freebsd-nq/sys/netinet/ip_icmp.c

924 lines
24 KiB
C
Raw Normal View History

/*-
1994-05-24 10:09:53 +00:00
* Copyright (c) 1982, 1986, 1988, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)ip_icmp.c 8.2 (Berkeley) 1/4/94
1999-08-28 01:08:13 +00:00
* $FreeBSD$
1994-05-24 10:09:53 +00:00
*/
#include "opt_ipsec.h"
#include "opt_mac.h"
1994-05-24 10:09:53 +00:00
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/mac.h>
1994-05-24 10:09:53 +00:00
#include <sys/mbuf.h>
#include <sys/protosw.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/kernel.h>
#include <sys/sysctl.h>
1994-05-24 10:09:53 +00:00
#include <net/if.h>
#include <net/if_types.h>
1994-05-24 10:09:53 +00:00
#include <net/route.h>
#include <netinet/in.h>
#include <netinet/in_pcb.h>
1994-05-24 10:09:53 +00:00
#include <netinet/in_systm.h>
#include <netinet/in_var.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/ip_var.h>
#include <netinet/tcp.h>
#include <netinet/tcp_var.h>
#include <netinet/tcpip.h>
1994-05-24 10:09:53 +00:00
#include <netinet/icmp_var.h>
#ifdef IPSEC
#include <netinet6/ipsec.h>
#include <netkey/key.h>
#endif
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/key.h>
#define IPSEC
#endif
#include <machine/in_cksum.h>
1994-05-24 10:09:53 +00:00
/*
* ICMP routines: error generation, receive packet processing, and
* routines to turnaround packets back to the originator, and
* host table maintenance routines.
*/
struct icmpstat icmpstat;
SYSCTL_STRUCT(_net_inet_icmp, ICMPCTL_STATS, stats, CTLFLAG_RW,
&icmpstat, icmpstat, "");
static int icmpmaskrepl = 0;
SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW,
&icmpmaskrepl, 0, "Reply to ICMP Address Mask Request packets.");
static u_int icmpmaskfake = 0;
SYSCTL_UINT(_net_inet_icmp, OID_AUTO, maskfake, CTLFLAG_RW,
&icmpmaskfake, 0, "Fake reply to ICMP Address Mask Request packets.");
static int drop_redirect = 0;
SYSCTL_INT(_net_inet_icmp, OID_AUTO, drop_redirect, CTLFLAG_RW,
&drop_redirect, 0, "");
1999-09-14 16:40:28 +00:00
static int log_redirect = 0;
SYSCTL_INT(_net_inet_icmp, OID_AUTO, log_redirect, CTLFLAG_RW,
1999-09-14 16:40:28 +00:00
&log_redirect, 0, "");
static int icmplim = 200;
SYSCTL_INT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLFLAG_RW,
&icmplim, 0, "");
static int icmplim_output = 1;
SYSCTL_INT(_net_inet_icmp, OID_AUTO, icmplim_output, CTLFLAG_RW,
&icmplim_output, 0, "");
static char reply_src[IFNAMSIZ];
SYSCTL_STRING(_net_inet_icmp, OID_AUTO, reply_src, CTLFLAG_RW,
&reply_src, IFNAMSIZ, "icmp reply source for non-local packets.");
/*
* ICMP broadcast echo sysctl
*/
static int icmpbmcastecho = 0;
SYSCTL_INT(_net_inet_icmp, OID_AUTO, bmcastecho, CTLFLAG_RW,
&icmpbmcastecho, 0, "");
1994-05-24 10:09:53 +00:00
#ifdef ICMPPRINTFS
int icmpprintfs = 0;
#endif
2002-03-19 21:25:46 +00:00
static void icmp_reflect(struct mbuf *);
static void icmp_send(struct mbuf *, struct mbuf *);
2002-03-19 21:25:46 +00:00
static int ip_next_mtu(int, int);
1994-05-24 10:09:53 +00:00
extern struct protosw inetsw[];
/*
* Generate an error packet of type error
* in response to bad packet ip.
*/
void
icmp_error(n, type, code, dest, destifp)
struct mbuf *n;
int type, code;
n_long dest;
struct ifnet *destifp;
{
register struct ip *oip = mtod(n, struct ip *), *nip;
register unsigned oiplen = oip->ip_hl << 2;
1994-05-24 10:09:53 +00:00
register struct icmp *icp;
register struct mbuf *m;
unsigned icmplen;
#ifdef ICMPPRINTFS
if (icmpprintfs)
printf("icmp_error(%p, %x, %d)\n", oip, type, code);
1994-05-24 10:09:53 +00:00
#endif
if (type != ICMP_REDIRECT)
icmpstat.icps_error++;
/*
* Don't send error if the original packet was encrypted.
1994-05-24 10:09:53 +00:00
* Don't send error if not the first fragment of message.
* Don't error if the old packet protocol was ICMP
* error message, only known informational types.
