Page MenuHomeFreeBSD

Improve input validation when when using IP_HDRINCL socket option on SOCK_RAW sockets
ClosedPublic

Authored by tuexen on Feb 13 2019, 8:00 PM.
Tags
None
Referenced Files
F107086593: D19181.id53884.diff
Thu, Jan 9, 9:51 PM
Unknown Object (File)
Fri, Dec 27, 7:39 AM
Unknown Object (File)
Dec 5 2024, 6:17 PM
Unknown Object (File)
Nov 26 2024, 5:16 AM
Unknown Object (File)
Nov 22 2024, 10:55 PM
Unknown Object (File)
Oct 29 2024, 8:31 PM
Unknown Object (File)
Oct 28 2024, 3:12 AM
Unknown Object (File)
Oct 18 2024, 5:42 AM
Subscribers

Details

Summary

When sending IPv4 packets on a SOCK_RAW socket using the IP_HDRINCL, ensure that the ip_hl field is valid. Furthermore, ensure that the complete IPv4 header is contained in the first mbuf. Finally, move the length checks before relying on them when accessing fields of the IPv4 header.

Thanks to jtl@ for bringing up these issues.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 22648

Event Timeline

Thanks!

sys/netinet/raw_ip.c
527–529

I feel like this is a bit redundant. If m->m_pkthdr.len is set correctly, then the m_pullup should fail if m->m_pkthdr.len < hlen. (And, you've established on line 529 that ntohs(ip->ip_len) is equal to m->m_pkthdr.len.) However, to be clear, I do not strongly feel that this should be changed.

This revision is now accepted and ready to land.Feb 21 2019, 7:03 PM

Integrate jtl@'s suggestion.

This revision now requires review to proceed.Feb 21 2019, 7:19 PM
tuexen added inline comments.
sys/netinet/raw_ip.c
527–529

I integrated your suggestion.

This revision was not accepted when it landed; it landed in state Needs Review.Apr 13 2019, 10:48 AM
This revision was automatically updated to reflect the committed changes.
tuexen marked an inline comment as done.