Merge pull request #32818 from keszybz/libsystemd-network-size-check

Check packet size in libsystemd-network
author: Luca Boccassi <bluca@debian.org> 2024-05-15 17:33:22 +0200
committer: GitHub <noreply@github.com> 2024-05-15 17:33:22 +0200
commit: 5de20f561925a7f4233aa4250a317677a9ed95de (patch)
tree: 6df707f9fff22109c5cc1165e81e4045252537e3 /src/libsystemd-network
parent: man: fix typo 'ot' -> 'or' (diff)
parent: test: rename file with stub functions (diff)
download: systemd-5de20f561925a7f4233aa4250a317677a9ed95de.tar.xz
systemd-5de20f561925a7f4233aa4250a317677a9ed95de.zip
9 files changed, 24 insertions, 23 deletions
diff --git a/src/libsystemd-network/fuzz-ndisc-rs.c b/src/libsystemd-network/fuzz-ndisc-rs.c
index 780a5d7f5a..e6ee76895f 100644
--- a/src/libsystemd-network/fuzz-ndisc-rs.c
+++ b/src/libsystemd-network/fuzz-ndisc-rs.c
@@ -11,7 +11,7 @@
 #include "fd-util.h"
 #include "fuzz.h"
 #include "icmp6-packet.h"
-#include "icmp6-util-unix.h"
+#include "icmp6-test-util.h"
 #include "ndisc-internal.h"
 #include "ndisc-option.h"
 #include "socket-util.h"
diff --git a/src/libsystemd-network/icmp6-packet.c b/src/libsystemd-network/icmp6-packet.c
index 21d744beaa..02865a40c2 100644
--- a/src/libsystemd-network/icmp6-packet.c
+++ b/src/libsystemd-network/icmp6-packet.c
@@ -88,6 +88,11 @@ static int icmp6_packet_verify(ICMP6Packet *p) {
         if (hdr->icmp6_code != 0)
                 return -EBADMSG;
 
+        /* Drop any overly large packets early. We are not interested in jumbograms,
+         * which could cause excessive processing. */
+        if (p->raw_size > ICMP6_MAX_NORMAL_PAYLOAD_SIZE)
+                return -EMSGSIZE;
+
         return 0;
 }
 
@@ -108,20 +113,14 @@ int icmp6_packet_receive(int fd, ICMP6Packet **ret) {
                 return -ENOMEM;
 
         r = icmp6_receive(fd, p->raw_packet, p->raw_size, &p->sender_address, &p->timestamp);
+        if (r == -EADDRNOTAVAIL)
+                return log_debug_errno(r, "ICMPv6: Received a packet from neither link-local nor null address.");
+        if (r == -EMULTIHOP)
+                return log_debug_errno(r, "ICMPv6: Received a packet with an invalid hop limit.");
+        if (r == -EPFNOSUPPORT)
+                return log_debug_errno(r, "ICMPv6: Received a packet with an invalid source address.");
         if (r < 0)
-                switch (r) {
-                case -EADDRNOTAVAIL:
-                        return log_debug_errno(r, "ICMPv6: Received a packet from neither link-local nor null address.");
-
-                case -EMULTIHOP:
-                        return log_debug_errno(r, "ICMPv6: Received a packet with an invalid hop limit.");
-
-                case -EPFNOSUPPORT:
-                        return log_debug_errno(r, "ICMPv6: Received a packet with an invalid source address.");
-
-                default:
-                        return log_debug_errno(r, "ICMPv6: Unexpected error while receiving a packet: %m");
-                }
+                return log_debug_errno(r, "ICMPv6: Unexpected error while receiving a packet: %m");
 
         r = icmp6_packet_verify(p);
         if (r < 0)
diff --git a/src/libsystemd-network/icmp6-packet.h b/src/libsystemd-network/icmp6-packet.h
index 16f354fc95..b402255806 100644
--- a/src/libsystemd-network/icmp6-packet.h
+++ b/src/libsystemd-network/icmp6-packet.h
@@ -21,6 +21,10 @@ ICMP6Packet* icmp6_packet_ref(ICMP6Packet *p);
 ICMP6Packet* icmp6_packet_unref(ICMP6Packet *p);
 DEFINE_TRIVIAL_CLEANUP_FUNC(ICMP6Packet*, icmp6_packet_unref);
 
