------------------------------------------------------------ revno: 13173 revision-id: squid3@treenet.co.nz-20140915050614-6uo8tfwrpbrd47kw parent: squid3@treenet.co.nz-20140915045834-qo85nnsinp9wu4gt author: Amos Jeffries , Sebastian Krahmer committer: Amos Jeffries branch nick: 3.4 timestamp: Sun 2014-09-14 23:06:14 -0600 message: Fix various ICMP handling issues in Squid pinger * ICMP code type logging display could over-read the registered type string arrays. * Malformed ICMP packets were accepted into processing with undefined and potentially nasty results. Both sets of flaws can result in pinger segmentation fault and halting the Squid functionality relying on pinger for correct operation. Thanks to the OpenSUSE project for analysis and resolution of these. ------------------------------------------------------------ # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: squid3@treenet.co.nz-20140915050614-6uo8tfwrpbrd47kw # target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4 # testament_sha1: 234c1592673c5317e1b323018226e04941cc61a8 # timestamp: 2014-09-15 11:08:18 +0000 # source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4 # base_revision_id: squid3@treenet.co.nz-20140915045834-\ # qo85nnsinp9wu4gt # # Begin patch === modified file 'src/icmp/Icmp4.cc' --- src/icmp/Icmp4.cc 2013-06-03 14:05:16 +0000 +++ src/icmp/Icmp4.cc 2014-09-15 05:06:14 +0000 @@ -41,26 +41,38 @@ #include "IcmpPinger.h" #include "Debug.h" -const char *icmpPktStr[] = { - "Echo Reply", - "ICMP 1", - "ICMP 2", - "Destination Unreachable", - "Source Quench", - "Redirect", - "ICMP 6", - "ICMP 7", - "Echo", - "ICMP 9", - "ICMP 10", - "Time Exceeded", - "Parameter Problem", - "Timestamp", - "Timestamp Reply", - "Info Request", - "Info Reply", - "Out of Range Type" -}; +static const char * +IcmpPacketType(uint8_t v) +{ + static const char *icmpPktStr[] = { + "Echo Reply", + "ICMP 1", + "ICMP 2", + "Destination Unreachable", + "Source Quench", + "Redirect", + "ICMP 6", + "ICMP 7", + "Echo", + "ICMP 9", + "ICMP 10", + "Time Exceeded", + "Parameter Problem", + "Timestamp", + "Timestamp Reply", + "Info Request", + "Info Reply", + "Out of Range Type" + }; + + if (v > 17) { + static char buf[50]; + snprintf(buf, sizeof(buf), "ICMP %u (invalid)", v); + return buf; + } + + return icmpPktStr[v]; +} Icmp4::Icmp4() : Icmp() { @@ -187,6 +199,12 @@ from->ai_addr, &from->ai_addrlen); + if (n <= 0) { + debugs(42, DBG_CRITICAL, HERE << "Error when calling recvfrom() on ICMP socket."); + Ip::Address::FreeAddrInfo(from); + return; + } + preply.from = *from; #if GETTIMEOFDAY_NO_TZP @@ -243,9 +261,15 @@ preply.psize = n - iphdrlen - (sizeof(icmpEchoData) - MAX_PKT4_SZ); + if (preply.psize < 0) { + debugs(42, DBG_CRITICAL, HERE << "Malformed ICMP packet."); + Ip::Address::FreeAddrInfo(from); + return; + } + control.SendResult(preply, (sizeof(pingerReplyData) - MAX_PKT4_SZ + preply.psize) ); - Log(preply.from, icmp->icmp_type, icmpPktStr[icmp->icmp_type], preply.rtt, preply.hops); + Log(preply.from, icmp->icmp_type, IcmpPacketType(icmp->icmp_type), preply.rtt, preply.hops); Ip::Address::FreeAddrInfo(from); } === modified file 'src/icmp/Icmp6.cc' --- src/icmp/Icmp6.cc 2013-06-03 14:05:16 +0000 +++ src/icmp/Icmp6.cc 2014-09-15 05:06:14 +0000 @@ -50,57 +50,61 @@ // Icmp6 OP-Codes // see http://www.iana.org/assignments/icmpv6-parameters -// NP: LowPktStr is for codes 0-127 -static const char *icmp6LowPktStr[] = { - "ICMP 0", // 0 - "Destination Unreachable", // 1 - RFC2463 - "Packet Too Big", // 2 - RFC2463 - "Time Exceeded", // 3 - RFC2463 - "Parameter Problem", // 4 - RFC2463 - "ICMP 5", // 5 - "ICMP 6", // 6 - "ICMP 7", // 7 - "ICMP 8", // 8 - "ICMP 9", // 9 - "ICMP 10" // 10 -}; - -// NP: HighPktStr is for codes 128-255 -static const char *icmp6HighPktStr[] = { - "Echo Request", // 128 - RFC2463 - "Echo Reply", // 129 - RFC2463 - "Multicast Listener Query", // 130 - RFC2710 - "Multicast Listener Report", // 131 - RFC2710 - "Multicast Listener Done", // 132 - RFC2710 - "Router Solicitation", // 133 - RFC4861 - "Router