Page MenuHomeFreeBSD
Differential D18834

Check IPv4 options when using IP_HDRINCL socket option on SOCK_RAW sockets
ClosedPublic
Actions

Authored by tuexen on Jan 13 2019, 3:34 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Jan 25, 8:01 PM
Unknown Object (File)
Sat, Jan 25, 7:46 PM
Unknown Object (File)
Fri, Jan 24, 7:05 PM
Unknown Object (File)
Sat, Jan 18, 10:04 AM
Unknown Object (File)
Fri, Jan 17, 2:33 PM
Unknown Object (File)
Fri, Jan 3, 8:24 PM
Unknown Object (File)
Dec 6 2024, 3:32 PM
Unknown Object (File)
Nov 23 2024, 2:44 AM
View All 94 Files
Subscribers
imp
rscheff

Details

Reviewers
jtl
bz
rrs
glebius
lstewart
Commits
rS347093: MFC r344048:
rS344048: Improve input validation for raw IPv4 socket using the IP_HDRINCL
Summary

When sending a packet on a socket(AF_INET, SOCKRAW, ...) socket having the IP_HDRINCL socket option enabled, the user can provide inconsistent data for the options in the IPv4 header. When the packets need to be fragmented, the function [[ https://svnweb.freebsd.org/base/head/sys/netinet/ip_options.c?view=markup#l561 | ip_optcopy ]] assumes the the IP options have a valid layout. The valid layouts are described in RFC 791. This patch verifies that the user provides the IP options using a valid layout.

This issue was found by running syzkaller on OpenBSD. Greg Steuck made me aware that the problem might also exist on FreeBSD.

Test Plan

Use the attached test program on a kernel with INVARIANTS enabled. Without the fix, the kernel panics. With the fix, the write() call fails.

test-raw-1.c1 KBDownload

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

tuexen created this revision.Jan 13 2019, 3:34 PM
Herald added a subscriber: imp. · View Herald TranscriptJan 13 2019, 3:34 PM
Harbormaster completed remote builds in B21945: Diff 52812.Jan 13 2019, 3:35 PM
rscheff added a subscriber: rscheff.Jan 24 2019, 9:54 PM
tuexen updated this revision to Diff 53183.Jan 25 2019, 9:04 AM

Use explicit page number range instead of 15ff as suggested by lstewart@.

Harbormaster completed remote builds in B22137: Diff 53183.Jan 25 2019, 9:04 AM
tuexen added a reviewer: lstewart.Jan 25 2019, 9:04 AM
This revision was not accepted when it landed; it landed in state Needs Review.Feb 12 2019, 10:17 AM
Closed by commit rS344048: Improve input validation for raw IPv4 socket using the IP_HDRINCL (authored by tuexen). · Explain Why
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
head/
sys/
netinet/
30 lines

Diff 53837

View Options

head/sys/netinet/raw_ip.c

Loading...