Date: Wed, 14 May 2014 02:44:20 +0200
From: Samuel Thibault
Message-ID: <20140514004420.GV6302@type.youpi.perso.aquilenet.fr>
In-Reply-To: <20140514003009.GB21821@hostname>
Subject: Re: [Qemu-devel] [PATCH, DoS] slirp (arp): do not special-case bogus IP addresses
To: "Edgar E. Iglesias"
Cc: qemu-devel@nongnu.org

Edgar E. Iglesias, on Wed 14 May 2014 00:30:09 +0000, wrote:
> > At best I could think of using the patch below, which avoids registering
> > anything for 0.0.0.0, and use a broadcast to answer a guest which
> > would have used 0.0.0.0 as a source for whatever reason. I don't find
> > anything else reasonable. What would be preferred?
>
> Specs are not super clear on this but rfc1700 says that 0.0.0.0 is a source only address.

I agree.

> What I was trying to suggest was a mix between your two versions.
> Removing the assert in table_search and avoid adding 0.0.0.0/32 to the cache
> in table_add. We might need to complement with something that drops datagrams
> destined to 0.0.0.0 in upper layers so we don't keep trying, not sure.
> Does something like that make sense?

So that would be this.

Samuel

Do not special-case addresses with zero host part, as we do not necessarily know how big it is, and the guest can fake them anyway.
Silently avoiding having 0.0.0.0 as a destination, however. Signed-off-by: Samuel Thibault --- diff --git a/slirp/arp_table.c b/slirp/arp_table.c index ecdb0ba..bcaeb44 100644 --- a/slirp/arp_table.c +++ b/slirp/arp_table.c @@ -37,12 +37,7 @@ void arp_table_add(Slirp *slirp, uint32_t ip_addr, uin= t8_t ethaddr[ETH_ALEN]) ethaddr[0], ethaddr[1], ethaddr[2], ethaddr[3], ethaddr[4], ethaddr[5])); =20 - /* Check 0.0.0.0/8 invalid source-only addresses */ - if ((ip_addr & htonl(~(0xfU << 28))) =3D=3D 0) { - return; - } - - if (ip_addr =3D=3D 0xffffffff || ip_addr =3D=3D broadcast_addr) { + if (ip_addr =3D=3D 0 || ip_addr =3D=3D 0xffffffff || ip_addr =3D=3D = broadcast_addr) { /* Do not register broadcast addresses */ return; } @@ -73,9 +68,6 @@ bool arp_table_search(Slirp *slirp, uint32_t ip_addr, DEBUG_CALL("arp_table_search"); DEBUG_ARG("ip =3D 0x%x", ip_addr); =20 - /* Check 0.0.0.0/8 invalid source-only addresses */ - assert((ip_addr & htonl(~(0xfU << 28))) !=3D 0); - /* If broadcast address */ if (ip_addr =3D=3D 0xffffffff || ip_addr =3D=3D broadcast_addr) { /* return Ethernet broadcast address */ diff --git a/slirp/slirp.c b/slirp/slirp.c index 3fb48a4..2f189e0 100644 --- a/slirp/slirp.c +++ b/slirp/slirp.c @@ -778,6 +778,11 @@ int if_encap(Slirp *slirp, struct mbuf *ifm) return 1; } =20 + if (!iph->ip_dst.s_addr) { + /* 0.0.0.0 can not be a source address, something went wrong, av= oid + * making it worse */ + return 1; + } if (!arp_table_search(slirp, iph->ip_dst.s_addr, ethaddr)) { uint8_t arp_req[ETH_HLEN + sizeof(struct arphdr)]; struct ethhdr *reh =3D (struct ethhdr *)arp_req; --mSxgbZZZvrAyzONB Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=patch diff --git a/slirp/arp_table.c b/slirp/arp_table.c index ecdb0ba..bcaeb44 100644 --- a/slirp/arp_table.c +++ b/slirp/arp_table.c 
@@ -37,12 +37,7 @@ void arp_table_add(Slirp *slirp, uint32_t ip_addr, uint8_t ethaddr[ETH_ALEN]) ethaddr[0], ethaddr[1], ethaddr[2], ethaddr[3], ethaddr[4], ethaddr[5])); - /* Check 0.0.0.0/8 invalid source-only addresses */ - if ((ip_addr & htonl(~(0xfU << 28))) == 0) { - return; - } - - if (ip_addr == 0xffffffff || ip_addr == broadcast_addr) { + if (ip_addr == 0 || ip_addr == 0xffffffff || ip_addr == broadcast_addr) { /* Do not register broadcast addresses */ return; } @@ -73,9 +68,6 @@ bool arp_table_search(Slirp *slirp, uint32_t ip_addr, DEBUG_CALL("arp_table_search"); DEBUG_ARG("ip = 0x%x", ip_addr); - /* Check 0.0.0.0/8 invalid source-only addresses */ - assert((ip_addr & htonl(~(0xfU << 28))) != 0); - /* If broadcast address */ if (ip_addr == 0xffffffff || ip_addr == broadcast_addr) { /* return Ethernet broadcast address */ diff --git a/slirp/slirp.c b/slirp/slirp.c index 3fb48a4..2f189e0 100644 --- a/slirp/slirp.c +++ b/slirp/slirp.c @@ -778,6 +778,11 @@ int if_encap(Slirp *slirp, struct mbuf *ifm) return 1; } + if (!iph->ip_dst.s_addr) { + /* 0.0.0.0 can not a a source address, something went wrong, avoid + * making it it worse */ + return 1; + } if (!arp_table_search(slirp, iph->ip_dst.s_addr, ethaddr)) { uint8_t arp_req[ETH_HLEN + sizeof(struct arphdr)]; struct ethhdr *reh = (struct ethhdr *)arp_req; --mSxgbZZZvrAyzONB--
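Review bot: in the arp_table_add hunk the surviving comment `/* Do not register broadcast addresses */` no longer describes the condition, which now also rejects the unspecified address; suggest widening it to `/* Do not register the unspecified or broadcast addresses */` so the new `ip_addr == 0` test does not sit under a broadcast-only comment. Dropping the `htonl(~(0xfU << 28))` mask is the right call: that mask clears only the low four bits of the first octet, so the old test matched every address whose first octet is a multiple of 16 with the other three octets zero (16.0.0.0, 32.0.0.0 and so on), not 0.0.0.0/8 as its comment claimed, which is exactly the "zero host part" guesswork the commit message says cannot be done safely.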
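Review bot: with the assert removed from arp_table_search, a lookup for 0.0.0.0 or for any other address the old mask matched now scans the table and returns false instead of aborting the process on a guest-chosen destination, which is the point of the DoS tag in the subject; since the function keeps its broadcast special case, a one-line comment saying that the unspecified address is deliberately left to fall through to a miss would record why no replacement check belongs here. Please also confirm that every caller of arp_table_search, not only the if_encap path changed in this patch, handles a miss on such addresses rather than relying on the removed assert.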
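Review bot: the new comment in if_encap says 0.0.0.0 "can not be a source address", but the condition tests `iph->ip_dst.s_addr`, the destination, and the commit message itself talks about avoiding 0.0.0.0 as a destination; suggest `/* 0.0.0.0 cannot be a destination address, something went wrong, avoid making it worse */`. The attached copy of the patch also differs from the inline copy in this comment ("can not a a source address", "making it it worse"), so the two copies in this mail are not the same patch; whichever is meant to be applied should carry the corrected wording. Since the early `return 1` drops the datagram silently, a debug trace at the drop point, in the style of the DEBUG_CALL/DEBUG_ARG lines arp_table_search already uses, would keep such datagrams visible when diagnosing guest traffic instead of vanishing without record.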