Source-Changes-HG archive


[src/netbsd-7-0]: src/sys/net/npf Pullup the following revision, requested by...



details:   https://anonhg.NetBSD.org/src/rev/dcbbb49933c6
branches:  netbsd-7-0
changeset: 801473:dcbbb49933c6
user:      martin <martin%NetBSD.org@localhost>
date:      Thu Apr 05 11:43:51 2018 +0000

description:
Pullup the following revision, requested by maxv in ticket #1593:

        sys/net/npf/npf.h                               1.55

Fix a vulnerability in NPF that allows any incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is an
8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
        packet +   0 = IP6 Header
        packet +  40 = IP6 Routing header (ip6r_len = 31)
        packet +  48 = Crafted UDP header (uh_dport = 7777)
        packet + 296 = IP6 Dest header (ip6e_len = 0)
        packet + 304 = Real UDP header (uh_dport = 6666)
Will bypass a rule of the kind "block port 6666". Here NPF reads the
crafted UDP header, sees 7777, lets the packet in; later the kernel reads
the real UDP header, and delivers it on port 6666.

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented by
a value that goes beyond the mbuf.
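The bypass described in the commit message, as an added example that is not NetBSD or NPF code: a small C model of the IPv6 branch of npf_cache_ip in which the mbuf cursor advances with full-width arithmetic while the value destined for npc_hlen is accumulated either truncated to 8 bits (the old uint8_t field) or not (the uint32_t fix). It builds the packet from the layout above (constructed here, not captured), computes the offset each variant caches, reads the UDP destination port there, and so shows what a "block port 6666" rule sees in each case. It also covers the second point in the message: with a buffer shorter than the extension chain claims, the cached offset lands past the end, so the lookup at npc_hlen has to bounds-check before reading. The functions cache_ip6, udp_dport_at, build_packet, crafted_offset and crafted_dport are hypothetical names; the NH_* values are the standard IPPROTO numbers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP6_HDRLEN  40
#define NH_UDP      17    /* IPPROTO_UDP */
#define NH_ROUTING  43    /* IPPROTO_ROUTING */
#define NH_DSTOPTS  60    /* IPPROTO_DSTOPTS */
#define PKT_LEN     312   /* 304 bytes of IPv6 headers + one 8-byte UDP header */

/*
 * Hypothetical model of the IPv6 branch of npf_cache_ip(), not NPF's code.
 * 'cur' is the mbuf cursor (full-width arithmetic); 'cached' is the value
 * that ends up in npc_hlen.  With hlen_is_u8 set it is truncated to 8 bits
 * after each addition, as storing into the old uint8_t field did.
 * Returns the offset at which the L4 header is later read.
 */
static size_t
cache_ip6(const uint8_t *pkt, size_t len, int hlen_is_u8, uint8_t *proto)
{
	size_t cur = IP6_HDRLEN, cached = IP6_HDRLEN, hlen;
	uint8_t nh = pkt[6];                            /* ip6_nxt */

	while (cur + 2 <= len) {                        /* ip6_ext in buffer? */
		switch (nh) {
		case NH_DSTOPTS: case NH_ROUTING:
			hlen = ((size_t)pkt[cur + 1] + 1) << 3; /* ip6e_len, 8-byte units */
			break;
		default:
			hlen = 0;                               /* L4 header reached */
		}
		if (hlen == 0)
			break;
		nh = pkt[cur];                              /* ip6e_nxt */
		cur += hlen;
		cached += hlen;
		if (hlen_is_u8)
			cached &= 0xff;                         /* 40 + 256 becomes 40 */
	}
	*proto = nh;
	return cached;
}

/* UDP destination port at 'off', with the bounds check a consumer of npc_hlen
 * needs: the cached offset can lie past the end of the buffer.  -1 if so. */
static int
udp_dport_at(const uint8_t *pkt, size_t len, size_t off)
{
	if (off > len || len - off < 8)
		return -1;
	return (pkt[off + 2] << 8) | pkt[off + 3];
}

/* The packet from the commit message's layout; constructed, not captured. */
static void
build_packet(uint8_t *pkt)
{
	memset(pkt, 0, PKT_LEN);
	pkt[0] = 0x60;                          /* version 6 */
	pkt[4] = (PKT_LEN - IP6_HDRLEN) >> 8;   /* ip6_plen */
	pkt[5] = (PKT_LEN - IP6_HDRLEN) & 0xff;
	pkt[6] = NH_ROUTING;                    /* ip6_nxt */
	pkt[40] = NH_DSTOPTS;                   /* +40: routing header, ip6r_len = 31, */
	pkt[41] = 31;                           /*      i.e. 256 bytes (40..295) */
	pkt[48 + 2] = 7777 >> 8;                /* +48: crafted UDP header inside the */
	pkt[48 + 3] = 7777 & 0xff;              /*      routing data, uh_dport = 7777 */
	pkt[296] = NH_UDP;                      /* +296: dest header, ip6e_len = 0, 8 bytes */
	pkt[304 + 2] = 6666 >> 8;               /* +304: real UDP header, uh_dport = 6666 */
	pkt[304 + 3] = 6666 & 0xff;
}

/* Offset cached for the crafted packet when only 'len' bytes are present. */
static size_t
crafted_offset(int hlen_is_u8, size_t len)
{
	uint8_t pkt[PKT_LEN], proto;

	build_packet(pkt);
	return cache_ip6(pkt, len, hlen_is_u8, &proto);
}

/* Port a "block port 6666" rule sees, or -1 if the header is out of bounds. */
static int
crafted_dport(int hlen_is_u8, size_t len)
{
	uint8_t pkt[PKT_LEN], proto;
	size_t off;

	build_packet(pkt);
	off = cache_ip6(pkt, len, hlen_is_u8, &proto);
	return proto == NH_UDP ? udp_dport_at(pkt, len, off) : -1;
}

int
main(void)
{
	printf("uint8_t  npc_hlen: offset %zu, dport %d\n", crafted_offset(1, PKT_LEN), crafted_dport(1, PKT_LEN));
	printf("uint32_t npc_hlen: offset %zu, dport %d\n", crafted_offset(0, PKT_LEN), crafted_dport(0, PKT_LEN));
	/* Only 100 bytes in the mbuf: the routing header still claims 256, offset 296. */
	printf("truncated mbuf:    offset %zu, dport %d\n", crafted_offset(0, 100), crafted_dport(0, 100));
	return 0;
}
```

With the 8-bit accumulator the cached offset is 48 and the rule sees port 7777, so the packet passes; with the 32-bit accumulator it is 304 and the rule sees 6666. The 100-byte and 305-byte cases show why the type change alone is not the whole fix: the cached offset (296 or 304) exceeds what the buffer holds, and only the explicit check in udp_dport_at keeps the port read inside the packet.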

diffstat:

 sys/net/npf/npf.h |  4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diffs (18 lines):

diff -r 8fc4d370eecd -r dcbbb49933c6 sys/net/npf/npf.h
--- a/sys/net/npf/npf.h Sun Apr 01 09:15:43 2018 +0000
+++ b/sys/net/npf/npf.h Thu Apr 05 11:43:51 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf.h,v 1.47 2014/08/10 19:09:43 rmind Exp $   */
+/*     $NetBSD: npf.h,v 1.47.6.1 2018/04/05 11:43:51 martin Exp $      */
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -150,7 +150,7 @@
        uint8_t                 npc_alen;
 
        /* IP header length and L4 protocol. */
-       uint8_t                 npc_hlen;
+       uint32_t                npc_hlen;
        uint16_t                npc_proto;
 
        /* IPv4, IPv6. */
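Review bot: widening npc_hlen to uint32_t in this hunk stops the wrap-around, but it leaves the second problem the commit message itself raises: in npf_cache_ip the field is still incremented by an extension-header length before it is known that the next header lies inside the mbuf, so the cached offset can still point past the end of the packet. The code that later fetches the L4 header at npc_hlen should reject an offset for which the header does not fit in the packet length, or the accumulation loop should stop before adding a length that runs off the buffer; otherwise the out-of-bounds read the message describes remains. Also, changing "uint8_t npc_hlen;" to "uint32_t npc_hlen;" between npc_alen (uint8_t) and npc_proto (uint16_t) changes the size and field offsets of the containing struct, and since npf.h is an installed header it is worth confirming that nothing outside the kernel on this branch embeds the struct before pulling this up.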


