Fix various ICMP handling issues in Squid pinger

* ICMP code type logging display could over-read the registered type
  string arrays.

* Malformed ICMP packets were accepted into processing with undefined
  and potentially nasty results.

Both sets of flaws can result in pinger segmentation fault and halting
the Squid functionality relying on pinger for correct operation.

 Thanks to the OpenSUSE project for analysis and resolution of these.

diff --git a/src/icmp/Icmp4.cc b/src/icmp/Icmp4.cc
index a983cca1ca5624c54de6c2d95ce42b1312a6d82b..5c7bc821eaa643a6fe9f5a28b0211f50e2a42e45 100644 (file)
--- a/src/icmp/Icmp4.cc
+++ b/src/icmp/Icmp4.cc
@@ -41,26 +41,38 @@
 #include "IcmpPinger.h"
 #include "Debug.h"
 
-const char *icmpPktStr[] = {
-    "Echo Reply",
-    "ICMP 1",
-    "ICMP 2",
-    "Destination Unreachable",
-    "Source Quench",
-    "Redirect",
-    "ICMP 6",
-    "ICMP 7",
-    "Echo",
-    "ICMP 9",
-    "ICMP 10",
-    "Time Exceeded",
-    "Parameter Problem",
-    "Timestamp",
-    "Timestamp Reply",
-    "Info Request",
-    "Info Reply",
-    "Out of Range Type"
-};
+static const char *
+IcmpPacketType(uint8_t v)
+{
+    static const char *icmpPktStr[] = {
+        "Echo Reply",
+        "ICMP 1",
+        "ICMP 2",
+        "Destination Unreachable",
+        "Source Quench",
+        "Redirect",
+        "ICMP 6",
+        "ICMP 7",
+        "Echo",
+        "ICMP 9",
+        "ICMP 10",
+        "Time Exceeded",
+        "Parameter Problem",
+        "Timestamp",
+        "Timestamp Reply",
+        "Info Request",
+        "Info Reply",
+        "Out of Range Type"
+    };
+
+    if (v > 17) {
+        static char buf[50];
+        snprintf(buf, sizeof(buf), "ICMP %u (invalid)", v);
+        return buf;
+    }
+
+    return icmpPktStr[v];
+}
 
 Icmp4::Icmp4() : Icmp()
 {
@@ -187,6 +199,12 @@ Icmp4::Recv(void)
                  from->ai_addr,
                  &from->ai_addrlen);
 
+    if (n <= 0) {
+        debugs(42, DBG_CRITICAL, HERE << "Error when calling recvfrom() on ICMP socket.");
+        Ip::Address::FreeAddrInfo(from);
+        return;
+    }
+
     preply.from = *from;
 
 #if GETTIMEOFDAY_NO_TZP
@@ -243,9 +261,15 @@ Icmp4::Recv(void)
 
     preply.psize = n - iphdrlen - (sizeof(icmpEchoData) - MAX_PKT4_SZ);
 
+    if (preply.psize < 0) {
+        debugs(42, DBG_CRITICAL, HERE << "Malformed ICMP packet.");
+        Ip::Address::FreeAddrInfo(from);
+        return;
+    }
+
     control.SendResult(preply, (sizeof(pingerReplyData) - MAX_PKT4_SZ + preply.psize) );
 
-    Log(preply.from, icmp->icmp_type, icmpPktStr[icmp->icmp_type], preply.rtt, preply.hops);
+    Log(preply.from, icmp->icmp_type, IcmpPacketType(icmp->icmp_type), preply.rtt, preply.hops);
     Ip::Address::FreeAddrInfo(from);
 }
 

diff --git a/src/icmp/Icmp6.cc b/src/icmp/Icmp6.cc
index 7b4bde6ec739fc0748af88f3cc3e45dc0040257f..a99830b4a22a529883d14e741d7751c1bba36d9f 100644 (file)
--- a/src/icmp/Icmp6.cc
+++ b/src/icmp/Icmp6.cc
@@ -50,57 +50,61 @@
 
