This is the mail archive of the ecos-discuss@sourceware.org mailing list for the eCos project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: RE: Security issue with bsd stack


A capture of the datagram which caused the error with wireshark or
some other sniffer could be useful. Anyway IMHO the solution would be
as follows:

* Short answer: Replace panic("icmp len") with a logging function
(printf of whatever), then a call to freeit and finish the function
execution with return.

*Explanation: In the BSD TCP/IP stack m->m_data would point to the IP
header and m->m_pktdat to 16 (ethernet header) or 72 bytes (ethernet
header + IP options) before m_data . If (m->m_data - sizeof(struct ip)
< m->m_pktdat) I would say that the IP header was malformed and wasn't
properly parsed in the m_buf so IMHO you can discard it and not
sending the ICMP message. (I think Linux, for example,  expects that
the original datagram's header is properly formed, otherwise no ICMP
answer is sent).

I hope it helps.

Best regards,
Marcos Del Puerto

On Tue, Mar 31, 2009 at 8:33 PM, Saritha Yellanki <ysaritha@broadcom.com> wrote:
> ?More info on the ISIC can be found at <http://www.packetfactory.net/projects/ISIC/>
>
> Thanks
> saritha
>
>
> -----Original Message-----
> From: Saritha Yellanki
> Sent: Tuesday, March 31, 2009 11:59 PM
> To: 'ecos-discuss'
> Subject: Security issue with bsd stack
>
> Hi All,
>
> I am testing our ecos system ?with bsd tcp/ip stack with ISIC tool (ISIC -- IP Stack Integrity Checker) ?and found an issue as mentioned below
>
> Description:
>
> (ISIC is a suite of utilities to exercise the stability of an IP Stack and its component stacks (TCP, UDP, ICMP et. al.) It generates piles of pseudo random packets of the target protocol. The packets be given tendancies to conform to. Ie 50% of the packets generated can have IP Options. 25% of the packets can be IP fragments... But the percentages are arbitrary and most of the packet fields have a configurable tendancy.)
>
> When ?we send stream of packets ?using the command ?"tcpsic -s 10.10.10.10,23 -d 10.10.10.100 -I 100" ,our system hangs ,and we ?observed that ?the ?code ( panic ("icmp len") ) ?highlighted ?below was hit , when ?we run the above test case
>
> What should be the correct behaviour?
> Could you please give your inputs or opinion on how to handle this case ?
>
> Thanks
> saritha
>
> Details of the Panic message
> ============================
> In ?the file "src/sys/netinet/ip_icmp.c"
>
> /*
> ?* Generate an error packet of type error
> ?* in response to bad packet ip.
> ?*/
> void
> icmp_error(n, type, code, dest, destifp)
> ?struct mbuf *n;
> ?int type, code;
> ?n_long dest;
> ?struct ifnet *destifp;
>
> {
> ?register struct ip *oip = mtod(n, struct ip *), *nip;
> ?register unsigned oiplen = IP_VHL_HL(oip->ip_vhl) << 2;
> ?register struct icmp *icp;
> ?register struct mbuf *m;
> ?unsigned icmplen;
> ? .......
> ? ..........
>
> ? ? /*
> ? * Now, copy old ip header (without options)
> ? * in front of icmp message.
> ? ? if (m->m_data - sizeof(struct ip) < m->m_pktdat)
> ? ? ? panic("icmp len"); ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ////////////////////////////////////////// ?This PANIC OCCURED when the test case was run ?//////////////////////////////////
>
> ?..............
> ?............
>
> }
>
> --
> Before posting, please read the FAQ: http://ecos.sourceware.org/fom/ecos
> and search the list archive: http://ecos.sourceware.org/ml/ecos-discuss
>
>

--
Before posting, please read the FAQ: http://ecos.sourceware.org/fom/ecos
and search the list archive: http://ecos.sourceware.org/ml/ecos-discuss


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]