From nobody Mon Mar 06 20:19:55 2023 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4PVqgb51yXz3wKT3; Mon, 6 Mar 2023 20:19:55 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4PVqgb4N2Mz4RTj; Mon, 6 Mar 2023 20:19:55 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1678133995; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=AsQr2Q6H7AVj/EQhP0H/h8tjshj5aY6UOO0YTroB1j8=; b=RHSZe+TRMEUoZtfXlEUssOKKia7wtQe3Cf69dbSLg1DxIdZGBW+7ivK0c205VAhJNnX64y vJSVX+hBne/pvhyY1sMiuussOS7kt0cFR11G+i7OLt9lUwBTMgzx5NxI9Qb0rUAf7KenHU ZA89hb3gxdBtgk8qtMw0jpTzkkYHZfsWLMOL+1d853nS9CIS9brWBgOWW449cgG4+9Ufgb nL29dTP13/SK8eTetyX52Z0uSRUwJUgWt53M5YPCGXhskQH0+MhhKAq7Z9j0qK0imoTc8t pLuI7n6j8RnoQWk53OAnE1olXzp8oYadKbsTA/sp7Hhu0hj7IdTSGuCu2gf8eQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1678133995; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=AsQr2Q6H7AVj/EQhP0H/h8tjshj5aY6UOO0YTroB1j8=; b=jIL3ZVUwouVmLP68UIb+km06rGlrox47YngVhF/cJnBuqu4xfmQCAVa5JZl8DnrFcI5baU M+Dmng8+brvN3+AAoMP/1X3uLgvX0dGh/9bym2K0BqlOj19j3JF+XE5oOHIK0blkH8Wi/q 2SHazmuVdfS6gyOrBCo9B5oM/p4gZckKHfp6FepI2IG/s2e8V48S1ph4xV8QjHJuva5Rrt kTp0rigyvtVz6t7F12v1SYSEW4wx7QsFuAhfIq1nK+NJw/bTU2LVEg/l3uDOaNkI0GkF5r bSSQfFzOORBFGdzqX/k2qXCZoQsIXdxMPbsynFbGoW59jIkMaWA9nHrciNiaeg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1678133995; a=rsa-sha256; cv=none; b=i3Rk3+9tJGBmkl+IStcqIzu5oqGQ0osblqr3w2K7W7UdaYgkQC+hExEaoQh0nXxruL5hL4 YmnEH8e/aGsog/j701DlIZ1BvkWy7bs2WXfo2gULeW99+8LtRzfblFIy1VYaiz96knFDk2 RJuCQK+TgYX8OixLoh0r1Nlf004TeiSABYReUIdWMrm2zb/VWjaNwlcIz6ntBfLv8jmuDh YdJPgAwYDtgEn+PaG93HjMvUOo8niLvWYRXWY4k6+P30Cn0OvHJwhS1hEqAWVyvsnoMHto sRWUfwOGt4XW0KrFUQUaOYTctHabH37ohxSTiQ/SKwGbSdcZRiSc7GGzSN1slg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4PVqgb3QJZzG6w; Mon, 6 Mar 2023 20:19:55 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 326KJtbX086488; Mon, 6 Mar 2023 20:19:55 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 326KJtJr086487; Mon, 6 Mar 2023 20:19:55 GMT (envelope-from git) Date: Mon, 6 Mar 2023 20:19:55 GMT Message-Id: <202303062019.326KJtJr086487@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Mark Johnston Subject: git: 713264f6b8bc - main - netinet: Tighten checks for unspecified source addresses List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 713264f6b8bc5f927dd52cf8ffcccfa397034fec Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=713264f6b8bc5f927dd52cf8ffcccfa397034fec commit 713264f6b8bc5f927dd52cf8ffcccfa397034fec Author: Mark Johnston AuthorDate: 2023-03-06 20:06:00 +0000 Commit: Mark Johnston CommitDate: 2023-03-06 20:06:00 +0000 netinet: Tighten checks for unspecified source addresses The assertions added in commit b0ccf53f2455 ("inpcb: Assert against wildcard addrs in in_pcblookup_hash_locked()") revealed that protocol layers may pass the unspecified address to in_pcblookup(). Add some checks to filter out such packets before we attempt an inpcb lookup: - Disallow the use of an unspecified source address