From: "Edgar E. Iglesias"
Date: Thu, 8 May 2014 06:10:18 +0000
To: Samuel Thibault
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH, DoS] slirp (arp): do not special-case bogus IP addresses
In-Reply-To: <20140507221509.GA3302@type.youpi.perso.aquilenet.fr>

On Thu, May 08, 2014 at 12:15:09AM +0200, Samuel Thibault wrote:
> Do not special-case addresses with zero host part, as we do not
> necessarily know how big it is, and the guest can fake them anyway.

Hi Samuel,

The search part looks OK to me, but when adding to the ARP table, don't you at least want to avoid adding mappings for 0.0.0.0/32, to avoid, for example, GARPs polluting the cache with invalid entries?

Cheers,
Edgar
> > Signed-off-by: Samuel Thibault > --- > > This is particularly bad actually, one can for instance simply do this > inside a Linux guest > > ip addr add 192.0.0.0/1 dev eth0 > > and crash qemu (thus a DoS) by just emitting a packet (thus from > 192.0.0.0), getting: > > qemu-system-x86_64: /usr/src/qemu/slirp/arp_table.c:77: arp_table_search: Assertion `(ip_addr & __bswap_32 (~(0xfU << 28))) != 0' failed. > > so it should probably go to all stable maintained versions. > > arp_table.c | 8 -------- > 1 file changed, 8 deletions(-) > > diff --git a/slirp/arp_table.c b/slirp/arp_table.c > index ecdb0ba..243cbbc 100644 > --- a/slirp/arp_table.c > +++ b/slirp/arp_table.c > @@ -37,11 +37,6 @@ void arp_table_add(Slirp *slirp, uint32_t ip_addr, uint8_t ethaddr[ETH_ALEN]) > ethaddr[0], ethaddr[1], ethaddr[2], > ethaddr[3], ethaddr[4], ethaddr[5])); > > - /* Check 0.0.0.0/8 invalid source-only addresses */ > - if ((ip_addr & htonl(~(0xfU << 28))) == 0) { > - return; > - } > - > if (ip_addr == 0xffffffff || ip_addr == broadcast_addr) { > /* Do not register broadcast addresses */ > return; > @@ -73,9 +68,6 @@ bool arp_table_search(Slirp *slirp, uint32_t ip_addr, > DEBUG_CALL("arp_table_search"); > DEBUG_ARG("ip = 0x%x", ip_addr); > > - /* Check 0.0.0.0/8 invalid source-only addresses */ > - assert((ip_addr & htonl(~(0xfU << 28))) != 0); > - > /* If broadcast address */ > if (ip_addr == 0xffffffff || ip_addr == broadcast_addr) { > /* return Ethernet broadcast address */ >
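Review bot: in the arp_table_add hunk, the comment on the removed block says 0.0.0.0/8, but `htonl(~(0xfU << 28))` masks the low 28 bits of the host-order address, so the check fired for any address of the form X.0.0.0 with X a multiple of 16 (192.0.0.0 from the description) while letting most of 0.0.0.0/8 through. Removing it is right, but consider keeping a narrow `if (ip_addr == 0) { return; }` in its place so that a frame sourced from the unspecified address never gets an ARP entry, which is the cache-pollution concern raised in the reply.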
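Review bot: in the arp_table_search hunk, dropping the `assert` is the actual DoS fix, since `ip_addr` is taken from a guest-generated packet and a guest-chosen value must never be an assertion condition; with it gone, a lookup for 0.0.0.0 simply falls through to the broadcast test and the normal table scan. A one-line comment at that spot saying that bogus source addresses are now rejected (or tolerated) on the add side rather than here would record why the check disappeared instead of moving.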
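Added illustration, not code from the patch or from either message: the removed predicate evaluated side by side with the 0.0.0.0/8 test its comment describes and with the exact-0.0.0.0 filter Edgar asks about, showing why 192.0.0.0 reached the assertion. The helper `ip()` and the function names are mine; addresses are kept in network byte order as slirp does.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Predicate of the removed check. The mask ~(0xfU << 28) clears the top
 * four bits of the host-order value, so this is true whenever the low
 * 28 bits are zero: X.0.0.0 for X in {0, 16, 32, ..., 240}. */
bool old_check_matches(uint32_t ip_addr)
{
    return (ip_addr & htonl(~(0xfU << 28))) == 0;
}

/* What the comment claimed the check covered: 0.0.0.0/8, first octet zero. */
bool in_zero_slash_8(uint32_t ip_addr)
{
    return (ip_addr & htonl(0xffU << 24)) == 0;
}

/* The narrower filter suggested in the reply: only the unspecified address. */
bool is_unspecified(uint32_t ip_addr)
{
    return ip_addr == 0;
}

/* Parse dotted-quad text into a network-order address (hypothetical helper;
 * unparsable input is mapped to the all-ones broadcast address). */
uint32_t ip(const char *dotted)
{
    unsigned a, b, c, d;
    if (sscanf(dotted, "%u.%u.%u.%u", &a, &b, &c, &d) != 4) {
        return 0xffffffffu;
    }
    return htonl((a << 24) | (b << 16) | (c << 8) | d);
}

int main(void)
{
    /* Constructed sample addresses: the crash trigger, the default slirp
     * guest address, a real 0.0.0.0/8 address and the unspecified address. */
    const char *samples[] = { "192.0.0.0", "10.0.2.15", "0.1.2.3", "0.0.0.0" };
    printf("%-12s %-10s %-10s %-10s\n", "address", "old-check", "in-0/8", "is-0");
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t a = ip(samples[i]);
        printf("%-12s %-10d %-10d %-10d\n", samples[i],
               old_check_matches(a), in_zero_slash_8(a), is_unspecified(a));
    }
    return 0;
}
```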