Fix various ICMP handling issues in Squid pinger

* ICMP code type logging display could over-read the registered type
  string arrays.

* Malformed ICMP packets were accepted into processing with undefined
  and potentially nasty results.

Both sets of flaws can result in pinger segmentation fault and halting
the Squid functionality relying on pinger for correct operation.

 Thanks to the OpenSUSE project for analysis and resolution of these.

diff --git a/src/icmp/Icmp4.cc b/src/icmp/Icmp4.cc
index 72da1cf12a10a9328223cf836a42c512c066518a..75a012f33ae9a476e776c659186e16a04aea9724 100644 (file)
--- a/src/icmp/Icmp4.cc
+++ b/src/icmp/Icmp4.cc
@@ -20,26 +20,38 @@
 #include "leakcheck.h"
 #include "SquidTime.h"
 
-const char *icmpPktStr[] = {
-    "Echo Reply",
-    "ICMP 1",
-    "ICMP 2",
-    "Destination Unreachable",
-    "Source Quench",
-    "Redirect",
-    "ICMP 6",
-    "ICMP 7",
-    "Echo",
-    "ICMP 9",
-    "ICMP 10",
-    "Time Exceeded",
-    "Parameter Problem",
-    "Timestamp",
-    "Timestamp Reply",
-    "Info Request",
-    "Info Reply",
-    "Out of Range Type"
-};
+static const char *
+IcmpPacketType(uint8_t v)
+{
+    static const char *icmpPktStr[] = {
+        "Echo Reply",
+        "ICMP 1",
+        "ICMP 2",
+        "Destination Unreachable",
+        "Source Quench",
+        "Redirect",
+        "ICMP 6",
+        "ICMP 7",
+        "Echo",
+        "ICMP 9",
+        "ICMP 10",
+        "Time Exceeded",
+        "Parameter Problem",
+        "Timestamp",
+        "Timestamp Reply",
+        "Info Request",
+        "Info Reply",
+        "Out of Range Type"
+    };
+
+    if (v > 17) {
+        static char buf[50];
+        snprintf(buf, sizeof(buf), "ICMP %u (invalid)", v);
+        return buf;
+    }
+
+    return icmpPktStr[v];
+}
 
 Icmp4::Icmp4() : Icmp()
 {
@@ -166,6 +178,12 @@ Icmp4::Recv(void)
                  from->ai_addr,
                  &from->ai_addrlen);
 
+    if (n <= 0) {
+        debugs(42, DBG_CRITICAL, HERE << "Error when calling recvfrom() on ICMP socket.");
+        Ip::Address::FreeAddrInfo(from);
+        return;
+    }
+
     preply.from = *from;
 
 #if GETTIMEOFDAY_NO_TZP
@@ -222,9 +240,15 @@ Icmp4::Recv(void)
 
     preply.psize = n - iphdrlen - (sizeof(icmpEchoData) - MAX_PKT4_SZ);
 
+    if (preply.psize < 0) {
+        debugs(42, DBG_CRITICAL, HERE << "Malformed ICMP packet.");
+        Ip::Address::FreeAddrInfo(from);
+        return;
+    }
+
     control.SendResult(preply, (sizeof(pingerReplyData) - MAX_PKT4_SZ + preply.psize) );
 
-    Log(preply.from, icmp->icmp_type, icmpPktStr[icmp->icmp_type], preply.rtt, preply.hops);
+    Log(preply.from, icmp->icmp_type, IcmpPacketType(icmp->icmp_type), preply.rtt, preply.hops);
     Ip::Address::FreeAddrInfo(from);
 }
 

diff --git a/src/icmp/Icmp6.cc b/src/icmp/Icmp6.cc
index 370319c52d02f75526af9dad7039a58219867619..07b3bd232e8887633604d28479ba54342cd1bbc1 100644 (file)
--- a/src/icmp/Icmp6.cc
+++ b/src/icmp/Icmp6.cc
@@ -29,57 +29,61 @@
 
