netinet: Disallow unspecified addresses in ICMP-embedded packets
ClosedPublic
Actions

Authored by markj on Mar 6 2023, 10:21 PM.

Details

Reviewers

melifaro
glebius
tuexen

Group Reviewers

network
transport

Commits

rGaa71d6b4a2ec: netinet: Disallow unspecified addresses in ICMP-embedded packets

Summary

Reported by: glebius
Reported by: syzbot+981c528ccb5c5534dffc@syzkaller.appspotmail.com

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 50179
Build 47071: arc lint + arc unit

Event Timeline

markj created this revision.Mar 6 2023, 10:21 PM

Herald added a reviewer: transport. · View Herald TranscriptMar 6 2023, 10:21 PM

Herald added subscribers: ae, imp. · View Herald Transcript

markj requested review of this revision.Mar 6 2023, 10:21 PM

Harbormaster completed remote builds in B50179: Diff 118435.Mar 6 2023, 10:21 PM

tuexen accepted this revision.Mar 6 2023, 10:30 PM

This revision is now accepted and ready to land.Mar 6 2023, 10:30 PM

Continuing out discussion that we had before in email. After more thinking on this I'm convinced we should filter this out at ICMP input and don't let it down to TCP/UDP control input method. Any legitimate ICMP in principle is a reaction to a packet that we sent. We never send a packet with zero source address. Let's for a minute imagine that we did! In that case an ICMP reply to this packet should go to zero address. How is it going to reach us in that case? The only absolutely imaginary situation that I can see is that we send from 0.0.0.0 and the closest gateway sends us that packet back wrapped into ICMP and uses layer 2 header to determine where it actually should send it to.

This revision now requires changes to proceed.Mar 8 2023, 5:19 PM

In D38936#887403, @glebius wrote:

Continuing out discussion that we had before in email. After more thinking on this I'm convinced we should filter this out at ICMP input and don't let it down to TCP/UDP control input method. Any legitimate ICMP in principle is a reaction to a packet that we sent. We never send a packet with zero source address. Let's for a minute imagine that we did! In that case an ICMP reply to this packet should go to zero address. How is it going to reach us in that case? The only absolutely imaginary situation that I can see is that we send from 0.0.0.0 and the closest gateway sends us that packet back wrapped into ICMP and uses layer 2 header to determine where it actually should send it to.

Ok, I will update the patch.

Or I can formulate it other way. The source address in the IP packet embedded into ICMP must be the same as destination address of the outer IP packet. If they are different, the ICMP packet is illegitimate.