Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/net/npf Fix a vulnerability in NPF, that allows whatever...
details: https://anonhg.NetBSD.org/src/rev/a543771a95ed
branches: trunk
changeset: 358171:a543771a95ed
user: maxv <maxv%NetBSD.org@localhost>
date: Fri Dec 15 21:00:26 2017 +0000
description:
Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.
Basically there is an integer overflow in npf_cache_ip: npc_hlen is a
8bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.
As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.
If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.
The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.
Simple example, a packet with:
packet + 0 = IP6 Header
packet + 40 = IP6 Routing header (ip6r_len = 31)
packet + 48 = Crafted UDP header (uh_dport = 7777)
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = 6666)
Will bypass a rule of the kind "block port 6666". Here NPF reads the
crafted UDP header, sees 7777, lets the packet in; later the kernel reads
the real UDP header, and delivers it on port 6666.
Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.
diffstat:
sys/net/npf/npf.h | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diffs (18 lines):
diff -r 6597f54013b6 -r a543771a95ed sys/net/npf/npf.h
--- a/sys/net/npf/npf.h Fri Dec 15 16:41:40 2017 +0000
+++ b/sys/net/npf/npf.h Fri Dec 15 21:00:26 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.54 2017/01/29 00:15:54 christos Exp $ */
+/* $NetBSD: npf.h,v 1.55 2017/12/15 21:00:26 maxv Exp $ */
/*-
* Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -159,7 +159,7 @@
uint8_t npc_alen;
/* IP header length and L4 protocol. */
- uint8_t npc_hlen;
+ uint32_t npc_hlen;
uint16_t npc_proto;
/* IPv4, IPv6. */
Home |
Main Index |
Thread Index |
Old Index