 // Icmp6 OP-Codes
 // see http://www.iana.org/assignments/icmpv6-parameters
-// NP: LowPktStr is for codes 0-127
-static const char *icmp6LowPktStr[] = {
-    "ICMP 0",                  // 0
-    "Destination Unreachable", // 1 - RFC2463
-    "Packet Too Big",          // 2 - RFC2463
-    "Time Exceeded",           // 3 - RFC2463
-    "Parameter Problem",               // 4 - RFC2463
-    "ICMP 5",                  // 5
-    "ICMP 6",                  // 6
-    "ICMP 7",                  // 7
-    "ICMP 8",                  // 8
-    "ICMP 9",                  // 9
-    "ICMP 10"                  // 10
-};
-
-// NP: HighPktStr is for codes 128-255
-static const char *icmp6HighPktStr[] = {
-    "Echo Request",                                    // 128 - RFC2463
-    "Echo Reply",                                      // 129 - RFC2463
-    "Multicast Listener Query",                        // 130 - RFC2710
-    "Multicast Listener Report",                       // 131 - RFC2710
-    "Multicast Listener Done",                 // 132 - RFC2710
-    "Router Solicitation",                             // 133 - RFC4861
-    "Router Advertisement",                            // 134 - RFC4861
-    "Neighbor Solicitation",                   // 135 - RFC4861
-    "Neighbor Advertisement",                  // 136 - RFC4861
-    "Redirect Message",                                // 137 - RFC4861
-    "Router Renumbering",                              // 138 - Crawford
-    "ICMP Node Information Query",                     // 139 - RFC4620
-    "ICMP Node Information Response",          // 140 - RFC4620
-    "Inverse Neighbor Discovery Solicitation", // 141 - RFC3122
-    "Inverse Neighbor Discovery Advertisement",        // 142 - RFC3122
-    "Version 2 Multicast Listener Report",             // 143 - RFC3810
-    "Home Agent Address Discovery Request",            // 144 - RFC3775
-    "Home Agent Address Discovery Reply",              // 145 - RFC3775
-    "Mobile Prefix Solicitation",                      // 146 - RFC3775
-    "Mobile Prefix Advertisement",                     // 147 - RFC3775
-    "Certification Path Solicitation",         // 148 - RFC3971
-    "Certification Path Advertisement",                // 149 - RFC3971
-    "ICMP Experimental (150)",                 // 150 - RFC4065
-    "Multicast Router Advertisement",          // 151 - RFC4286
-    "Multicast Router Solicitation",           // 152 - RFC4286
-    "Multicast Router Termination",                    // 153 - [RFC4286]
-    "ICMP 154",
-    "ICMP 155",
-    "ICMP 156",
-    "ICMP 157",
-    "ICMP 158",
-    "ICMP 159",
-    "ICMP 160"
-};
+static const char *
+IcmpPacketType(uint8_t v)
+{
+    // NP: LowPktStr is for codes 0-127
+    static const char *icmp6LowPktStr[] = {
+        "ICMPv6 0",                    // 0
+        "Destination Unreachable",     // 1 - RFC2463
+        "Packet Too Big",              // 2 - RFC2463
+        "Time Exceeded",               // 3 - RFC2463
+        "Parameter Problem",           // 4 - RFC2463
+    };
+
+    // low codes 1-4 registered
+    if (0 < v && v < 5)
+        return icmp6LowPktStr[(int)(v&0x7f)];
+
+    // NP: HighPktStr is for codes 128-255
+    static const char *icmp6HighPktStr[] = {
+        "Echo Request",                                        // 128 - RFC2463
+        "Echo Reply",                                  // 129 - RFC2463
+        "Multicast Listener Query",                    // 130 - RFC2710
+        "Multicast Listener Report",                   // 131 - RFC2710
+        "Multicast Listener Done",                     // 132 - RFC2710
+        "Router Solicitation",                         // 133 - RFC4861
+        "Router Advertisement",                                // 134 - RFC4861
+        "Neighbor Solicitation",                       // 135 - RFC4861
+        "Neighbor Advertisement",                      // 136 - RFC4861
+        "Redirect Message",                            // 137 - RFC4861
+        "Router Renumbering",                          // 138 - Crawford
+        "ICMP Node Information Query",                 // 139 - RFC4620
+        "ICMP Node Information Response",              // 140 - RFC4620
+        "Inverse Neighbor Discovery Solicitation",     // 141 - RFC3122
+        "Inverse Neighbor Discovery Advertisement",    // 142 - RFC3122
+        "Version 2 Multicast Listener Report",         // 143 - RFC3810
+        "Home Agent Address Discovery Request",                // 144 - RFC3775
+        "Home Agent Address Discovery Reply",          // 145 - RFC3775
+        "Mobile Prefix Solicitation",                  // 146 - RFC3775
+        "Mobile Prefix Advertisement",                 // 147 - RFC3775
+        "Certification Path Solicitation",             // 148 - RFC3971
+        "Certification Path Advertisement",            // 149 - RFC3971
+        "ICMP Experimental (150)",                     // 150 - RFC4065
+        "Multicast Router Advertisement",              // 151 - RFC4286
+        "Multicast Router Solicitation",               // 152 - RFC4286
+        "Multicast Router Termination",                        // 153 - [RFC4286]
+    };
+
+    // high codes 127-153 registered
+    if (127 < v && v < 154)
+        return icmp6HighPktStr[(int)(v&0x7f)];
+
+    // give all others a generic display
+    static char buf[50];
+    snprintf(buf, sizeof(buf), "ICMPv6 %u", v);
+    return buf;
+}
 
 Icmp6::Icmp6() : Icmp()
 {
@@ -236,6 +240,12 @@ Icmp6::Recv(void)
                  from->ai_addr,
                  &from->ai_addrlen);
 
+    if (n <= 0) {
+        debugs(42, DBG_CRITICAL, HERE << "Error when calling recvfrom() on ICMPv6 socket.");
+        Ip::Address::FreeAddrInfo(from);
+        return;
+    }
+
     preply.from = *from;
 
 #if GETTIMEOFDAY_NO_TZP
@@ -291,8 +301,7 @@ Icmp6::Recv(void)
 
         default:
             debugs(42, 8, HERE << preply.from << " said: " << icmp6header->icmp6_type << "/" << (int)icmp6header->icmp6_code << " " <<
-                   ( icmp6header->icmp6_type&0x80 ? icmp6HighPktStr[(int)(icmp6header->icmp6_type&0x7f)] : icmp6LowPktStr[(int)(icmp6header->icmp6_type&0x7f)] )
-                  );
+                   IcmpPacketType(icmp6header->icmp6_type));
         }
         Ip::Address::FreeAddrInfo(from);
         return;
@@ -331,7 +340,7 @@ Icmp6::Recv(void)
 
     Log(preply.from,
         icmp6header->icmp6_type,
-        ( icmp6header->icmp6_type&0x80 ? icmp6HighPktStr[(int)(icmp6header->icmp6_type&0x7f)] : icmp6LowPktStr[(int)(icmp6header->icmp6_type&0x7f)] ),
+        IcmpPacketType(icmp6header->icmp6_type),
         preply.rtt,
         preply.hops);