From owner-dev-commits-src-branches@freebsd.org  Sun Jan  3 22:18:49 2021
Return-Path: <owner-dev-commits-src-branches@freebsd.org>
Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 5625D4C1506;
 Sun,  3 Jan 2021 22:18:49 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4D8CpJ6cxhz4qrd;
 Sun,  3 Jan 2021 22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:5])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id D29597515;
 Sun,  3 Jan 2021 22:18:48 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
 by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 103MImnK020475;
 Sun, 3 Jan 2021 22:18:48 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
 by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 103MIm5L020474;
 Sun, 3 Jan 2021 22:18:48 GMT (envelope-from git)
Date: Sun, 3 Jan 2021 22:18:48 GMT
Message-Id: <202101032218.103MIm5L020474@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
 dev-commits-src-branches@FreeBSD.org
From: Kristof Provost <kp@FreeBSD.org>
Subject: git: 0fc80e44f600 - stable/12 - pf tests: Test CVE-2019-5598
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/12
X-Git-Reftype: branch
X-Git-Commit: 0fc80e44f600b65830da93b7b56e47250f978f06
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-src-branches@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commits to the stable branches of the FreeBSD src repository
 <dev-commits-src-branches.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/dev-commits-src-branches>, 
 <mailto:dev-commits-src-branches-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/dev-commits-src-branches/>
List-Post: <mailto:dev-commits-src-branches@freebsd.org>
List-Help: <mailto:dev-commits-src-branches-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/dev-commits-src-branches>, 
 <mailto:dev-commits-src-branches-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Jan 2021 22:18:57 -0000

The branch stable/12 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=0fc80e44f600b65830da93b7b56e47250f978f06

commit 0fc80e44f600b65830da93b7b56e47250f978f06
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2019-03-22 07:39:28 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2021-01-03 20:26:49 +0000

    pf tests: Test CVE-2019-5598
    
    Verify that pf correctly drops inconsistent ICMP packets (i.e. where the
    IP src/dst do not match the IP src/dst in the ICMP packet.
    
    (cherry picked from commit 7de4bd92b8a1f510c88ea3b5af0bcb106af6ba11)
---
 tests/sys/netpfil/pf/CVE-2019-5598.py | 130 ++++++++++++++++++++++++++++++++++
 tests/sys/netpfil/pf/Makefile         |   7 +-
 tests/sys/netpfil/pf/icmp.sh          |  99 ++++++++++++++++++++++++++
 3 files changed, 234 insertions(+), 2 deletions(-)

diff --git a/tests/sys/netpfil/pf/CVE-2019-5598.py b/tests/sys/netpfil/pf/CVE-2019-5598.py
new file mode 100644
index 000000000000..648b8ef9d6f0
--- /dev/null
+++ b/tests/sys/netpfil/pf/CVE-2019-5598.py
@@ -0,0 +1,130 @@
+#!/usr/local/bin/python2.7
+
+import argparse
+import scapy.all as sp
+import sys
+from sniffer import Sniffer
+
+def check_icmp_error(args, packet):
+	ip = packet.getlayer(sp.IP)
+	if not ip:
+		return False
+	if ip.dst != args.to[0]:
+		return False
+
+	icmp = packet.getlayer(sp.ICMP)
+	if not icmp:
+		return False
+	if icmp.type != 3 or icmp.code != 3:
+		return False
+
+	return True
+
+def main():
+	parser = argparse.ArgumentParser("CVE-2019-icmp.py",
+		description="CVE-2019-icmp test tool")
+	parser.add_argument('--sendif', nargs=1,
+		required=True,
+		help='The interface through which the packet will be sent')
+	parser.add_argument('--recvif', nargs=1,
+		required=True,
+		help='The interface on which to check for the packet')
+	parser.add_argument('--src', nargs=1,
+		required=True,
+		help='The source IP address')
+	parser.add_argument('--to', nargs=1,
+		required=True,
+		help='The destination IP address')
+
+	args = parser.parse_args()
+
+        # Send the allowed packet to establish state
+        udp = sp.Ether() / \
+            sp.IP(src=args.src[0], dst=args.to[0]) / \
+            sp.UDP(dport=53, sport=1234)
+        sp.sendp(udp, iface=args.sendif[0], verbose=False)
+
+	# Start sniffing on recvif
+	sniffer = Sniffer(args, check_icmp_error)
+
+	# Send the bad error packet
+	icmp_reachable = sp.Ether() / \
+            sp.IP(src=args.src[0], dst=args.to[0]) / \
+	    sp.ICMP(type=3, code=3) / \
+	    sp.IP(src="4.3.2.1", dst="1.2.3.4") / \
+	    sp.UDP(dport=53, sport=1234)
+	sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False)
+
+	sniffer.join()
+	if sniffer.foundCorrectPacket:
+		sys.exit(1)
+
+	sys.exit(0)
+
+if __name__ == '__main__':
+	main()
+#!/usr/local/bin/python2.7
+
+import argparse
+import scapy.all as sp
+import sys
+from sniffer import Sniffer
+
+def check_icmp_error(args, packet):
+	ip = packet.getlayer(sp.IP)
+	if not ip:
+		return False
+	if ip.dst != args.to[0]:
+		return False
+
+	icmp = packet.getlayer(sp.ICMP)
+	if not icmp:
+		return False
+	if icmp.type != 3 or icmp.code != 3:
+		return False
+
+	return True
+
+def main():
+	parser = argparse.ArgumentParser("CVE-2019-icmp.py",
+		description="CVE-2019-icmp test tool")
+	parser.add_argument('--sendif', nargs=1,
+		required=True,
+		help='The interface through which the packet will be sent')
+	parser.add_argument('--recvif', nargs=1,
+		required=True,
+		help='The interface on which to check for the packet')
+	parser.add_argument('--src', nargs=1,
+		required=True,
+		help='The source IP address')
+	parser.add_argument('--to', nargs=1,
+		required=True,
+		help='The destination IP address')
+
+	args = parser.parse_args()
+
+        # Send the allowed packet to establish state
+        udp = sp.Ether() / \
+            sp.IP(src=args.src[0], dst=args.to[0]) / \
+            sp.UDP(dport=53, sport=1234)
+        sp.sendp(udp, iface=args.sendif[0], verbose=False)
+
+	# Start sniffing on recvif
+	sniffer = Sniffer(args, check_icmp_error)
+
+	# Send the bad error packet
+	icmp_reachable = sp.Ether() / \
+            sp.IP(src=args.src[0], dst=args.to[0]) / \
+	    sp.ICMP(type=3, code=3) / \
+	    sp.IP(src=args.src[0], dst=args.to[0]) / \
+	    sp.UDP(dport=53, sport=1234)
+	sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False)
+
+	sniffer.join()
+	if sniffer.foundCorrectPacket:
+		sys.exit(1)
+
+	sys.exit(0)
+
+if __name__ == '__main__':
+	main()
diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile
index 115a38666cc7..474b3c3b9b4b 100644
--- a/tests/sys/netpfil/pf/Makefile
+++ b/tests/sys/netpfil/pf/Makefile
@@ -18,15 +18,18 @@ ATF_TESTS_SH+=	anchor \
 		synproxy \
 		set_skip \
 		pfsync \
-		table
+		table \
+		icmp
 
