2019-05-27 09:55:01 +03:00
// SPDX-License-Identifier: GPL-2.0-or-later
2005-04-17 02:20:36 +04:00
/*
* NET3 : Implementation of the ICMP protocol layer .
*
2008-10-14 06:01:08 +04:00
* Alan Cox , < alan @ lxorguk . ukuu . org . uk >
2005-04-17 02:20:36 +04:00
*
* Some of the function names and the icmp unreach table for this
* module were derived from [ icmp . c 1.0 .11 06 / 02 / 93 ] by
* Ross Biro , Fred N . van Kempen , Mark Evans , Alan Cox , Gerhard Koerting .
* Other than that this module is a complete rewrite .
*
* Fixes :
* Clemens Fruhwirth : introduce global icmp rate limiting
* with icmp type masking ability instead
* of broken per type icmp timeouts .
* Mike Shaver : RFC1122 checks .
* Alan Cox : Multicast ping reply as self .
* Alan Cox : Fix atomicity lockup in ip_build_xmit
* call .
* Alan Cox : Added 216 , 128 byte paths to the MTU
* code .
* Martin Mares : RFC1812 checks .
* Martin Mares : Can be configured to follow redirects
* if acting as a router _without_ a
* routing protocol ( RFC 1812 ) .
* Martin Mares : Echo requests may be configured to
* be ignored ( RFC 1812 ) .
* Martin Mares : Limitation of ICMP error message
* transmit rate ( RFC 1812 ) .
* Martin Mares : TOS and Precedence set correctly
* ( RFC 1812 ) .
* Martin Mares : Now copying as much data from the
* original packet as we can without
* exceeding 576 bytes ( RFC 1812 ) .
* Willy Konynenberg : Transparent proxying support .
* Keith Owens : RFC1191 correction for 4.2 BSD based
* path MTU bug .
* Thomas Quinot : ICMP Dest Unreach codes up to 15 are
* valid ( RFC 1812 ) .
* Andi Kleen : Check all packet lengths properly
* and moved all kfree_skb ( ) up to
* icmp_rcv .
* Andi Kleen : Move the rate limit bookkeeping
* into the dest entry and use a token
* bucket filter ( thanks to ANK ) . Make
* the rates sysctl configurable .
* Yu Tianli : Fixed two ugly bugs in icmp_send
* - IP option length was accounted wrongly
* - ICMP header length was not accounted
* at all .
* Tristan Greaves : Added sysctl option to ignore bogus
* broadcast responses from broken routers .
*
* To Fix :
*
* - Should use skb_pull ( ) instead of all the manual checking .
* This would also greatly simply some upper layer error handlers . - - AK
*/
2012-03-12 11:03:32 +04:00
# define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
2005-04-17 02:20:36 +04:00
# include <linux/module.h>
# include <linux/types.h>
# include <linux/jiffies.h>
# include <linux/kernel.h>
# include <linux/fcntl.h>
# include <linux/socket.h>
# include <linux/in.h>
# include <linux/inet.h>
2005-12-27 07:43:12 +03:00
# include <linux/inetdevice.h>
2005-04-17 02:20:36 +04:00
# include <linux/netdevice.h>
# include <linux/string.h>
# include <linux/netfilter_ipv4.h>
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 11:04:11 +03:00
# include <linux/slab.h>
2005-04-17 02:20:36 +04:00
# include <net/snmp.h>
# include <net/ip.h>
# include <net/route.h>
# include <net/protocol.h>
# include <net/icmp.h>
# include <net/tcp.h>
# include <net/udp.h>
# include <net/raw.h>
net: ipv4: add IPPROTO_ICMP socket kind
This patch adds IPPROTO_ICMP socket kind. It makes it possible to send
ICMP_ECHO messages and receive the corresponding ICMP_ECHOREPLY messages
without any special privileges. In other words, the patch makes it
possible to implement setuid-less and CAP_NET_RAW-less /bin/ping. In
order not to increase the kernel's attack surface, the new functionality
is disabled by default, but is enabled at bootup by supporting Linux
distributions, optionally with restriction to a group or a group range
(see below).
Similar functionality is implemented in Mac OS X:
http://www.manpagez.com/man/4/icmp/
A new ping socket is created with
socket(PF_INET, SOCK_DGRAM, PROT_ICMP)
Message identifiers (octets 4-5 of ICMP header) are interpreted as local
ports. Addresses are stored in struct sockaddr_in. No port numbers are
reserved for privileged processes, port 0 is reserved for API ("let the
kernel pick a free number"). There is no notion of remote ports, remote
port numbers provided by the user (e.g. in connect()) are ignored.
Data sent and received include ICMP headers. This is deliberate to:
1) Avoid the need to transport headers values like sequence numbers by
other means.
2) Make it easier to port existing programs using raw sockets.
ICMP headers given to send() are checked and sanitized. The type must be
ICMP_ECHO and the code must be zero (future extensions might relax this,
see below). The id is set to the number (local port) of the socket, the
checksum is always recomputed.
ICMP reply packets received from the network are demultiplexed according
to their id's, and are returned by recv() without any modifications.
IP header information and ICMP errors of those packets may be obtained
via ancillary data (IP_RECVTTL, IP_RETOPTS, and IP_RECVERR). ICMP source
quenches and redirects are reported as fake errors via the error queue
(IP_RECVERR); the next hop address for redirects is saved to ee_info (in
network order).
socket(2) is restricted to the group range specified in
"/proc/sys/net/ipv4/ping_group_range". It is "1 0" by default, meaning
that nobody (not even root) may create ping sockets. Setting it to "100
100" would grant permissions to the single group (to either make
/sbin/ping g+s and owned by this group or to grant permissions to the
"netadmins" group), "0 4294967295" would enable it for the world, "100
4294967295" would enable it for the users, but not daemons.
The existing code might be (in the unlikely case anyone needs it)
extended rather easily to handle other similar pairs of ICMP messages
(Timestamp/Reply, Information Request/Reply, Address Mask Request/Reply
etc.).
Userspace ping util & patch for it:
http://openwall.info/wiki/people/segoon/ping
For Openwall GNU/*/Linux it was the last step on the road to the
setuid-less distro. A revision of this patch (for RHEL5/OpenVZ kernels)
is in use in Owl-current, such as in the 2011/03/12 LiveCD ISOs:
http://mirrors.kernel.org/openwall/Owl/current/iso/
Initially this functionality was written by Pavel Kankovsky for
Linux 2.4.32, but unfortunately it was never made public.
All ping options (-b, -p, -Q, -R, -s, -t, -T, -M, -I), are tested with
the patch.
PATCH v3:
- switched to flowi4.
- minor changes to be consistent with raw sockets code.
PATCH v2:
- changed ping_debug() to pr_debug().
- removed CONFIG_IP_PING.
- removed ping_seq_fops.owner field (unused for procfs).
- switched to proc_net_fops_create().
- switched to %pK in seq_printf().
PATCH v1:
- fixed checksumming bug.
- CAP_NET_RAW may not create icmp sockets anymore.
RFC v2:
- minor cleanups.
- introduced sysctl'able group range to restrict socket(2).
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-05-13 14:01:00 +04:00
# include <net/ping.h>
2005-04-17 02:20:36 +04:00
# include <linux/skbuff.h>
# include <net/sock.h>
# include <linux/errno.h>
# include <linux/timer.h>
# include <linux/init.h>
2016-12-24 22:46:01 +03:00
# include <linux/uaccess.h>
2005-04-17 02:20:36 +04:00
# include <net/checksum.h>
2007-12-12 21:44:43 +03:00
# include <net/xfrm.h>
2008-04-04 01:29:00 +04:00
# include <net/inet_common.h>
2012-06-28 14:59:11 +04:00
# include <net/ip_fib.h>
2015-09-30 06:07:13 +03:00
# include <net/l3mdev.h>
2005-04-17 02:20:36 +04:00
/*
* Build xmit assembly blocks
*/
struct icmp_bxm {
struct sk_buff * skb ;
int offset ;
int data_len ;
struct {
struct icmphdr icmph ;
2006-09-28 05:38:30 +04:00
__be32 times [ 3 ] ;
2005-04-17 02:20:36 +04:00
} data ;
int head_len ;
2011-04-21 13:45:37 +04:00
struct ip_options_data replyopts ;
2005-04-17 02:20:36 +04:00
} ;
/* An array of errno for error messages from dest unreach. */
/* RFC 1122: 3.2.2.1 States that NET_UNREACH, HOST_UNREACH and SR_FAILED MUST be considered 'transient errs'. */
2010-01-22 13:18:25 +03:00
const struct icmp_err icmp_err_convert [ ] = {
2005-04-17 02:20:36 +04:00
{
. errno = ENETUNREACH , /* ICMP_NET_UNREACH */
. fatal = 0 ,
} ,
{
. errno = EHOSTUNREACH , /* ICMP_HOST_UNREACH */
. fatal = 0 ,
} ,
{
. errno = ENOPROTOOPT /* ICMP_PROT_UNREACH */ ,
. fatal = 1 ,
} ,
{
. errno = ECONNREFUSED , /* ICMP_PORT_UNREACH */
. fatal = 1 ,
} ,
{
. errno = EMSGSIZE , /* ICMP_FRAG_NEEDED */
. fatal = 0 ,
} ,
{
. errno = EOPNOTSUPP , /* ICMP_SR_FAILED */
. fatal = 0 ,
} ,
{
. errno = ENETUNREACH , /* ICMP_NET_UNKNOWN */
. fatal = 1 ,
} ,
{
. errno = EHOSTDOWN , /* ICMP_HOST_UNKNOWN */
. fatal = 1 ,
} ,
{
. errno = ENONET , /* ICMP_HOST_ISOLATED */
. fatal = 1 ,
} ,
{
. errno = ENETUNREACH , /* ICMP_NET_ANO */
. fatal = 1 ,
} ,
{
. errno = EHOSTUNREACH , /* ICMP_HOST_ANO */
. fatal = 1 ,
} ,
{
. errno = ENETUNREACH , /* ICMP_NET_UNR_TOS */
. fatal = 0 ,
} ,
{
. errno = EHOSTUNREACH , /* ICMP_HOST_UNR_TOS */
. fatal = 0 ,
} ,
{
. errno = EHOSTUNREACH , /* ICMP_PKT_FILTERED */
. fatal = 1 ,
} ,
{
. errno = EHOSTUNREACH , /* ICMP_PREC_VIOLATION */
. fatal = 1 ,
} ,
{
. errno = EHOSTUNREACH , /* ICMP_PREC_CUTOFF */
. fatal = 1 ,
} ,
} ;
2010-07-10 01:22:10 +04:00
EXPORT_SYMBOL ( icmp_err_convert ) ;
2005-04-17 02:20:36 +04:00
/*
* ICMP control array . This specifies what to do with each ICMP .
*/
struct icmp_control {
2022-04-07 09:20:52 +03:00
enum skb_drop_reason ( * handler ) ( struct sk_buff * skb ) ;
2005-04-17 02:20:36 +04:00
short error ; /* This ICMP is classed as an error message */
} ;
2005-11-30 03:21:38 +03:00
static const struct icmp_control icmp_pointers [ NR_ICMP_TYPES + 1 ] ;
2005-04-17 02:20:36 +04:00
2022-01-24 23:24:55 +03:00
static DEFINE_PER_CPU ( struct sock * , ipv4_icmp_sk ) ;
2005-04-17 02:20:36 +04:00
2017-01-09 18:04:14 +03:00
/* Called with BH disabled */
2008-08-23 15:43:33 +04:00
static inline struct sock * icmp_xmit_lock ( struct net * net )
2005-04-17 02:20:36 +04:00
{
2008-08-23 15:43:33 +04:00
struct sock * sk ;
2022-01-24 23:24:55 +03:00
sk = this_cpu_read ( ipv4_icmp_sk ) ;
2008-08-23 15:43:33 +04:00
2008-02-29 22:16:46 +03:00
if ( unlikely ( ! spin_trylock ( & sk - > sk_lock . slock ) ) ) {
2005-04-17 02:20:36 +04:00
/* This can happen if the output path signals a
* dst_link_failure ( ) for an outgoing ICMP packet .
*/
2008-08-23 15:43:33 +04:00
return NULL ;
2005-04-17 02:20:36 +04:00
}
2022-01-24 23:24:55 +03:00
sock_net_set ( sk , net ) ;
2008-08-23 15:43:33 +04:00
return sk ;
2005-04-17 02:20:36 +04:00
}
2008-02-29 22:16:46 +03:00
static inline void icmp_xmit_unlock ( struct sock * sk )
2005-04-17 02:20:36 +04:00
{
2022-01-24 23:24:55 +03:00
sock_net_set ( sk , & init_net ) ;
2017-01-09 18:04:14 +03:00
spin_unlock ( & sk - > sk_lock . slock ) ;
2005-04-17 02:20:36 +04:00
}
2014-09-19 18:38:40 +04:00
int sysctl_icmp_msgs_per_sec __read_mostly = 1000 ;
int sysctl_icmp_msgs_burst __read_mostly = 50 ;
static struct {
spinlock_t lock ;
u32 credit ;
u32 stamp ;
} icmp_global = {
. lock = __SPIN_LOCK_UNLOCKED ( icmp_global . lock ) ,
} ;
/**
* icmp_global_allow - Are we allowed to send one more ICMP message ?
*
2020-10-15 21:42:00 +03:00
* Uses a token bucket to limit our ICMP messages to ~ sysctl_icmp_msgs_per_sec .
2014-09-19 18:38:40 +04:00
* Returns false if we reached the limit and can not send another packet .
* Note : called with BH disabled
*/
bool icmp_global_allow ( void )
{
u32 credit , delta , incr = 0 , now = ( u32 ) jiffies ;
bool rc = false ;
/* Check if token bucket is empty and cannot be refilled
2019-11-08 21:34:47 +03:00
* without taking the spinlock . The READ_ONCE ( ) are paired
* with the following WRITE_ONCE ( ) in this same function .
2014-09-19 18:38:40 +04:00
*/
2019-11-08 21:34:47 +03:00
if ( ! READ_ONCE ( icmp_global . credit ) ) {
delta = min_t ( u32 , now - READ_ONCE ( icmp_global . stamp ) , HZ ) ;
2014-09-19 18:38:40 +04:00
if ( delta < HZ / 50 )
return false ;
}
spin_lock ( & icmp_global . lock ) ;
delta = min_t ( u32 , now - icmp_global . stamp , HZ ) ;
if ( delta > = HZ / 50 ) {
2022-07-07 02:40:02 +03:00
incr = READ_ONCE ( sysctl_icmp_msgs_per_sec ) * delta / HZ ;
2014-09-19 18:38:40 +04:00
if ( incr )
2019-11-08 21:34:47 +03:00
WRITE_ONCE ( icmp_global . stamp , now ) ;
2014-09-19 18:38:40 +04:00
}
2022-07-07 02:40:02 +03:00
credit = min_t ( u32 , icmp_global . credit + incr ,
READ_ONCE ( sysctl_icmp_msgs_burst ) ) ;
2014-09-19 18:38:40 +04:00
if ( credit ) {
2020-10-15 21:42:00 +03:00
/* We want to use a credit of one in average, but need to randomize
* it for security reasons .
*/
2022-10-10 05:44:02 +03:00
credit = max_t ( int , credit - get_random_u32_below ( 3 ) , 0 ) ;
2014-09-19 18:38:40 +04:00
rc = true ;
}
2019-11-08 21:34:47 +03:00
WRITE_ONCE ( icmp_global . credit , credit ) ;
2014-09-19 18:38:40 +04:00
spin_unlock ( & icmp_global . lock ) ;
return rc ;
}
EXPORT_SYMBOL ( icmp_global_allow ) ;
2017-01-09 18:04:09 +03:00
static bool icmpv4_mask_allow ( struct net * net , int type , int code )
{
if ( type > NR_ICMP_TYPES )
return true ;
/* Don't limit PMTU discovery. */
if ( type = = ICMP_DEST_UNREACH & & code = = ICMP_FRAG_NEEDED )
return true ;
/* Limit if icmp type is enabled in ratemask. */
2022-07-12 03:15:28 +03:00
if ( ! ( ( 1 < < type ) & READ_ONCE ( net - > ipv4 . sysctl_icmp_ratemask ) ) )
2017-01-09 18:04:09 +03:00
return true ;
return false ;
}
static bool icmpv4_global_allow ( struct net * net , int type , int code )
{
if ( icmpv4_mask_allow ( net , type , code ) )
return true ;
if ( icmp_global_allow ( ) )
return true ;
2023-01-25 03:16:52 +03:00
__ICMP_INC_STATS ( net , ICMP_MIB_RATELIMITGLOBAL ) ;
2017-01-09 18:04:09 +03:00
return false ;
}
2005-04-17 02:20:36 +04:00
/*
* Send an ICMP frame .