Advertisement", // 134 - RFC4861 - "Neighbor Solicitation", // 135 - RFC4861 - "Neighbor Advertisement", // 136 - RFC4861 - "Redirect Message", // 137 - RFC4861 - "Router Renumbering", // 138 - Crawford - "ICMP Node Information Query", // 139 - RFC4620 - "ICMP Node Information Response", // 140 - RFC4620 - "Inverse Neighbor Discovery Solicitation", // 141 - RFC3122 - "Inverse Neighbor Discovery Advertisement", // 142 - RFC3122 - "Version 2 Multicast Listener Report", // 143 - RFC3810 - "Home Agent Address Discovery Request", // 144 - RFC3775 - "Home Agent Address Discovery Reply", // 145 - RFC3775 - "Mobile Prefix Solicitation", // 146 - RFC3775 - "Mobile Prefix Advertisement", // 147 - RFC3775 - "Certification Path Solicitation", // 148 - RFC3971 - "Certification Path Advertisement", // 149 - RFC3971 - "ICMP Experimental (150)", // 150 - RFC4065 - "Multicast Router Advertisement", // 151 - RFC4286 - "Multicast Router Solicitation", // 152 - RFC4286 - "Multicast Router Termination", // 153 - [RFC4286] - "ICMP 154", - "ICMP 155", - "ICMP 156", - "ICMP 157", - "ICMP 158", - "ICMP 159", - "ICMP 160" -}; +static const char * +IcmpPacketType(uint8_t v) +{ + // NP: LowPktStr is for codes 0-127 + static const char *icmp6LowPktStr[] = { + "ICMPv6 0", // 0 + "Destination Unreachable", // 1 - RFC2463 + "Packet Too Big", // 2 - RFC2463 + "Time Exceeded", // 3 - RFC2463 + "Parameter Problem", // 4 - RFC2463 + }; + + // low codes 1-4 registered + if (0 < v && v < 5) + return icmp6LowPktStr[(int)(v&0x7f)]; + + // NP: HighPktStr is for codes 128-255 + static const char *icmp6HighPktStr[] = { + "Echo Request", // 128 - RFC2463 + "Echo Reply", // 129 - RFC2463 + "Multicast Listener Query", // 130 - RFC2710 + "Multicast Listener Report", // 131 - RFC2710 + "Multicast Listener Done", // 132 - RFC2710 + "Router Solicitation", // 133 - RFC4861 + "Router Advertisement", // 134 - RFC4861 + "Neighbor Solicitation", // 135 - RFC4861 + "Neighbor Advertisement", // 136 - RFC4861 + "Redirect Message", // 137 - RFC4861 + "Router Renumbering", // 138 - Crawford + "ICMP Node Information Query", // 139 - RFC4620 + "ICMP Node Information Response", // 140 - RFC4620 + "Inverse Neighbor Discovery Solicitation", // 141 - RFC3122 + "Inverse Neighbor Discovery Advertisement", // 142 - RFC3122 + "Version 2 Multicast Listener Report", // 143 - RFC3810 + "Home Agent Address Discovery Request", // 144 - RFC3775 + "Home Agent Address Discovery Reply", // 145 - RFC3775 + "Mobile Prefix Solicitation", // 146 - RFC3775 + "Mobile Prefix Advertisement", // 147 - RFC3775 + "Certification Path Solicitation", // 148 - RFC3971 + "Certification Path Advertisement", // 149 - RFC3971 + "ICMP Experimental (150)", // 150 - RFC4065 + "Multicast Router Advertisement", // 151 - RFC4286 + "Multicast Router Solicitation", // 152 - RFC4286 + "Multicast Router Termination", // 153 - [RFC4286] + }; + + // high codes 127-153 registered + if (127 < v && v < 154) + return icmp6HighPktStr[(int)(v&0x7f)]; + + // give all others a generic display + static char buf[50]; + snprintf(buf, sizeof(buf), "ICMPv6 %u", v); + return buf; +} Icmp6::Icmp6() : Icmp() { @@ -236,6 +240,12 @@ from->ai_addr, &from->ai_addrlen); + if (n <= 0) { + debugs(42, DBG_CRITICAL, HERE << "Error when calling recvfrom() on ICMPv6 socket."); + Ip::Address::FreeAddrInfo(from); + return; + } + preply.from = *from; #if GETTIMEOFDAY_NO_TZP @@ -291,8 +301,7 @@ default: debugs(42, 8, HERE << preply.from << " said: " << icmp6header->icmp6_type << "/" << (int)icmp6header->icmp6_code << " " << - ( icmp6header->icmp6_type&0x80 ? icmp6HighPktStr[(int)(icmp6header->icmp6_type&0x7f)] : icmp6LowPktStr[(int)(icmp6header->icmp6_type&0x7f)] ) - ); + IcmpPacketType(icmp6header->icmp6_type)); } Ip::Address::FreeAddrInfo(from); return; @@ -331,7 +340,7 @@ Log(preply.from, icmp6header->icmp6_type, - ( icmp6header->icmp6_type&0x80 ? icmp6HighPktStr[(int)(icmp6header->icmp6_type&0x7f)] : icmp6LowPktStr[(int)(icmp6header->icmp6_type&0x7f)] ), + IcmpPacketType(icmp6header->icmp6_type), preply.rtt, preply.hops);