 ${PACKAGE}FILES+=	utils.subr \
 			echo_inetd.conf \
 			sniffer.py \
 			pft_ping.py \
-			CVE-2019-5597.py
+			CVE-2019-5597.py \
+			CVE-2019-5598.py
 
 ${PACKAGE}FILESMODE_pft_ping.py=	0555
 ${PACKAGE}FILESMODE_CVE-2019-5597.py=	0555
+${PACKAGE}FILESMODE_CVE-2019-5598.py=	0555
 
 .include <bsd.test.mk>
diff --git a/tests/sys/netpfil/pf/icmp.sh b/tests/sys/netpfil/pf/icmp.sh
new file mode 100755
index 000000000000..5cc1a769c799
--- /dev/null
+++ b/tests/sys/netpfil/pf/icmp.sh
@@ -0,0 +1,99 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "cve_2019_5598" "cleanup"
+cve_2019_5598_head()
+{
+	atf_set descr 'Test CVE-2019-5598'
+	atf_set require.user root
+	atf_set require.progs scapy
+}
+
+cve_2019_5598_body()
+{
+	pft_init
+
+	epair_in=$(vnet_mkepair)
+	epair_out=$(vnet_mkepair)
+	ifconfig ${epair_in}a 192.0.2.1/24 up
+	ifconfig ${epair_out}a up
+
+	vnet_mkjail alcatraz ${epair_in}b ${epair_out}b
+	jexec alcatraz ifconfig ${epair_in}b 192.0.2.2/24 up
+	jexec alcatraz ifconfig ${epair_out}b 198.51.100.2/24 up
+	jexec alcatraz sysctl net.inet.ip.forwarding=1
+	jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05
+	jexec alcatraz route add default 198.51.100.3
+	route add -net 198.51.100.0/24 192.0.2.2
+
+	jexec alcatraz pfctl -e
+	pft_set_rules alcatraz "block all" \
+		"pass in proto udp to 198.51.100.3 port 53" \
+		"pass out proto udp to 198.51.100.3 port 53"
+
+	atf_check -s exit:0 $(atf_get_srcdir)/CVE-2019-icmp.py \
+		--sendif ${epair_in}a \
+		--recvif ${epair_out}a \
+		--src 192.0.2.1 \
+		--to 198.51.100.3
+}
+
+cve_2019_5598_cleanup()
+{
+	pft_cleanup
+}
+
+atf_init_test_cases()
+{
+	atf_add_test_case "cve_2019_5598"
+}
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "cve_2019_5598" "cleanup"
+cve_2019_5598_head()
+{
+	atf_set descr 'Test CVE-2019-5598'
+	atf_set require.user root
+	atf_set require.progs scapy
+}
+
+cve_2019_5598_body()
+{
+	pft_init
+
+	epair_in=$(vnet_mkepair)
+	epair_out=$(vnet_mkepair)
+	ifconfig ${epair_in}a 192.0.2.1/24 up
+	ifconfig ${epair_out}a up
+
+	vnet_mkjail alcatraz ${epair_in}b ${epair_out}b
+	jexec alcatraz ifconfig ${epair_in}b 192.0.2.2/24 up
+	jexec alcatraz ifconfig ${epair_out}b 198.51.100.2/24 up
+	jexec alcatraz sysctl net.inet.ip.forwarding=1
+	jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05
+	route add -net 198.51.100.0/24 192.0.2.2
+
+	jexec alcatraz pfctl -e
+	pft_set_rules alcatraz "block all" \
+		"pass in proto udp to 198.51.100.3 port 53" \
+		"pass out proto udp to 198.51.100.3 port 53"
+
+	atf_check -s exit:0 $(atf_get_srcdir)/CVE-2019-icmp.py \
+		--sendif ${epair_in}a \
+		--recvif ${epair_out}a \
+		--src 192.0.2.1 \
+		--to 198.51.100.3
+}
+
+cve_2019_5598_cleanup()
+{
+	pft_cleanup
+}
+
+atf_init_test_cases()
+{
+	atf_add_test_case "cve_2019_5598"
+}