CVS commit: [netbsd-7-0] src/sys/net/npf
Module Name:src
Committed By: martin
Date: Mon May 14 19:03:48 UTC 2018
Modified Files:
src/sys/net/npf [netbsd-7-0]: npf_alg_icmp.c npf_inet.c
Log Message:
Pull up following revision(s) (requested by maxv in ticket #1605):
sys/net/npf/npf_inet.c: revision 1.45
sys/net/npf/npf_alg_icmp.c: revision 1.27-1.29
Fix use-after-free.
The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.
We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).
Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.
Discussed with rmind@.
Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.
Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.
In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).
This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.
Ah, fix compilation. I tested my previous change by loading the kernel
module from the filesystem, but the Makefile didn't have DIAGNOSTIC
enabled, and the two KASSERTs I added did not compile properly.
To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.23.6.1 src/sys/net/npf/npf_alg_icmp.c
cvs rdiff -u -r1.32 -r1.32.6.1 src/sys/net/npf/npf_inet.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/net/npf/npf_alg_icmp.c
diff -u src/sys/net/npf/npf_alg_icmp.c:1.23 src/sys/net/npf/npf_alg_icmp.c:1.23.6.1
--- src/sys/net/npf/npf_alg_icmp.c:1.23 Sun Jul 20 00:37:41 2014
+++ src/sys/net/npf/npf_alg_icmp.c Mon May 14 19:03:48 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_alg_icmp.c,v 1.23 2014/07/20 00:37:41 rmind Exp $ */
+/* $NetBSD: npf_alg_icmp.c,v 1.23.6.1 2018/05/14 19:03:48 martin Exp $ */
/*-
* Copyright (c) 2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include
-__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.23 2014/07/20 00:37:41 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.23.6.1 2018/05/14 19:03:48 martin Exp $");
#include
#include
@@ -118,13 +118,15 @@ npfa_icmp_match(npf_cache_t *npc, npf_na
/*
* npfa_icmp{4,6}_inspect: retrieve unique identifiers - either ICMP query
* ID or TCP/UDP ports of the original packet, which is embedded.
+ *
+ * => Sets hasqid=true if the packet has a Query Id. In this case neither
+ *the nbuf nor npc is touched.
*/
static bool
-npfa_icmp4_inspect(const int type, npf_cache_t *npc)
+npfa_icmp4_inspect(const int type, npf_cache_t *npc, bool *hasqid)
{
nbuf_t *nbuf = npc->npc_nbuf;
- u_int offby;
/* Per RFC 792. */
switch (type) {
@@ -148,12 +150,8 @@ npfa_icmp4_inspect(const int type, npf_c
case ICMP_TSTAMPREPLY:
case ICMP_IREQ:
case ICMP_IREQREPLY:
- /* Should contain ICMP query ID - ensure. */
- offby = offsetof(struct icmp, icmp_id);
- if (!nbuf_advance(nbuf, offby, sizeof(uint16_t))) {
- return false;
- }
- npc->npc_info |= NPC_ICMP_ID;
+ /* Contains ICMP query ID. */
+ *hasqid = true;
return true;
default:
break;
@@ -162,10 +160,9 @@ npfa_icmp4_inspect(const int type, npf_c
}
static bool
-npfa_icmp6_inspect(const int type, npf_cache_t *npc)
+npfa_icmp6_inspect(const int type, npf_cache_t *npc, bool *hasqid)
{
nbuf_t *nbuf = npc->npc_nbuf;
- u_int offby;
/* Per RFC 4443. */
switch (type) {
@@ -184,12 +181,8 @@ npfa_icmp6_inspect(const int type, npf_c
case ICMP6_ECHO_REQUEST:
case ICMP6_ECHO_REPLY:
- /* Should contain ICMP query ID - ensure. */
- offby = offsetof(struct icmp6_hdr, icmp6_id);
- if (!nbuf_advance(nbuf, offby, sizeof(uint16_t))) {
- return false;
- }
- npc->npc_info |= NPC_ICMP_ID;
+ /* Contains ICMP query ID. */
+ *hasqid = true;
return true;
default:
break;
@@ -200,13 +193,13 @@ npfa_icmp6_inspect(const int type, npf_c
/*
* npfa_icmp_inspect: ALG ICMP inspector.
*
- * => Returns true if "enpc" is filled.
+ * => Returns false if there is a problem with the format.