 // Icmp6 OP-Codes
 // see http://www.iana.org/assignments/icmpv6-parameters
-// NP: LowPktStr is for codes 0-127
-static const char *icmp6LowPktStr[] = {
-    "ICMP 0",                  // 0
-    "Destination Unreachable", // 1 - RFC2463
-    "Packet Too Big",          // 2 - RFC2463
-    "Time Exceeded",           // 3 - RFC2463
-    "Parameter Problem",               // 4 - RFC2463
-    "ICMP 5",                  // 5
-    "ICMP 6",                  // 6
-    "ICMP 7",                  // 7
-    "ICMP 8",                  // 8
-    "ICMP 9",                  // 9
-    "ICMP 10"                  // 10
-};
-
-// NP: HighPktStr is for codes 128-255
-static const char *icmp6HighPktStr[] = {
-    "Echo Request",                                    // 128 - RFC2463
-    "Echo Reply",                                      // 129 - RFC2463
-    "Multicast Listener Query",                        // 130 - RFC2710
-    "Multicast Listener Report",                       // 131 - RFC2710
-    "Multicast Listener Done",                 // 132 - RFC2710
-    "Router Solicitation",                             // 133 - RFC4861
-    "Router Advertisement",                            // 134 - RFC4861
-    "Neighbor Solicitation",                   // 135 - RFC4861
-    "Neighbor Advertisement",                  // 136 - RFC4861
-    "Redirect Message",                                // 137 - RFC4861
-    "Router Renumbering",                              // 138 - Crawford
-    "ICMP Node Information Query",                     // 139 - RFC4620
-    "ICMP Node Information Response",          // 140 - RFC4620
-    "Inverse Neighbor Discovery Solicitation", // 141 - RFC3122
-    "Inverse Neighbor Discovery Advertisement",        // 142 - RFC3122
-    "Version 2 Multicast Listener Report",             // 143 - RFC3810
-    "Home Agent Address Discovery Request",            // 144 - RFC3775
-    "Home Agent Address Discovery Reply",              // 145 - RFC3775
-    "Mobile Prefix Solicitation",                      // 146 - RFC3775
-    "Mobile Prefix Advertisement",                     // 147 - RFC3775
-    "Certification Path Solicitation",         // 148 - RFC3971
-    "Certification Path Advertisement",                // 149 - RFC3971
-    "ICMP Experimental (150)",                 // 150 - RFC4065
-    "Multicast Router Advertisement",          // 151 - RFC4286
-    "Multicast Router Solicitation",           // 152 - RFC4286
-    "Multicast Router Termination",                    // 153 - [RFC4286]
-    "ICMP 154",
-    "ICMP 155",
-    "ICMP 156",
-    "ICMP 157",
-    "ICMP 158",
-    "ICMP 159",
-    "ICMP 160"
-};
+static const char *
+IcmpPacketType(uint8_t v)
+{
+    // NP: LowPktStr is for codes 0-127
+    static const char *icmp6LowPktStr[] = {
+        "ICMPv6 0",                    // 0
+        "Destination Unreachable",     // 1 - RFC2463
+        "Packet Too Big",              // 2 - RFC2463
+        "Time Exceeded",               // 3 - RFC2463
+        "Parameter Problem",           // 4 - RFC2463
+    };
+
+    // low codes 1-4 registered
+    if (0 < v && v < 5)
+        return icmp6LowPktStr[(int)(v&0x7f)];
+
+    // NP: HighPktStr is for codes 128-255
+    static const char *icmp6HighPktStr[] = {
+        "Echo Request",                                        // 128 - RFC2463
+        "Echo Reply",                                  // 129 - RFC2463
+        "Multicast Listener Query",                    // 130 - RFC2710
+        "Multicast Listener Report",                   // 131 - RFC2710
+        "Multicast Listener Done",                     // 132 - RFC2710
+        "Router Solicitation",                         // 133 - RFC4861
+        "Router Advertisement",                                // 134 - RFC4861
+        "Neighbor Solicitation",                       // 135 - RFC4861
+        "Neighbor Advertisement",                      // 136 - RFC4861
+        "Redirect Message",                            // 137 - RFC4861
+        "Router Renumbering",                          // 138 - Crawford
+        "ICMP Node Information Query",                 // 139 - RFC4620
+        "ICMP Node Information Response",              // 140 - RFC4620
+        "Inverse Neighbor Discovery Solicitation",     // 141 - RFC3122
+        "Inverse Neighbor Discovery Advertisement",    // 142 - RFC3122
+        "Version 2 Multicast Listener Report",         // 143 - RFC3810
+        "Home Agent Address Discovery Request",                // 144 - RFC3775
+        "Home Agent Address Discovery Reply",          // 145 - RFC3775
+        "Mobile Prefix Solicitation",                  // 146 - RFC3775
+        "Mobile Prefix Advertisement",                 // 147 - RFC3775
+        "Certification Path Solicitation",             // 148 - RFC3971
+        "Certification Path Advertisement",            // 149 - RFC3971
+        "ICMP Experimental (150)",                     // 150 - RFC4065
+        "Multicast Router Advertisement",              // 151 - RFC4286
+        "Multicast Router Solicitation",               // 152 - RFC4286
+        "Multicast Router Termination",                        // 153 - [RFC4286]
+    };
+
+    // high codes 127-153 registered
+    if (127 < v && v < 154)
+        return icmp6HighPktStr[(int)(v&0x7f)];
+
+    // give all others a generic display
+    static char buf[50];
+    snprintf(buf, sizeof(buf), "ICMPv6 %u", v);
+    return buf;
+}
 
 Icmp6::Icmp6() : Icmp()
 {
@@ -215,6 +219,12 @@ Icmp6::Recv(void)
                  from->ai_addr,
                  &from->ai_addrlen);
 
+    if (n <= 0) {
+        debugs(42, DBG_CRITICAL, HERE << "Error when calling recvfrom() on ICMPv6 socket.");
+        Ip::Address::FreeAddrInfo(from);
+        return;
+    }
+
     preply.from = *from;
 
 #if GETTIMEOFDAY_NO_TZP
@@ -270,8 +280,7 @@ Icmp6::Recv(void)
 
         default:
             debugs(42, 8, HERE << preply.from << " said: " << icmp6header->icmp6_type << "/" << (int)icmp6header->icmp6_code << " " <<
-                   ( icmp6header->icmp6_type&0x80 ? icmp6HighPktStr[(int)(icmp6header->icmp6_type&0x7f)] : icmp6LowPktStr[(int)(icmp6header->icmp6_type&0x7f)] )
-                  );
+                   IcmpPacketType(icmp6header->icmp6_type));
         }
         Ip::Address::FreeAddrInfo(from);
         return;
@@ -310,7 +319,7 @@ Icmp6::Recv(void)
 
     Log(preply.from,
         icmp6header->icmp6_type,
-        ( icmp6header->icmp6_type&0x80 ? icmp6HighPktStr[(int)(icmp6header->icmp6_type&0x7f)] : icmp6LowPktStr[(int)(icmp6header->icmp6_type&0x7f)] ),
+        IcmpPacketType(icmp6header->icmp6_type),
         preply.rtt,
         preply.hops);