in in_pcbladdr() and in6_pcbladdr(). - Disallow IP packets with an unspecified destination address. - Disallow TCP packets with an unspecified source address, and add an assertion to verify the comment claiming that the case of an unspecified destination address is handled by the IP layer. Reported by: syzbot+9ca890fb84e984e82df2@syzkaller.appspotmail.com Reported by: syzbot+ae873c71d3c71d5f41cb@syzkaller.appspotmail.com Reported by: syzbot+e3e689aba1d442905067@syzkaller.appspotmail.com Reviewed by: glebius, melifaro MFC after: 2 weeks Sponsored by: Klara, Inc. Sponsored by: Modirum MDPay Differential Revision: https://reviews.freebsd.org/D38570 --- sys/netinet/in_pcb.c | 2 ++ sys/netinet/ip_input.c | 5 +++++ sys/netinet/tcp_input.c | 8 ++++++++ sys/netinet6/in6_pcb.c | 2 ++ 4 files changed, 17 insertions(+) diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c index 5768979f21e0..3b8931a90262 100644 --- a/sys/netinet/in_pcb.c +++ b/sys/netinet/in_pcb.c @@ -1262,6 +1262,8 @@ in_pcbladdr(struct inpcb *inp, struct in_addr *faddr, struct in_addr *laddr, } done: + if (error == 0 && laddr->s_addr == INADDR_ANY) + return (EHOSTUNREACH); return (error); } diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index b8fb3861c5b8..5de09a32a2f5 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -519,6 +519,11 @@ ip_input(struct mbuf *m) goto bad; } } + /* The unspecified address can appear only as a src address - RFC1122 */ + if (__predict_false(ntohl(ip->ip_dst.s_addr) == INADDR_ANY)) { + IPSTAT_INC(ips_badaddr); + goto bad; + } if (m->m_pkthdr.csum_flags & CSUM_IP_CHECKED) { sum = !(m->m_pkthdr.csum_flags & CSUM_IP_VALID); diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index 72faf53299e4..7b9c5668e888 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -672,6 +672,8 @@ tcp_input_with_port(struct mbuf **mp, int *offp, int proto, uint16_t port) * Note that packets with unspecified IPv6 destination is * already dropped in ip6_input. */ + KASSERT(!IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst), + ("%s: unspecified destination v6 address", __func__)); if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) { /* XXX stat */ goto drop; @@ -740,6 +742,12 @@ tcp_input_with_port(struct mbuf **mp, int *offp, int proto, uint16_t port) TCPSTAT_INC(tcps_rcvbadsum); goto drop; } + KASSERT(ip->ip_dst.s_addr != INADDR_ANY, + ("%s: unspecified destination v4 address", __func__)); + if (__predict_false(ip->ip_src.s_addr == INADDR_ANY)) { + /* XXX stat */ + goto drop; + } } #endif /* INET */ diff --git a/sys/netinet6/in6_pcb.c b/sys/netinet6/in6_pcb.c index 8b1f97f322ef..81a3fd49a93d 100644 --- a/sys/netinet6/in6_pcb.c +++ b/sys/netinet6/in6_pcb.c @@ -368,6 +368,8 @@ in6_pcbladdr(struct inpcb *inp, struct sockaddr_in6 *sin6, inp, inp->inp_cred, scope_ambiguous, &in6a, NULL); if (error) return (error); + if (IN6_IS_ADDR_UNSPECIFIED(&in6a)) + return (EHOSTUNREACH); /* * Do not update this earlier, in case we return with an error.