*/
static bool
npfa_icmp_inspect(npf_cache_t *npc, npf_cache_t *enpc)
{
nbuf_t *nbuf = npc->npc_nbuf;
- bool ret;
+ bool ret, hasqid = false;
KASSERT(npf_iscached(npc, NPC_IP46));
KASSERT(npf_iscached(npc, NPC_ICMP));
@@ -225,10 +218,10 @@ npfa_icmp_inspect(npf_cache_t *npc, npf_
*/
if (npf_iscached(npc, NPC_IP4)) {
CVS commit: [netbsd-7-0] src/sys/net/npf
Module Name:src Committed By: martin Date: Mon May 14 19:03:48 UTC 2018 Modified Files: src/sys/net/npf [netbsd-7-0]: npf_alg_icmp.c npf_inet.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1605): sys/net/npf/npf_inet.c: revision 1.45 sys/net/npf/npf_alg_icmp.c: revision 1.27-1.29 Fix use-after-free. The nbuf can be reallocated as a result of caching 'enpc', so it is necessary to recache 'npc', otherwise it contains pointers to the freed mbuf - pointers which are then used in the ruleset machinery. We recache 'npc' when we are sure we won't use 'enpc' anymore, because 'enpc' can be clobbered as a result of caching 'npc' (in other words, only one of the two can be cached at the same time). Also, we recache 'npc' unconditionally, because there is no way to know whether the nbuf got clobbered relatively to it. We can't use the NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the cache. Discussed with rmind@. Change npf_cache_all so that it ensures the potential ICMP Query Id is in the nbuf. In such a way that we don't need to ensure that later. Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither the nbuf nor npc. Adapt their callers accordingly. In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave right away, without recaching npc (not needed since we didn't touch the nbuf). This fixes the handling of Query Id packets (that I broke in my previous commit), and also fixes another possible use-after-free. Ah, fix compilation. I tested my previous change by loading the kernel module from the filesystem, but the Makefile didn't have DIAGNOSTIC enabled, and the two KASSERTs I added did not compile properly. To generate a diff of this commit: cvs rdiff -u -r1.23 -r1.23.6.1 src/sys/net/npf/npf_alg_icmp.c cvs rdiff -u -r1.32 -r1.32.6.1 src/sys/net/npf/npf_inet.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-7-0] src/sys/net/npf
Module Name:src
Committed By: martin
Date: Thu Apr 5 11:43:51 UTC 2018
Modified Files:
src/sys/net/npf [netbsd-7-0]: npf.h
Log Message:
Pullup the following revision, requested by maxv in ticket #1593:
sys/net/npf/npf.h 1.55
Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.
Basically there is an integer overflow in npf_cache_ip: npc_hlen is a
8bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.
As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.
If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.
The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.
Simple example, a packet with:
packet + 0 = IP6 Header
packet + 40 = IP6 Routing header (ip6r_len = 31)
packet + 48 = Crafted UDP header (uh_dport = )
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = )
Will bypass a rule of the kind "block port ". Here NPF reads the
crafted UDP header, sees , lets the packet in; later the kernel reads
the real UDP header, and delivers it on port .
Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.
To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.47.6.1 src/sys/net/npf/npf.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.47 src/sys/net/npf/npf.h:1.47.6.1
--- src/sys/net/npf/npf.h:1.47 Sun Aug 10 19:09:43 2014
+++ src/sys/net/npf/npf.h Thu Apr 5 11:43:51 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.47 2014/08/10 19:09:43 rmind Exp $ */
+/* $NetBSD: npf.h,v 1.47.6.1 2018/04/05 11:43:51 martin Exp $ */
/*-
* Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -150,7 +150,7 @@ typedef struct {
uint8_t npc_alen;
/* IP header length and L4 protocol. */
- uint8_t npc_hlen;
+ uint32_t npc_hlen;
uint16_t npc_proto;
/* IPv4, IPv6. */
CVS commit: [netbsd-7-0] src/sys/net/npf
Module Name:src Committed By: martin Date: Thu Apr 5 11:43:51 UTC 2018 Modified Files: src/sys/net/npf [netbsd-7-0]: npf.h Log Message: Pullup the following revision, requested by maxv in ticket #1593: sys/net/npf/npf.h 1.55 Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to bypass a certain number of filtering rules. Basically there is an integer overflow in npf_cache_ip: npc_hlen is a 8bit unsigned int, and can wrap to zero if the IPv6 packet being processed has large extensions. As a result of an overflow, (mbuf + npc_hlen) won't point at the real protocol header, but instead at some garbage within the packet. That garbage, is what NPF applies its rules on. If these filtering rules allow the packet to enter, that packet is given to the main IPv6 entry point. This entry point, however, is not subject to an integer overflow, so it will actually parse the correct protocol header. The result is: NPF read a wrong header, allowed the packet to enter, the kernel read the correct header, and delivered the packet depending on this correct header. So the offending packet was supposed to be kicked, but still went through the firewall. Simple example, a packet with: packet + 0 = IP6 Header packet + 40 = IP6 Routing header (ip6r_len = 31) packet + 48 = Crafted UDP header (uh_dport = ) packet + 296 = IP6 Dest header (ip6e_len = 0) packet + 304 = Real UDP header (uh_dport = ) Will bypass a rule of the kind "block port ". Here NPF reads the crafted UDP header, sees , lets the packet in; later the kernel reads the real UDP header, and delivers it on port . Fix this by using uint32_t. While here, it seems to me there is also a memory overflow: still in npf_cache_ip, npc_hlen may be incremented with a value that goes beyond the mbuf. To generate a diff of this commit: cvs rdiff -u -r1.47 -r1.47.6.1 src/sys/net/npf/npf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
