From: bluhm <bluhm@openbsd.org>
Date: Fri, 29 Apr 2022 18:58:33 +0000 (+0000)
Subject: Send IP options with maximum length to check for overflow.
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=b6589a98955edbd71f9c21ec60910f94156af23c;p=openbsd

Send IP options with maximum length to check for overflow.
---

diff --git a/regress/sys/net/pf_opts/Makefile b/regress/sys/net/pf_opts/Makefile
index 1917596dfc4..55088a8596c 100644
--- a/regress/sys/net/pf_opts/Makefile
+++ b/regress/sys/net/pf_opts/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.4 2022/04/29 17:27:37 bluhm Exp $
+# $OpenBSD: Makefile,v 1.5 2022/04/29 18:58:33 bluhm Exp $
 
 # Copyright (c) 2022 Alexander Bluhm <bluhm@openbsd.org>
 #
@@ -235,8 +235,8 @@ run-icmp6-dst: stamp-bpf
 REGRESS_TARGETS +=	run-bpf-ext
 run-bpf-ext: stamp-stop
 	# Check that icmp6 packet with extension headers were blocked
-	fgrep ' fe80::${N2}: HBH icmp6' pflog0.tcpdump
-	fgrep ' fe80::${N2}: DSTOPT icmp6' pflog0.tcpdump
+	fgrep ' fe80::${N2}: HBH icmp6:' pflog0.tcpdump
+	fgrep ' fe80::${N2}: DSTOPT icmp6:' pflog0.tcpdump
 	! grep fe80::${N1} pflog0.tcpdump
 
 # icmp with options
@@ -256,6 +256,16 @@ run-icmp6-pad: stamp-bpf
 	${SUDO} /sbin/route -T ${N1} exec ${PYTHON}icmp6_hop_pad.py N1
 	${SUDO} /sbin/route -T ${N2} exec ${PYTHON}icmp6_hop_pad.py N2
 
+REGRESS_TARGETS +=	run-icmp-max
+run-icmp-max: stamp-bpf
+	${SUDO} /sbin/route -T ${N1} exec ${PYTHON}icmp_max.py N1
+	${SUDO} /sbin/route -T ${N2} exec ${PYTHON}icmp_max.py N2
+
+REGRESS_TARGETS +=	run-icmp6-max
+run-icmp6-max: stamp-bpf
+	${SUDO} /sbin/route -T ${N1} exec ${PYTHON}icmp6_hop_max.py N1
+	${SUDO} /sbin/route -T ${N2} exec ${PYTHON}icmp6_hop_max.py N2
+
 REGRESS_TARGETS +=	run-icmp-ra
 run-icmp-ra: stamp-bpf
 	${SUDO} /sbin/route -T ${N1} exec ${PYTHON}icmp_ra.py N1
@@ -281,11 +291,13 @@ run-bpf-opts: stamp-stop
 	# Check that icmp packet with options were blocked
 	grep ' 127.0.0.${N2}:.* optlen=4 NOP NOP NOP NOP)' pflog0.tcpdump
 	grep ' 127.0.0.${N2}:.* optlen=4 NOP EOL-2)' pflog0.tcpdump
+	grep ' 127.0.0.${N2}:.* optlen=40 NOP ' pflog0.tcpdump
 	grep ' 127.0.0.${N2}:.* optlen=8 NOP IPOPT-148{4} NOP ' pflog0.tcpdump
 	grep ' 127.0.0.${N2}:.* optlen=4 IPOPT-3{4})' pflog0.tcpdump
-	grep ' fe80::${N2}: HBH icmp6' pflog0.tcpdump
-	grep ' fe80::${N2}: HBH (rtalert: 0x0000) icmp6' pflog0.tcpdump
-	grep ' fe80::${N2}: HBH (type 0x03: len=0) icmp6' pflog0.tcpdump
+	grep ' fe80::${N2}: HBH icmp6:.* (len 28,' pflog0.tcpdump
+	grep ' fe80::${N2}: HBH icmp6:.* (len 284,' pflog0.tcpdump
+	grep ' fe80::${N2}: HBH (rtalert: 0x0000) icmp6:' pflog0.tcpdump
+	grep ' fe80::${N2}: HBH (type 0x03: len=0) icmp6:' pflog0.tcpdump
 	! grep '127.0.0.${N1}' pflog0.tcpdump
 	! grep 'fe80::${N1}' pflog0.tcpdump
 
