Re: [PATCH] icmp: Fixed bug in raw sockets causing incorrect ICMP SNMP counter values

2015-10-11 Thread Ben Cox
Forgive me for possibly being a little stupid here (this is my first
patch to Linux, so I am slightly over my head).

Is this issue not addressed above the file where the following check is done?

if (iphlen > length)
goto error_free;



On Sun, Oct 11, 2015 at 11:10 PM, Eric Dumazet  wrote:
> On Sun, 2015-10-11 at 20:55 +, Ben Cartwright-Cox wrote:
>> Sending ICMP packets with raw sockets ends up in the SNMP counters
>> logging the type as the first byte of the IPv4 header rather than
>> the ICMP header (in nearly all cases this is seen as "OutType69").
>> This is fixed by adding the IP Header Length to the casting into
>> an icmphdr struct.
>>
>> Signed-off-by: Ben Cartwright-Cox 
>> ---
>>  net/ipv4/raw.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
>> index 561cd4b..1ad8bae 100644
>> --- a/net/ipv4/raw.c
>> +++ b/net/ipv4/raw.c
>> @@ -409,7 +409,7 @@ static int raw_send_hdrinc(struct sock *sk, struct 
>> flowi4 *fl4,
>>   }
>>   if (iph->protocol == IPPROTO_ICMP)
>>   icmp_out_count(net, ((struct icmphdr *)
>> - skb_transport_header(skb))->type);
>> + skb_transport_header(skb) + iphlen)->type);
>>
>>   err = NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, sk, skb,
>> NULL, rt->dst.dev, dst_output_sk);
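Review bot: the new read at `skb_transport_header(skb) + iphlen` is only covered by the earlier `iphlen > length` check, so a user-supplied datagram whose length is exactly iphlen, or anything shorter than `iphlen + sizeof(struct icmphdr)`, makes `->type` read beyond the bytes the sender actually provided; gate the `icmp_out_count()` call on `length >= iphlen + sizeof(struct icmphdr)`. Needing to add iphlen by hand also suggests the transport header itself still points at the IP header for hdrincl sends, which is the better thing to fix.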
>
>
> Hmm... This seems to lack checks against a malicious user ?
>
> The only guarantee you have here is that iphlen < length.
>
> It is not enough.
>
> Make sure you do not access uninitialized memory, or even non-existent
> memory.
>
>
>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH] icmp: Fixed bug in raw sockets causing incorrect ICMP SNMP counter values

2015-10-11 Thread Ben Cox
Nice!

That works in my head at least. Sorry about not seeing that fairly
glaring memory issue there.

Are you sure "skb->transport_header += iphlen;" won't have a knock-on
effect when it's given to NF_HOOK (as in, would a potential
userspace program get something it does not expect anymore)?

How does submission work at this point if the above is not an issue
(apologies if this is already in a FAQ somewhere I missed)?

On Mon, Oct 12, 2015 at 12:09 AM, Eric Dumazet  wrote:
> On Sun, 2015-10-11 at 15:44 -0700, Eric Dumazet wrote:
>> On Sun, 2015-10-11 at 15:43 -0700, Eric Dumazet wrote:
>>
>> > But your code reads the 21st byte.
>>
>> BTW, nice catch !
>
> Maybe the following one.
>
> 1) We properly set transport header
> 2) We use icmp_hdr() helper.
>
> diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
> index 561cd4b8fc6e..ffe25cd1f0e0 100644
> --- a/net/ipv4/raw.c
> +++ b/net/ipv4/raw.c
> @@ -406,11 +406,11 @@ static int raw_send_hdrinc(struct sock *sk, struct 
> flowi4 *fl4,
> ip_select_ident(net, skb, NULL);
>
> iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
> +   skb->transport_header += iphlen;
> +   if (iph->protocol == IPPROTO_ICMP &&
> +   length >= iphlen + sizeof(struct icmphdr))
> +   icmp_out_count(net, icmp_hdr(skb)->type);
> }
> -   if (iph->protocol == IPPROTO_ICMP)
> -   icmp_out_count(net, ((struct icmphdr *)
> -   skb_transport_header(skb))->type);
> -
> err = NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, sk, skb,
>   NULL, rt->dst.dev, dst_output_sk);
> if (err > 0)
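Review bot: the `length >= iphlen + sizeof(struct icmphdr)` guard closes the out-of-bounds read, but two side effects deserve a sentence in the commit message. `skb->transport_header += iphlen;` is now applied for every protocol, not just ICMP, so anything downstream of NF_HOOK that calls skb_transport_header() on an hdrincl packet sees the moved offset. And the counting has moved inside the block that closes at the `}` following the added lines, so ICMP datagrams that do not satisfy whatever condition guards that block are no longer counted at all; if that is intended, say so.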
>
>
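To make the point of the thread concrete, here is an added user-space model of the two checks at issue. It is not the kernel's code and not from either poster: it parses a user-supplied IPv4 datagram the way raw_send_hdrinc() has to, shows that reading the ICMP type at the start of the buffer returns the version/IHL byte (0x45, i.e. the "OutType69" in the report), and refuses to read an ICMP type unless the buffer really holds iphlen plus a full ICMP header. The header structs, the function names and the sample datagrams are constructed for this example and are assumptions, not kernel definitions.

```c
/* Added example, not kernel code: a user-space model of the bounds checks
 * a raw-socket (IP_HDRINCL) sender forces on the kernel. The sender hands
 * over the entire IPv4 datagram, so nothing about the IP header length or
 * the bytes after it can be trusted until it has been checked. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PROTO_ICMP 1   /* IPPROTO_ICMP */

/* Minimal RFC 791 / RFC 792 header layouts, assumed here so the example
 * compiles without kernel headers. */
struct ipv4_hdr {
    uint8_t  ver_ihl;     /* version (high nibble) + IHL in 32-bit words */
    uint8_t  tos;
    uint16_t tot_len;
    uint16_t id;
    uint16_t frag_off;
    uint8_t  ttl;
    uint8_t  protocol;
    uint16_t check;
    uint32_t saddr;
    uint32_t daddr;
};

struct icmp_hdr {
    uint8_t  type;
    uint8_t  code;
    uint16_t checksum;
    uint32_t rest;
};

enum {
    ICMP_ERR_SHORT_IP   = -1,  /* no complete IP header in the buffer */
    ICMP_ERR_NOT_ICMP   = -2,  /* protocol field is not ICMP */
    ICMP_ERR_SHORT_ICMP = -3,  /* IP header fits, ICMP header does not */
};

/* Return the ICMP type (0..255) of a user-supplied datagram, or a negative
 * ICMP_ERR_* code when the buffer does not contain what is being read. */
int icmp_type_bounded(const uint8_t *buf, size_t length)
{
    struct ipv4_hdr iph;
    size_t iphlen;

    if (length < sizeof(struct ipv4_hdr))
        return ICMP_ERR_SHORT_IP;
    memcpy(&iph, buf, sizeof(iph));          /* avoid unaligned access */
    iphlen = (size_t)(iph.ver_ihl & 0x0f) * 4;

    /* "iphlen <= length" is the only guarantee the first patch relied on;
     * it still admits a datagram that ends right after the IP header. */
    if (iphlen < sizeof(struct ipv4_hdr) || iphlen > length)
        return ICMP_ERR_SHORT_IP;
    if (iph.protocol != PROTO_ICMP)
        return ICMP_ERR_NOT_ICMP;
    /* The check Eric asked for: the whole ICMP header must be present. */
    if (length < iphlen + sizeof(struct icmp_hdr))
        return ICMP_ERR_SHORT_ICMP;

    return buf[iphlen];                      /* first byte of the ICMP header */
}

/* Pre-patch behaviour: the "type" is read at offset 0 of the datagram,
 * which is the IP version/IHL byte (0x45 == 69 for a 20-byte header). */
int icmp_type_unpatched(const uint8_t *buf)
{
    return buf[0];
}

/* Constructed sample: 20-byte IPv4 header (IHL=5, protocol ICMP) followed
 * by an 8-byte ICMP echo request header (type 8). */
const uint8_t sample_echo[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x01, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

/* Constructed sample: 24-byte IPv4 header (IHL=6, four bytes of NOP
 * options) followed by an ICMP echo reply header (type 0). */
const uint8_t sample_opts[32] = {
    0x46, 0x00, 0x00, 0x20, 0x00, 0x00, 0x40, 0x00, 0x40, 0x01, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02, 0x01, 0x01, 0x01, 0x01,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

/* Constructed sample: same 20-byte header but protocol TCP (6). */
const uint8_t sample_tcp[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
};

int main(void)
{
    printf("unpatched reads byte 0:  %d\n", icmp_type_unpatched(sample_echo));
    printf("bounded, full datagram:  %d\n", icmp_type_bounded(sample_echo, sizeof(sample_echo)));
    printf("bounded, IP header only: %d\n", icmp_type_bounded(sample_echo, 20));
    printf("bounded, IHL=6 datagram: %d\n", icmp_type_bounded(sample_opts, sizeof(sample_opts)));
    return 0;
}
```

The truncated case (a 20-byte datagram with protocol ICMP) is exactly the one the first patch missed: iphlen equals length, the `iphlen > length` test passes, and the type byte would be read one past the sender's data. The IHL=6 sample shows why the offset has to come from the header rather than being assumed to be 20.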