*/
2014-09-19 18:38:40 +04:00
static bool icmpv4_xrlim_allow ( struct net * net , struct rtable * rt ,
struct flowi4 * fl4 , int type , int code )
2005-04-17 02:20:36 +04:00
{
2010-06-11 10:31:35 +04:00
struct dst_entry * dst = & rt - > dst ;
2017-01-09 18:04:09 +03:00
struct inet_peer * peer ;
2011-02-05 02:55:25 +03:00
bool rc = true ;
2017-01-09 18:04:09 +03:00
int vif ;
2005-04-17 02:20:36 +04:00
2017-01-09 18:04:09 +03:00
if ( icmpv4_mask_allow ( net , type , code ) )
2005-04-17 02:20:36 +04:00
goto out ;
/* No rate limit on loopback */
if ( dst - > dev & & ( dst - > dev - > flags & IFF_LOOPBACK ) )
2007-02-09 17:24:47 +03:00
goto out ;
2005-04-17 02:20:36 +04:00
2017-01-09 18:04:09 +03:00
vif = l3mdev_master_ifindex ( dst - > dev ) ;
peer = inet_getpeer_v4 ( net - > ipv4 . peers , fl4 - > daddr , vif , 1 ) ;
2022-07-12 03:15:27 +03:00
rc = inet_peer_xrlim_allow ( peer ,
READ_ONCE ( net - > ipv4 . sysctl_icmp_ratelimit ) ) ;
2017-01-09 18:04:09 +03:00
if ( peer )
inet_putpeer ( peer ) ;
2005-04-17 02:20:36 +04:00
out :
2023-01-25 03:16:52 +03:00
if ( ! rc )
__ICMP_INC_STATS ( net , ICMP_MIB_RATELIMITHOST ) ;
2005-04-17 02:20:36 +04:00
return rc ;
}
/*
* Maintain the counters used in the SNMP statistics for outgoing ICMP
*/
2008-07-15 10:00:43 +04:00
void icmp_out_count ( struct net * net , unsigned char type )
2005-04-17 02:20:36 +04:00
{
2008-07-15 10:03:35 +04:00
ICMPMSGOUT_INC_STATS ( net , type ) ;
2008-07-15 10:02:35 +04:00
ICMP_INC_STATS ( net , ICMP_MIB_OUTMSGS ) ;
2005-04-17 02:20:36 +04:00
}
/*
* Checksum each fragment , and on the first include the headers and final
* checksum .
*/
static int icmp_glue_bits ( void * from , char * to , int offset , int len , int odd ,
struct sk_buff * skb )
{
2022-04-29 05:14:04 +03:00
struct icmp_bxm * icmp_param = from ;
2006-11-15 08:36:54 +03:00
__wsum csum ;
2005-04-17 02:20:36 +04:00
csum = skb_copy_and_csum_bits ( icmp_param - > skb ,
icmp_param - > offset + offset ,
2020-07-11 03:07:10 +03:00
to , len ) ;
2005-04-17 02:20:36 +04:00
skb - > csum = csum_block_add ( skb - > csum , csum , odd ) ;
if ( icmp_pointers [ icmp_param - > data . icmph . type ] . error )
nf_ct_attach ( skb , icmp_param - > skb ) ;
return 0 ;
}
2022-01-24 23:24:55 +03:00
static void icmp_push_reply ( struct sock * sk ,
struct icmp_bxm * icmp_param ,
2011-05-09 04:12:19 +04:00
struct flowi4 * fl4 ,
2008-11-25 02:52:46 +03:00
struct ipcm_cookie * ipc , struct rtable * * rt )
2005-04-17 02:20:36 +04:00
{
struct sk_buff * skb ;
2011-05-09 04:24:10 +04:00
if ( ip_append_data ( sk , fl4 , icmp_glue_bits , icmp_param ,
2007-02-09 17:24:47 +03:00
icmp_param - > data_len + icmp_param - > head_len ,
icmp_param - > head_len ,
2010-04-04 02:09:04 +04:00
ipc , rt , MSG_DONTWAIT ) < 0 ) {
2016-04-28 02:44:29 +03:00
__ICMP_INC_STATS ( sock_net ( sk ) , ICMP_MIB_OUTERRORS ) ;
2008-02-29 22:15:42 +03:00
ip_flush_pending_frames ( sk ) ;
2010-04-04 02:09:04 +04:00
} else if ( ( skb = skb_peek ( & sk - > sk_write_queue ) ) ! = NULL ) {
2007-03-13 20:43:18 +03:00
struct icmphdr * icmph = icmp_hdr ( skb ) ;
2020-07-11 03:10:34 +03:00
__wsum csum ;
2005-04-17 02:20:36 +04:00
struct sk_buff * skb1 ;
2020-07-11 03:10:34 +03:00
csum = csum_partial_copy_nocheck ( ( void * ) & icmp_param - > data ,
( char * ) icmph ,
2020-07-11 07:12:07 +03:00
icmp_param - > head_len ) ;
2008-02-29 22:15:42 +03:00
skb_queue_walk ( & sk - > sk_write_queue , skb1 ) {
2005-04-17 02:20:36 +04:00
csum = csum_add ( csum , skb1 - > csum ) ;
}
icmph - > checksum = csum_fold ( csum ) ;
skb - > ip_summed = CHECKSUM_NONE ;
2011-05-09 04:12:19 +04:00
ip_push_pending_frames ( sk , fl4 ) ;
2005-04-17 02:20:36 +04:00
}
}
/*
* Driving logic for building and sending ICMP messages .
*/
static void icmp_reply ( struct icmp_bxm * icmp_param , struct sk_buff * skb )
{
struct ipcm_cookie ipc ;
2009-06-02 09:14:27 +04:00
struct rtable * rt = skb_rtable ( skb ) ;
2010-06-11 10:31:35 +04:00
struct net * net = dev_net ( rt - > dst . dev ) ;
2011-05-09 04:12:19 +04:00
struct flowi4 fl4 ;
2008-08-23 15:43:33 +04:00
struct sock * sk ;
struct inet_sock * inet ;
2012-06-28 14:59:11 +04:00
__be32 daddr , saddr ;
2014-05-13 21:17:33 +04:00
u32 mark = IP4_REPLY_MARK ( net , skb - > mark ) ;
2017-01-09 18:04:09 +03:00
int type = icmp_param - > data . icmph . type ;
int code = icmp_param - > data . icmph . code ;
2005-04-17 02:20:36 +04:00
2017-08-03 19:07:06 +03:00
if ( ip_options_echo ( net , & icmp_param - > replyopts . opt . opt , skb ) )
2006-02-03 04:03:18 +03:00
return ;
2005-04-17 02:20:36 +04:00
2017-01-09 18:04:14 +03:00
/* Needed by both icmp_global_allow and icmp_xmit_lock */
local_bh_disable ( ) ;
2005-04-17 02:20:36 +04:00
2017-01-09 18:04:09 +03:00
/* global icmp_msgs_per_sec */
if ( ! icmpv4_global_allow ( net , type , code ) )
2017-01-09 18:04:14 +03:00
goto out_bh_enable ;
sk = icmp_xmit_lock ( net ) ;
if ( ! sk )
goto out_bh_enable ;
inet = inet_sk ( sk ) ;
2017-01-09 18:04:09 +03:00
2005-04-17 02:20:36 +04:00
icmp_param - > data . icmph . checksum = 0 ;
2018-07-06 17:12:54 +03:00
ipcm_init ( & ipc ) ;
2007-04-21 09:47:35 +04:00
inet - > tos = ip_hdr ( skb ) - > tos ;
2020-07-01 23:00:06 +03:00
ipc . sockc . mark = mark ;
2011-05-10 00:28:22 +04:00
daddr = ipc . addr = ip_hdr ( skb ) - > saddr ;
2012-06-28 14:59:11 +04:00
saddr = fib_compute_spec_dst ( skb ) ;
2013-09-24 17:43:09 +04:00
2011-04-21 13:45:37 +04:00
if ( icmp_param - > replyopts . opt . opt . optlen ) {
ipc . opt = & icmp_param - > replyopts . opt ;
if ( ipc . opt - > opt . srr )
daddr = icmp_param - > replyopts . opt . opt . faddr ;
2005-04-17 02:20:36 +04:00
}
2011-05-09 04:12:19 +04:00
memset ( & fl4 , 0 , sizeof ( fl4 ) ) ;
fl4 . daddr = daddr ;
2012-06-28 14:59:11 +04:00
fl4 . saddr = saddr ;
2014-05-13 21:17:33 +04:00
fl4 . flowi4_mark = mark ;
2016-11-03 20:23:43 +03:00
fl4 . flowi4_uid = sock_net_uid ( net , NULL ) ;
2011-05-09 04:12:19 +04:00
fl4 . flowi4_tos = RT_TOS ( ip_hdr ( skb ) - > tos ) ;
fl4 . flowi4_proto = IPPROTO_ICMP ;
2015-09-30 06:07:13 +03:00
fl4 . flowi4_oif = l3mdev_master_ifindex ( skb - > dev ) ;
2020-09-28 05:38:26 +03:00
security_skb_classify_flow ( skb , flowi4_to_flowi_common ( & fl4 ) ) ;
2011-05-09 04:12:19 +04:00
rt = ip_route_output_key ( net , & fl4 ) ;
if ( IS_ERR ( rt ) )
goto out_unlock ;
2017-01-09 18:04:09 +03:00
if ( icmpv4_xrlim_allow ( net , rt , & fl4 , type , code ) )
2022-01-24 23:24:55 +03:00
icmp_push_reply ( sk , icmp_param , & fl4 , & ipc , & rt ) ;
2005-04-17 02:20:36 +04:00
ip_rt_put ( rt ) ;
out_unlock :
2008-02-29 22:16:46 +03:00
icmp_xmit_unlock ( sk ) ;
2017-01-09 18:04:14 +03:00
out_bh_enable :
local_bh_enable ( ) ;
2005-04-17 02:20:36 +04:00
}
ipv4/icmp: l3mdev: Perform icmp error route lookup on source device routing table (v2)
As per RFC792, ICMP errors should be sent to the source host.
However, in configurations with Virtual Routing and Forwarding tables,
looking up which routing table to use is currently done by using the
destination net_device.
commit 9d1a6c4ea43e ("net: icmp_route_lookup should use rt dev to
determine L3 domain") changes the interface passed to
l3mdev_master_ifindex() and inet_addr_type_dev_table() from skb_in->dev
to skb_dst(skb_in)->dev. This effectively uses the destination device
rather than the source device for choosing which routing table should be
used to lookup where to send the ICMP error.
Therefore, if the source and destination interfaces are within separate
VRFs, or one in the global routing table and the other in a VRF, looking
up the source host in the destination interface's routing table will
fail if the destination interface's routing table contains no route to
the source host.
One observable effect of this issue is that traceroute does not work in
the following cases:
- Route leaking between global routing table and VRF
- Route leaking between VRFs
Preferably use the source device routing table when sending ICMP error
messages. If no source device is set, fall-back on the destination
device routing table. Else, use the main routing table (index 0).
[ It has been pointed out that a similar issue may exist with ICMP
errors triggered when forwarding between network namespaces. It would
be worthwhile to investigate, but is outside of the scope of this
investigation. ]
[ It has also been pointed out that a similar issue exists with
unreachable / fragmentation needed messages, which can be triggered by
changing the MTU of eth1 in r1 to 1400 and running:
ip netns exec h1 ping -s 1450 -Mdo -c1 172.16.2.2
Some investigation points to raw_icmp_error() and raw_err() as being
involved in this last scenario. The focus of this patch is TTL expired
ICMP messages, which go through icmp_route_lookup.
Investigation of failure modes related to raw_icmp_error() is beyond
this investigation's scope. ]
Fixes: 9d1a6c4ea43e ("net: icmp_route_lookup should use rt dev to determine L3 domain")
Link: https://tools.ietf.org/html/rfc792
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2020-10-12 17:50:14 +03:00
/*
* The device used for looking up which routing table to use for sending an ICMP
* error is preferably the source whenever it is set , which should ensure the
* icmp error can be sent to the source host , else lookup using the routing
* table of the destination device , else use the main routing table ( index 0 ) .
*/
static struct net_device * icmp_get_route_lookup_dev ( struct sk_buff * skb )
{
struct net_device * route_lookup_dev = NULL ;
if ( skb - > dev )
route_lookup_dev = skb - > dev ;
else if ( skb_dst ( skb ) )
route_lookup_dev = skb_dst ( skb ) - > dev ;
return route_lookup_dev ;
}
2011-05-09 04:12:19 +04:00
static struct rtable * icmp_route_lookup ( struct net * net ,
struct flowi4 * fl4 ,
struct sk_buff * skb_in ,
2011-04-22 08:53:02 +04:00
const struct iphdr * iph ,
2014-05-13 21:17:33 +04:00
__be32 saddr , u8 tos , u32 mark ,
2011-03-02 02:49:55 +03:00
int type , int code ,
struct icmp_bxm * param )
{
ipv4/icmp: l3mdev: Perform icmp error route lookup on source device routing table (v2)
As per RFC792, ICMP errors should be sent to the source host.
However, in configurations with Virtual Routing and Forwarding tables,
looking up which routing table to use is currently done by using the
destination net_device.
commit 9d1a6c4ea43e ("net: icmp_route_lookup should use rt dev to
determine L3 domain") changes the interface passed to
l3mdev_master_ifindex() and inet_addr_type_dev_table() from skb_in->dev
to skb_dst(skb_in)->dev. This effectively uses the destination device
rather than the source device for choosing which routing table should be
used to lookup where to send the ICMP error.
Therefore, if the source and destination interfaces are within separate
VRFs, or one in the global routing table and the other in a VRF, looking
up the source host in the destination interface's routing table will
fail if the destination interface's routing table contains no route to
the source host.
One observable effect of this issue is that traceroute does not work in
the following cases:
- Route leaking between global routing table and VRF
- Route leaking between VRFs
Preferably use the source device routing table when sending ICMP error
messages. If no source device is set, fall-back on the destination
device routing table. Else, use the main routing table (index 0).
[ It has been pointed out that a similar issue may exist with ICMP
errors triggered when forwarding between network namespaces. It would
be worthwhile to investigate, but is outside of the scope of this
investigation. ]
[ It has also been pointed out that a similar issue exists with
unreachable / fragmentation needed messages, which can be triggered by
changing the MTU of eth1 in r1 to 1400 and running:
ip netns exec h1 ping -s 1450 -Mdo -c1 172.16.2.2
Some investigation points to raw_icmp_error() and raw_err() as being
involved in this last scenario. The focus of this patch is TTL expired
ICMP messages, which go through icmp_route_lookup.
Investigation of failure modes related to raw_icmp_error() is beyond
this investigation's scope. ]
Fixes: 9d1a6c4ea43e ("net: icmp_route_lookup should use rt dev to determine L3 domain")
Link: https://tools.ietf.org/html/rfc792
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2020-10-12 17:50:14 +03:00
struct net_device * route_lookup_dev ;
2011-03-02 02:49:55 +03:00
struct rtable * rt , * rt2 ;
2011-07-22 17:22:10 +04:00
struct flowi4 fl4_dec ;
2011-03-02 02:49:55 +03:00
int err ;
2011-05-09 04:12:19 +04:00
memset ( fl4 , 0 , sizeof ( * fl4 ) ) ;
fl4 - > daddr = ( param - > replyopts . opt . opt . srr ?
param - > replyopts . opt . opt . faddr : iph - > saddr ) ;
fl4 - > saddr = saddr ;
2014-05-13 21:17:33 +04:00
fl4 - > flowi4_mark = mark ;
2016-11-03 20:23:43 +03:00
fl4 - > flowi4_uid = sock_net_uid ( net , NULL ) ;
2011-05-09 04:12:19 +04:00
fl4 - > flowi4_tos = RT_TOS ( tos ) ;
fl4 - > flowi4_proto = IPPROTO_ICMP ;
fl4 - > fl4_icmp_type = type ;
fl4 - > fl4_icmp_code = code ;
ipv4/icmp: l3mdev: Perform icmp error route lookup on source device routing table (v2)
As per RFC792, ICMP errors should be sent to the source host.
However, in configurations with Virtual Routing and Forwarding tables,
looking up which routing table to use is currently done by using the
destination net_device.
commit 9d1a6c4ea43e ("net: icmp_route_lookup should use rt dev to
determine L3 domain") changes the interface passed to
l3mdev_master_ifindex() and inet_addr_type_dev_table() from skb_in->dev
to skb_dst(skb_in)->dev. This effectively uses the destination device
rather than the source device for choosing which routing table should be
used to lookup where to send the ICMP error.
