From: Klement Sekera Date: Fri, 14 Dec 2018 11:00:44 +0000 (+0100) Subject: VPP-1523: harden reassembly X-Git-Tag: v19.04-rc0~161 X-Git-Url: https://gerrit.fd.io/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F78%2F16478%2F3;p=vpp.git VPP-1523: harden reassembly Change-Id: I00d7b38bd99e81e3921ce08cce50d613f11de36e Signed-off-by: Klement Sekera --- diff --git a/src/vnet/ip/ip4_reassembly.c b/src/vnet/ip/ip4_reassembly.c index 346b223416e..3e9d22f7e55 100644 --- a/src/vnet/ip/ip4_reassembly.c +++ b/src/vnet/ip/ip4_reassembly.c @@ -930,13 +930,11 @@ ip4_reassembly_inline (vlib_main_t * vm, } else { - ip4_header_t *fip = vlib_buffer_get_current (b0); - const u32 fragment_first = ip4_get_fragment_offset_bytes (fip); + const u32 fragment_first = ip4_get_fragment_offset_bytes (ip0); const u32 fragment_length = - clib_net_to_host_u16 (fip->length) - ip4_header_bytes (fip); + clib_net_to_host_u16 (ip0->length) - ip4_header_bytes (ip0); const u32 fragment_last = fragment_first + fragment_length - 1; - if (fragment_first > fragment_last - || fragment_first + fragment_length > UINT16_MAX - 20) + if (fragment_first > fragment_last || fragment_first + fragment_length > UINT16_MAX - 20 || (fragment_length < 8 && ip4_get_fragment_more (ip0))) // 8 is minimum frag length per RFC 791 { next0 = IP4_REASSEMBLY_NEXT_DROP; error0 = IP4_ERROR_REASS_MALFORMED_PACKET; diff --git a/test/test_reassembly.py b/test/test_reassembly.py index 1fa05a4efb6..96e00c6bb60 100644 --- a/test/test_reassembly.py +++ b/test/test_reassembly.py @@ -180,6 +180,7 @@ class TestIPv4Reassembly(VppTestCase): def test_5737(self): """ fragment length + ip header size > 65535 """ + self.vapi.cli("clear errors") raw = ('E\x00\x00\x88,\xf8\x1f\xfe@\x01\x98\x00\xc0\xa8\n-\xc0\xa8\n' '\x01\x08\x00\xf0J\xed\xcb\xf1\xf5Test-group: IPv4.IPv4.ipv4-' 'message.Ethernet-Payload.IPv4-Packet.IPv4-Header.Fragment-Of' @@ -200,8 +201,11 @@ class TestIPv4Reassembly(VppTestCase): self.pg_start() self.dst_if.get_capture(1) - self.assert_packet_counter_equal( - "/err/ip4-reassembly-feature/malformed packets", 1) + self.assert_packet_counter_equal("ip4-reassembly-feature", 1) + # TODO remove above, uncomment below once clearing of counters + # is supported + # self.assert_packet_counter_equal( + # "/err/ip4-reassembly-feature/malformed packets", 1) def test_44924(self): """ compress tiny fragments """ @@ -234,6 +238,42 @@ class TestIPv4Reassembly(VppTestCase): self.dst_if.get_capture(1) + def test_frag_1(self): + """ fragment of size 1 """ + self.vapi.cli("clear errors") + malformed_packets = [(Ether(dst=self.src_if.local_mac, + src=self.src_if.remote_mac) / + IP(id=7, len=21, flags="MF", frag=0, ttl=64, + src=self.src_if.remote_ip4, + dst=self.dst_if.remote_ip4) / + ICMP(type="echo-request")), + (Ether(dst=self.src_if.local_mac, + src=self.src_if.remote_mac) / + IP(id=7, len=21, frag=1, ttl=64, + src=self.src_if.remote_ip4, + dst=self.dst_if.remote_ip4) / + Raw(load='\x08')), + ] + + p = (Ether(dst=self.src_if.local_mac, src=self.src_if.remote_mac) / + IP(id=1000, src=self.src_if.remote_ip4, + dst=self.dst_if.remote_ip4) / + UDP(sport=1234, dport=5678) / + Raw("X" * 1000)) + valid_fragments = fragment_rfc791(p, 400) + + self.pg_enable_capture() + self.src_if.add_stream(malformed_packets + valid_fragments) + self.pg_start() + + self.dst_if.get_capture(1) + + self.assert_packet_counter_equal("ip4-reassembly-feature", 1) + # TODO remove above, uncomment below once clearing of counters + # is supported + # self.assert_packet_counter_equal( + # "/err/ip4-reassembly-feature/malformed packets", 1) + @unittest.skipIf(is_skip_aarch64_set() and is_platform_aarch64(), "test doesn't work on aarch64") def test_random(self):