: [ttl=0!] vhid=0 advbase=0 advskew=0 demote=0 (bad carp cksum ffff!)CARPv2-advertise 0: [ttl=0!] vhid=0 advbase=0 advskew=0 demote=0 (bad carp cksum ffff!)CARPv2-advertise 0: [ttl=0!] vhid=0 advbase=0 advskew=0 demote=0 (bad carp cksum ffff!)CARPv2-advertise 0: [ttl=0!] vhid=0 advbase=0 advskew=0 demote=0 (bad carp cksum ffff!)CARPv2-advertise 0: [ttl=0!] vhid=0 advbase=0 advskew=0 demote=0 (bad carp cksum ffff!)CARPv2-advertise 0: [ttl=0!] vhid=0 advbase=0 advskew=0 demote=0 (bad carp cksum ffff!)CARPv2-advertise 0: [ttl=0!] vhid=0 advbase=0 advskew=0 demote=0 (bad carp cksum ffff!)CARPv2-advertise 0: [ttl=0!] vhid=0 advbase=0 advskew=0 demote=0 (bad carp cksum ffff!)CARPv2-advertise 0: [ttl=0!] vhid=0 advbase=0 advskew=0 demote=0 (bad carp cksum ffff!)CARPv2-advertise 0: [ttl=0!] vhid=0 advbase=0 advskew=0 demote=0 (bad carp cksum ffff!)CARPv2-advertise 0: [ttl=0!] vhid=0 advbase=0 advskew=0 demote=0 (bad carp cksum ffff!)CARPv2-advertise 0: [ttl=0!] vhid=0 advbase=0 advskew=0 demote=0 (bad carp cksum ffff!)CARPv2-advertise 0: [ttl=0!] vhid=0 advbase=0 advskew=0 demote=0 (bad carp cksum ffff!)CARPv2-advertise 0: [ttl=0!] vhid=0 advbase=0 advskew=0 demote=0 (bad carp cksum ffff!)CARPv2-advertise 0: [ttl=0!] vhid=0 advbase=0 advskew=0 demote=0 (bad carp cksum ffff!)CARPv2-advertise 0: [ttl=0!] vhid=0 advbase=0 advskew=0 demote=0 (bad carp cksum ffff!)CARPv2-advertise 0: [ttl=0!] vhid=0 advbase=0 advskew=0 demote=0 (bad carp cksum ffff!)CARPv2-advertise 0: [ttl=0!] vhid=0 advbase=0 advskew=0 demote=0 (bad carp cksum ffff!)[|carp] [hlim 0] (len 0) (ttl 255, id 0, len 20)
	0000: 4500 0014 0000 0000 ff2f 4a05 c0a8 b10d  E......../J.....

	This falls back on code in print-ip6.c that breaks out of the switch instead of using a goto end, which most other protocols (other than the ip6 options) use.

	207		case IPPROTO_CARP:
	208			if (packettype == PT_VRRP)
	209				vrrp_print(cp, len, ip6->ip6_hlim);
	210			else
	211				carp_print(cp, len, ip6->ip6_hlim);
	212			break;

	The break in my 7.2 code is on line 212.
>How-To-Repeat:
	Specially crafted packets can cause this. If you would like the packet generator I can make it available to @openbsd.org addresses.
>Fix:
	The fix is to replace the break with a goto end; for correctness.

dmesg: see earlier posts.
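The repeated "CARPv2-advertise" output follows from the shape of the next-header loop in ip6_print(): cp advances by a fixed number of bytes per iteration and the switch dispatches on nh, so a case that ends in break without updating either re-enters the same printer until cp reaches snapend. The following is an added model of that loop, not tcpdump's print-ip6.c; the constants, the struct capture type and the functions dispatch, carp_prints_for and other_prints_for are assumptions of this model, and a counter stands in for carp_print().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in constants (assumed values for this model; the real tcpdump build
 * takes them from the system headers). */
#define IP6_HDR_LEN   40      /* sizeof(struct ip6_hdr) */
#define NH_CARP       112     /* IPPROTO_CARP */
#define NH_OTHER      253     /* any next-header value without its own case */

/* A captured packet reduced to the two things the loop depends on: the
 * IPv6 next-header value and how many bytes the capture holds past the
 * start of the IPv6 header (snapend minus that start). */
struct capture {
    uint8_t nh;
    size_t  caplen;
};

/*
 * Model of the while/switch in ip6_print(): cp walks forward by 'advance'
 * bytes per iteration and the switch dispatches on 'nh'.  Extension-header
 * cases update both; a payload printer is expected to leave with goto end.
 * Returns how many times the CARP printer would have been called.
 */
static int dispatch(const struct capture *pkt, int fixed)
{
    size_t  cp = 0;                  /* offset of the current header */
    size_t  advance = IP6_HDR_LEN;   /* bytes to skip to reach the next header */
    uint8_t nh = pkt->nh;
    int carp_prints = 0;

    while (cp < pkt->caplen) {       /* the original loop's "cp < snapend" */
        cp += advance;
        switch (nh) {
        case NH_CARP:
            carp_prints++;           /* stands in for carp_print(cp, len, hlim) */
            if (fixed)
                goto end;            /* after the fix: payload printed, done */
            /* before the fix: break leaves advance and nh unchanged, so the
             * loop re-enters this case every IP6_HDR_LEN bytes until the
             * snapshot end is reached (bounded, hence "nonexploitable") */
            break;
        default:
            goto end;                /* "ip-proto-N" path: other printers use goto end */
        }
    }
end:
    return carp_prints;
}

/* Constructed capture of 'caplen' bytes whose IPv6 next header is CARP. */
int carp_prints_for(size_t caplen, int fixed)
{
    struct capture pkt = { NH_CARP, caplen };
    return dispatch(&pkt, fixed);
}

/* Constructed capture with some other next header: never reaches the CARP case. */
int other_prints_for(size_t caplen, int fixed)
{
    struct capture pkt = { NH_OTHER, caplen };
    return dispatch(&pkt, fixed);
}

int main(void)
{
    /* 1040 captured bytes: 26 repeated advertisements before the fix, as in
     * the output above, and exactly one afterwards */
    printf("break:    %d CARP prints\n", carp_prints_for(1040, 0));
    printf("goto end: %d CARP prints\n", carp_prints_for(1040, 1));
    return 0;
}
```

Compiled and run, the model prints 26 for the break variant and 1 for the goto end variant on a 1040-byte capture. The repetition count is bounded by the snapshot length and cp never runs past snapend, which is why the report classes the bug as output noise rather than a memory-safety issue; the fix simply makes the CARP case leave the loop the way the other payload printers already do.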