Therefore, if the source and destination interfaces are within separate
VRFs, or one in the global routing table and the other in a VRF, looking
up the source host in the destination interface's routing table will
fail if the destination interface's routing table contains no route to
the source host.
One observable effect of this issue is that traceroute does not work in
the following cases:
- Route leaking between global routing table and VRF
- Route leaking between VRFs
Preferably use the source device routing table when sending ICMP error
messages. If no source device is set, fall-back on the destination
device routing table. Else, use the main routing table (index 0).
[ It has been pointed out that a similar issue may exist with ICMP
errors triggered when forwarding between network namespaces. It would
be worthwhile to investigate, but is outside of the scope of this
investigation. ]
[ It has also been pointed out that a similar issue exists with
unreachable / fragmentation needed messages, which can be triggered by
changing the MTU of eth1 in r1 to 1400 and running:
ip netns exec h1 ping -s 1450 -Mdo -c1 172.16.2.2
Some investigation points to raw_icmp_error() and raw_err() as being
involved in this last scenario. The focus of this patch is TTL expired
ICMP messages, which go through icmp_route_lookup.
Investigation of failure modes related to raw_icmp_error() is beyond
this investigation's scope. ]
Fixes: 9d1a6c4ea43e ("net: icmp_route_lookup should use rt dev to determine L3 domain")
Link: https://tools.ietf.org/html/rfc792
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2020-10-12 17:50:14 +03:00
route_lookup_dev = icmp_get_route_lookup_dev ( skb_in ) ;
fl4 - > flowi4_oif = l3mdev_master_ifindex ( route_lookup_dev ) ;
2015-08-13 23:59:02 +03:00
2020-09-28 05:38:26 +03:00
security_skb_classify_flow ( skb_in , flowi4_to_flowi_common ( fl4 ) ) ;
2017-05-25 20:42:33 +03:00
rt = ip_route_output_key_hash ( net , fl4 , skb_in ) ;
2011-03-03 01:31:35 +03:00
if ( IS_ERR ( rt ) )
return rt ;
2011-03-02 02:49:55 +03:00
/* No need to clone since we're just using its address. */
rt2 = rt ;
2011-03-12 09:12:47 +03:00
rt = ( struct rtable * ) xfrm_lookup ( net , & rt - > dst ,
2011-05-09 04:12:19 +04:00
flowi4_to_flowi ( fl4 ) , NULL , 0 ) ;
2011-03-03 00:27:41 +03:00
if ( ! IS_ERR ( rt ) ) {
2011-03-02 02:49:55 +03:00
if ( rt ! = rt2 )
return rt ;
2011-03-03 00:27:41 +03:00
} else if ( PTR_ERR ( rt ) = = - EPERM ) {
2011-03-02 02:49:55 +03:00
rt = NULL ;
2011-03-03 00:27:41 +03:00
} else
return rt ;
2011-03-02 02:49:55 +03:00
2011-07-22 17:22:10 +04:00
err = xfrm_decode_session_reverse ( skb_in , flowi4_to_flowi ( & fl4_dec ) , AF_INET ) ;
2011-03-02 02:49:55 +03:00
if ( err )
goto relookup_failed ;
ipv4/icmp: l3mdev: Perform icmp error route lookup on source device routing table (v2)
As per RFC792, ICMP errors should be sent to the source host.
However, in configurations with Virtual Routing and Forwarding tables,
looking up which routing table to use is currently done by using the
destination net_device.
commit 9d1a6c4ea43e ("net: icmp_route_lookup should use rt dev to
determine L3 domain") changes the interface passed to
l3mdev_master_ifindex() and inet_addr_type_dev_table() from skb_in->dev
to skb_dst(skb_in)->dev. This effectively uses the destination device
rather than the source device for choosing which routing table should be
used to lookup where to send the ICMP error.
Therefore, if the source and destination interfaces are within separate
VRFs, or one in the global routing table and the other in a VRF, looking
up the source host in the destination interface's routing table will
fail if the destination interface's routing table contains no route to
the source host.
One observable effect of this issue is that traceroute does not work in
the following cases:
- Route leaking between global routing table and VRF
- Route leaking between VRFs
Preferably use the source device routing table when sending ICMP error
messages. If no source device is set, fall-back on the destination
device routing table. Else, use the main routing table (index 0).
[ It has been pointed out that a similar issue may exist with ICMP
errors triggered when forwarding between network namespaces. It would
be worthwhile to investigate, but is outside of the scope of this
investigation. ]
[ It has also been pointed out that a similar issue exists with
unreachable / fragmentation needed messages, which can be triggered by
changing the MTU of eth1 in r1 to 1400 and running:
ip netns exec h1 ping -s 1450 -Mdo -c1 172.16.2.2
Some investigation points to raw_icmp_error() and raw_err() as being
involved in this last scenario. The focus of this patch is TTL expired
ICMP messages, which go through icmp_route_lookup.
Investigation of failure modes related to raw_icmp_error() is beyond
this investigation's scope. ]
Fixes: 9d1a6c4ea43e ("net: icmp_route_lookup should use rt dev to determine L3 domain")
Link: https://tools.ietf.org/html/rfc792
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2020-10-12 17:50:14 +03:00
if ( inet_addr_type_dev_table ( net , route_lookup_dev ,
2015-08-13 23:59:05 +03:00
fl4_dec . saddr ) = = RTN_LOCAL ) {
2011-07-22 17:22:10 +04:00
rt2 = __ip_route_output_key ( net , & fl4_dec ) ;
2011-03-03 01:31:35 +03:00
if ( IS_ERR ( rt2 ) )
err = PTR_ERR ( rt2 ) ;
2011-03-02 02:49:55 +03:00
} else {
2011-03-12 09:12:47 +03:00
struct flowi4 fl4_2 = { } ;
2011-03-02 02:49:55 +03:00
unsigned long orefdst ;
2011-07-22 17:22:10 +04:00
fl4_2 . daddr = fl4_dec . saddr ;
2011-03-12 09:12:47 +03:00
rt2 = ip_route_output_key ( net , & fl4_2 ) ;
2011-03-03 01:31:35 +03:00
if ( IS_ERR ( rt2 ) ) {
err = PTR_ERR ( rt2 ) ;
2011-03-02 02:49:55 +03:00
goto relookup_failed ;
2011-03-03 01:31:35 +03:00
}
2011-03-02 02:49:55 +03:00
/* Ugh! */
orefdst = skb_in - > _skb_refdst ; /* save old refdst */
2015-07-21 11:43:55 +03:00
skb_dst_set ( skb_in , NULL ) ;
2011-07-22 17:22:10 +04:00
err = ip_route_input ( skb_in , fl4_dec . daddr , fl4_dec . saddr ,
2011-03-02 02:49:55 +03:00
RT_TOS ( tos ) , rt2 - > dst . dev ) ;
dst_release ( & rt2 - > dst ) ;
rt2 = skb_rtable ( skb_in ) ;
skb_in - > _skb_refdst = orefdst ; /* restore old refdst */
}
if ( err )
goto relookup_failed ;
2011-03-12 09:12:47 +03:00
rt2 = ( struct rtable * ) xfrm_lookup ( net , & rt2 - > dst ,
2011-07-22 17:22:10 +04:00
flowi4_to_flowi ( & fl4_dec ) , NULL ,
2011-03-12 09:12:47 +03:00
XFRM_LOOKUP_ICMP ) ;
2011-03-03 00:27:41 +03:00
if ( ! IS_ERR ( rt2 ) ) {
2011-03-02 02:49:55 +03:00
dst_release ( & rt - > dst ) ;
2011-07-22 17:22:10 +04:00
memcpy ( fl4 , & fl4_dec , sizeof ( * fl4 ) ) ;
2011-03-02 02:49:55 +03:00
rt = rt2 ;
2011-03-03 00:27:41 +03:00
} else if ( PTR_ERR ( rt2 ) = = - EPERM ) {
if ( rt )
dst_release ( & rt - > dst ) ;
return rt2 ;
} else {
err = PTR_ERR ( rt2 ) ;
goto relookup_failed ;
2011-03-02 02:49:55 +03:00
}
return rt ;
relookup_failed :
if ( rt )
return rt ;
return ERR_PTR ( err ) ;
}
2005-04-17 02:20:36 +04:00
/*
* Send an ICMP message in response to a situation
*
* RFC 1122 : 3.2 .2 MUST send at least the IP header and 8 bytes of header .
* MAY send more ( we do ) .
* MUST NOT change this header information .
* MUST NOT reply to a multicast / broadcast IP address .
* MUST NOT reply to a multicast / broadcast MAC address .
* MUST reply to only the first fragment .
*/
2019-02-25 19:24:15 +03:00
void __icmp_send ( struct sk_buff * skb_in , int type , int code , __be32 info ,
const struct ip_options * opt )
2005-04-17 02:20:36 +04:00
{
struct iphdr * iph ;
int room ;
2017-01-09 18:04:04 +03:00
struct icmp_bxm icmp_param ;
2009-06-02 09:14:27 +04:00
struct rtable * rt = skb_rtable ( skb_in ) ;
2005-04-17 02:20:36 +04:00
struct ipcm_cookie ipc ;
2011-05-09 04:12:19 +04:00
struct flowi4 fl4 ;
2006-09-27 08:27:54 +04:00
__be32 saddr ;
2005-04-17 02:20:36 +04:00
u8 tos ;
2014-05-13 21:17:33 +04:00
u32 mark ;
2008-01-23 10:50:57 +03:00
struct net * net ;
2008-02-29 22:19:58 +03:00
struct sock * sk ;
2005-04-17 02:20:36 +04:00
if ( ! rt )
goto out ;
2019-08-22 17:19:48 +03:00
if ( rt - > dst . dev )
net = dev_net ( rt - > dst . dev ) ;
else if ( skb_in - > dev )
net = dev_net ( skb_in - > dev ) ;
else
goto out ;
2005-04-17 02:20:36 +04:00
/*
* Find the original header . It is expected to be valid , of course .
* Check this , icmp_send is called from the most obscure devices
* sometimes .
*/
2007-04-21 09:47:35 +04:00
iph = ip_hdr ( skb_in ) ;
2005-04-17 02:20:36 +04:00
2007-04-20 07:29:13 +04:00
if ( ( u8 * ) iph < skb_in - > head | |
2013-05-29 00:34:27 +04:00
( skb_network_header ( skb_in ) + sizeof ( * iph ) ) >
skb_tail_pointer ( skb_in ) )
2005-04-17 02:20:36 +04:00
goto out ;
/*
* No replies to physical multicast / broadcast
*/
if ( skb_in - > pkt_type ! = PACKET_HOST )
goto out ;
/*
* Now check at the protocol level
*/
if ( rt - > rt_flags & ( RTCF_BROADCAST | RTCF_MULTICAST ) )
goto out ;
/*
* Only reply to fragment 0. We byte re - order the constant
* mask for efficiency .
*/
if ( iph - > frag_off & htons ( IP_OFFSET ) )
goto out ;
/*
* If we send an ICMP error to an ICMP error a mess would result . .
*/
if ( icmp_pointers [ type ] . error ) {
/*
* We are an error , check if we are replying to an
* ICMP error
*/
if ( iph - > protocol = = IPPROTO_ICMP ) {
u8 _inner_type , * itp ;
itp = skb_header_pointer ( skb_in ,
2007-04-11 07:50:43 +04:00
skb_network_header ( skb_in ) +
2005-04-17 02:20:36 +04:00
( iph - > ihl < < 2 ) +
offsetof ( struct icmphdr ,
type ) -
skb_in - > data ,
sizeof ( _inner_type ) ,
& _inner_type ) ;
2015-04-03 11:17:26 +03:00
if ( ! itp )
2005-04-17 02:20:36 +04:00
goto out ;
/*
* Assume any unknown ICMP type is an error . This
* isn ' t specified by the RFC , but think about it . .
*/
if ( * itp > NR_ICMP_TYPES | |
icmp_pointers [ * itp ] . error )
goto out ;
}
}
2017-01-09 18:04:14 +03:00
/* Needed by both icmp_global_allow and icmp_xmit_lock */
local_bh_disable ( ) ;
2017-01-09 18:04:09 +03:00
2017-06-14 14:27:37 +03:00
/* Check global sysctl_icmp_msgs_per_sec ratelimit, unless
* incoming dev is loopback . If outgoing dev change to not be
* loopback , then peer ratelimit still work ( in icmpv4_xrlim_allow )
*/
if ( ! ( skb_in - > dev & & ( skb_in - > dev - > flags & IFF_LOOPBACK ) ) & &
! icmpv4_global_allow ( net , type , code ) )
2017-01-09 18:04:14 +03:00
goto out_bh_enable ;
sk = icmp_xmit_lock ( net ) ;
if ( ! sk )
goto out_bh_enable ;
2005-04-17 02:20:36 +04:00
/*
* Construct source address and options .
*/
saddr = iph - > daddr ;
2015-10-14 15:25:53 +03:00
if ( ! ( rt - > rt_flags & RTCF_LOCAL ) ) {
2007-06-01 22:45:04 +04:00
struct net_device * dev = NULL ;
2009-11-01 22:31:03 +03:00
rcu_read_lock ( ) ;
2010-11-12 04:07:48 +03:00
if ( rt_is_input_route ( rt ) & &
2022-07-12 03:15:26 +03:00
READ_ONCE ( net - > ipv4 . sysctl_icmp_errors_use_inbound_ifaddr ) )
2012-07-24 03:29:00 +04:00
dev = dev_get_by_index_rcu ( net , inet_iif ( skb_in ) ) ;
2007-06-01 22:45:04 +04:00
2009-11-01 22:31:03 +03:00
if ( dev )
2019-11-01 03:44:13 +03:00
saddr = inet_select_addr ( dev , iph - > saddr ,
RT_SCOPE_LINK ) ;
2009-11-01 22:31:03 +03:00
else
2005-06-14 02:19:03 +04:00
saddr = 0 ;
2009-11-01 22:31:03 +03:00
rcu_read_unlock ( ) ;
2005-06-14 02:19:03 +04:00
}
2005-04-17 02:20:36 +04:00
2020-08-24 14:44:37 +03:00
tos = icmp_pointers [ type ] . error ? ( RT_TOS ( iph - > tos ) |
2005-04-17 02:20:36 +04:00
IPTOS_PREC_INTERNETCONTROL ) :
2020-08-24 14:44:37 +03:00
iph - > tos ;
2014-05-13 21:17:33 +04:00
mark = IP4_REPLY_MARK ( net , skb_in - > mark ) ;
2005-04-17 02:20:36 +04:00
2019-02-25 19:24:15 +03:00
if ( __ip_options_echo ( net , & icmp_param . replyopts . opt . opt , skb_in , opt ) )
2006-02-04 13:09:34 +03:00
goto out_unlock ;
2005-04-17 02:20:36 +04:00
/*
* Prepare data for ICMP header .
*/
2017-01-09 18:04:04 +03:00
icmp_param . data . icmph . type = type ;
icmp_param . data . icmph . code = code ;
icmp_param . data . icmph . un . gateway = info ;
icmp_param . data . icmph . checksum = 0 ;
icmp_param . skb = skb_in ;
icmp_param . offset = skb_network_offset ( skb_in ) ;
2008-02-29 22:16:46 +03:00
inet_sk ( sk ) - > tos = tos ;
2018-07-06 17:12:54 +03:00
ipcm_init ( & ipc ) ;
2005-04-17 02:20:36 +04:00
ipc . addr = iph - > saddr ;
2017-01-09 18:04:04 +03:00
ipc . opt = & icmp_param . replyopts . opt ;
2020-07-01 23:00:06 +03:00
ipc . sockc . mark = mark ;
2005-04-17 02:20:36 +04:00
2014-05-13 21:17:33 +04:00
rt = icmp_route_lookup ( net , & fl4 , skb_in , iph , saddr , tos , mark ,
2017-01-09 18:04:04 +03:00
type , code , & icmp_param ) ;
2011-03-02 02:49:55 +03:00
if ( IS_ERR ( rt ) )
goto out_unlock ;
2005-04-17 02:20:36 +04:00
2017-01-09 18:04:09 +03:00
/* peer icmp_ratelimit */
2011-05-19 02:42:43 +04:00
if ( ! icmpv4_xrlim_allow ( net , rt , & fl4 , type , code ) )
2005-04-17 02:20:36 +04:00
goto ende ;
/* RFC says return as much as we can without exceeding 576 bytes. */
2010-06-11 10:31:35 +04:00
room = dst_mtu ( & rt - > dst ) ;
2005-04-17 02:20:36 +04:00
if ( room > 576 )
room = 576 ;
2017-01-09 18:04:04 +03:00
room - = sizeof ( struct iphdr ) + icmp_param . replyopts . opt . opt . optlen ;
2005-04-17 02:20:36 +04:00
room - = sizeof ( struct icmphdr ) ;
2023-03-30 20:45:02 +03:00
/* Guard against tiny mtu. We need to include at least one
* IP network header for this message to make any sense .
