Message ID | 20140514011309.GY6302@type.youpi.perso.aquilenet.fr |
On Wed, May 14, 2014 at 03:13:09AM +0200, Samuel Thibault wrote: > Do not special-case addresses with zero host part, as we do not > necessarily know how big it is, and the guest can fake them anyway. > Silently avoid having 0.0.0.0 as a destination, however. > > Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> > --- > > This is particularly bad actually, one can for instance simply do this > inside a Linux guest > > ip addr add 192.0.0.0/1 dev eth0 > > and crash qemu (thus a DoS) by just emitting a packet (thus from > 192.0.0.0), getting: > > qemu-system-x86_64: /usr/src/qemu/slirp/arp_table.c:77: arp_table_search: Assertion `(ip_addr & __bswap_32 (~(0xfU << 28))) != 0' failed. > > so it should probably go to all stable maintained versions. > > diff --git a/slirp/arp_table.c b/slirp/arp_table.c > index ecdb0ba..bcaeb44 100644 > --- a/slirp/arp_table.c > +++ b/slirp/arp_table.c > @@ -37,12 +37,7 @@ void arp_table_add(Slirp *slirp, uint32_t ip_addr, uint8_t ethaddr[ETH_ALEN]) > ethaddr[0], ethaddr[1], ethaddr[2], > ethaddr[3], ethaddr[4], ethaddr[5])); > > - /* Check 0.0.0.0/8 invalid source-only addresses */ > - if ((ip_addr & htonl(~(0xfU << 28))) == 0) { > - return; > - } > - > - if (ip_addr == 0xffffffff || ip_addr == broadcast_addr) { > + if (ip_addr == 0 || ip_addr == 0xffffffff || ip_addr == broadcast_addr) { > /* Do not register broadcast addresses */ > return; > } > @@ -73,9 +68,6 @@ bool arp_table_search(Slirp *slirp, uint32_t ip_addr, > DEBUG_CALL("arp_table_search"); > DEBUG_ARG("ip = 0x%x", ip_addr); > > - /* Check 0.0.0.0/8 invalid source-only addresses */ > - assert((ip_addr & htonl(~(0xfU << 28))) != 0); > - > /* If broadcast address */ > if (ip_addr == 0xffffffff || ip_addr == broadcast_addr) { > /* return Ethernet broadcast address */ > diff --git a/slirp/slirp.c b/slirp/slirp.c > index 3fb48a4..00f4eb5 100644 > --- a/slirp/slirp.c > +++ b/slirp/slirp.c 
> @@ -778,6 +778,11 @@ int if_encap(Slirp *slirp, struct mbuf *ifm) > return 1; > } > > + if (iph->ip_dst.s_addr == 0) { > + /* 0.0.0.0 can not be a destination address, something went wrong, > + * avoid making it worse */ > + return 1; > + } > if (!arp_table_search(slirp, iph->ip_dst.s_addr, ethaddr)) { > uint8_t arp_req[ETH_HLEN + sizeof(struct arphdr)]; > struct ethhdr *reh = (struct ethhdr *)arp_req; >
On Wed, May 14, 2014 at 01:22:25AM +0000, Edgar E. Iglesias wrote: > On Wed, May 14, 2014 at 03:13:09AM +0200, Samuel Thibault wrote: > > Do not special-case addresses with zero host part, as we do not > > necessarily know how big it is, and the guest can fake them anyway. > > Silently avoid having 0.0.0.0 as a destination, however. > > > > Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> > > Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Ping > > > --- > > > > This is particularly bad actually, one can for instance simply do this > > inside a Linux guest > > > > ip addr add 192.0.0.0/1 dev eth0 > > > > and crash qemu (thus a DoS) by just emitting a packet (thus from > > 192.0.0.0), getting: > > > > qemu-system-x86_64: /usr/src/qemu/slirp/arp_table.c:77: arp_table_search: Assertion `(ip_addr & __bswap_32 (~(0xfU << 28))) != 0' failed. > > > > so it should probably go to all stable maintained versions. > > > > diff --git a/slirp/arp_table.c b/slirp/arp_table.c > > index ecdb0ba..bcaeb44 100644 > > --- a/slirp/arp_table.c > > +++ b/slirp/arp_table.c > > @@ -37,12 +37,7 @@ void arp_table_add(Slirp *slirp, uint32_t ip_addr, uint8_t ethaddr[ETH_ALEN]) > > ethaddr[0], ethaddr[1], ethaddr[2], > > ethaddr[3], ethaddr[4], ethaddr[5])); > > > > - /* Check 0.0.0.0/8 invalid source-only addresses */ > > - if ((ip_addr & htonl(~(0xfU << 28))) == 0) { > > - return; > > - } > > - > > - if (ip_addr == 0xffffffff || ip_addr == broadcast_addr) { > > + if (ip_addr == 0 || ip_addr == 0xffffffff || ip_addr == broadcast_addr) { > > /* Do not register broadcast addresses */ > > return; > > } 
> > @@ -73,9 +68,6 @@ bool arp_table_search(Slirp *slirp, uint32_t ip_addr, > > DEBUG_CALL("arp_table_search"); > > DEBUG_ARG("ip = 0x%x", ip_addr); > > > > - /* Check 0.0.0.0/8 invalid source-only addresses */ > > - assert((ip_addr & htonl(~(0xfU << 28))) != 0); > > - > > /* If broadcast address */ > > if (ip_addr == 0xffffffff || ip_addr == broadcast_addr) { > > /* return Ethernet broadcast address */ > > diff --git a/slirp/slirp.c b/slirp/slirp.c > > index 3fb48a4..00f4eb5 100644 > > --- a/slirp/slirp.c > > +++ b/slirp/slirp.c > > @@ -778,6 +778,11 @@ int if_encap(Slirp *slirp, struct mbuf *ifm) > > return 1; > > } > > > > + if (iph->ip_dst.s_addr == 0) { > > + /* 0.0.0.0 can not be a destination address, something went wrong, > > + * avoid making it worse */ > > + return 1; > > + } > > if (!arp_table_search(slirp, iph->ip_dst.s_addr, ethaddr)) { > > uint8_t arp_req[ETH_HLEN + sizeof(struct arphdr)]; > > struct ethhdr *reh = (struct ethhdr *)arp_req; > >
On Wed, May 14, 2014 at 03:13:09AM +0200, Samuel Thibault wrote: > Do not special-case addresses with zero host part, as we do not > necessarily know how big it is, and the guest can fake them anyway. > Silently avoid having 0.0.0.0 as a destination, however. > > Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> I've pushed this to master, thanks. Edgar > --- > > This is particularly bad actually, one can for instance simply do this > inside a Linux guest > > ip addr add 192.0.0.0/1 dev eth0 > > and crash qemu (thus a DoS) by just emitting a packet (thus from > 192.0.0.0), getting: > > qemu-system-x86_64: /usr/src/qemu/slirp/arp_table.c:77: arp_table_search: Assertion `(ip_addr & __bswap_32 (~(0xfU << 28))) != 0' failed. > > so it should probably go to all stable maintained versions. > > diff --git a/slirp/arp_table.c b/slirp/arp_table.c > index ecdb0ba..bcaeb44 100644 > --- a/slirp/arp_table.c > +++ b/slirp/arp_table.c > @@ -37,12 +37,7 @@ void arp_table_add(Slirp *slirp, uint32_t ip_addr, uint8_t ethaddr[ETH_ALEN]) > ethaddr[0], ethaddr[1], ethaddr[2], > ethaddr[3], ethaddr[4], ethaddr[5])); > > - /* Check 0.0.0.0/8 invalid source-only addresses */ > - if ((ip_addr & htonl(~(0xfU << 28))) == 0) { > - return; > - } > - > - if (ip_addr == 0xffffffff || ip_addr == broadcast_addr) { > + if (ip_addr == 0 || ip_addr == 0xffffffff || ip_addr == broadcast_addr) { > /* Do not register broadcast addresses */ > return; > } > @@ -73,9 +68,6 @@ bool arp_table_search(Slirp *slirp, uint32_t ip_addr, > DEBUG_CALL("arp_table_search"); > DEBUG_ARG("ip = 0x%x", ip_addr); > > - /* Check 0.0.0.0/8 invalid source-only addresses */ > - assert((ip_addr & htonl(~(0xfU << 28))) != 0); > - > /* If broadcast address */ > if (ip_addr == 0xffffffff || ip_addr == broadcast_addr) { > /* return Ethernet broadcast address */ > diff --git a/slirp/slirp.c b/slirp/slirp.c > index 3fb48a4..00f4eb5 100644 > --- a/slirp/slirp.c > +++ b/slirp/slirp.c 
> @@ -778,6 +778,11 @@ int if_encap(Slirp *slirp, struct mbuf *ifm) > return 1; > } > > + if (iph->ip_dst.s_addr == 0) { > + /* 0.0.0.0 can not be a destination address, something went wrong, > + * avoid making it worse */ > + return 1; > + } > if (!arp_table_search(slirp, iph->ip_dst.s_addr, ethaddr)) { > uint8_t arp_req[ETH_HLEN + sizeof(struct arphdr)]; > struct ethhdr *reh = (struct ethhdr *)arp_req; >
On 2014-05-28 01:10, Edgar E. Iglesias wrote: > On Wed, May 14, 2014 at 01:22:25AM +0000, Edgar E. Iglesias wrote: >> On Wed, May 14, 2014 at 03:13:09AM +0200, Samuel Thibault wrote: >>> Do not special-case addresses with zero host part, as we do not >>> necessarily know how big it is, and the guest can fake them anyway. >>> Silently avoid having 0.0.0.0 as a destination, however. >>> >>> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> >> >> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> > > Ping Thanks for merging! Jan > > > >> >>> --- >>> >>> This is particularly bad actually, one can for instance simply do this >>> inside a Linux guest >>> >>> ip addr add 192.0.0.0/1 dev eth0 >>> >>> and crash qemu (thus a DoS) by just emitting a packet (thus from >>> 192.0.0.0), getting: >>> >>> qemu-system-x86_64: /usr/src/qemu/slirp/arp_table.c:77: arp_table_search: Assertion `(ip_addr & __bswap_32 (~(0xfU << 28))) != 0' failed. >>> >>> so it should probably go to all stable maintained versions. >>> >>> diff --git a/slirp/arp_table.c b/slirp/arp_table.c >>> index ecdb0ba..bcaeb44 100644 >>> --- a/slirp/arp_table.c >>> +++ b/slirp/arp_table.c >>> @@ -37,12 +37,7 @@ void arp_table_add(Slirp *slirp, uint32_t ip_addr, uint8_t ethaddr[ETH_ALEN]) >>> ethaddr[0], ethaddr[1], ethaddr[2], >>> ethaddr[3], ethaddr[4], ethaddr[5])); >>> >>> - /* Check 0.0.0.0/8 invalid source-only addresses */ >>> - if ((ip_addr & htonl(~(0xfU << 28))) == 0) { >>> - return; >>> - } >>> - >>> - if (ip_addr == 0xffffffff || ip_addr == broadcast_addr) { >>> + if (ip_addr == 0 || ip_addr == 0xffffffff || ip_addr == broadcast_addr) { >>> /* Do not register broadcast addresses */ >>> return; >>> } 
>>> @@ -73,9 +68,6 @@ bool arp_table_search(Slirp *slirp, uint32_t ip_addr, >>> DEBUG_CALL("arp_table_search"); >>> DEBUG_ARG("ip = 0x%x", ip_addr); >>> >>> - /* Check 0.0.0.0/8 invalid source-only addresses */ >>> - assert((ip_addr & htonl(~(0xfU << 28))) != 0); >>> - >>> /* If broadcast address */ >>> if (ip_addr == 0xffffffff || ip_addr == broadcast_addr) { >>> /* return Ethernet broadcast address */ >>> diff --git a/slirp/slirp.c b/slirp/slirp.c >>> index 3fb48a4..00f4eb5 100644 >>> --- a/slirp/slirp.c >>> +++ b/slirp/slirp.c >>> @@ -778,6 +778,11 @@ int if_encap(Slirp *slirp, struct mbuf *ifm) >>> return 1; >>> } >>> >>> + if (iph->ip_dst.s_addr == 0) { >>> + /* 0.0.0.0 can not be a destination address, something went wrong, >>> + * avoid making it worse */ >>> + return 1; >>> + } >>> if (!arp_table_search(slirp, iph->ip_dst.s_addr, ethaddr)) { >>> uint8_t arp_req[ETH_HLEN + sizeof(struct arphdr)]; >>> struct ethhdr *reh = (struct ethhdr *)arp_req; >>>
diff --git a/slirp/arp_table.c b/slirp/arp_table.c
index ecdb0ba..bcaeb44 100644
--- a/slirp/arp_table.c
+++ b/slirp/arp_table.c
@@ -37,12 +37,7 @@ void arp_table_add(Slirp *slirp, uint32_t ip_addr, uint8_t ethaddr[ETH_ALEN])
 ethaddr[0], ethaddr[1], ethaddr[2],
 ethaddr[3], ethaddr[4], ethaddr[5]));
 
- /* Check 0.0.0.0/8 invalid source-only addresses */
- if ((ip_addr & htonl(~(0xfU << 28))) == 0) {
- return;
- }
-
- if (ip_addr == 0xffffffff || ip_addr == broadcast_addr) {
+ if (ip_addr == 0 || ip_addr == 0xffffffff || ip_addr == broadcast_addr) {
 /* Do not register broadcast addresses */
 return;
 }
@@ -73,9 +68,6 @@ bool arp_table_search(Slirp *slirp, uint32_t ip_addr,
 DEBUG_CALL("arp_table_search");
 DEBUG_ARG("ip = 0x%x", ip_addr);
 
- /* Check 0.0.0.0/8 invalid source-only addresses */
- assert((ip_addr & htonl(~(0xfU << 28))) != 0);
-
 /* If broadcast address */
 if (ip_addr == 0xffffffff || ip_addr == broadcast_addr) {
 /* return Ethernet broadcast address */
diff --git a/slirp/slirp.c b/slirp/slirp.c
index 3fb48a4..00f4eb5 100644
--- a/slirp/slirp.c
+++ b/slirp/slirp.c
@@ -778,6 +778,11 @@ int if_encap(Slirp *slirp, struct mbuf *ifm)
 return 1;
 }
 
+ if (iph->ip_dst.s_addr == 0) {
+ /* 0.0.0.0 can not be a destination address, something went wrong,
+ * avoid making it worse */
+ return 1;
+ }
 if (!arp_table_search(slirp, iph->ip_dst.s_addr, ethaddr)) {
 uint8_t arp_req[ETH_HLEN + sizeof(struct arphdr)];
 struct ethhdr *reh = (struct ethhdr *)arp_req;
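Review bot: The comment kept right after the rewritten condition in arp_table_add, `/* Do not register broadcast addresses */`, no longer describes the whole check: the new `ip_addr == 0` term rejects the unspecified address, which is not a broadcast address, so a reader of the context lines will not see why 0.0.0.0 is refused. Suggest `/* Do not register the unspecified (0.0.0.0) or broadcast addresses */`. The DEBUG_ARGS call the hunk opens in and the rest of arp_table_add are outside the hunk.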
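Review bot: The new guard in if_encap drops the packet without any trace, while its own comment says "something went wrong"; a guest that keeps emitting such packets would be hard to diagnose from the host side. If DEBUG_MISC is the trace macro slirp.c already uses, a line such as `DEBUG_MISC((dfd, "if_encap: dropping packet with 0.0.0.0 destination\n"));` before the `return 1;` would cover that. The `return 1` mirrors the oversized-packet check in the context lines just above, so the caller presumably treats the packet as consumed rather than queued; a short comment saying so would make the return value self-explanatory, and `can not` in the comment should read `cannot`. if_encap begins before the hunk and its body continues after it.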
Do not special-case addresses with zero host part, as we do not necessarily know how big it is, and the guest can fake them anyway. Silently avoid having 0.0.0.0 as a destination, however. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> --- This is particularly bad actually, one can for instance simply do this inside a Linux guest ip addr add 192.0.0.0/1 dev eth0 and crash qemu (thus a DoS) by just emitting a packet (thus from 192.0.0.0), getting: qemu-system-x86_64: /usr/src/qemu/slirp/arp_table.c:77: arp_table_search: Assertion `(ip_addr & __bswap_32 (~(0xfU << 28))) != 0' failed. so it should probably go to all stable maintained versions.