Re: [Qemu-devel] [PATCH, DoS] slirp (arp): do not special-case bogus IP
From: Edgar E. Iglesias
Subject: Re: [Qemu-devel] [PATCH, DoS] slirp (arp): do not special-case bogus IP addresses
Date: Thu, 8 May 2014 06:10:18 +0000
User-agent: Mutt/1.5.21 (2010-09-15)
On Thu, May 08, 2014 at 12:15:09AM +0200, Samuel Thibault wrote:
> Do not special-case addresses with zero host part, as we do not
> necessarily know how big it is, and the guest can fake them anyway.
Hi Samuel,
The search part looks OK to me, but when adding to the ARP table, don't
you at least want to avoid adding mappings for 0.0.0.0/32, to avoid,
for example, GARPs polluting the cache with invalid entries?
Cheers,
Edgar
>
> Signed-off-by: Samuel Thibault <address@hidden>
> ---
>
> This is particularly bad actually, one can for instance simply do this
> inside a Linux guest
>
> ip addr add 192.0.0.0/1 dev eth0
>
> and crash qemu (thus a DoS) by just emitting a packet (thus from
> 192.0.0.0), getting:
>
> qemu-system-x86_64: /usr/src/qemu/slirp/arp_table.c:77: arp_table_search:
> Assertion `(ip_addr & __bswap_32 (~(0xfU << 28))) != 0' failed.
>
> so it should probably go to all stable maintained versions.
>
> arp_table.c | 8 --------
> 1 file changed, 8 deletions(-)
>
> diff --git a/slirp/arp_table.c b/slirp/arp_table.c
> index ecdb0ba..243cbbc 100644
> --- a/slirp/arp_table.c
> +++ b/slirp/arp_table.c
> @@ -37,11 +37,6 @@ void arp_table_add(Slirp *slirp, uint32_t ip_addr, uint8_t
> ethaddr[ETH_ALEN])
> ethaddr[0], ethaddr[1], ethaddr[2],
> ethaddr[3], ethaddr[4], ethaddr[5]));
>
> - /* Check 0.0.0.0/8 invalid source-only addresses */
> - if ((ip_addr & htonl(~(0xfU << 28))) == 0) {
> - return;
> - }
> -
> if (ip_addr == 0xffffffff || ip_addr == broadcast_addr) {
> /* Do not register broadcast addresses */
> return;
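Review bot: Dropping the early return in arp_table_add leaves 0.0.0.0 itself registrable, because the only guard that remains rejects 0xffffffff and broadcast_addr. The removed mask, `~(0xfU << 28)`, tested the low 28 bits of the address rather than the 0.0.0.0/8 range its comment named, which is why 192.0.0.0 matched, so removing it is right. Consider keeping a narrow `if (ip_addr == 0) return;` beside the broadcast check so that a gratuitous ARP for the unspecified address cannot create a table entry.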
> @@ -73,9 +68,6 @@ bool arp_table_search(Slirp *slirp, uint32_t ip_addr,
> DEBUG_CALL("arp_table_search");
> DEBUG_ARG("ip = 0x%x", ip_addr);
>
> - /* Check 0.0.0.0/8 invalid source-only addresses */
> - assert((ip_addr & htonl(~(0xfU << 28))) != 0);
> -
> /* If broadcast address */
> if (ip_addr == 0xffffffff || ip_addr == broadcast_addr) {
> /* return Ethernet broadcast address */
>
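Review bot: The deleted assert in arp_table_search was evaluated on an address the guest chooses, which is what made it a guest-triggerable abort; if any address class still needs refusing at this point, it should be a `return false;` path and never an assertion. With the check gone, a lookup for 0.0.0.0 now continues past the broadcast test, so the commit message should say that such lookups are expected to miss, which only holds if the add path keeps that address out of the table.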