*/
if ( room < = ( int ) sizeof ( struct iphdr ) )
goto ende ;
2005-04-17 02:20:36 +04:00
2017-01-09 18:04:04 +03:00
icmp_param . data_len = skb_in - > len - icmp_param . offset ;
if ( icmp_param . data_len > room )
icmp_param . data_len = room ;
icmp_param . head_len = sizeof ( struct icmphdr ) ;
2005-04-17 02:20:36 +04:00
icmp: don't send out ICMP messages with a source address of 0.0.0.0
When constructing ICMP response messages, the kernel will try to pick a
suitable source address for the outgoing packet. However, if no IPv4
addresses are configured on the system at all, this will fail and we end up
producing an ICMP message with a source address of 0.0.0.0. This can happen
on a box routing IPv4 traffic via v6 nexthops, for instance.
Since 0.0.0.0 is not generally routable on the internet, there's a good
chance that such ICMP messages will never make it back to the sender of the
original packet that the ICMP message was sent in response to. This, in
turn, can create connectivity and PMTUd problems for senders. Fortunately,
RFC7600 reserves a dummy address to be used as a source for ICMP
messages (192.0.0.8/32), so let's teach the kernel to substitute that
address as a last resort if the regular source address selection procedure
fails.
Below is a quick example reproducing this issue with network namespaces:
ip netns add ns0
ip l add type veth peer netns ns0
ip l set dev veth0 up
ip a add 10.0.0.1/24 dev veth0
ip a add fc00:dead:cafe:42::1/64 dev veth0
ip r add 10.1.0.0/24 via inet6 fc00:dead:cafe:42::2
ip -n ns0 l set dev veth0 up
ip -n ns0 a add fc00:dead:cafe:42::2/64 dev veth0
ip -n ns0 r add 10.0.0.0/24 via inet6 fc00:dead:cafe:42::1
ip netns exec ns0 sysctl -w net.ipv4.icmp_ratelimit=0
ip netns exec ns0 sysctl -w net.ipv4.ip_forward=1
tcpdump -tpni veth0 -c 2 icmp &
ping -w 1 10.1.0.1 > /dev/null
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on veth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
IP 10.0.0.1 > 10.1.0.1: ICMP echo request, id 29, seq 1, length 64
IP 0.0.0.0 > 10.0.0.1: ICMP net 10.1.0.1 unreachable, length 92
2 packets captured
2 packets received by filter
0 packets dropped by kernel
With this patch the above capture changes to:
IP 10.0.0.1 > 10.1.0.1: ICMP echo request, id 31127, seq 1, length 64
IP 192.0.0.8 > 10.0.0.1: ICMP net 10.1.0.1 unreachable, length 92
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Juliusz Chroboczek <jch@irif.fr>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2021-06-18 14:04:35 +03:00
/* if we don't have a source address at this point, fall back to the
* dummy address instead of sending out a packet with a source address
* of 0.0 .0 .0
*/
if ( ! fl4 . saddr )
fl4 . saddr = htonl ( INADDR_DUMMY ) ;
2022-01-24 23:24:55 +03:00
icmp_push_reply ( sk , & icmp_param , & fl4 , & ipc , & rt ) ;
2005-04-17 02:20:36 +04:00
ende :
ip_rt_put ( rt ) ;
out_unlock :
2008-02-29 22:16:46 +03:00
icmp_xmit_unlock ( sk ) ;
2017-01-09 18:04:14 +03:00
out_bh_enable :
local_bh_enable ( ) ;
2005-04-17 02:20:36 +04:00
out : ;
}
2019-02-25 19:24:15 +03:00
EXPORT_SYMBOL ( __icmp_send ) ;
2005-04-17 02:20:36 +04:00
2020-02-11 22:47:05 +03:00
# if IS_ENABLED(CONFIG_NF_NAT)
# include <net/netfilter/nf_conntrack.h>
void icmp_ndo_send ( struct sk_buff * skb_in , int type , int code , __be32 info )
{
struct sk_buff * cloned_skb = NULL ;
net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending
The icmp{,v6}_send functions make all sorts of use of skb->cb, casting
it with IPCB or IP6CB, assuming the skb to have come directly from the
inet layer. But when the packet comes from the ndo layer, especially
when forwarded, there's no telling what might be in skb->cb at that
point. As a result, the icmp sending code risks reading bogus memory
contents, which can result in nasty stack overflows such as this one
reported by a user:
panic+0x108/0x2ea
__stack_chk_fail+0x14/0x20
__icmp_send+0x5bd/0x5c0
icmp_ndo_send+0x148/0x160
In icmp_send, skb->cb is cast with IPCB and an ip_options struct is read
from it. The optlen parameter there is of particular note, as it can
induce writes beyond bounds. There are quite a few ways that can happen
in __ip_options_echo. For example:
// sptr/skb are attacker-controlled skb bytes
sptr = skb_network_header(skb);
// dptr/dopt points to stack memory allocated by __icmp_send
dptr = dopt->__data;
// sopt is the corrupt skb->cb in question
if (sopt->rr) {
optlen = sptr[sopt->rr+1]; // corrupt skb->cb + skb->data
soffset = sptr[sopt->rr+2]; // corrupt skb->cb + skb->data
// this now writes potentially attacker-controlled data, over
// flowing the stack:
memcpy(dptr, sptr+sopt->rr, optlen);
}
In the icmpv6_send case, the story is similar, but not as dire, as only
IP6CB(skb)->iif and IP6CB(skb)->dsthao are used. The dsthao case is
worse than the iif case, but it is passed to ipv6_find_tlv, which does
a bit of bounds checking on the value.
This is easy to simulate by doing a `memset(skb->cb, 0x41,
sizeof(skb->cb));` before calling icmp{,v6}_ndo_send, and it's only by
good fortune and the rarity of icmp sending from that context that we've
avoided reports like this until now. For example, in KASAN:
BUG: KASAN: stack-out-of-bounds in __ip_options_echo+0xa0e/0x12b0
Write of size 38 at addr ffff888006f1f80e by task ping/89
CPU: 2 PID: 89 Comm: ping Not tainted 5.10.0-rc7-debug+ #5
Call Trace:
dump_stack+0x9a/0xcc
print_address_description.constprop.0+0x1a/0x160
__kasan_report.cold+0x20/0x38
kasan_report+0x32/0x40
check_memory_region+0x145/0x1a0
memcpy+0x39/0x60
__ip_options_echo+0xa0e/0x12b0
__icmp_send+0x744/0x1700
Actually, out of the 4 drivers that do this, only gtp zeroed the cb for
the v4 case, while the rest did not. So this commit actually removes the
gtp-specific zeroing, while putting the code where it belongs in the
shared infrastructure of icmp{,v6}_ndo_send.
This commit fixes the issue by passing an empty IPCB or IP6CB along to
the functions that actually do the work. For the icmp_send, this was
already trivial, thanks to __icmp_send providing the plumbing function.
For icmpv6_send, this required a tiny bit of refactoring to make it
behave like the v4 case, after which it was straight forward.
Fixes: a2b78e9b2cac ("sunvnet: generate ICMP PTMUD messages for smaller port MTUs")
Reported-by: SinYu <liuxyon@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://lore.kernel.org/netdev/CAF=yD-LOF116aHub6RMe8vB8ZpnrrnoTdqhobEx+bvoA8AsP0w@mail.gmail.com/T/
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Link: https://lore.kernel.org/r/20210223131858.72082-1-Jason@zx2c4.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-02-23 16:18:58 +03:00
struct ip_options opts = { 0 } ;
2020-02-11 22:47:05 +03:00
enum ip_conntrack_info ctinfo ;
struct nf_conn * ct ;
__be32 orig_ip ;
ct = nf_ct_get ( skb_in , & ctinfo ) ;
if ( ! ct | | ! ( ct - > status & IPS_SRC_NAT ) ) {
net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending
The icmp{,v6}_send functions make all sorts of use of skb->cb, casting
it with IPCB or IP6CB, assuming the skb to have come directly from the
inet layer. But when the packet comes from the ndo layer, especially
when forwarded, there's no telling what might be in skb->cb at that
point. As a result, the icmp sending code risks reading bogus memory
contents, which can result in nasty stack overflows such as this one
reported by a user:
panic+0x108/0x2ea
__stack_chk_fail+0x14/0x20
__icmp_send+0x5bd/0x5c0
icmp_ndo_send+0x148/0x160
In icmp_send, skb->cb is cast with IPCB and an ip_options struct is read
from it. The optlen parameter there is of particular note, as it can
induce writes beyond bounds. There are quite a few ways that can happen
in __ip_options_echo. For example:
// sptr/skb are attacker-controlled skb bytes
sptr = skb_network_header(skb);
// dptr/dopt points to stack memory allocated by __icmp_send
dptr = dopt->__data;
// sopt is the corrupt skb->cb in question
if (sopt->rr) {
optlen = sptr[sopt->rr+1]; // corrupt skb->cb + skb->data
soffset = sptr[sopt->rr+2]; // corrupt skb->cb + skb->data
// this now writes potentially attacker-controlled data, over
// flowing the stack:
memcpy(dptr, sptr+sopt->rr, optlen);
}
In the icmpv6_send case, the story is similar, but not as dire, as only
IP6CB(skb)->iif and IP6CB(skb)->dsthao are used. The dsthao case is
worse than the iif case, but it is passed to ipv6_find_tlv, which does
a bit of bounds checking on the value.
This is easy to simulate by doing a `memset(skb->cb, 0x41,
sizeof(skb->cb));` before calling icmp{,v6}_ndo_send, and it's only by
good fortune and the rarity of icmp sending from that context that we've
avoided reports like this until now. For example, in KASAN:
BUG: KASAN: stack-out-of-bounds in __ip_options_echo+0xa0e/0x12b0
Write of size 38 at addr ffff888006f1f80e by task ping/89
CPU: 2 PID: 89 Comm: ping Not tainted 5.10.0-rc7-debug+ #5
Call Trace:
dump_stack+0x9a/0xcc
print_address_description.constprop.0+0x1a/0x160
__kasan_report.cold+0x20/0x38
kasan_report+0x32/0x40
check_memory_region+0x145/0x1a0
memcpy+0x39/0x60
__ip_options_echo+0xa0e/0x12b0
__icmp_send+0x744/0x1700
Actually, out of the 4 drivers that do this, only gtp zeroed the cb for
the v4 case, while the rest did not. So this commit actually removes the
gtp-specific zeroing, while putting the code where it belongs in the
shared infrastructure of icmp{,v6}_ndo_send.
This commit fixes the issue by passing an empty IPCB or IP6CB along to
the functions that actually do the work. For the icmp_send, this was
already trivial, thanks to __icmp_send providing the plumbing function.
For icmpv6_send, this required a tiny bit of refactoring to make it
behave like the v4 case, after which it was straight forward.
Fixes: a2b78e9b2cac ("sunvnet: generate ICMP PTMUD messages for smaller port MTUs")
Reported-by: SinYu <liuxyon@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://lore.kernel.org/netdev/CAF=yD-LOF116aHub6RMe8vB8ZpnrrnoTdqhobEx+bvoA8AsP0w@mail.gmail.com/T/
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Link: https://lore.kernel.org/r/20210223131858.72082-1-Jason@zx2c4.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-02-23 16:18:58 +03:00
__icmp_send ( skb_in , type , code , info , & opts ) ;
2020-02-11 22:47:05 +03:00
return ;
}
if ( skb_shared ( skb_in ) )
skb_in = cloned_skb = skb_clone ( skb_in , GFP_ATOMIC ) ;
if ( unlikely ( ! skb_in | | skb_network_header ( skb_in ) < skb_in - > head | |
( skb_network_header ( skb_in ) + sizeof ( struct iphdr ) ) >
skb_tail_pointer ( skb_in ) | | skb_ensure_writable ( skb_in ,
skb_network_offset ( skb_in ) + sizeof ( struct iphdr ) ) ) )
goto out ;
orig_ip = ip_hdr ( skb_in ) - > saddr ;
ip_hdr ( skb_in ) - > saddr = ct - > tuplehash [ 0 ] . tuple . src . u3 . ip ;
net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending
The icmp{,v6}_send functions make all sorts of use of skb->cb, casting
it with IPCB or IP6CB, assuming the skb to have come directly from the
inet layer. But when the packet comes from the ndo layer, especially
when forwarded, there's no telling what might be in skb->cb at that
point. As a result, the icmp sending code risks reading bogus memory
contents, which can result in nasty stack overflows such as this one
reported by a user:
panic+0x108/0x2ea
__stack_chk_fail+0x14/0x20
__icmp_send+0x5bd/0x5c0
icmp_ndo_send+0x148/0x160
In icmp_send, skb->cb is cast with IPCB and an ip_options struct is read
from it. The optlen parameter there is of particular note, as it can
induce writes beyond bounds. There are quite a few ways that can happen
in __ip_options_echo. For example:
// sptr/skb are attacker-controlled skb bytes
sptr = skb_network_header(skb);
// dptr/dopt points to stack memory allocated by __icmp_send
dptr = dopt->__data;
// sopt is the corrupt skb->cb in question
if (sopt->rr) {
optlen = sptr[sopt->rr+1]; // corrupt skb->cb + skb->data
soffset = sptr[sopt->rr+2]; // corrupt skb->cb + skb->data
// this now writes potentially attacker-controlled data, over
// flowing the stack:
memcpy(dptr, sptr+sopt->rr, optlen);
}
In the icmpv6_send case, the story is similar, but not as dire, as only
IP6CB(skb)->iif and IP6CB(skb)->dsthao are used. The dsthao case is
worse than the iif case, but it is passed to ipv6_find_tlv, which does
a bit of bounds checking on the value.
This is easy to simulate by doing a `memset(skb->cb, 0x41,
sizeof(skb->cb));` before calling icmp{,v6}_ndo_send, and it's only by
good fortune and the rarity of icmp sending from that context that we've
avoided reports like this until now. For example, in KASAN:
BUG: KASAN: stack-out-of-bounds in __ip_options_echo+0xa0e/0x12b0
Write of size 38 at addr ffff888006f1f80e by task ping/89
CPU: 2 PID: 89 Comm: ping Not tainted 5.10.0-rc7-debug+ #5
Call Trace:
dump_stack+0x9a/0xcc
print_address_description.constprop.0+0x1a/0x160
__kasan_report.cold+0x20/0x38
kasan_report+0x32/0x40
check_memory_region+0x145/0x1a0
memcpy+0x39/0x60
__ip_options_echo+0xa0e/0x12b0
__icmp_send+0x744/0x1700
Actually, out of the 4 drivers that do this, only gtp zeroed the cb for
the v4 case, while the rest did not. So this commit actually removes the
gtp-specific zeroing, while putting the code where it belongs in the
shared infrastructure of icmp{,v6}_ndo_send.
This commit fixes the issue by passing an empty IPCB or IP6CB along to
the functions that actually do the work. For the icmp_send, this was
already trivial, thanks to __icmp_send providing the plumbing function.
For icmpv6_send, this required a tiny bit of refactoring to make it
behave like the v4 case, after which it was straight forward.
Fixes: a2b78e9b2cac ("sunvnet: generate ICMP PTMUD messages for smaller port MTUs")
Reported-by: SinYu <liuxyon@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://lore.kernel.org/netdev/CAF=yD-LOF116aHub6RMe8vB8ZpnrrnoTdqhobEx+bvoA8AsP0w@mail.gmail.com/T/
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Link: https://lore.kernel.org/r/20210223131858.72082-1-Jason@zx2c4.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-02-23 16:18:58 +03:00
__icmp_send ( skb_in , type , code , info , & opts ) ;
2020-02-11 22:47:05 +03:00
ip_hdr ( skb_in ) - > saddr = orig_ip ;
out :
consume_skb ( cloned_skb ) ;
}
EXPORT_SYMBOL ( icmp_ndo_send ) ;
# endif
2005-04-17 02:20:36 +04:00
2012-07-12 05:32:17 +04:00
static void icmp_socket_deliver ( struct sk_buff * skb , u32 info )
{
2020-08-29 12:21:30 +03:00
const struct iphdr * iph = ( const struct iphdr * ) skb - > data ;
2012-07-12 05:32:17 +04:00
const struct net_protocol * ipprot ;
int protocol = iph - > protocol ;
2012-07-12 19:06:04 +04:00
/* Checkin full IP header plus 8 bytes of protocol to
* avoid additional coding at protocol handlers .
