Date:      Mon, 28 Aug 2000 09:50:04 -0700 (PDT)
From:      Ruslan Ermilov <ru@FreeBSD.org>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: kern/20877: ICMP error msg on UDP port unreachable is incorrect
Message-ID:  <200008281650.JAA76236@freefall.freebsd.org>

The following reply was made to PR kern/20877; it has been noted by GNATS.

From: Ruslan Ermilov <ru@FreeBSD.org>
To: Frank Volf <volf@oasis.IAEhv.nl>
Cc: bug-followup@FreeBSD.org, Garrett Wollman <wollman@FreeBSD.org>,
	Sheldon Hearn <sheldonh@FreeBSD.org>
Subject: Re: kern/20877: ICMP error msg on UDP port unreachable is incorrect
Date: Mon, 28 Aug 2000 19:46:47 +0300

 
 On Sun, Aug 27, 2000 at 07:45:22PM +0200, Frank Volf wrote:
 > 
 > I disagree with the fact that you simply close this pr as being a duplicate
 > case of PR 16240.
 > 
 > PR 16240 tries to address the generic problem, which is indeed present in 
 > many network implementations and may or may not be difficult to fix.
 > 
 > Here, a very simple patch is presented for a special instance of 16240 
 > (an instance that occurs a lot, e.g. using UDP-based traceroute). I see no
 > reason why this patch cannot be applied to FreeBSD.
 > 
 The reason is simple -- your patch is wrong and incomplete.
 
 > If there *are* issues that I overlooked I would like to hear about them, 
 > and have them properly discussed.
 > 
 You overlooked (amongst other things) that ip_off field is also vulnerable.
 
 The basic idea is that all IP header fields SHOULD BE in host byte order
 right after the start of ip_input(), and ip_output() converts them back
 to network byte order.  So in icmp_error() the bytes should still be in
 host byte order, this is even implied by the following piece of code:
 
         /*
          * Don't send error if not the first fragment of message.
          * Don't error if the old packet protocol was ICMP
          * error message, only known informational types.
          */
         if (oip->ip_off &~ (IP_MF|IP_DF))
                 goto freeit;
 
 
 Attached is the patch that fixes part of the problems with ICMP error generation.
 It could be applied to both 5.0-CURRENT and 4.1-STABLE.  This patch is still
 incomplete, it misses the ip_output() portion of fixes.  I will develop and
 test the remaining bits tomorrow and commit it along with this patch.
 
 
 Cheers,
 -- 
 Ruslan Ermilov		Oracle Developer/DBA,
 ru@sunbay.com		Sunbay Software AG,
 ru@FreeBSD.org		FreeBSD committer,
 +380.652.512.251	Simferopol, Ukraine
 
 http://www.FreeBSD.org	The Power To Serve
 http://www.oracle.com	Enabling The Information Age
 
 Content-Disposition: attachment; filename=p
 
 Index: ip_icmp.c
 ===================================================================
 RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v
 retrieving revision 1.43
 diff -u -p -r1.43 ip_icmp.c
 --- ip_icmp.c	2000/06/02 20:18:38	1.43
 +++ ip_icmp.c	2000/08/28 16:28:41
 @@ -191,7 +191,14 @@ icmp_error(n, type, code, dest, destifp)
  	icp->icmp_code = code;
  	bcopy((caddr_t)oip, (caddr_t)&icp->icmp_ip, icmplen);
  	nip = &icp->icmp_ip;
 -	nip->ip_len = htons((u_short)(nip->ip_len + oiplen));
 +	nip->ip_len += oiplen;
 +
 +	/*
 +	 * Convert fields to network representation.
 +	 */
 +	HTONS(nip->ip_len);
 +	HTONS(nip->ip_id);
 +	HTONS(nip->ip_off);
  
  	/*
  	 * Now, copy old ip header (without options)
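Review bot: the three HTONS() calls operate on the copy `nip`, not on `oip`, so the `if (oip->ip_off &~ (IP_MF|IP_DF)) goto freeit;` test earlier in icmp_error() still sees host order and the caller's mbuf is left alone; that is the right choice, but the comment `Convert fields to network representation.` should say why a conversion is needed here at all: ip_input() leaves ip_len, ip_id and ip_off in host order, and the replaced line only re-converted ip_len, so on a little-endian host the header quoted in the ICMP error carried a byte-swapped ip_id and ip_off. Two more details deserve a line in that comment: `nip->ip_len += oiplen;` puts the header length back before the conversion (the old line added it too), and ip_sum is deliberately not recomputed, which is correct only because all three fields are restored exactly to what arrived on the wire. Dropping the `(u_short)` cast is harmless, ip_len already being u_short.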
 Index: ip_input.c
 ===================================================================
 RCS file: /home/ncvs/src/sys/netinet/ip_input.c,v
 retrieving revision 1.138
 diff -u -p -r1.138 ip_input.c
 --- ip_input.c	2000/07/31 23:41:47	1.138
 +++ ip_input.c	2000/08/28 16:28:41
 @@ -1496,7 +1496,6 @@ ip_forward(m, srcrt)
  		m_freem(m);
  		return;
  	}
 -	HTONS(ip->ip_id);
  #ifdef IPSTEALTH
  	if (!ipstealth) {
  #endif
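Review bot: removing `HTONS(ip->ip_id);` from ip_forward() is only correct together with the ip_icmp.c hunk and the ip_output() change that the covering mail says is still to be written. With the ip_icmp.c hunk applied, keeping this line would make icmp_error() convert an ip_id that is already in network order for the errors ip_forward() generates, so the removal is needed for consistency; but unless ip_output() converts ip_id for forwarded packets (which the mail says it does not yet do), forwarded traffic now leaves the box with a host-order ip_id on little-endian hosts. The two files should land as one commit, as the mail proposes, and a short comment here pointing at where the conversion now happens would save the next reader a search.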
 
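The byte-order convention the mail describes (ip_input() leaves ip_len, ip_id and ip_off in host order, and whatever puts a header back on the wire must convert them) and the resulting bug in the old icmp_error() quoting can be reproduced outside the kernel. The following is an added example, not code from the FreeBSD tree or from this thread: it models a 4.4BSD-style ip_input() (the three fields swapped to host order and the header length taken off ip_len before the transport protocol sees the packet), the old and the patched header-quoting logic of icmp_error(), and the first-fragment check quoted in the mail, all run against a constructed UDP probe header of the kind traceroute sends. The struct and function names (`struct ip_hdr`, `model_ip_input`, `model_icmp_error_quote`, `run_scenario`, `should_send_icmp_error`) are the example's own and not kernel identifiers; the probe's addresses and ID are made up.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* htons()/ntohs()/htonl() */

/* Minimal IPv4 header, same layout as the kernel's struct ip without options. */
struct ip_hdr {
    uint8_t  ip_vhl;   /* version 4, header length 5 words */
    uint8_t  ip_tos;
    uint16_t ip_len;   /* total length */
    uint16_t ip_id;
    uint16_t ip_off;   /* flags and fragment offset */
    uint8_t  ip_ttl;
    uint8_t  ip_p;
    uint16_t ip_sum;
    uint32_t ip_src;
    uint32_t ip_dst;
};

#define IP_DF 0x4000   /* don't fragment */
#define IP_MF 0x2000   /* more fragments */

/* RFC 1071 ones'-complement checksum; yields 0 over a header whose ip_sum is valid. */
static uint16_t in_cksum(const void *data, size_t len)
{
    const uint8_t *p = data;
    uint32_t sum = 0;
    while (len > 1) { sum += ((uint32_t)p[0] << 8) | p[1]; p += 2; len -= 2; }
    if (len) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return htons((uint16_t)~sum);   /* stored in wire order */
}

/* Constructed sample: a UDP probe as traceroute would send it, in wire order. */
static void build_wire_probe(struct ip_hdr *ip)
{
    memset(ip, 0, sizeof *ip);
    ip->ip_vhl = 0x45;
    ip->ip_len = htons(sizeof *ip + 8 + 32);   /* IP + UDP header + 32 byte payload */
    ip->ip_id  = htons(0x1234);                 /* made-up identification */
    ip->ip_off = htons(IP_DF);
    ip->ip_ttl = 1;
    ip->ip_p   = 17;                            /* UDP */
    ip->ip_src = htonl(0xC0000201);             /* 192.0.2.1, documentation range */
    ip->ip_dst = htonl(0xC0000202);             /* 192.0.2.2 */
    ip->ip_sum = in_cksum(ip, sizeof *ip);
}

/* Model of 4.4BSD ip_input(): the three fields go to host order and the header
 * length is taken off ip_len before udp_input() sees the packet (assumption). */
static void model_ip_input(struct ip_hdr *ip)
{
    ip->ip_len = ntohs(ip->ip_len);
    ip->ip_id  = ntohs(ip->ip_id);
    ip->ip_off = ntohs(ip->ip_off);
    ip->ip_len -= sizeof *ip;
}

/* The "first fragment only" test from icmp_error(); meaningful only on a
 * host-order ip_off, which is why the conversion must not happen before it. */
int should_send_icmp_error(uint16_t ip_off)
{
    return (ip_off & ~(IP_MF | IP_DF)) == 0;
}

/* Header quoting as icmp_error() does it, on a copy so the caller's header is
 * untouched. fixed == 0: old code, only ip_len re-converted. fixed == 1: the
 * patch, all three host-order fields re-converted. */
static void model_icmp_error_quote(const struct ip_hdr *oip, int fixed,
                                   struct ip_hdr *nip)
{
    memcpy(nip, oip, sizeof *oip);
    if (!fixed) {
        nip->ip_len = htons((uint16_t)(nip->ip_len + sizeof *oip));
    } else {
        nip->ip_len += sizeof *oip;
        nip->ip_len = htons(nip->ip_len);
        nip->ip_id  = htons(nip->ip_id);
        nip->ip_off = htons(nip->ip_off);
    }
}

/* What the probe's sender checks when the ICMP error arrives: the quoted header
 * must be byte-identical to what it sent and must still checksum correctly.
 * Returns 1 if the quoted header is intact, 0 if it was corrupted. */
int run_scenario(int fixed)
{
    struct ip_hdr wire, inkern, quoted;
    build_wire_probe(&wire);
    inkern = wire;
    model_ip_input(&inkern);
    model_icmp_error_quote(&inkern, fixed, &quoted);
    return memcmp(&wire, &quoted, sizeof wire) == 0 &&
           in_cksum(&quoted, sizeof quoted) == 0;
}

int host_is_little_endian(void)
{
    uint16_t probe = 1;
    return *(uint8_t *)&probe == 1;
}

int main(void)
{
    printf("host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    printf("old quoting: %s, patched quoting: %s\n",
           run_scenario(0) ? "intact" : "corrupted",
           run_scenario(1) ? "intact" : "corrupted");
    printf("ip_off check, host-order IP_DF: %d, wire-order IP_DF: %d\n",
           should_send_icmp_error(IP_DF), should_send_icmp_error(htons(IP_DF)));
    return 0;
}
```

On a little-endian host run_scenario(0) reports the old code's quoted header as corrupted (ip_id and ip_off come back byte-swapped, so a traceroute matching replies against its probes would not recognise them) while run_scenario(1) passes; on a big-endian host both pass, which is why the bug was easy to miss. The should_send_icmp_error() calls show the other half of the argument: a DF-flagged probe is correctly treated as a first fragment only when ip_off is in host order, so the conversion belongs after that test, as the patch places it.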
 






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200008281650.JAA76236>