From c915fd0fc69fa9d556d57a1b18f1107f13392fc3 Mon Sep 17 00:00:00 2001 From: Amos Jeffries Date: Sun, 14 Sep 2014 23:08:18 -0600 Subject: [PATCH] Fix various ICMP handling issues in Squid pinger * ICMP code type logging display could over-read the registered type string arrays. * Malformed ICMP packets were accepted into processing with undefined and potentially nasty results. Both sets of flaws can result in pinger segmentation fault and halting the Squid functionality relying on pinger for correct operation. Thanks to the OpenSUSE project for analysis and resolution of these. --- src/icmp/Icmp4.cc | 66 +++++++++++++++++--------- src/icmp/Icmp6.cc | 117 +++++++++++++++++++++++++--------------------- 2 files changed, 108 insertions(+), 75 deletions(-) diff --git a/src/icmp/Icmp4.cc b/src/icmp/Icmp4.cc index ffb3c3de73..81c03cf47f 100644 --- a/src/icmp/Icmp4.cc +++ b/src/icmp/Icmp4.cc @@ -42,26 +42,38 @@ #include "IcmpPinger.h" #include "Debug.h" -const char *icmpPktStr[] = { - "Echo Reply", - "ICMP 1", - "ICMP 2", - "Destination Unreachable", - "Source Quench", - "Redirect", - "ICMP 6", - "ICMP 7", - "Echo", - "ICMP 9", - "ICMP 10", - "Time Exceeded", - "Parameter Problem", - "Timestamp", - "Timestamp Reply", - "Info Request", - "Info Reply", - "Out of Range Type" -}; +static const char * +IcmpPacketType(uint8_t v) +{ + static const char *icmpPktStr[] = { + "Echo Reply", + "ICMP 1", + "ICMP 2", + "Destination Unreachable", + "Source Quench", + "Redirect", + "ICMP 6", + "ICMP 7", + "Echo", + "ICMP 9", + "ICMP 10", + "Time Exceeded", + "Parameter Problem", + "Timestamp", + "Timestamp Reply", + "Info Request", + "Info Reply", + "Out of Range Type" + }; + + if (v > 17) { + static char buf[50]; + snprintf(buf, sizeof(buf), "ICMP %u (invalid)", v); + return buf; + } + + return icmpPktStr[v]; +} Icmp4::Icmp4() : Icmp() { @@ -188,6 +200,12 @@ Icmp4::Recv(void) from->ai_addr, &from->ai_addrlen); + if (n <= 0) { + debugs(42, DBG_CRITICAL, HERE << "Error when calling recvfrom() on ICMP socket."); + Ip::Address::FreeAddrInfo(from); + return; + } + preply.from = *from; #if GETTIMEOFDAY_NO_TZP @@ -244,9 +262,15 @@ Icmp4::Recv(void) preply.psize = n - iphdrlen - (sizeof(icmpEchoData) - MAX_PKT4_SZ); + if (preply.psize < 0) { + debugs(42, DBG_CRITICAL, HERE << "Malformed ICMP packet."); + Ip::Address::FreeAddrInfo(from); + return; + } + control.SendResult(preply, (sizeof(pingerReplyData) - MAX_PKT4_SZ + preply.psize) ); - Log(preply.from, icmp->icmp_type, icmpPktStr[icmp->icmp_type], preply.rtt, preply.hops); + Log(preply.from, icmp->icmp_type, IcmpPacketType(icmp->icmp_type), preply.rtt, preply.hops); preply.from.FreeAddrInfo(from); } diff --git a/src/icmp/Icmp6.cc b/src/icmp/Icmp6.cc index 5738e79d5d..06bc9890cc 100644 --- a/src/icmp/Icmp6.cc +++ b/src/icmp/Icmp6.cc @@ -51,57 +51,61 @@ // Icmp6 OP-Codes // see http://www.iana.org/assignments/icmpv6-parameters -// NP: LowPktStr is for codes 0-127 -static const char *icmp6LowPktStr[] = { - "ICMP 0", // 0 - "Destination Unreachable", // 1 - RFC2463 - "Packet Too Big", // 2 - RFC2463 - "Time Exceeded", // 3 - RFC2463 - "Parameter Problem", // 4 - RFC2463 - "ICMP 5", // 5 - "ICMP 6", // 6 - "ICMP 7", // 7 - "ICMP 8", // 8 - "ICMP 9", // 9 - "ICMP 10" // 10 -}; - -// NP: HighPktStr is for codes 128-255 -static const char *icmp6HighPktStr[] = { - "Echo Request", // 128 - RFC2463 - "Echo Reply", // 129 - RFC2463 - "Multicast Listener Query", // 130 - RFC2710 - "Multicast Listener Report", // 131 - RFC2710 - "Multicast Listener Done", // 132 - RFC2710 - "Router Solicitation", // 133 - RFC4861 - "Router Advertisement", // 134 - RFC4861 - "Neighbor Solicitation", // 135 - RFC4861 - "Neighbor Advertisement", // 136 - RFC4861 - "Redirect Message", // 137 - RFC4861 - "Router Renumbering", // 138 - Crawford - "ICMP Node Information Query", // 139 - RFC4620 - "ICMP Node