*/
2014-07-31 13:54:32 +04:00
if ( ! pskb_may_pull ( skb , iph - > ihl * 4 + 8 ) ) {
2016-04-28 02:44:29 +03:00
__ICMP_INC_STATS ( dev_net ( skb - > dev ) , ICMP_MIB_INERRORS ) ;
2012-07-12 19:06:04 +04:00
return ;
2014-07-31 13:54:32 +04:00
}
2012-07-12 19:06:04 +04:00
2012-07-12 05:32:17 +04:00
raw_icmp_error ( skb , protocol , info ) ;
ipprot = rcu_dereference ( inet_protos [ protocol ] ) ;
if ( ipprot & & ipprot - > err_handler )
ipprot - > err_handler ( skb , info ) ;
}
2014-01-09 13:01:17 +04:00
static bool icmp_tag_validation ( int proto )
{
bool ok ;
rcu_read_lock ( ) ;
ok = rcu_dereference ( inet_protos [ proto ] ) - > icmp_strict_tag_validation ;
rcu_read_unlock ( ) ;
return ok ;
}
2005-04-17 02:20:36 +04:00
/*
icmp: don't fail on fragment reassembly time exceeded
The ICMP implementation currently replies to an ICMP time exceeded message
(type 11) with an ICMP host unreachable message (type 3, code 1).
However, time exceeded messages can either represent "time to live exceeded
in transit" (code 0) or "fragment reassembly time exceeded" (code 1).
Unconditionally replying to "fragment reassembly time exceeded" with
host unreachable messages might cause unjustified connection resets
which are now easily triggered as UFO has been removed, because, in turn,
sending large buffers triggers IP fragmentation.
The issue can be easily reproduced by running a lot of UDP streams
which is likely to trigger IP fragmentation:
# start netserver in the test namespace
ip netns add test
ip netns exec test netserver
# create a VETH pair
ip link add name veth0 type veth peer name veth0 netns test
ip link set veth0 up
ip -n test link set veth0 up
for i in $(seq 20 29); do
# assign addresses to both ends
ip addr add dev veth0 192.168.$i.1/24
ip -n test addr add dev veth0 192.168.$i.2/24
# start the traffic
netperf -L 192.168.$i.1 -H 192.168.$i.2 -t UDP_STREAM -l 0 &
done
# wait
send_data: data send error: No route to host (errno 113)
netperf: send_omni: send_data failed: No route to host
We need to differentiate instead: if fragment reassembly time exceeded
is reported, we need to silently drop the packet,
if time to live exceeded is reported, maintain the current behaviour.
In both cases increment the related error count "icmpInTimeExcds".
While at it, fix a typo in a comment, and convert the if statement
into a switch to mate it more readable.
Signed-off-by: Matteo Croce <mcroce@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-12 17:12:37 +03:00
* Handle ICMP_DEST_UNREACH , ICMP_TIME_EXCEEDED , ICMP_QUENCH , and
2013-06-03 04:23:25 +04:00
* ICMP_PARAMETERPROB .
2005-04-17 02:20:36 +04:00
*/
2022-04-07 09:20:52 +03:00
static enum skb_drop_reason icmp_unreach ( struct sk_buff * skb )
2005-04-17 02:20:36 +04:00
{
2022-04-07 09:20:52 +03:00
enum skb_drop_reason reason = SKB_NOT_DROPPED_YET ;
2011-04-22 08:53:02 +04:00
const struct iphdr * iph ;
2005-04-17 02:20:36 +04:00
struct icmphdr * icmph ;
2008-01-23 10:50:57 +03:00
struct net * net ;
2012-06-20 05:56:21 +04:00
u32 info = 0 ;
2008-01-23 10:50:57 +03:00
2009-06-02 09:19:30 +04:00
net = dev_net ( skb_dst ( skb ) - > dev ) ;
2005-04-17 02:20:36 +04:00
/*
* Incomplete header ?
* Only checks for the IP header , there should be an
* additional check for longer headers in upper levels .
*/
if ( ! pskb_may_pull ( skb , sizeof ( struct iphdr ) ) )
goto out_err ;
2007-03-13 20:43:18 +03:00
icmph = icmp_hdr ( skb ) ;
2011-04-22 08:53:02 +04:00
iph = ( const struct iphdr * ) skb - > data ;
2005-04-17 02:20:36 +04:00
2022-04-07 09:20:52 +03:00
if ( iph - > ihl < 5 ) { /* Mangled header, drop. */
reason = SKB_DROP_REASON_IP_INHDR ;
2005-04-17 02:20:36 +04:00
goto out_err ;
2022-04-07 09:20:52 +03:00
}
2005-04-17 02:20:36 +04:00
icmp: don't fail on fragment reassembly time exceeded
The ICMP implementation currently replies to an ICMP time exceeded message
(type 11) with an ICMP host unreachable message (type 3, code 1).
However, time exceeded messages can either represent "time to live exceeded
in transit" (code 0) or "fragment reassembly time exceeded" (code 1).
Unconditionally replying to "fragment reassembly time exceeded" with
host unreachable messages might cause unjustified connection resets
which are now easily triggered as UFO has been removed, because, in turn,
sending large buffers triggers IP fragmentation.
The issue can be easily reproduced by running a lot of UDP streams
which is likely to trigger IP fragmentation:
# start netserver in the test namespace
ip netns add test
ip netns exec test netserver
# create a VETH pair
ip link add name veth0 type veth peer name veth0 netns test
ip link set veth0 up
ip -n test link set veth0 up
for i in $(seq 20 29); do
# assign addresses to both ends
ip addr add dev veth0 192.168.$i.1/24
ip -n test addr add dev veth0 192.168.$i.2/24
# start the traffic
netperf -L 192.168.$i.1 -H 192.168.$i.2 -t UDP_STREAM -l 0 &
done
# wait
send_data: data send error: No route to host (errno 113)
netperf: send_omni: send_data failed: No route to host
We need to differentiate instead: if fragment reassembly time exceeded
is reported, we need to silently drop the packet,
if time to live exceeded is reported, maintain the current behaviour.
In both cases increment the related error count "icmpInTimeExcds".
While at it, fix a typo in a comment, and convert the if statement
into a switch to mate it more readable.
Signed-off-by: Matteo Croce <mcroce@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-12 17:12:37 +03:00
switch ( icmph - > type ) {
case ICMP_DEST_UNREACH :
2005-04-17 02:20:36 +04:00
switch ( icmph - > code & 15 ) {
case ICMP_NET_UNREACH :
case ICMP_HOST_UNREACH :
case ICMP_PROT_UNREACH :
case ICMP_PORT_UNREACH :
break ;
case ICMP_FRAG_NEEDED :
2014-01-09 13:01:17 +04:00
/* for documentation of the ip_no_pmtu_disc
* values please see
2020-04-28 01:01:49 +03:00
* Documentation / networking / ip - sysctl . rst
2014-01-09 13:01:17 +04:00
*/
2022-07-13 23:51:52 +03:00
switch ( READ_ONCE ( net - > ipv4 . sysctl_ip_no_pmtu_disc ) ) {
2014-01-09 13:01:17 +04:00
default :
2014-11-11 21:59:17 +03:00
net_dbg_ratelimited ( " %pI4: fragmentation needed and DF set \n " ,
& iph - > daddr ) ;
2014-01-09 13:01:17 +04:00
break ;
case 2 :
goto out ;
case 3 :
if ( ! icmp_tag_validation ( iph - > protocol ) )
goto out ;
2020-03-13 01:50:22 +03:00
fallthrough ;
2014-01-09 13:01:17 +04:00
case 0 :
2012-06-10 11:04:12 +04:00
info = ntohs ( icmph - > un . frag . mtu ) ;
2005-04-17 02:20:36 +04:00
}
break ;
case ICMP_SR_FAILED :
2014-11-11 21:59:17 +03:00
net_dbg_ratelimited ( " %pI4: Source Route Failed \n " ,
& iph - > daddr ) ;
2005-04-17 02:20:36 +04:00
break ;
default :
break ;
}
if ( icmph - > code > NR_ICMP_UNREACH )
goto out ;
icmp: don't fail on fragment reassembly time exceeded
The ICMP implementation currently replies to an ICMP time exceeded message
(type 11) with an ICMP host unreachable message (type 3, code 1).
However, time exceeded messages can either represent "time to live exceeded
in transit" (code 0) or "fragment reassembly time exceeded" (code 1).
Unconditionally replying to "fragment reassembly time exceeded" with
host unreachable messages might cause unjustified connection resets
which are now easily triggered as UFO has been removed, because, in turn,
sending large buffers triggers IP fragmentation.
The issue can be easily reproduced by running a lot of UDP streams
which is likely to trigger IP fragmentation:
# start netserver in the test namespace
ip netns add test
ip netns exec test netserver
# create a VETH pair
ip link add name veth0 type veth peer name veth0 netns test
ip link set veth0 up
ip -n test link set veth0 up
for i in $(seq 20 29); do
# assign addresses to both ends
ip addr add dev veth0 192.168.$i.1/24
ip -n test addr add dev veth0 192.168.$i.2/24
# start the traffic
netperf -L 192.168.$i.1 -H 192.168.$i.2 -t UDP_STREAM -l 0 &
done
# wait
send_data: data send error: No route to host (errno 113)
netperf: send_omni: send_data failed: No route to host
We need to differentiate instead: if fragment reassembly time exceeded
is reported, we need to silently drop the packet,
if time to live exceeded is reported, maintain the current behaviour.
In both cases increment the related error count "icmpInTimeExcds".
While at it, fix a typo in a comment, and convert the if statement
into a switch to mate it more readable.
Signed-off-by: Matteo Croce <mcroce@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-12 17:12:37 +03:00
break ;
case ICMP_PARAMETERPROB :
2005-04-17 02:20:36 +04:00
info = ntohl ( icmph - > un . gateway ) > > 24 ;
icmp: don't fail on fragment reassembly time exceeded
The ICMP implementation currently replies to an ICMP time exceeded message
(type 11) with an ICMP host unreachable message (type 3, code 1).
However, time exceeded messages can either represent "time to live exceeded
in transit" (code 0) or "fragment reassembly time exceeded" (code 1).
Unconditionally replying to "fragment reassembly time exceeded" with
host unreachable messages might cause unjustified connection resets
which are now easily triggered as UFO has been removed, because, in turn,
sending large buffers triggers IP fragmentation.
The issue can be easily reproduced by running a lot of UDP streams
which is likely to trigger IP fragmentation:
# start netserver in the test namespace
ip netns add test
ip netns exec test netserver
# create a VETH pair
ip link add name veth0 type veth peer name veth0 netns test
ip link set veth0 up
ip -n test link set veth0 up
for i in $(seq 20 29); do
# assign addresses to both ends
ip addr add dev veth0 192.168.$i.1/24
ip -n test addr add dev veth0 192.168.$i.2/24
# start the traffic
netperf -L 192.168.$i.1 -H 192.168.$i.2 -t UDP_STREAM -l 0 &
done
# wait
send_data: data send error: No route to host (errno 113)
netperf: send_omni: send_data failed: No route to host
We need to differentiate instead: if fragment reassembly time exceeded
is reported, we need to silently drop the packet,
if time to live exceeded is reported, maintain the current behaviour.
In both cases increment the related error count "icmpInTimeExcds".
While at it, fix a typo in a comment, and convert the if statement
into a switch to mate it more readable.
Signed-off-by: Matteo Croce <mcroce@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-12 17:12:37 +03:00
break ;
case ICMP_TIME_EXCEEDED :
__ICMP_INC_STATS ( net , ICMP_MIB_INTIMEEXCDS ) ;
if ( icmph - > code = = ICMP_EXC_FRAGTIME )
goto out ;
break ;
}
2005-04-17 02:20:36 +04:00
/*
* Throw it at our lower layers
*
* RFC 1122 : 3.2 .2 MUST extract the protocol ID from the passed
* header .
* RFC 1122 : 3.2 .2 .1 MUST pass ICMP unreach messages to the
* transport layer .
* RFC 1122 : 3.2 .2 .2 MUST pass ICMP time expired messages to
* transport layer .
*/
/*
2011-03-31 05:57:33 +04:00
* Check the other end isn ' t violating RFC 1122. Some routers send
2005-04-17 02:20:36 +04:00
* bogus responses to broadcast frames . If you see this message
* first check your netmask matches at both ends , if it does then
* get the other vendor to fix their kit .
*/
2022-07-12 03:15:25 +03:00
if ( ! READ_ONCE ( net - > ipv4 . sysctl_icmp_ignore_bogus_error_responses ) & &
2015-08-13 23:59:05 +03:00
inet_addr_type_dev_table ( net , skb - > dev , iph - > daddr ) = = RTN_BROADCAST ) {
2012-05-14 01:56:26 +04:00
net_warn_ratelimited ( " %pI4 sent an invalid ICMP type %u, code %u error to a broadcast: %pI4 on %s \n " ,
& ip_hdr ( skb ) - > saddr ,
icmph - > type , icmph - > code ,
& iph - > daddr , skb - > dev - > name ) ;
2005-04-17 02:20:36 +04:00
goto out ;
}
2012-07-12 05:32:17 +04:00
icmp_socket_deliver ( skb , info ) ;
2005-04-17 02:20:36 +04:00
out :
2022-04-07 09:20:52 +03:00
return reason ;
2005-04-17 02:20:36 +04:00
out_err :
2016-04-28 02:44:29 +03:00
__ICMP_INC_STATS ( net , ICMP_MIB_INERRORS ) ;
2022-04-07 09:20:52 +03:00
return reason ? : SKB_DROP_REASON_NOT_SPECIFIED ;
2005-04-17 02:20:36 +04:00
}
/*
* Handle ICMP_REDIRECT .
*/
2022-04-07 09:20:52 +03:00
static enum skb_drop_reason icmp_redirect ( struct sk_buff * skb )
2005-04-17 02:20:36 +04:00
{
2012-07-12 07:38:08 +04:00
if ( skb - > len < sizeof ( struct iphdr ) ) {
2016-04-28 02:44:29 +03:00
__ICMP_INC_STATS ( dev_net ( skb - > dev ) , ICMP_MIB_INERRORS ) ;
2022-04-07 09:20:52 +03:00
return SKB_DROP_REASON_PKT_TOO_SMALL ;
2012-07-12 07:38:08 +04:00
}
2005-04-17 02:20:36 +04:00
2014-11-18 01:04:29 +03:00
if ( ! pskb_may_pull ( skb , sizeof ( struct iphdr ) ) ) {
/* there aught to be a stat */
2022-04-07 09:20:52 +03:00
return SKB_DROP_REASON_NOMEM ;
2014-11-18 01:04:29 +03:00
}
net: ipv4: add IPPROTO_ICMP socket kind
This patch adds IPPROTO_ICMP socket kind. It makes it possible to send
ICMP_ECHO messages and receive the corresponding ICMP_ECHOREPLY messages
without any special privileges. In other words, the patch makes it
possible to implement setuid-less and CAP_NET_RAW-less /bin/ping. In
order not to increase the kernel's attack surface, the new functionality
is disabled by default, but is enabled at bootup by supporting Linux
distributions, optionally with restriction to a group or a group range
(see below).
Similar functionality is implemented in Mac OS X:
http://www.manpagez.com/man/4/icmp/
A new ping socket is created with
socket(PF_INET, SOCK_DGRAM, PROT_ICMP)
Message identifiers (octets 4-5 of ICMP header) are interpreted as local
ports. Addresses are stored in struct sockaddr_in. No port numbers are
reserved for privileged processes, port 0 is reserved for API ("let the
kernel pick a free number"). There is no notion of remote ports, remote
port numbers provided by the user (e.g. in connect()) are ignored.
Data sent and received include ICMP headers. This is deliberate to:
1) Avoid the need to transport headers values like sequence numbers by
other means.
2) Make it easier to port existing programs using raw sockets.
ICMP headers given to send() are checked and sanitized. The type must be
ICMP_ECHO and the code must be zero (future extensions might relax this,
see below). The id is set to the number (local port) of the socket, the
checksum is always recomputed.
ICMP reply packets received from the network are demultiplexed according
to their id's, and are returned by recv() without any modifications.