diff --git a/regress/sys/net/pf_opts/icmp6_hop_max.py b/regress/sys/net/pf_opts/icmp6_hop_max.py
new file mode 100644
index 00000000000..9ebed74e3d0
--- /dev/null
+++ b/regress/sys/net/pf_opts/icmp6_hop_max.py
@@ -0,0 +1,29 @@
+#!/usr/local/bin/python3
+
+print("send icmp6 with hop by hop header with maxium padding")
+
+import os
+import sys
+from struct import pack
+from addr import *
+from scapy.all import *
+
+if len(sys.argv) != 2:
+	print("usage: icmp6_hop_max.py Nn")
+	exit(2)
+
+N=sys.argv[1]
+IF=eval("IF_"+N);
+ADDR6=eval("ADDR6_"+N);
+
+pid=os.getpid()
+eid=pid & 0xffff
+payload=b"ABCDEFGHIJKLMNOP"
+packet=IPv6(src=ADDR6, dst=ADDR6)/ \
+    IPv6ExtHdrHopByHop(options=[PadN(optdata=255*b"\x11")])/ \
+    ICMPv6Unknown(type=6, code=0, msgbody=payload)
+
+# send does not work for some reason, add the bpf loopback layer manually
+#send(packet)
+bpf=pack('!I', 24) + bytes(packet)
+sendp(bpf, iface=IF)
diff --git a/regress/sys/net/pf_opts/icmp6_hop_pad.py b/regress/sys/net/pf_opts/icmp6_hop_pad.py
index 4e996ca53a8..0629a284883 100644
--- a/regress/sys/net/pf_opts/icmp6_hop_pad.py
+++ b/regress/sys/net/pf_opts/icmp6_hop_pad.py
@@ -20,7 +20,7 @@ pid=os.getpid()
 eid=pid & 0xffff
 payload=b"ABCDEFGHIJKLMNOP"
 packet=IPv6(src=ADDR6, dst=ADDR6)/ \
-    IPv6ExtHdrHopByHop(options=[Pad1(),PadN(optlen=2),Pad1()])/ \
+    IPv6ExtHdrHopByHop(options=[Pad1(),PadN(optdata=b"\x11\x22"),Pad1()])/ \
     ICMPv6Unknown(type=6, code=0, msgbody=payload)
 
 # send does not work for some reason, add the bpf loopback layer manually
diff --git a/regress/sys/net/pf_opts/icmp6_hop_ra.py b/regress/sys/net/pf_opts/icmp6_hop_ra.py
index 43b03e2458c..04027e2964a 100644
--- a/regress/sys/net/pf_opts/icmp6_hop_ra.py
+++ b/regress/sys/net/pf_opts/icmp6_hop_ra.py
@@ -20,7 +20,8 @@ pid=os.getpid()
 eid=pid & 0xffff
 payload=b"ABCDEFGHIJKLMNOP"
 packet=IPv6(src=ADDR6, dst=ADDR6)/ \
-    IPv6ExtHdrHopByHop(options=[Pad1(),Pad1(),RouterAlert(),PadN(optlen=6)])/ \
+    IPv6ExtHdrHopByHop(options=[Pad1(),Pad1(),RouterAlert(),\
+    PadN(optdata=b"\x11\x22\x33\x44\x55\x66")])/ \
     ICMPv6Unknown(type=6, code=0, msgbody=payload)
 
 # send does not work for some reason, add the bpf loopback layer manually
diff --git a/regress/sys/net/pf_opts/icmp_max.py b/regress/sys/net/pf_opts/icmp_max.py
new file mode 100644
index 00000000000..8c5aaee338f
--- /dev/null
+++ b/regress/sys/net/pf_opts/icmp_max.py
@@ -0,0 +1,24 @@
+#!/usr/local/bin/python3
+
+print("send icmp with maximum length option")
+
+import os
+import sys
+from addr import *
+from scapy.all import *
+
+if len(sys.argv) != 2:
+	print("usage: icmp_max.py Nn")
+	exit(2)
+
+N=sys.argv[1]
+IF=eval("IF_"+N);
+ADDR=eval("ADDR_"+N);
+
+pid=os.getpid()
+eid=pid & 0xffff
+payload=b"ABCDEFGHIJKLMNOP"
+packet=IP(src=ADDR, dst=ADDR, options=40*b"\001")/ \
+    ICMP(type=6, id=eid)/payload
+
+send(packet, iface=IF)