git: ca4cd20c4afe - main - Address issue pointed out in CVE-2020-25705
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 31 Mar 2022 14:46:16 UTC
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=ca4cd20c4afeb68ae30c4cc1103280590a099fe7 commit ca4cd20c4afeb68ae30c4cc1103280590a099fe7 Author: George V. Neville-Neil <gnn@FreeBSD.org> AuthorDate: 2022-03-19 16:48:16 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2022-03-31 14:45:50 +0000 Address issue pointed out in CVE-2020-25705 Add jitter to the ICMP bandwidth limit to deny a side-channel port scan. Reviewed by: kp, philip, cy, emaste MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D27354 --- sys/netinet/ip_icmp.c | 30 ++++++++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c index 463ac8c8e04d..76bce4b38e24 100644 --- a/sys/netinet/ip_icmp.c +++ b/sys/netinet/ip_icmp.c @@ -88,6 +88,14 @@ SYSCTL_INT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(icmplim), 0, "Maximum number of ICMP responses per second"); +VNET_DEFINE_STATIC(int, icmplim_curr_jitter) = 0; +#define V_icmplim_curr_jitter VNET(icmplim_curr_jitter) +VNET_DEFINE_STATIC(int, icmplim_jitter) = 16; +#define V_icmplim_jitter VNET(icmplim_jitter) +SYSCTL_INT(_net_inet_icmp, OID_AUTO, icmplim_jitter, CTLFLAG_VNET | CTLFLAG_RW, + &VNET_NAME(icmplim_jitter), 0, + "Random icmplim jitter adjustment limit"); + VNET_DEFINE_STATIC(int, icmplim_output) = 1; #define V_icmplim_output VNET(icmplim_output) SYSCTL_INT(_net_inet_icmp, OID_AUTO, icmplim_output, CTLFLAG_VNET | CTLFLAG_RW, @@ -1122,11 +1130,29 @@ badport_bandlim(int which) KASSERT(which >= 0 && which < BANDLIM_MAX, ("%s: which %d", __func__, which)); - pps = counter_ratecheck(&V_icmp_rates[which].cr, V_icmplim); + if ((V_icmplim + V_icmplim_curr_jitter) <= 0) + V_icmplim_curr_jitter = -V_icmplim + 1; + + pps = counter_ratecheck(&V_icmp_rates[which].cr, V_icmplim + + V_icmplim_curr_jitter); + if (pps > 0) { + /* + * Adjust limit +/- to jitter the measurement to deny a + * side-channel port scan as in CVE-2020-25705 + */ + if (V_icmplim_jitter > 0) { + int32_t inc = + arc4random_uniform(V_icmplim_jitter * 2 +1) + - V_icmplim_jitter; + + V_icmplim_curr_jitter = inc; + } + } if (pps == -1) return (-1); if (pps > 0 && V_icmplim_output) log(LOG_NOTICE, "Limiting %s from %jd to %d packets/sec\n", - V_icmp_rates[which].descr, (intmax_t )pps, V_icmplim); + V_icmp_rates[which].descr, (intmax_t )pps, V_icmplim + + V_icmplim_curr_jitter); return (0); }