git: 0fc80e44f600 - stable/12 - pf tests: Test CVE-2019-5598

Sun Jan 3 22:18:49 UTC 2021

The branch stable/12 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=0fc80e44f600b65830da93b7b56e47250f978f06

commit 0fc80e44f600b65830da93b7b56e47250f978f06
Author:     Kristof Provost <kp at FreeBSD.org>
AuthorDate: 2019-03-22 07:39:28 +0000
Commit:     Kristof Provost <kp at FreeBSD.org>
CommitDate: 2021-01-03 20:26:49 +0000

    pf tests: Test CVE-2019-5598
    
    Verify that pf correctly drops inconsistent ICMP packets (i.e. where the
    IP src/dst do not match the IP src/dst in the ICMP packet.
    
    (cherry picked from commit 7de4bd92b8a1f510c88ea3b5af0bcb106af6ba11)
---
 tests/sys/netpfil/pf/CVE-2019-5598.py | 130 ++++++++++++++++++++++++++++++++++
 tests/sys/netpfil/pf/Makefile         |   7 +-
 tests/sys/netpfil/pf/icmp.sh          |  99 ++++++++++++++++++++++++++
 3 files changed, 234 insertions(+), 2 deletions(-)

diff --git a/tests/sys/netpfil/pf/CVE-2019-5598.py b/tests/sys/netpfil/pf/CVE-2019-5598.py
new file mode 100644
index 000000000000..648b8ef9d6f0
--- /dev/null
+++ b/tests/sys/netpfil/pf/CVE-2019-5598.py
@@ -0,0 +1,130 @@
+#!/usr/local/bin/python2.7
+
+import argparse
+import scapy.all as sp
+import sys
+from sniffer import Sniffer
+
+def check_icmp_error(args, packet):
+	ip = packet.getlayer(sp.IP)
+	if not ip:
+		return False
+	if ip.dst != args.to[0]:
+		return False
+
+	icmp = packet.getlayer(sp.ICMP)
+	if not icmp:
+		return False
+	if icmp.type != 3 or icmp.code != 3:
+		return False
+
+	return True
+
+def main():
+	parser = argparse.ArgumentParser("CVE-2019-icmp.py",
+		description="CVE-2019-icmp test tool")
+	parser.add_argument('--sendif', nargs=1,
+		required=True,
+		help='The interface through which the packet will be sent')
+	parser.add_argument('--recvif', nargs=1,
+		required=True,
+		help='The interface on which to check for the packet')
+	parser.add_argument('--src', nargs=1,
+		required=True,
+		help='The source IP address')
+	parser.add_argument('--to', nargs=1,
+		required=True,
+		help='The destination IP address')
+
+	args = parser.parse_args()
+
+        # Send the allowed packet to establish state
+        udp = sp.Ether() / \
+            sp.IP(src=args.src[0], dst=args.to[0]) / \
+            sp.UDP(dport=53, sport=1234)
+        sp.sendp(udp, iface=args.sendif[0], verbose=False)
+
+	# Start sniffing on recvif
+	sniffer = Sniffer(args, check_icmp_error)
+
+	# Send the bad error packet
+	icmp_reachable = sp.Ether() / \
+            sp.IP(src=args.src[0], dst=args.to[0]) / \
+	    sp.ICMP(type=3, code=3) / \
+	    sp.IP(src="4.3.2.1", dst="1.2.3.4") / \
+	    sp.UDP(dport=53, sport=1234)
+	sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False)
+
+	sniffer.join()
+	if sniffer.foundCorrectPacket:
+		sys.exit(1)
+
+	sys.exit(0)
+
+if __name__ == '__main__':
+	main()
+#!/usr/local/bin/python2.7
+
+import argparse
+import scapy.all as sp
+import sys
+from sniffer import Sniffer
+
+def check_icmp_error(args, packet):
+	ip = packet.getlayer(sp.IP)
+	if not ip:
+		return False
+	if ip.dst != args.to[0]:
+		return False
+
+	icmp = packet.getlayer(sp.ICMP)
+	if not icmp:
+		return False
+	if icmp.type != 3 or icmp.code != 3:
+		return False
+
+	return True
+
+def main():
+	parser = argparse.ArgumentParser("CVE-2019-icmp.py",
+		description="CVE-2019-icmp test tool")
+	parser.add_argument('--sendif', nargs=1,
+		required=True,
+		help='The interface through which the packet will be sent')
+	parser.add_argument('--recvif', nargs=1,
+		required=True,
+		help='The interface on which to check for the packet')
+	parser.add_argument('--src', nargs=1,
+		required=True,
+		help='The source IP address')
+	parser.add_argument('--to', nargs=1,
+		required=True,
+		help='The destination IP address')
+
+	args = parser.parse_args()
+
+        # Send the allowed packet to establish state
+        udp = sp.Ether() / \
+            sp.IP(src=args.src[0], dst=args.to[0]) / \
+            sp.UDP(dport=53, sport=1234)
+        sp.sendp(udp, iface=args.sendif[0], verbose=False)
+
+	# Start sniffing on recvif
+	sniffer = Sniffer(args, check_icmp_error)
+
+	# Send the bad error packet
+	icmp_reachable = sp.Ether() / \
+            sp.IP(src=args.src[0], dst=args.to[0]) / \
+	    sp.ICMP(type=3, code=3) / \
+	    sp.IP(src=args.src[0], dst=args.to[0]) / \
+	    sp.UDP(dport=53, sport=1234)
+	sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False)
+
+	sniffer.join()
+	if sniffer.foundCorrectPacket:
+		sys.exit(1)
+
+	sys.exit(0)
+
+if __name__ == '__main__':
+	main()
diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile
index 115a38666cc7..474b3c3b9b4b 100644
--- a/tests/sys/netpfil/pf/Makefile
+++ b/tests/sys/netpfil/pf/Makefile
@@ -18,15 +18,18 @@ ATF_TESTS_SH+=	anchor \
 		synproxy \
 		set_skip \
 		pfsync \
-		table
+		table \
+		icmp
 