IP header information and ICMP errors of those packets may be obtained
via ancillary data (IP_RECVTTL, IP_RETOPTS, and IP_RECVERR). ICMP source
quenches and redirects are reported as fake errors via the error queue
(IP_RECVERR); the next hop address for redirects is saved to ee_info (in
network order).
socket(2) is restricted to the group range specified in
"/proc/sys/net/ipv4/ping_group_range". It is "1 0" by default, meaning
that nobody (not even root) may create ping sockets. Setting it to "100
100" would grant permissions to the single group (to either make
/sbin/ping g+s and owned by this group or to grant permissions to the
"netadmins" group), "0 4294967295" would enable it for the world, "100
4294967295" would enable it for the users, but not daemons.
The existing code might be (in the unlikely case anyone needs it)
extended rather easily to handle other similar pairs of ICMP messages
(Timestamp/Reply, Information Request/Reply, Address Mask Request/Reply
etc.).
Userspace ping util & patch for it:
http://openwall.info/wiki/people/segoon/ping
For Openwall GNU/*/Linux it was the last step on the road to the
setuid-less distro. A revision of this patch (for RHEL5/OpenVZ kernels)
is in use in Owl-current, such as in the 2011/03/12 LiveCD ISOs:
http://mirrors.kernel.org/openwall/Owl/current/iso/
Initially this functionality was written by Pavel Kankovsky for
Linux 2.4.32, but unfortunately it was never made public.
All ping options (-b, -p, -Q, -R, -s, -t, -T, -M, -I), are tested with
the patch.
PATCH v3:
- switched to flowi4.
- minor changes to be consistent with raw sockets code.
PATCH v2:
- changed ping_debug() to pr_debug().
- removed CONFIG_IP_PING.
- removed ping_seq_fops.owner field (unused for procfs).
- switched to proc_net_fops_create().
- switched to %pK in seq_printf().
PATCH v1:
- fixed checksumming bug.
- CAP_NET_RAW may not create icmp sockets anymore.
RFC v2:
- minor cleanups.
- introduced sysctl'able group range to restrict socket(2).
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-05-13 14:01:00 +04:00
2019-08-20 05:46:00 +03:00
icmp_socket_deliver ( skb , ntohl ( icmp_hdr ( skb ) - > un . gateway ) ) ;
2022-04-07 09:20:52 +03:00
return SKB_NOT_DROPPED_YET ;
2005-04-17 02:20:36 +04:00
}
/*
2021-03-30 04:45:51 +03:00
* Handle ICMP_ECHO ( " ping " ) and ICMP_EXT_ECHO ( " PROBE " ) requests .
2005-04-17 02:20:36 +04:00
*
* RFC 1122 : 3.2 .2 .6 MUST have an echo server that answers ICMP echo
* requests .
* RFC 1122 : 3.2 .2 .6 Data received in the ICMP_ECHO request MUST be
* included in the reply .
* RFC 1812 : 4.3 .3 .6 SHOULD have a config option for silently ignoring
* echo requests , MUST have default = NOT .
2021-03-30 04:45:51 +03:00
* RFC 8335 : 8 MUST have a config option to enable / disable ICMP
* Extended Echo Functionality , MUST be disabled by default
2005-04-17 02:20:36 +04:00
* See also WRT handling of options once they are done and working .
*/
2022-04-07 09:20:52 +03:00
static enum skb_drop_reason icmp_echo ( struct sk_buff * skb )
2005-04-17 02:20:36 +04:00
{
2021-03-30 04:45:51 +03:00
struct icmp_bxm icmp_param ;
2008-03-26 12:00:21 +03:00
struct net * net ;
2009-06-02 09:19:30 +04:00
net = dev_net ( skb_dst ( skb ) - > dev ) ;
2021-03-30 04:45:51 +03:00
/* should there be an ICMP stat for ignored echos? */
2022-07-12 03:15:22 +03:00
if ( READ_ONCE ( net - > ipv4 . sysctl_icmp_echo_ignore_all ) )
2022-04-07 09:20:52 +03:00
return SKB_NOT_DROPPED_YET ;
2021-03-30 04:45:51 +03:00
icmp_param . data . icmph = * icmp_hdr ( skb ) ;
icmp_param . skb = skb ;
icmp_param . offset = 0 ;
icmp_param . data_len = skb - > len ;
icmp_param . head_len = sizeof ( struct icmphdr ) ;
2005-04-17 02:20:36 +04:00
2021-06-26 17:07:46 +03:00
if ( icmp_param . data . icmph . type = = ICMP_ECHO )
2005-04-17 02:20:36 +04:00
icmp_param . data . icmph . type = ICMP_ECHOREPLY ;
2021-06-26 17:07:46 +03:00
else if ( ! icmp_build_probe ( skb , & icmp_param . data . icmph ) )
2022-04-07 09:20:52 +03:00
return SKB_NOT_DROPPED_YET ;
2021-06-26 17:07:46 +03:00
icmp_reply ( & icmp_param , skb ) ;
2022-04-07 09:20:52 +03:00
return SKB_NOT_DROPPED_YET ;
2021-06-26 17:07:46 +03:00
}
/* Helper for icmp_echo and icmpv6_echo_reply.
* Searches for net_device that matches PROBE interface identifier
* and builds PROBE reply message in icmphdr .
*
* Returns false if PROBE responses are disabled via sysctl
*/
bool icmp_build_probe ( struct sk_buff * skb , struct icmphdr * icmphdr )
{
struct icmp_ext_hdr * ext_hdr , _ext_hdr ;
struct icmp_ext_echo_iio * iio , _iio ;
struct net * net = dev_net ( skb - > dev ) ;
struct net_device * dev ;
char buff [ IFNAMSIZ ] ;
u16 ident_len ;
u8 status ;
2022-07-12 03:15:23 +03:00
if ( ! READ_ONCE ( net - > ipv4 . sysctl_icmp_echo_enable_probe ) )
2021-06-26 17:07:46 +03:00
return false ;
2021-03-30 04:45:51 +03:00
/* We currently only support probing interfaces on the proxy node
* Check to ensure L - bit is set
*/
2021-06-26 17:07:46 +03:00
if ( ! ( ntohs ( icmphdr - > un . echo . sequence ) & 1 ) )
return false ;
2021-03-30 04:45:51 +03:00
/* Clear status bits in reply message */
2021-06-26 17:07:46 +03:00
icmphdr - > un . echo . sequence & = htons ( 0xFF00 ) ;
if ( icmphdr - > type = = ICMP_EXT_ECHO )
icmphdr - > type = ICMP_EXT_ECHOREPLY ;
else
icmphdr - > type = ICMPV6_EXT_ECHO_REPLY ;
2021-03-30 04:45:51 +03:00
ext_hdr = skb_header_pointer ( skb , 0 , sizeof ( _ext_hdr ) , & _ext_hdr ) ;
/* Size of iio is class_type dependent.
* Only check header here and assign length based on ctype in the switch statement
*/
iio = skb_header_pointer ( skb , sizeof ( _ext_hdr ) , sizeof ( iio - > extobj_hdr ) , & _iio ) ;
if ( ! ext_hdr | | ! iio )
goto send_mal_query ;
icmp: fix icmp_ext_echo_iio parsing in icmp_build_probe
In icmp_build_probe(), the icmp_ext_echo_iio parsing should be done
step by step and skb_header_pointer() return value should always be
checked, this patch fixes 3 places in there:
- On case ICMP_EXT_ECHO_CTYPE_NAME, it should only copy ident.name
from skb by skb_header_pointer(), its len is ident_len. Besides,
the return value of skb_header_pointer() should always be checked.
- On case ICMP_EXT_ECHO_CTYPE_INDEX, move ident_len check ahead of
skb_header_pointer(), and also do the return value check for
skb_header_pointer().
- On case ICMP_EXT_ECHO_CTYPE_ADDR, before accessing iio->ident.addr.
ctype3_hdr.addrlen, skb_header_pointer() should be called first,
then check its return value and ident_len.
On subcases ICMP_AFI_IP and ICMP_AFI_IP6, also do check for ident.
addr.ctype3_hdr.addrlen and skb_header_pointer()'s return value.
On subcase ICMP_AFI_IP, the len for skb_header_pointer() should be
"sizeof(iio->extobj_hdr) + sizeof(iio->ident.addr.ctype3_hdr) +
sizeof(struct in_addr)" or "ident_len".
v1->v2:
- To make it more clear, call skb_header_pointer() once only for
iio->indent's parsing as Jakub Suggested.
v2->v3:
- The extobj_hdr.length check against sizeof(_iio) should be done
before calling skb_header_pointer(), as Eric noticed.
Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/31628dd76657ea62f5cf78bb55da6b35240831f1.1634205050.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-10-14 12:50:50 +03:00
if ( ntohs ( iio - > extobj_hdr . length ) < = sizeof ( iio - > extobj_hdr ) | |
ntohs ( iio - > extobj_hdr . length ) > sizeof ( _iio ) )
2021-03-30 04:45:51 +03:00
goto send_mal_query ;
ident_len = ntohs ( iio - > extobj_hdr . length ) - sizeof ( iio - > extobj_hdr ) ;
icmp: fix icmp_ext_echo_iio parsing in icmp_build_probe
In icmp_build_probe(), the icmp_ext_echo_iio parsing should be done
step by step and skb_header_pointer() return value should always be
checked, this patch fixes 3 places in there:
- On case ICMP_EXT_ECHO_CTYPE_NAME, it should only copy ident.name
from skb by skb_header_pointer(), its len is ident_len. Besides,
the return value of skb_header_pointer() should always be checked.
- On case ICMP_EXT_ECHO_CTYPE_INDEX, move ident_len check ahead of
skb_header_pointer(), and also do the return value check for
skb_header_pointer().
- On case ICMP_EXT_ECHO_CTYPE_ADDR, before accessing iio->ident.addr.
ctype3_hdr.addrlen, skb_header_pointer() should be called first,
then check its return value and ident_len.
On subcases ICMP_AFI_IP and ICMP_AFI_IP6, also do check for ident.
addr.ctype3_hdr.addrlen and skb_header_pointer()'s return value.
On subcase ICMP_AFI_IP, the len for skb_header_pointer() should be
"sizeof(iio->extobj_hdr) + sizeof(iio->ident.addr.ctype3_hdr) +
sizeof(struct in_addr)" or "ident_len".
v1->v2:
- To make it more clear, call skb_header_pointer() once only for
iio->indent's parsing as Jakub Suggested.
v2->v3:
- The extobj_hdr.length check against sizeof(_iio) should be done
before calling skb_header_pointer(), as Eric noticed.
Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/31628dd76657ea62f5cf78bb55da6b35240831f1.1634205050.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-10-14 12:50:50 +03:00
iio = skb_header_pointer ( skb , sizeof ( _ext_hdr ) ,
sizeof ( iio - > extobj_hdr ) + ident_len , & _iio ) ;
if ( ! iio )
goto send_mal_query ;
2021-03-30 04:45:51 +03:00
status = 0 ;
dev = NULL ;
switch ( iio - > extobj_hdr . class_type ) {
2021-04-27 18:36:35 +03:00
case ICMP_EXT_ECHO_CTYPE_NAME :
2021-03-30 04:45:51 +03:00
if ( ident_len > = IFNAMSIZ )
goto send_mal_query ;
memset ( buff , 0 , sizeof ( buff ) ) ;
memcpy ( buff , & iio - > ident . name , ident_len ) ;
dev = dev_get_by_name ( net , buff ) ;
break ;
2021-04-27 18:36:35 +03:00
case ICMP_EXT_ECHO_CTYPE_INDEX :
2021-03-30 04:45:51 +03:00
if ( ident_len ! = sizeof ( iio - > ident . ifindex ) )
goto send_mal_query ;
dev = dev_get_by_index ( net , ntohl ( iio - > ident . ifindex ) ) ;
break ;
2021-04-27 18:36:35 +03:00
case ICMP_EXT_ECHO_CTYPE_ADDR :
icmp: fix icmp_ext_echo_iio parsing in icmp_build_probe
In icmp_build_probe(), the icmp_ext_echo_iio parsing should be done
step by step and skb_header_pointer() return value should always be
checked, this patch fixes 3 places in there:
- On case ICMP_EXT_ECHO_CTYPE_NAME, it should only copy ident.name
from skb by skb_header_pointer(), its len is ident_len. Besides,
the return value of skb_header_pointer() should always be checked.
- On case ICMP_EXT_ECHO_CTYPE_INDEX, move ident_len check ahead of
skb_header_pointer(), and also do the return value check for
skb_header_pointer().
- On case ICMP_EXT_ECHO_CTYPE_ADDR, before accessing iio->ident.addr.
ctype3_hdr.addrlen, skb_header_pointer() should be called first,
then check its return value and ident_len.
On subcases ICMP_AFI_IP and ICMP_AFI_IP6, also do check for ident.
addr.ctype3_hdr.addrlen and skb_header_pointer()'s return value.
On subcase ICMP_AFI_IP, the len for skb_header_pointer() should be
"sizeof(iio->extobj_hdr) + sizeof(iio->ident.addr.ctype3_hdr) +
sizeof(struct in_addr)" or "ident_len".
v1->v2:
- To make it more clear, call skb_header_pointer() once only for
iio->indent's parsing as Jakub Suggested.
v2->v3:
- The extobj_hdr.length check against sizeof(_iio) should be done
before calling skb_header_pointer(), as Eric noticed.
Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/31628dd76657ea62f5cf78bb55da6b35240831f1.1634205050.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-10-14 12:50:50 +03:00
if ( ident_len < sizeof ( iio - > ident . addr . ctype3_hdr ) | |
ident_len ! = sizeof ( iio - > ident . addr . ctype3_hdr ) +
2021-03-30 04:45:51 +03:00
iio - > ident . addr . ctype3_hdr . addrlen )
goto send_mal_query ;
switch ( ntohs ( iio - > ident . addr . ctype3_hdr . afi ) ) {
case ICMP_AFI_IP :
icmp: fix icmp_ext_echo_iio parsing in icmp_build_probe
In icmp_build_probe(), the icmp_ext_echo_iio parsing should be done
step by step and skb_header_pointer() return value should always be
checked, this patch fixes 3 places in there:
- On case ICMP_EXT_ECHO_CTYPE_NAME, it should only copy ident.name
from skb by skb_header_pointer(), its len is ident_len. Besides,
the return value of skb_header_pointer() should always be checked.
- On case ICMP_EXT_ECHO_CTYPE_INDEX, move ident_len check ahead of
skb_header_pointer(), and also do the return value check for
skb_header_pointer().
- On case ICMP_EXT_ECHO_CTYPE_ADDR, before accessing iio->ident.addr.
ctype3_hdr.addrlen, skb_header_pointer() should be called first,
then check its return value and ident_len.
On subcases ICMP_AFI_IP and ICMP_AFI_IP6, also do check for ident.
addr.ctype3_hdr.addrlen and skb_header_pointer()'s return value.
On subcase ICMP_AFI_IP, the len for skb_header_pointer() should be
"sizeof(iio->extobj_hdr) + sizeof(iio->ident.addr.ctype3_hdr) +
sizeof(struct in_addr)" or "ident_len".
v1->v2:
- To make it more clear, call skb_header_pointer() once only for
iio->indent's parsing as Jakub Suggested.
v2->v3:
- The extobj_hdr.length check against sizeof(_iio) should be done
before calling skb_header_pointer(), as Eric noticed.
Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/31628dd76657ea62f5cf78bb55da6b35240831f1.1634205050.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-10-14 12:50:50 +03:00
if ( iio - > ident . addr . ctype3_hdr . addrlen ! = sizeof ( struct in_addr ) )
2021-03-30 04:45:51 +03:00
goto send_mal_query ;
2021-06-04 00:22:11 +03:00
dev = ip_dev_find ( net , iio - > ident . addr . ip_addr . ipv4_addr ) ;
2021-03-30 04:45:51 +03:00
break ;
# if IS_ENABLED(CONFIG_IPV6)
case ICMP_AFI_IP6 :
icmp: fix icmp_ext_echo_iio parsing in icmp_build_probe
In icmp_build_probe(), the icmp_ext_echo_iio parsing should be done
step by step and skb_header_pointer() return value should always be
checked, this patch fixes 3 places in there:
- On case ICMP_EXT_ECHO_CTYPE_NAME, it should only copy ident.name
from skb by skb_header_pointer(), its len is ident_len. Besides,
the return value of skb_header_pointer() should always be checked.
- On case ICMP_EXT_ECHO_CTYPE_INDEX, move ident_len check ahead of
skb_header_pointer(), and also do the return value check for
skb_header_pointer().
- On case ICMP_EXT_ECHO_CTYPE_ADDR, before accessing iio->ident.addr.
ctype3_hdr.addrlen, skb_header_pointer() should be called first,
then check its return value and ident_len.
