* What basic sanity checking on packet headers is done
@ 2006-09-29 16:20 Wayne Schroeder
  2006-09-29 16:50 ` Patrick McHardy
  0 siblings, 1 reply; 4+ messages in thread
From: Wayne Schroeder @ 2006-09-29 16:20 UTC (permalink / raw)
  To: netfilter-devel

I've written a new target module that uses the ip header fields of ihl
and tot_len for offsets into the packets.  How safe is the data in the
ip headers?  Is there sanity checking when the packet is received off
the wire... for instance -- is it safe to assume in the prerouting chain
of the mangle table that tot_len will not put me past the memory
allocated for the packet?  Same goes for ihl?

Wayne


* Re: What basic sanity checking on packet headers is done
  2006-09-29 16:20 What basic sanity checking on packet headers is done Wayne Schroeder
@ 2006-09-29 16:50 ` Patrick McHardy
  2006-09-29 16:59   ` Wayne Schroeder
  0 siblings, 1 reply; 4+ messages in thread
From: Patrick McHardy @ 2006-09-29 16:50 UTC (permalink / raw)
  To: Wayne Schroeder; +Cc: netfilter-devel

Wayne Schroeder wrote:
> I've written a new target module that uses the ip header fields of ihl
> and tot_len for offsets into the packets.  How safe is the data in the
> ip headers?  Is there sanity checking when the packet is received off
> the wire... for instance -- is it safe to assume in the prerouting chain
> of the mangle table that tot_len will not put me past the memory
> allocated for the packet?  Same goes for ihl?

Check out ip_rcv() in ip_input.c. ihl and tot_len are _usually_ valid
within netfilter. The only exception is raw sockets, on the outgoing
hooks the only guarantee is that ihl * 4 >= sizeof(struct iphdr) (
only for ip_tables, see iptable_filter.c). We could consider providing
stricter guarantees, I'm pretty sure some modules only perform
insufficient checks.


* Re: What basic sanity checking on packet headers is done
  2006-09-29 16:50 ` Patrick McHardy
@ 2006-09-29 16:59   ` Wayne Schroeder
  2006-09-29 17:14     ` Patrick McHardy
  0 siblings, 1 reply; 4+ messages in thread
From: Wayne Schroeder @ 2006-09-29 16:59 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netfilter-devel

Sounds like someone as root on the local machine could make packets that
would pop the kernel if the conditions were right, but everything else,
specifically remote traffic, will be safe to trust ihl and tot_len on?
If that's the case, then I'm in the clear.

Wayne


Patrick McHardy wrote:
> Wayne Schroeder wrote:
> 
>>I've written a new target module that uses the ip header fields of ihl
>>and tot_len for offsets into the packets.  How safe is the data in the
>>ip headers?  Is there sanity checking when the packet is received off
>>the wire... for instance -- is it safe to assume in the prerouting chain
>>of the mangle table that tot_len will not put me past the memory
>>allocated for the packet?  Same goes for ihl?
> 
> 
> Check out ip_rcv() in ip_input.c. ihl and tot_len are _usually_ valid
> within netfilter. The only exception is raw sockets, on the outgoing
> hooks the only guarantee is that ihl * 4 >= sizeof(struct iphdr) (
> only for ip_tables, see iptable_filter.c). We could consider providing
> stricter guarantees, I'm pretty sure some modules only perform
> insufficient checks.
> 


* Re: What basic sanity checking on packet headers is done
  2006-09-29 16:59   ` Wayne Schroeder
@ 2006-09-29 17:14     ` Patrick McHardy
  0 siblings, 0 replies; 4+ messages in thread
From: Patrick McHardy @ 2006-09-29 17:14 UTC (permalink / raw)
  To: Wayne Schroeder; +Cc: netfilter-devel

Wayne Schroeder wrote:
> Sounds like someone as root on the local machine could make packets that
> would pop the kernel if the conditions were right, but everything else,
> specifically remote traffic, will be safe to trust ihl and tot_len on?
> If that's the case, then I'm in the clear.

Right. I didn't find any problematic cases by doing a quick grep,
but I guess it's worth going over everything to make sure.
With things like OpenVZ even "root might crash the machine" is
a problem.
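
An added example, not part of the original thread and not kernel code: a user-space C sketch of the bounds checks a module can make itself before using ihl and tot_len as offsets, rather than relying on the hook it runs in. The names ipv4_check_bounds and struct ipv4_bounds are hypothetical, and buf_len stands in for the number of packet bytes actually held.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV4_MIN_HDR 20u   /* fixed IPv4 header, no options (ihl == 5) */

struct ipv4_bounds {       /* hypothetical result type */
    size_t hdr_len;        /* ihl * 4 */
    size_t tot_len;        /* tot_len in host byte order */
};

/*
 * Validate ihl and tot_len against the bytes actually present in buf.
 * Returns 0 and fills *out on success, -1 if either field would take
 * an offset outside the buffer.
 */
int ipv4_check_bounds(const uint8_t *buf, size_t buf_len,
                      struct ipv4_bounds *out)
{
    if (buf == NULL || out == NULL || buf_len < IPV4_MIN_HDR)
        return -1;                       /* fixed header not fully present */

    unsigned version = buf[0] >> 4;
    size_t hdr_len = (size_t)(buf[0] & 0x0f) * 4;
    size_t tot_len = ((size_t)buf[2] << 8) | buf[3];   /* network order */

    if (version != 4)
        return -1;
    if (hdr_len < IPV4_MIN_HDR)          /* ihl < 5 */
        return -1;
    if (hdr_len > buf_len)               /* options run past the buffer */
        return -1;
    if (tot_len < hdr_len)               /* payload length would underflow */
        return -1;
    if (tot_len > buf_len)               /* tot_len points past the buffer */
        return -1;

    out->hdr_len = hdr_len;
    out->tot_len = tot_len;
    return 0;
}

int main(void)
{
    /* Constructed sample: ihl=5, tot_len=1500, but only 28 bytes held. */
    uint8_t pkt[28] = { 0x45, 0x00, 0x05, 0xdc };
    struct ipv4_bounds b;
    puts(ipv4_check_bounds(pkt, sizeof pkt, &b) ? "reject" : "accept");
    return 0;
}
```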
