mirrors/passt
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

tcp: Validate TCP endpoint addresses

Browse source 
TCP connections should typically not have wildcard addresses (0.0.0.0
or ::) nor a zero port number for either endpoint.  It's not entirely
clear (at least to me) if it's strictly against the RFCs to do so, but
at any rate the socket interfaces often treat those values
specially[1], so it's not really possible to manipulate such
connections.  Likewise they should not have broadcast or multicast
addresses for either endpoint.

However, nothing prevents a guest from creating a SYN packet with such
values, and it's not entirely clear what the effect on passt would be.
To ensure sane behaviour, explicitly check for this case and drop such
packets, logging a debug warning (we don't want a higher level,
because that would allow a guest to spam the logs).

We never expect such an address on an accept()ed socket either, but
just in case, check for it as well.

[1] Depending on context as "unknown", "match any" or "kernel, pick
    something for me"

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
This commit is contained in:
David Gibson 2024-02-28 22:25:17 +11:00 committed by Stefano Brivio
parent dc9a5d71e9
commit 3b59b9748a
1 changed files with 67 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

74
tcp.c
View file

@ -284,6 +284,7 @@
#include <sys/types.h> #include <sys/types.h>
#include <sys/uio.h> #include <sys/uio.h>
#include <time.h> #include <time.h>
#include <arpa/inet.h>
#include <linux/tcp.h> /* For struct tcp_info */ #include <linux/tcp.h> /* For struct tcp_info */
@ -1935,27 +1936,59 @@ static void tcp_conn_from_tap(struct ctx *c, sa_family_t af,
const struct tcphdr *th, const char *opts, const struct tcphdr *th, const char *opts,
size_t optlen, const struct timespec *now) size_t optlen, const struct timespec *now)
{ {
in_port_t srcport = ntohs(th->source);
in_port_t dstport = ntohs(th->dest);
struct sockaddr_in addr4 = { struct sockaddr_in addr4 = {
.sin_family = AF_INET, .sin_family = AF_INET,
.sin_port = th->dest, .sin_port = htons(dstport),
.sin_addr = *(struct in_addr *)daddr, .sin_addr = *(struct in_addr *)daddr,
}; };
struct sockaddr_in6 addr6 = { struct sockaddr_in6 addr6 = {
.sin6_family = AF_INET6, .sin6_family = AF_INET6,
.sin6_port = th->dest, .sin6_port = htons(dstport),
.sin6_addr = *(struct in6_addr *)daddr, .sin6_addr = *(struct in6_addr *)daddr,
}; };
const struct sockaddr *sa; const struct sockaddr *sa;
struct tcp_tap_conn *conn; struct tcp_tap_conn *conn;
union flow *flow; union flow *flow;
int s = -1, mss;
socklen_t sl; socklen_t sl;
int s, mss;
(void)saddr;
if (!(flow = flow_alloc())) if (!(flow = flow_alloc()))
return; return;
if (af == AF_INET) {
if (IN4_IS_ADDR_UNSPECIFIED(saddr) ||
IN4_IS_ADDR_BROADCAST(saddr) ||
IN4_IS_ADDR_MULTICAST(saddr) || srcport == 0 ||
IN4_IS_ADDR_UNSPECIFIED(daddr) ||
IN4_IS_ADDR_BROADCAST(daddr) ||
IN4_IS_ADDR_MULTICAST(daddr) || dstport == 0) {
char sstr[INET_ADDRSTRLEN], dstr[INET_ADDRSTRLEN];
debug("Invalid endpoint in TCP SYN: %s:%hu -> %s:%hu",
inet_ntop(AF_INET, saddr, sstr, sizeof(sstr)),
srcport,
inet_ntop(AF_INET, daddr, dstr, sizeof(dstr)),
dstport);
goto cancel;
}
} else if (af == AF_INET6) {
if (IN6_IS_ADDR_UNSPECIFIED(saddr) ||
IN6_IS_ADDR_MULTICAST(saddr) || srcport == 0 ||
IN6_IS_ADDR_UNSPECIFIED(daddr) ||
IN6_IS_ADDR_MULTICAST(daddr) || dstport == 0) {
char sstr[INET6_ADDRSTRLEN], dstr[INET6_ADDRSTRLEN];
debug("Invalid endpoint in TCP SYN: %s:%hu -> %s:%hu",
inet_ntop(AF_INET6, saddr, sstr, sizeof(sstr)),
srcport,
inet_ntop(AF_INET6, daddr, dstr, sizeof(dstr)),
dstport);
goto cancel;
}
}
if ((s = tcp_conn_sock(c, af)) < 0) if ((s = tcp_conn_sock(c, af)) < 0)
goto cancel; goto cancel;
@ -2006,8 +2039,8 @@ static void tcp_conn_from_tap(struct ctx *c, sa_family_t af,
sl = sizeof(addr6); sl = sizeof(addr6);
} }
conn->fport = ntohs(th->dest); conn->fport = dstport;
conn->eport = ntohs(th->source); conn->eport = srcport;
conn->seq_init_from_tap = ntohl(th->seq); conn->seq_init_from_tap = ntohl(th->seq);
conn->seq_from_tap = conn->seq_init_from_tap + 1; conn->seq_from_tap = conn->seq_init_from_tap + 1;
@ -2736,6 +2769,33 @@ void tcp_listen_handler(struct ctx *c, union epoll_ref ref,
if (s < 0) if (s < 0)
goto cancel; goto cancel;
if (sa.sa_family == AF_INET) {
const struct in_addr *addr = &sa.sa4.sin_addr;
in_port_t port = sa.sa4.sin_port;
if (IN4_IS_ADDR_UNSPECIFIED(addr) ||
IN4_IS_ADDR_BROADCAST(addr) ||
IN4_IS_ADDR_MULTICAST(addr) || port == 0) {
char str[INET_ADDRSTRLEN];
err("Invalid endpoint from TCP accept(): %s:%hu",
inet_ntop(AF_INET, addr, str, sizeof(str)), port);
goto cancel;
}
} else if (sa.sa_family == AF_INET6) {
const struct in6_addr *addr = &sa.sa6.sin6_addr;
in_port_t port = sa.sa6.sin6_port;
if (IN6_IS_ADDR_UNSPECIFIED(addr) ||
IN6_IS_ADDR_MULTICAST(addr) || port == 0) {
char str[INET6_ADDRSTRLEN];
err("Invalid endpoint from TCP accept(): %s:%hu",
inet_ntop(AF_INET6, addr, str, sizeof(str)), port);
goto cancel;
}
}
if (tcp_splice_conn_from_sock(c, ref.tcp_listen.pif, if (tcp_splice_conn_from_sock(c, ref.tcp_listen.pif,
ref.tcp_listen.port, flow, s, &sa)) ref.tcp_listen.port, flow, s, &sa))
return; return;