On subcases ICMP_AFI_IP and ICMP_AFI_IP6, also do check for ident.
addr.ctype3_hdr.addrlen and skb_header_pointer()'s return value.
On subcase ICMP_AFI_IP, the len for skb_header_pointer() should be
"sizeof(iio->extobj_hdr) + sizeof(iio->ident.addr.ctype3_hdr) +
sizeof(struct in_addr)" or "ident_len".
v1->v2:
- To make it more clear, call skb_header_pointer() once only for
iio->indent's parsing as Jakub Suggested.
v2->v3:
- The extobj_hdr.length check against sizeof(_iio) should be done
before calling skb_header_pointer(), as Eric noticed.
Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/31628dd76657ea62f5cf78bb55da6b35240831f1.1634205050.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-10-14 12:50:50 +03:00
if ( iio - > ident . addr . ctype3_hdr . addrlen ! = sizeof ( struct in6_addr ) )
2021-03-30 04:45:51 +03:00
goto send_mal_query ;
dev = ipv6_stub - > ipv6_dev_find ( net , & iio - > ident . addr . ip_addr . ipv6_addr , dev ) ;
2021-08-05 14:55:27 +03:00
dev_hold ( dev ) ;
2021-03-30 04:45:51 +03:00
break ;
# endif
default :
goto send_mal_query ;
}
break ;
default :
goto send_mal_query ;
}
if ( ! dev ) {
2021-06-26 17:07:46 +03:00
icmphdr - > code = ICMP_EXT_CODE_NO_IF ;
return true ;
2021-03-30 04:45:51 +03:00
}
/* Fill bits in reply message */
if ( dev - > flags & IFF_UP )
2021-04-27 18:36:35 +03:00
status | = ICMP_EXT_ECHOREPLY_ACTIVE ;
2021-03-30 04:45:51 +03:00
if ( __in_dev_get_rcu ( dev ) & & __in_dev_get_rcu ( dev ) - > ifa_list )
2021-04-27 18:36:35 +03:00
status | = ICMP_EXT_ECHOREPLY_IPV4 ;
2021-03-30 04:45:51 +03:00
if ( ! list_empty ( & rcu_dereference ( dev - > ip6_ptr ) - > addr_list ) )
2021-04-27 18:36:35 +03:00
status | = ICMP_EXT_ECHOREPLY_IPV6 ;
2021-03-30 04:45:51 +03:00
dev_put ( dev ) ;
2021-06-26 17:07:46 +03:00
icmphdr - > un . echo . sequence | = htons ( status ) ;
return true ;
2021-03-30 04:45:51 +03:00
send_mal_query :
2021-06-26 17:07:46 +03:00
icmphdr - > code = ICMP_EXT_CODE_MAL_QUERY ;
return true ;
2005-04-17 02:20:36 +04:00
}
2021-06-26 17:07:46 +03:00
EXPORT_SYMBOL_GPL ( icmp_build_probe ) ;
2005-04-17 02:20:36 +04:00
/*
* Handle ICMP Timestamp requests .
* RFC 1122 : 3.2 .2 .8 MAY implement ICMP timestamp requests .
* SHOULD be in the kernel for minimum random latency .
* MUST be accurate to a few minutes .
* MUST be updated at least at 15 Hz .
*/
2022-04-07 09:20:52 +03:00
static enum skb_drop_reason icmp_timestamp ( struct sk_buff * skb )
2005-04-17 02:20:36 +04:00
{
struct icmp_bxm icmp_param ;
/*
* Too short .
*/
if ( skb - > len < 4 )
goto out_err ;
/*
* Fill in the current time as ms since midnight UT :
*/
2016-02-27 11:32:15 +03:00
icmp_param . data . times [ 1 ] = inet_current_timestamp ( ) ;
2005-04-17 02:20:36 +04:00
icmp_param . data . times [ 2 ] = icmp_param . data . times [ 1 ] ;
2017-10-23 21:08:14 +03:00
BUG_ON ( skb_copy_bits ( skb , 0 , & icmp_param . data . times [ 0 ] , 4 ) ) ;
2007-03-13 20:43:18 +03:00
icmp_param . data . icmph = * icmp_hdr ( skb ) ;
2005-04-17 02:20:36 +04:00
icmp_param . data . icmph . type = ICMP_TIMESTAMPREPLY ;
icmp_param . data . icmph . code = 0 ;
icmp_param . skb = skb ;
icmp_param . offset = 0 ;
icmp_param . data_len = 0 ;
icmp_param . head_len = sizeof ( struct icmphdr ) + 12 ;
icmp_reply ( & icmp_param , skb ) ;
2022-04-07 09:20:52 +03:00
return SKB_NOT_DROPPED_YET ;
2014-11-18 01:04:29 +03:00
2005-04-17 02:20:36 +04:00
out_err :
2016-04-28 02:44:29 +03:00
__ICMP_INC_STATS ( dev_net ( skb_dst ( skb ) - > dev ) , ICMP_MIB_INERRORS ) ;
2022-04-07 09:20:52 +03:00
return SKB_DROP_REASON_PKT_TOO_SMALL ;
2005-04-17 02:20:36 +04:00
}
2022-04-07 09:20:52 +03:00
static enum skb_drop_reason icmp_discard ( struct sk_buff * skb )
2005-04-17 02:20:36 +04:00
{
2014-11-18 01:04:29 +03:00
/* pretend it was a success */
2022-04-07 09:20:52 +03:00
return SKB_NOT_DROPPED_YET ;
2005-04-17 02:20:36 +04:00
}
/*
* Deal with incoming ICMP packets .
*/
int icmp_rcv ( struct sk_buff * skb )
{
2022-04-07 09:20:52 +03:00
enum skb_drop_reason reason = SKB_DROP_REASON_NOT_SPECIFIED ;
2009-06-02 09:14:27 +04:00
struct rtable * rt = skb_rtable ( skb ) ;
2010-06-11 10:31:35 +04:00
struct net * net = dev_net ( rt - > dst . dev ) ;
2022-04-07 09:20:52 +03:00
struct icmphdr * icmph ;
2005-04-17 02:20:36 +04:00
2007-12-13 05:54:16 +03:00
if ( ! xfrm4_policy_check ( NULL , XFRM_POLICY_IN , skb ) ) {
2008-10-28 23:24:06 +03:00
struct sec_path * sp = skb_sec_path ( skb ) ;
2007-12-12 21:44:43 +03:00
int nh ;
2008-10-28 23:24:06 +03:00
if ( ! ( sp & & sp - > xvec [ sp - > len - 1 ] - > props . flags &
2022-04-07 09:20:52 +03:00
XFRM_STATE_ICMP ) ) {
reason = SKB_DROP_REASON_XFRM_POLICY ;
2007-12-13 05:54:16 +03:00
goto drop ;
2022-04-07 09:20:52 +03:00
}
2007-12-13 05:54:16 +03:00
2007-12-12 21:44:43 +03:00
if ( ! pskb_may_pull ( skb , sizeof ( * icmph ) + sizeof ( struct iphdr ) ) )
goto drop ;
nh = skb_network_offset ( skb ) ;
skb_set_network_header ( skb , sizeof ( * icmph ) ) ;
2022-04-07 09:20:52 +03:00
if ( ! xfrm4_policy_check_reverse ( NULL , XFRM_POLICY_IN ,
skb ) ) {
reason = SKB_DROP_REASON_XFRM_POLICY ;
2007-12-12 21:44:43 +03:00
goto drop ;
2022-04-07 09:20:52 +03:00
}
2007-12-12 21:44:43 +03:00
skb_set_network_header ( skb , nh ) ;
}
2016-04-28 02:44:29 +03:00
__ICMP_INC_STATS ( net , ICMP_MIB_INMSGS ) ;
2005-04-17 02:20:36 +04:00
2014-05-08 03:52:21 +04:00
if ( skb_checksum_simple_validate ( skb ) )
goto csum_error ;
2005-04-17 02:20:36 +04:00
2008-02-05 14:15:50 +03:00
if ( ! pskb_pull ( skb , sizeof ( * icmph ) ) )
goto error ;
2005-04-17 02:20:36 +04:00
2007-03-13 20:43:18 +03:00
icmph = icmp_hdr ( skb ) ;
2005-04-17 02:20:36 +04:00
2016-04-28 02:44:33 +03:00
ICMPMSGIN_INC_STATS ( net , icmph - > type ) ;
2021-03-30 04:45:51 +03:00
/* Check for ICMP Extended Echo (PROBE) messages */
if ( icmph - > type = = ICMP_EXT_ECHO ) {
/* We can't use icmp_pointers[].handler() because it is an array of
* size NR_ICMP_TYPES + 1 ( 19 elements ) and PROBE has code 42.
*/
2022-04-07 09:20:52 +03:00
reason = icmp_echo ( skb ) ;
goto reason_check ;
2021-03-30 04:45:51 +03:00
}
2021-04-13 00:23:56 +03:00
if ( icmph - > type = = ICMP_EXT_ECHOREPLY ) {
2022-04-07 09:20:52 +03:00
reason = ping_rcv ( skb ) ;
goto reason_check ;
2021-04-13 00:23:56 +03:00
}
2005-04-17 02:20:36 +04:00
/*
* 18 is the highest ' known ' ICMP type . Anything else is a mystery
*
* RFC 1122 : 3.2 .2 Unknown ICMP messages types MUST be silently
* discarded .
*/
2022-04-07 09:20:52 +03:00
if ( icmph - > type > NR_ICMP_TYPES ) {
reason = SKB_DROP_REASON_UNHANDLED_PROTO ;
2005-04-17 02:20:36 +04:00
goto error ;
2022-04-07 09:20:52 +03:00
}
2005-04-17 02:20:36 +04:00
/*
* Parse the ICMP message
*/
2007-02-09 17:24:47 +03:00
if ( rt - > rt_flags & ( RTCF_BROADCAST | RTCF_MULTICAST ) ) {
2005-04-17 02:20:36 +04:00
/*
* RFC 1122 : 3.2 .2 .6 An ICMP_ECHO to broadcast MAY be
* silently ignored ( we let user decide with a sysctl ) .
* RFC 1122 : 3.2 .2 .8 An ICMP_TIMESTAMP MAY be silently
* discarded if to broadcast / multicast .
*/
2005-07-09 04:34:46 +04:00
if ( ( icmph - > type = = ICMP_ECHO | |
icmph - > type = = ICMP_TIMESTAMP ) & &
2022-07-12 03:15:24 +03:00
READ_ONCE ( net - > ipv4 . sysctl_icmp_echo_ignore_broadcasts ) ) {
2022-04-07 09:20:52 +03:00
reason = SKB_DROP_REASON_INVALID_PROTO ;
2005-04-17 02:20:36 +04:00
goto error ;
}
if ( icmph - > type ! = ICMP_ECHO & &
icmph - > type ! = ICMP_TIMESTAMP & &
icmph - > type ! = ICMP_ADDRESS & &
icmph - > type ! = ICMP_ADDRESSREPLY ) {
2022-04-07 09:20:52 +03:00
reason = SKB_DROP_REASON_INVALID_PROTO ;
2005-04-17 02:20:36 +04:00
goto error ;
2007-02-09 17:24:47 +03:00
}
2005-04-17 02:20:36 +04:00
}
2022-04-07 09:20:52 +03:00
reason = icmp_pointers [ icmph - > type ] . handler ( skb ) ;
reason_check :
if ( ! reason ) {
2014-11-18 01:04:29 +03:00
consume_skb ( skb ) ;
2016-12-07 09:52:53 +03:00
return NET_RX_SUCCESS ;
2014-11-18 01:04:29 +03:00
}
2005-04-17 02:20:36 +04:00
drop :
2022-04-07 09:20:52 +03:00
kfree_skb_reason ( skb , reason ) ;
2016-12-07 09:52:53 +03:00
return NET_RX_DROP ;
2013-04-29 12:39:56 +04:00
csum_error :
2022-04-07 09:20:52 +03:00
reason = SKB_DROP_REASON_ICMP_CSUM ;
2016-04-28 02:44:29 +03:00
__ICMP_INC_STATS ( net , ICMP_MIB_CSUMERRORS ) ;
2005-04-17 02:20:36 +04:00
error :
2016-04-28 02:44:29 +03:00
__ICMP_INC_STATS ( net , ICMP_MIB_INERRORS ) ;
2005-04-17 02:20:36 +04:00
goto drop ;
}
icmp: support rfc 4884
Add setsockopt SOL_IP/IP_RECVERR_4884 to return the offset to an
extension struct if present.
ICMP messages may include an extension structure after the original
datagram. RFC 4884 standardized this behavior. It stores the offset
in words to the extension header in u8 icmphdr.un.reserved[1].
The field is valid only for ICMP types destination unreachable, time
exceeded and parameter problem, if length is at least 128 bytes and
entire packet does not exceed 576 bytes.
Return the offset to the start of the extension struct when reading an
ICMP error from the error queue, if it matches the above constraints.
Do not return the raw u8 field. Return the offset from the start of
the user buffer, in bytes. The kernel does not return the network and
transport headers, so subtract those.
Also validate the headers. Return the offset regardless of validation,
as an invalid extension must still not be misinterpreted as part of
the original datagram. Note that !invalid does not imply valid. If
the extension version does not match, no validation can take place,
for instance.
For backward compatibility, make this optional, set by setsockopt
SOL_IP/IP_RECVERR_RFC4884. For API example and feature test, see
github.com/wdebruij/kerneltools/blob/master/tests/recv_icmp_v2.c
For forward compatibility, reserve only setsockopt value 1, leaving
other bits for additional icmp extensions.
Changes
v1->v2:
- convert word offset to byte offset from start of user buffer
- return in ee_data as u8 may be insufficient
- define extension struct and object header structs
- return len only if constraints met
- if returning len, also validate
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-07-10 16:29:02 +03:00
static bool ip_icmp_error_rfc4884_validate ( const struct sk_buff * skb , int off )
{
struct icmp_extobj_hdr * objh , _objh ;
struct icmp_ext_hdr * exth , _exth ;
u16 olen ;
exth = skb_header_pointer ( skb , off , sizeof ( _exth ) , & _exth ) ;
if ( ! exth )
return false ;
if ( exth - > version ! = 2 )
return true ;
if ( exth - > checksum & &
csum_fold ( skb_checksum ( skb , off , skb - > len - off , 0 ) ) )
return false ;
off + = sizeof ( _exth ) ;
while ( off < skb - > len ) {
objh = skb_header_pointer ( skb , off , sizeof ( _objh ) , & _objh ) ;
if ( ! objh )
return false ;
olen = ntohs ( objh - > length ) ;
if ( olen < sizeof ( _objh ) )
return false ;
off + = olen ;
if ( off > skb - > len )
return false ;
}
return true ;
}
void ip_icmp_error_rfc4884 ( const struct sk_buff * skb ,
2020-07-24 16:03:09 +03:00
struct sock_ee_data_rfc4884 * out ,
int thlen , int off )
icmp: support rfc 4884
Add setsockopt SOL_IP/IP_RECVERR_4884 to return the offset to an
extension struct if present.
ICMP messages may include an extension structure after the original
datagram. RFC 4884 standardized this behavior. It stores the offset
in words to the extension header in u8 icmphdr.un.reserved[1].
The field is valid only for ICMP types destination unreachable, time
exceeded and parameter problem, if length is at least 128 bytes and
entire packet does not exceed 576 bytes.
Return the offset to the start of the extension struct when reading an
ICMP error from the error queue, if it matches the above constraints.
Do not return the raw u8 field. Return the offset from the start of
the user buffer, in bytes. The kernel does not return the network and
transport headers, so subtract those.
Also validate the headers. Return the offset regardless of validation,
as an invalid extension must still not be misinterpreted as part of
the original datagram. Note that !invalid does not imply valid. If
the extension version does not match, no validation can take place,
for instance.
For backward compatibility, make this optional, set by setsockopt
SOL_IP/IP_RECVERR_RFC4884. For API example and feature test, see
github.com/wdebruij/kerneltools/blob/master/tests/recv_icmp_v2.c
For forward compatibility, reserve only setsockopt value 1, leaving
other bits for additional icmp extensions.
Changes
v1->v2:
- convert word offset to byte offset from start of user buffer
- return in ee_data as u8 may be insufficient
- define extension struct and object header structs
- return len only if constraints met
- if returning len, also validate
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-07-10 16:29:02 +03:00
{
2020-07-24 16:03:09 +03:00
int hlen ;
icmp: support rfc 4884
Add setsockopt SOL_IP/IP_RECVERR_4884 to return the offset to an
extension struct if present.
ICMP messages may include an extension structure after the original
datagram. RFC 4884 standardized this behavior. It stores the offset
in words to the extension header in u8 icmphdr.un.reserved[1].