 ${PACKAGE}FILES+=	utils.subr \
 			echo_inetd.conf \
 			sniffer.py \
 			pft_ping.py \
-			CVE-2019-5597.py
+			CVE-2019-5597.py \
+			CVE-2019-5598.py
 
 ${PACKAGE}FILESMODE_pft_ping.py=	0555
 ${PACKAGE}FILESMODE_CVE-2019-5597.py=	0555
+${PACKAGE}FILESMODE_CVE-2019-5598.py=	0555
 
 .include <bsd.test.mk>
diff --git a/tests/sys/netpfil/pf/icmp.sh b/tests/sys/netpfil/pf/icmp.sh
new file mode 100755
index 000000000000..5cc1a769c799
--- /dev/null
+++ b/tests/sys/netpfil/pf/icmp.sh
@@ -0,0 +1,99 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "cve_2019_5598" "cleanup"
+cve_2019_5598_head()
+{
+	atf_set descr 'Test CVE-2019-5598'
+	atf_set require.user root
+	atf_set require.progs scapy
+}
+
+cve_2019_5598_body()
+{
+	pft_init
+
+	epair_in=$(vnet_mkepair)
+	epair_out=$(vnet_mkepair)
+	ifconfig ${epair_in}a 192.0.2.1/24 up
+	ifconfig ${epair_out}a up
+
+	vnet_mkjail alcatraz ${epair_in}b ${epair_out}b
+	jexec alcatraz ifconfig ${epair_in}b 192.0.2.2/24 up
+	jexec alcatraz ifconfig ${epair_out}b 198.51.100.2/24 up
+	jexec alcatraz sysctl net.inet.ip.forwarding=1
+	jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05
+	jexec alcatraz route add default 198.51.100.3
+	route add -net 198.51.100.0/24 192.0.2.2
+
+	jexec alcatraz pfctl -e
+	pft_set_rules alcatraz "block all" \
+		"pass in proto udp to 198.51.100.3 port 53" \
+		"pass out proto udp to 198.51.100.3 port 53"
+
+	atf_check -s exit:0 $(atf_get_srcdir)/CVE-2019-icmp.py \
+		--sendif ${epair_in}a \
+		--recvif ${epair_out}a \
+		--src 192.0.2.1 \
+		--to 198.51.100.3
+}
+
+cve_2019_5598_cleanup()
+{
+	pft_cleanup
+}
+
+atf_init_test_cases()
+{
+	atf_add_test_case "cve_2019_5598"
+}
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "cve_2019_5598" "cleanup"
+cve_2019_5598_head()
+{
+	atf_set descr 'Test CVE-2019-5598'
+	atf_set require.user root
+	atf_set require.progs scapy
+}
+
+cve_2019_5598_body()
+{
+	pft_init
+
+	epair_in=$(vnet_mkepair)
+	epair_out=$(vnet_mkepair)
+	ifconfig ${epair_in}a 192.0.2.1/24 up
+	ifconfig ${epair_out}a up
+
+	vnet_mkjail alcatraz ${epair_in}b ${epair_out}b
+	jexec alcatraz ifconfig ${epair_in}b 192.0.2.2/24 up
+	jexec alcatraz ifconfig ${epair_out}b 198.51.100.2/24 up
+	jexec alcatraz sysctl net.inet.ip.forwarding=1
+	jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05
+	route add -net 198.51.100.0/24 192.0.2.2
+
+	jexec alcatraz pfctl -e
+	pft_set_rules alcatraz "block all" \
+		"pass in proto udp to 198.51.100.3 port 53" \
+		"pass out proto udp to 198.51.100.3 port 53"
+
+	atf_check -s exit:0 $(atf_get_srcdir)/CVE-2019-icmp.py \
+		--sendif ${epair_in}a \
+		--recvif ${epair_out}a \
+		--src 192.0.2.1 \
+		--to 198.51.100.3
+}
+
+cve_2019_5598_cleanup()
+{
+	pft_cleanup
+}
+
+atf_init_test_cases()
+{
+	atf_add_test_case "cve_2019_5598"
+}
