From: "Edgar E. Iglesias"
Date: Wed, 14 May 2014 01:22:25 +0000
To: Samuel Thibault
Cc: jan.kiszka@siemens.com, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCHv2, DoS] slirp (arp): do not special-case bogus IP addresses
Message-ID: <20140514012225.GA21829@hostname>
In-Reply-To: <20140514011309.GY6302@type.youpi.perso.aquilenet.fr>
References: <1396218189-14422-1-git-send-email-samuel.thibault@ens-lyon.org> <1396218189-14422-2-git-send-email-samuel.thibault@ens-lyon.org> <20140507221509.GA3302@type.youpi.perso.aquilenet.fr> <20140514011309.GY6302@type.youpi.perso.aquilenet.fr>

On Wed, May 14, 2014 at 03:13:09AM +0200, Samuel Thibault wrote:
> Do not special-case addresses with zero host part, as we do not
> necessarily know how big it is, and the guest can fake them anyway.
> Silently avoid having 0.0.0.0 as a destination, however.
> 
> Signed-off-by: Samuel Thibault

Reviewed-by: Edgar E. Iglesias

> ---
> 
> This is particularly bad actually, one can for instance simply do this
> inside a Linux guest
> 
>     ip addr add 192.0.0.0/1 dev eth0
> 
> and crash qemu (thus a DoS) by just emitting a packet (thus from
> 192.0.0.0), getting:
> 
> qemu-system-x86_64: /usr/src/qemu/slirp/arp_table.c:77: arp_table_search: Assertion `(ip_addr & __bswap_32 (~(0xfU << 28))) != 0' failed.
> 
> so it should probably go to all stable maintained versions.
> 
> diff --git a/slirp/arp_table.c b/slirp/arp_table.c
> index ecdb0ba..bcaeb44 100644
> --- a/slirp/arp_table.c
> +++ b/slirp/arp_table.c
> @@ -37,12 +37,7 @@ void arp_table_add(Slirp *slirp, uint32_t ip_addr, uint8_t ethaddr[ETH_ALEN])
>                  ethaddr[0], ethaddr[1], ethaddr[2],
>                  ethaddr[3], ethaddr[4], ethaddr[5]));
>  
> -    /* Check 0.0.0.0/8 invalid source-only addresses */
> -    if ((ip_addr & htonl(~(0xfU << 28))) == 0) {
> -        return;
> -    }
> -
> -    if (ip_addr == 0xffffffff || ip_addr == broadcast_addr) {
> +    if (ip_addr == 0 || ip_addr == 0xffffffff || ip_addr == broadcast_addr) {
>          /* Do not register broadcast addresses */
>          return;
>      }
> @@ -73,9 +68,6 @@ bool arp_table_search(Slirp *slirp, uint32_t ip_addr,
>      DEBUG_CALL("arp_table_search");
>      DEBUG_ARG("ip = 0x%x", ip_addr);
>  
> -    /* Check 0.0.0.0/8 invalid source-only addresses */
> -    assert((ip_addr & htonl(~(0xfU << 28))) != 0);
> -
>      /* If broadcast address */
>      if (ip_addr == 0xffffffff || ip_addr == broadcast_addr) {
>          /* return Ethernet broadcast address */
> diff --git a/slirp/slirp.c b/slirp/slirp.c
> index 3fb48a4..00f4eb5 100644
> --- a/slirp/slirp.c
> +++ b/slirp/slirp.c
> @@ -778,6 +778,11 @@ int if_encap(Slirp *slirp, struct mbuf *ifm)
>          return 1;
>      }
>  
> +    if (iph->ip_dst.s_addr == 0) {
> +        /* 0.0.0.0 can not be a destination address, something went wrong,
> +         * avoid making it worse */
> +        return 1;
> +    }
>      if (!arp_table_search(slirp, iph->ip_dst.s_addr, ethaddr)) {
>          uint8_t arp_req[ETH_HLEN + sizeof(struct arphdr)];
>          struct ethhdr *reh = (struct ethhdr *)arp_req;
> 
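Review bot: in the arp_table_add() hunk, the comment kept on the surviving check, `/* Do not register broadcast addresses */`, no longer describes the condition now that `ip_addr == 0` is part of it; reword it to say that neither the unspecified address nor the broadcast addresses get a table entry. It is also worth stating in the commit message that, with the `htonl(~(0xfU << 28))` mask gone, a guest source such as the 192.0.0.0 from the reproducer now does get an entry: that is the intent, the table has to accept whatever source address the guest chooses, so nothing above it may assume the source was filtered.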
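Review bot: in the arp_table_search() hunk, dropping the assert leaves the function with no special case for 0.0.0.0 at all: it will run an ordinary table lookup for it and return whatever entry happens to match, so the function now relies on every caller never asking. This patch guards one caller, if_encap() in slirp.c. Consider also returning false for `ip_addr == 0` right next to the existing broadcast check in arp_table_search(), so the answer does not depend on the caller and the function stays safe for any value a guest can put in a packet.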
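Review bot: in the if_encap() hunk, the new `return 1;` drops the packet silently, whereas the code around it traces with DEBUG_CALL()/DEBUG_ARG(); a debug trace in that branch would leave some evidence when a guest produces a packet to 0.0.0.0, which the comment itself treats as a sign that "something went wrong". Two minor points: the comment should read "cannot" rather than "can not", and a blank line between the new closing brace and the `if (!arp_table_search(...)` that follows would match the spacing of the surrounding code (the previous block is separated by one).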
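As an added illustration of why the reproducer in the cover text trips the old assertion (this is example code written for this page, not Samuel's patch or QEMU's slirp code), the block below re-implements the removed predicate `(ip_addr & htonl(~(0xfU << 28))) == 0` and the replacement `ip_addr == 0 || ip_addr == 0xffffffff` as stand-alone functions and runs them over a few constructed source addresses. The helper names parse_ipv4(), would_have_asserted() and patched_add_skips() are this example's own, and the per-network `broadcast_addr` clause of the real condition is left out because it depends on the slirp configuration. The point it shows: 0xfU << 28 covers only the top four bits of the address, so the old test is "all bits below a /4 prefix are zero", which is true of 192.0.0.0 (0xc0 = 1100 0000) and 16.0.0.0 just as it is of 0.0.0.0, while 10.0.0.0 and 192.0.0.1 pass.

```c
#include <arpa/inet.h>   /* htonl(), exactly as the slirp code uses it */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not QEMU/slirp code: re-implement the predicate the patch
 * removes from arp_table_search()/arp_table_add() and the check that
 * replaces it, so the effect on guest-chosen source addresses is visible. */

/* Hypothetical helper: parse "a.b.c.d" into a uint32_t in network byte
 * order, which is how slirp carries ip_addr. Returns 0 on bad input. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255) {
        return 0;
    }
    uint8_t bytes[4] = { (uint8_t)a, (uint8_t)b, (uint8_t)c, (uint8_t)d };
    memcpy(out, bytes, sizeof bytes);   /* first octet lands in the first byte */
    return 1;
}

/* The pre-patch test. 0xfU << 28 spans only the top 4 bits, so this asks
 * "is everything below a /4 prefix zero?", not 0.0.0.0/8 as the old
 * comment claimed. arp_table_search() asserted that it is false. */
static int old_check_rejects(uint32_t ip_addr)
{
    return (ip_addr & htonl(~(0xfU << 28))) == 0;
}

/* The post-patch test in arp_table_add(): the unspecified address and the
 * all-ones broadcast. The slirp-specific broadcast_addr clause is omitted. */
static int new_check_rejects(uint32_t ip_addr)
{
    return ip_addr == 0 || ip_addr == 0xffffffff;
}

/* 1 if a guest packet with this source would have hit the assertion in
 * arp_table_search() before the patch, 0 if not, -1 on unparsable input. */
int would_have_asserted(const char *src)
{
    uint32_t ip;
    if (!parse_ipv4(src, &ip)) {
        return -1;
    }
    return old_check_rejects(ip);
}

/* 1 if the patched arp_table_add() skips this address, 0 if it registers
 * it, -1 on unparsable input. */
int patched_add_skips(const char *src)
{
    uint32_t ip;
    if (!parse_ipv4(src, &ip)) {
        return -1;
    }
    return new_check_rejects(ip);
}

int main(void)
{
    /* Constructed inputs: the cover-text reproducer plus some neighbours. */
    const char *samples[] = {
        "192.0.0.0", "192.0.0.1", "0.0.0.0", "10.0.0.0", "16.0.0.0", "10.0.2.15"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-12s old assert fires: %d   patched add skips: %d\n",
               samples[i], would_have_asserted(samples[i]),
               patched_add_skips(samples[i]));
    }
    return 0;
}
```

Because `ip_addr` is in network byte order, the htonl() on the mask makes the result the same on little- and big-endian hosts; the guest controls every byte of that value, which is why a predicate like the old one can only ever be a filter, never an invariant worth asserting.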