Information Response", // 140 - RFC4620 - "Inverse Neighbor Discovery Solicitation", // 141 - RFC3122 - "Inverse Neighbor Discovery Advertisement", // 142 - RFC3122 - "Version 2 Multicast Listener Report", // 143 - RFC3810 - "Home Agent Address Discovery Request", // 144 - RFC3775 - "Home Agent Address Discovery Reply", // 145 - RFC3775 - "Mobile Prefix Solicitation", // 146 - RFC3775 - "Mobile Prefix Advertisement", // 147 - RFC3775 - "Certification Path Solicitation", // 148 - RFC3971 - "Certification Path Advertisement", // 149 - RFC3971 - "ICMP Experimental (150)", // 150 - RFC4065 - "Multicast Router Advertisement", // 151 - RFC4286 - "Multicast Router Solicitation", // 152 - RFC4286 - "Multicast Router Termination", // 153 - [RFC4286] - "ICMP 154", - "ICMP 155", - "ICMP 156", - "ICMP 157", - "ICMP 158", - "ICMP 159", - "ICMP 160" -}; +static const char * +IcmpPacketType(uint8_t v) +{ + // NP: LowPktStr is for codes 0-127 + static const char *icmp6LowPktStr[] = { + "ICMPv6 0", // 0 + "Destination Unreachable", // 1 - RFC2463 + "Packet Too Big", // 2 - RFC2463 + "Time Exceeded", // 3 - RFC2463 + "Parameter Problem", // 4 - RFC2463 + }; + + // low codes 1-4 registered + if (0 < v && v < 5) + return icmp6LowPktStr[(int)(v&0x7f)]; + + // NP: HighPktStr is for codes 128-255 + static const char *icmp6HighPktStr[] = { + "Echo Request", // 128 - RFC2463 + "Echo Reply", // 129 - RFC2463 + "Multicast Listener Query", // 130 - RFC2710 + "Multicast Listener Report", // 131 - RFC2710 + "Multicast Listener Done", // 132 - RFC2710 + "Router Solicitation", // 133 - RFC4861 + "Router Advertisement", // 134 - RFC4861 + "Neighbor Solicitation", // 135 - RFC4861 + "Neighbor Advertisement", // 136 - RFC4861 + "Redirect Message", // 137 - RFC4861 + "Router Renumbering", // 138 - Crawford + "ICMP Node Information Query", // 139 - RFC4620 + "ICMP Node Information Response", // 140 - RFC4620 + "Inverse Neighbor Discovery Solicitation", // 141 - RFC3122 + "Inverse Neighbor Discovery Advertisement", // 142 - RFC3122 + "Version 2 Multicast Listener Report", // 143 - RFC3810 + "Home Agent Address Discovery Request", // 144 - RFC3775 + "Home Agent Address Discovery Reply", // 145 - RFC3775 + "Mobile Prefix Solicitation", // 146 - RFC3775 + "Mobile Prefix Advertisement", // 147 - RFC3775 + "Certification Path Solicitation", // 148 - RFC3971 + "Certification Path Advertisement", // 149 - RFC3971 + "ICMP Experimental (150)", // 150 - RFC4065 + "Multicast Router Advertisement", // 151 - RFC4286 + "Multicast Router Solicitation", // 152 - RFC4286 + "Multicast Router Termination", // 153 - [RFC4286] + }; + + // high codes 127-153 registered + if (127 < v && v < 154) + return icmp6HighPktStr[(int)(v&0x7f)]; + + // give all others a generic display + static char buf[50]; + snprintf(buf, sizeof(buf), "ICMPv6 %u", v); + return buf; +} Icmp6::Icmp6() : Icmp() { @@ -238,6 +242,12 @@ Icmp6::Recv(void) from->ai_addr, &from->ai_addrlen); + if (n <= 0) { + debugs(42, DBG_CRITICAL, HERE << "Error when calling recvfrom() on ICMPv6 socket."); + Ip::Address::FreeAddrInfo(from); + return; + } + preply.from = *from; #if GETTIMEOFDAY_NO_TZP @@ -294,8 +304,7 @@ Icmp6::Recv(void) default: debugs(42, 8, HERE << preply.from << " said: " << icmp6header->icmp6_type << "/" << (int)icmp6header->icmp6_code << " " << - ( icmp6header->icmp6_type&0x80 ? icmp6HighPktStr[(int)(icmp6header->icmp6_type&0x7f)] : icmp6LowPktStr[(int)(icmp6header->icmp6_type&0x7f)] ) - ); + IcmpPacketType(icmp6header->icmp6_type)); } preply.from.FreeAddrInfo(from); return; @@ -334,7 +343,7 @@ Icmp6::Recv(void) Log(preply.from, icmp6header->icmp6_type, - ( icmp6header->icmp6_type&0x80 ? icmp6HighPktStr[(int)(icmp6header->icmp6_type&0x7f)] : icmp6LowPktStr[(int)(icmp6header->icmp6_type&0x7f)] ), + IcmpPacketType(icmp6header->icmp6_type), preply.rtt, preply.hops); -- 2.47.2