The field is valid only for ICMP types destination unreachable, time
exceeded and parameter problem, if length is at least 128 bytes and
entire packet does not exceed 576 bytes.
Return the offset to the start of the extension struct when reading an
ICMP error from the error queue, if it matches the above constraints.
Do not return the raw u8 field. Return the offset from the start of
the user buffer, in bytes. The kernel does not return the network and
transport headers, so subtract those.
Also validate the headers. Return the offset regardless of validation,
as an invalid extension must still not be misinterpreted as part of
the original datagram. Note that !invalid does not imply valid. If
the extension version does not match, no validation can take place,
for instance.
For backward compatibility, make this optional, set by setsockopt
SOL_IP/IP_RECVERR_RFC4884. For API example and feature test, see
github.com/wdebruij/kerneltools/blob/master/tests/recv_icmp_v2.c
For forward compatibility, reserve only setsockopt value 1, leaving
other bits for additional icmp extensions.
Changes
v1->v2:
- convert word offset to byte offset from start of user buffer
- return in ee_data as u8 may be insufficient
- define extension struct and object header structs
- return len only if constraints met
- if returning len, also validate
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-07-10 16:29:02 +03:00
2020-07-24 16:03:08 +03:00
/* original datagram headers: end of icmph to payload (skb->data) */
2020-07-24 16:03:09 +03:00
hlen = - skb_transport_offset ( skb ) - thlen ;
icmp: support rfc 4884
Add setsockopt SOL_IP/IP_RECVERR_4884 to return the offset to an
extension struct if present.
ICMP messages may include an extension structure after the original
datagram. RFC 4884 standardized this behavior. It stores the offset
in words to the extension header in u8 icmphdr.un.reserved[1].
The field is valid only for ICMP types destination unreachable, time
exceeded and parameter problem, if length is at least 128 bytes and
entire packet does not exceed 576 bytes.
Return the offset to the start of the extension struct when reading an
ICMP error from the error queue, if it matches the above constraints.
Do not return the raw u8 field. Return the offset from the start of
the user buffer, in bytes. The kernel does not return the network and
transport headers, so subtract those.
Also validate the headers. Return the offset regardless of validation,
as an invalid extension must still not be misinterpreted as part of
the original datagram. Note that !invalid does not imply valid. If
the extension version does not match, no validation can take place,
for instance.
For backward compatibility, make this optional, set by setsockopt
SOL_IP/IP_RECVERR_RFC4884. For API example and feature test, see
github.com/wdebruij/kerneltools/blob/master/tests/recv_icmp_v2.c
For forward compatibility, reserve only setsockopt value 1, leaving
other bits for additional icmp extensions.
Changes
v1->v2:
- convert word offset to byte offset from start of user buffer
- return in ee_data as u8 may be insufficient
- define extension struct and object header structs
- return len only if constraints met
- if returning len, also validate
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-07-10 16:29:02 +03:00
/* per rfc 4884: minimal datagram length of 128 bytes */
2020-07-24 16:03:08 +03:00
if ( off < 128 | | off < hlen )
icmp: support rfc 4884
Add setsockopt SOL_IP/IP_RECVERR_4884 to return the offset to an
extension struct if present.
ICMP messages may include an extension structure after the original
datagram. RFC 4884 standardized this behavior. It stores the offset
in words to the extension header in u8 icmphdr.un.reserved[1].
The field is valid only for ICMP types destination unreachable, time
exceeded and parameter problem, if length is at least 128 bytes and
entire packet does not exceed 576 bytes.
Return the offset to the start of the extension struct when reading an
ICMP error from the error queue, if it matches the above constraints.
Do not return the raw u8 field. Return the offset from the start of
the user buffer, in bytes. The kernel does not return the network and
transport headers, so subtract those.
Also validate the headers. Return the offset regardless of validation,
as an invalid extension must still not be misinterpreted as part of
the original datagram. Note that !invalid does not imply valid. If
the extension version does not match, no validation can take place,
for instance.
For backward compatibility, make this optional, set by setsockopt
SOL_IP/IP_RECVERR_RFC4884. For API example and feature test, see
github.com/wdebruij/kerneltools/blob/master/tests/recv_icmp_v2.c
For forward compatibility, reserve only setsockopt value 1, leaving
other bits for additional icmp extensions.
Changes
v1->v2:
- convert word offset to byte offset from start of user buffer
- return in ee_data as u8 may be insufficient
- define extension struct and object header structs
- return len only if constraints met
- if returning len, also validate
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-07-10 16:29:02 +03:00
return ;
/* kernel has stripped headers: return payload offset in bytes */
off - = hlen ;
if ( off + sizeof ( struct icmp_ext_hdr ) > skb - > len )
return ;
out - > len = off ;
if ( ! ip_icmp_error_rfc4884_validate ( skb , off ) )
out - > flags | = SO_EE_RFC4884_FLAG_INVALID ;
}
2020-07-24 16:03:10 +03:00
EXPORT_SYMBOL_GPL ( ip_icmp_error_rfc4884 ) ;
icmp: support rfc 4884
Add setsockopt SOL_IP/IP_RECVERR_4884 to return the offset to an
extension struct if present.
ICMP messages may include an extension structure after the original
datagram. RFC 4884 standardized this behavior. It stores the offset
in words to the extension header in u8 icmphdr.un.reserved[1].
The field is valid only for ICMP types destination unreachable, time
exceeded and parameter problem, if length is at least 128 bytes and
entire packet does not exceed 576 bytes.
Return the offset to the start of the extension struct when reading an
ICMP error from the error queue, if it matches the above constraints.
Do not return the raw u8 field. Return the offset from the start of
the user buffer, in bytes. The kernel does not return the network and
transport headers, so subtract those.
Also validate the headers. Return the offset regardless of validation,
as an invalid extension must still not be misinterpreted as part of
the original datagram. Note that !invalid does not imply valid. If
the extension version does not match, no validation can take place,
for instance.
For backward compatibility, make this optional, set by setsockopt
SOL_IP/IP_RECVERR_RFC4884. For API example and feature test, see
github.com/wdebruij/kerneltools/blob/master/tests/recv_icmp_v2.c
For forward compatibility, reserve only setsockopt value 1, leaving
other bits for additional icmp extensions.
Changes
v1->v2:
- convert word offset to byte offset from start of user buffer
- return in ee_data as u8 may be insufficient
- define extension struct and object header structs
- return len only if constraints met
- if returning len, also validate
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-07-10 16:29:02 +03:00
2018-11-08 14:19:21 +03:00
int icmp_err ( struct sk_buff * skb , u32 info )
2013-02-22 02:18:44 +04:00
{
struct iphdr * iph = ( struct iphdr * ) skb - > data ;
2013-05-23 00:17:31 +04:00
int offset = iph - > ihl < < 2 ;
struct icmphdr * icmph = ( struct icmphdr * ) ( skb - > data + offset ) ;
2013-02-22 02:18:44 +04:00
int type = icmp_hdr ( skb ) - > type ;
int code = icmp_hdr ( skb ) - > code ;
struct net * net = dev_net ( skb - > dev ) ;
/*
* Use ping_err to handle all icmp errors except those
* triggered by ICMP_ECHOREPLY which sent from kernel .
*/
if ( icmph - > type ! = ICMP_ECHOREPLY ) {
2013-05-23 00:17:31 +04:00
ping_err ( skb , offset , info ) ;
2018-11-08 14:19:21 +03:00
return 0 ;
2013-02-22 02:18:44 +04:00
}
if ( type = = ICMP_DEST_UNREACH & & code = = ICMP_FRAG_NEEDED )
2018-09-26 06:56:26 +03:00
ipv4_update_pmtu ( skb , net , info , 0 , IPPROTO_ICMP ) ;
2013-02-22 02:18:44 +04:00
else if ( type = = ICMP_REDIRECT )
2018-09-26 06:56:27 +03:00
ipv4_redirect ( skb , net , 0 , IPPROTO_ICMP ) ;
2018-11-08 14:19:21 +03:00
return 0 ;
2013-02-22 02:18:44 +04:00
}
2005-04-17 02:20:36 +04:00
/*
* This table is the definition of how we handle ICMP .
*/
2005-11-30 03:21:38 +03:00
static const struct icmp_control icmp_pointers [ NR_ICMP_TYPES + 1 ] = {
2005-04-17 02:20:36 +04:00
[ ICMP_ECHOREPLY ] = {
net: ipv4: add IPPROTO_ICMP socket kind
This patch adds IPPROTO_ICMP socket kind. It makes it possible to send
ICMP_ECHO messages and receive the corresponding ICMP_ECHOREPLY messages
without any special privileges. In other words, the patch makes it
possible to implement setuid-less and CAP_NET_RAW-less /bin/ping. In
order not to increase the kernel's attack surface, the new functionality
is disabled by default, but is enabled at bootup by supporting Linux
distributions, optionally with restriction to a group or a group range
(see below).
Similar functionality is implemented in Mac OS X:
http://www.manpagez.com/man/4/icmp/
A new ping socket is created with
socket(PF_INET, SOCK_DGRAM, PROT_ICMP)
Message identifiers (octets 4-5 of ICMP header) are interpreted as local
ports. Addresses are stored in struct sockaddr_in. No port numbers are
reserved for privileged processes, port 0 is reserved for API ("let the
kernel pick a free number"). There is no notion of remote ports, remote
port numbers provided by the user (e.g. in connect()) are ignored.
Data sent and received include ICMP headers. This is deliberate to:
1) Avoid the need to transport headers values like sequence numbers by
other means.
2) Make it easier to port existing programs using raw sockets.
ICMP headers given to send() are checked and sanitized. The type must be
ICMP_ECHO and the code must be zero (future extensions might relax this,
see below). The id is set to the number (local port) of the socket, the
checksum is always recomputed.
ICMP reply packets received from the network are demultiplexed according
to their id's, and are returned by recv() without any modifications.
IP header information and ICMP errors of those packets may be obtained
via ancillary data (IP_RECVTTL, IP_RETOPTS, and IP_RECVERR). ICMP source
quenches and redirects are reported as fake errors via the error queue
(IP_RECVERR); the next hop address for redirects is saved to ee_info (in
network order).
socket(2) is restricted to the group range specified in
"/proc/sys/net/ipv4/ping_group_range". It is "1 0" by default, meaning
that nobody (not even root) may create ping sockets. Setting it to "100
100" would grant permissions to the single group (to either make
/sbin/ping g+s and owned by this group or to grant permissions to the
"netadmins" group), "0 4294967295" would enable it for the world, "100
4294967295" would enable it for the users, but not daemons.
The existing code might be (in the unlikely case anyone needs it)
extended rather easily to handle other similar pairs of ICMP messages
(Timestamp/Reply, Information Request/Reply, Address Mask Request/Reply
etc.).
Userspace ping util & patch for it:
http://openwall.info/wiki/people/segoon/ping
For Openwall GNU/*/Linux it was the last step on the road to the
setuid-less distro. A revision of this patch (for RHEL5/OpenVZ kernels)
is in use in Owl-current, such as in the 2011/03/12 LiveCD ISOs:
http://mirrors.kernel.org/openwall/Owl/current/iso/
Initially this functionality was written by Pavel Kankovsky for
Linux 2.4.32, but unfortunately it was never made public.
All ping options (-b, -p, -Q, -R, -s, -t, -T, -M, -I), are tested with
the patch.
PATCH v3:
- switched to flowi4.
- minor changes to be consistent with raw sockets code.
PATCH v2:
- changed ping_debug() to pr_debug().
- removed CONFIG_IP_PING.
- removed ping_seq_fops.owner field (unused for procfs).
- switched to proc_net_fops_create().
- switched to %pK in seq_printf().
PATCH v1:
- fixed checksumming bug.
- CAP_NET_RAW may not create icmp sockets anymore.
RFC v2:
- minor cleanups.
- introduced sysctl'able group range to restrict socket(2).
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-05-13 14:01:00 +04:00
. handler = ping_rcv ,
2005-04-17 02:20:36 +04:00
} ,
[ 1 ] = {
. handler = icmp_discard ,
. error = 1 ,
} ,
[ 2 ] = {
. handler = icmp_discard ,
. error = 1 ,
} ,
[ ICMP_DEST_UNREACH ] = {
. handler = icmp_unreach ,
. error = 1 ,
} ,
[ ICMP_SOURCE_QUENCH ] = {
. handler = icmp_unreach ,
. error = 1 ,
} ,
[ ICMP_REDIRECT ] = {
. handler = icmp_redirect ,
. error = 1 ,
} ,
[ 6 ] = {
. handler = icmp_discard ,
. error = 1 ,
} ,
[ 7 ] = {
. handler = icmp_discard ,
. error = 1 ,
} ,
[ ICMP_ECHO ] = {
. handler = icmp_echo ,
} ,
[ 9 ] = {
. handler = icmp_discard ,
. error = 1 ,
} ,
[ 10 ] = {
. handler = icmp_discard ,
. error = 1 ,
} ,
[ ICMP_TIME_EXCEEDED ] = {
. handler = icmp_unreach ,
. error = 1 ,
} ,
[ ICMP_PARAMETERPROB ] = {
. handler = icmp_unreach ,
. error = 1 ,
} ,
[ ICMP_TIMESTAMP ] = {
. handler = icmp_timestamp ,
} ,
[ ICMP_TIMESTAMPREPLY ] = {
. handler = icmp_discard ,
} ,
[ ICMP_INFO_REQUEST ] = {
. handler = icmp_discard ,
} ,
2007-02-09 17:24:47 +03:00
[ ICMP_INFO_REPLY ] = {
2005-04-17 02:20:36 +04:00
. handler = icmp_discard ,
} ,
[ ICMP_ADDRESS ] = {
2012-07-24 00:20:26 +04:00
. handler = icmp_discard ,
2005-04-17 02:20:36 +04:00
} ,
[ ICMP_ADDRESSREPLY ] = {
2012-07-24 00:20:26 +04:00
. handler = icmp_discard ,
2005-04-17 02:20:36 +04:00
} ,
} ;
2008-04-21 13:31:23 +04:00
static int __net_init icmp_sk_init ( struct net * net )
2008-02-29 22:14:50 +03:00
{
2008-03-26 11:55:37 +03:00
/* Control parameters for ECHO replies. */
net - > ipv4 . sysctl_icmp_echo_ignore_all = 0 ;
2021-03-30 04:45:51 +03:00
net - > ipv4 . sysctl_icmp_echo_enable_probe = 0 ;
2008-03-26 11:55:37 +03:00
net - > ipv4 . sysctl_icmp_echo_ignore_broadcasts = 1 ;
/* Control parameter - ignore bogus broadcast responses? */
net - > ipv4 . sysctl_icmp_ignore_bogus_error_responses = 1 ;
/*
* Configurable global rate limit .
*
* ratelimit defines tokens / packet consumed for dst - > rate_token
* bucket ratemask defines which icmp types are ratelimited by
* setting it ' s bit position .
*
* default :
* dest unreachable ( 3 ) , source quench ( 4 ) ,
* time exceeded ( 11 ) , parameter problem ( 12 )
*/
net - > ipv4 . sysctl_icmp_ratelimit = 1 * HZ ;
net - > ipv4 . sysctl_icmp_ratemask = 0x1818 ;
net - > ipv4 . sysctl_icmp_errors_use_inbound_ifaddr = 0 ;
2008-02-29 22:14:50 +03:00
return 0 ;
2005-04-17 02:20:36 +04:00
}
2008-02-29 22:19:58 +03:00
static struct pernet_operations __net_initdata icmp_sk_ops = {
. init = icmp_sk_init ,
} ;
int __init icmp_init ( void )
{
2022-01-24 23:24:55 +03:00
int err , i ;
for_each_possible_cpu ( i ) {
struct sock * sk ;
err = inet_ctl_sock_create ( & sk , PF_INET ,
SOCK_RAW , IPPROTO_ICMP , & init_net ) ;
if ( err < 0 )
return err ;
per_cpu ( ipv4_icmp_sk , i ) = sk ;
/* Enough space for 2 64K ICMP packets, including
* sk_buff / skb_shared_info struct overhead .
*/
sk - > sk_sndbuf = 2 * SKB_TRUESIZE ( 64 * 1024 ) ;
/*
* Speedup sock_wfree ( )
*/
sock_set_flag ( sk , SOCK_USE_WRITE_QUEUE ) ;
inet_sk ( sk ) - > pmtudisc = IP_PMTUDISC_DONT ;
}
2009-02-22 11:09:14 +03:00
return register_pernet_subsys ( & icmp_sk_ops ) ;
2008-02-29 22:19:58 +03:00
}