+/* IPv6 Header is 40 bytes and reserves 2 bytes to represent the Payload Length. Thus, the max payload size,
+ * including extension headers, is 65535 bytes (2^16 - 1). Jumbograms can be larger (2^32 - 1). */
+#define ICMP6_MAX_NORMAL_PAYLOAD_SIZE 65535
+
 int icmp6_packet_set_sender_address(ICMP6Packet *p, const struct in6_addr *addr);
 int icmp6_packet_get_sender_address(ICMP6Packet *p, struct in6_addr *ret);
 int icmp6_packet_get_timestamp(ICMP6Packet *p, clockid_t clock, usec_t *ret);
diff --git a/src/libsystemd-network/icmp6-util-unix.c b/src/libsystemd-network/icmp6-test-util.c
index d6d505717d..3c781095bc 100644
--- a/src/libsystemd-network/icmp6-util-unix.c
+++ b/src/libsystemd-network/icmp6-test-util.c
@@ -5,7 +5,7 @@
 #include <unistd.h>
 
 #include "fd-util.h"
-#include "icmp6-util-unix.h"
+#include "icmp6-test-util.h"
 
 int test_fd[2] = EBADF_PAIR;
 
diff --git a/src/libsystemd-network/icmp6-util-unix.h b/src/libsystemd-network/icmp6-test-util.h
index d7b0cc84b3..d7b0cc84b3 100644
--- a/src/libsystemd-network/icmp6-util-unix.h
+++ b/src/libsystemd-network/icmp6-test-util.h
diff --git a/src/libsystemd-network/icmp6-util.c b/src/libsystemd-network/icmp6-util.c
index a28f175b5e..75a6489967 100644
--- a/src/libsystemd-network/icmp6-util.c
+++ b/src/libsystemd-network/icmp6-util.c
@@ -121,7 +121,7 @@ int icmp6_receive(
         /* This needs to be initialized with zero. See #20741. */
         CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(int)) + /* ttl */
                          CMSG_SPACE_TIMEVAL) control = {};
-        struct iovec iov = {};
+        struct iovec iov = { buffer, size };
         union sockaddr_union sa = {};
         struct msghdr msg = {
                 .msg_name = &sa.sa,
@@ -133,8 +133,6 @@ int icmp6_receive(
         };
         ssize_t len;
 
-        iov = IOVEC_MAKE(buffer, size);
-
         len = recvmsg_safe(fd, &msg, MSG_DONTWAIT);
         if (len < 0)
                 return (int) len;
diff --git a/src/libsystemd-network/meson.build b/src/libsystemd-network/meson.build
index fdd8806a23..718495cd8e 100644
--- a/src/libsystemd-network/meson.build
+++ b/src/libsystemd-network/meson.build
@@ -91,13 +91,13 @@ executables += [
         network_test_template + {
                 'sources' : files(
                         'test-ndisc-ra.c',
-                        'icmp6-util-unix.c',
+                        'icmp6-test-util.c',
                 ),
         },
         network_test_template + {
                 'sources' : files(
                         'test-ndisc-rs.c',
-                        'icmp6-util-unix.c',
+                        'icmp6-test-util.c',
                 ),
         },
         network_test_template + {
@@ -125,7 +125,7 @@ executables += [
         network_fuzz_template + {
                 'sources' : files(
                         'fuzz-ndisc-rs.c',
-                        'icmp6-util-unix.c',
+                        'icmp6-test-util.c',
                 ),
         },
 ]
diff --git a/src/libsystemd-network/test-ndisc-ra.c b/src/libsystemd-network/test-ndisc-ra.c
index 8be7351a09..14c9164585 100644
--- a/src/libsystemd-network/test-ndisc-ra.c
+++ b/src/libsystemd-network/test-ndisc-ra.c
@@ -11,7 +11,7 @@
 
 #include "alloc-util.h"
 #include "hexdecoct.h"
-#include "icmp6-util-unix.h"
+#include "icmp6-test-util.h"
 #include "socket-util.h"
 #include "strv.h"
 #include "tests.h"
diff --git a/src/libsystemd-network/test-ndisc-rs.c b/src/libsystemd-network/test-ndisc-rs.c
index 5ad2c92b49..66aad2600a 100644
--- a/src/libsystemd-network/test-ndisc-rs.c
+++ b/src/libsystemd-network/test-ndisc-rs.c
@@ -13,7 +13,7 @@
 #include "fd-util.h"
 #include "hexdecoct.h"
 #include "icmp6-packet.h"
-#include "icmp6-util-unix.h"
+#include "icmp6-test-util.h"
 #include "socket-util.h"
 #include "strv.h"
 #include "ndisc-internal.h"
author	Luca Boccassi <bluca@debian.org>	2024-05-15 17:33:22 +0200
committer	GitHub <noreply@github.com>	2024-05-15 17:33:22 +0200
commit	5de20f561925a7f4233aa4250a317677a9ed95de (patch)
tree	6df707f9fff22109c5cc1165e81e4045252537e3 /src/libsystemd-network
parent	man: fix typo 'ot' -> 'or' (diff)
parent	test: rename file with stub functions (diff)
download	systemd-5de20f561925a7f4233aa4250a317677a9ed95de.tar.xz systemd-5de20f561925a7f4233aa4250a317677a9ed95de.zip