*/
if (n->m_flags & M_DECRYPTED)
goto freeit;
1994-05-24 10:09:53 +00:00
if (oip->ip_off &~ (IP_MF|IP_DF))
goto freeit;
if (oip->ip_p == IPPROTO_ICMP && type != ICMP_REDIRECT &&
n->m_len >= oiplen + ICMP_MINLEN &&
!ICMP_INFOTYPE(((struct icmp *)((caddr_t)oip + oiplen))->icmp_type)) {
icmpstat.icps_oldicmp++;
goto freeit;
}
/* Don't send error in response to a multicast or broadcast packet */
if (n->m_flags & (M_BCAST|M_MCAST))
goto freeit;
/*
* First, formulate icmp message
*/
m = m_gethdr(M_DONTWAIT, MT_HEADER);
1994-05-24 10:09:53 +00:00
if (m == NULL)
goto freeit;
#ifdef MAC
mac_create_mbuf_netlayer(n, m);
#endif
icmplen = min(oiplen + 8, oip->ip_len);
if (icmplen < sizeof(struct ip))
panic("icmp_error: bad length");
1994-05-24 10:09:53 +00:00
m->m_len = icmplen + ICMP_MINLEN;
MH_ALIGN(m, m->m_len);
icp = mtod(m, struct icmp *);
if ((u_int)type > ICMP_MAXTYPE)
panic("icmp_error");
icmpstat.icps_outhist[type]++;
icp->icmp_type = type;
if (type == ICMP_REDIRECT)
icp->icmp_gwaddr.s_addr = dest;
else {
icp->icmp_void = 0;
1995-05-30 08:16:23 +00:00
/*
1994-05-24 10:09:53 +00:00
* The following assignments assume an overlay with the
* zeroed icmp_void field.
*/
if (type == ICMP_PARAMPROB) {
icp->icmp_pptr = code;
code = 0;
} else if (type == ICMP_UNREACH &&
code == ICMP_UNREACH_NEEDFRAG && destifp) {
icp->icmp_nextmtu = htons(destifp->if_mtu);
}
}
icp->icmp_code = code;
m_copydata(n, 0, icmplen, (caddr_t)&icp->icmp_ip);
1994-05-24 10:09:53 +00:00
nip = &icp->icmp_ip;
Fixed broken ICMP error generation, unified conversion of IP header fields between host and network byte order. The details: o icmp_error() now does not add IP header length. This fixes the problem when icmp_error() is called from ip_forward(). In this case the ip_len of the original IP datagram returned with ICMP error was wrong. o icmp_error() expects all three fields, ip_len, ip_id and ip_off in host byte order, so DTRT and convert these fields back to network byte order before sending a message. This fixes the problem described in PR 16240 and PR 20877 (ip_id field was returned in host byte order). o ip_ttl decrement operation in ip_forward() was moved down to make sure that it does not corrupt the copy of original IP datagram passed later to icmp_error(). o A copy of original IP datagram in ip_forward() was made a read-write, independent copy. This fixes the problem I first reported to Garrett Wollman and Bill Fenner and later put in audit trail of PR 16240: ip_output() (not always) converts fields of original datagram to network byte order, but because copy (mcopy) and its original (m) most likely share the same mbuf cluster, ip_output()'s manipulations on original also corrupted the copy. o ip_output() now expects all three fields, ip_len, ip_off and (what is significant) ip_id in host byte order. It was a headache for years that ip_id was handled differently. The only compatibility issue here is the raw IP socket interface with IP_HDRINCL socket option set and a non-zero ip_id field, but ip.4 manual page was unclear on whether in this case ip_id field should be in host or network byte order.
2000-09-01 12:33:03 +00:00
/*
* Convert fields to network representation.
*/
nip->ip_len = htons(nip->ip_len);
nip->ip_off = htons(nip->ip_off);
1994-05-24 10:09:53 +00:00
/*
* Now, copy old ip header (without options)
* in front of icmp message.
*/
if (m->m_data - sizeof(struct ip) < m->m_pktdat)
panic("icmp len");
/*
* If the original mbuf was meant to bypass the firewall, the error
* reply should bypass as well.
*/
m->m_flags |= n->m_flags & M_SKIP_FIREWALL;
1994-05-24 10:09:53 +00:00
m->m_data -= sizeof(struct ip);
m->m_len += sizeof(struct ip);
m->m_pkthdr.len = m->m_len;
m->m_pkthdr.rcvif = n->m_pkthdr.rcvif;
nip = mtod(m, struct ip *);
bcopy((caddr_t)oip, (caddr_t)nip, sizeof(struct ip));
nip->ip_len = m->m_len;
nip->ip_v = IPVERSION;
nip->ip_hl = 5;
1994-05-24 10:09:53 +00:00
nip->ip_p = IPPROTO_ICMP;
nip->ip_tos = 0;
icmp_reflect(m);
freeit:
m_freem(n);
}
/*
* Process a received ICMP message.
*/
void
icmp_input(m, off)
struct mbuf *m;
int off;
1994-05-24 10:09:53 +00:00
{
struct icmp *icp;
struct in_ifaddr *ia;
struct ip *ip = mtod(m, struct ip *);
struct sockaddr_in icmpsrc, icmpdst, icmpgw;
int hlen = off;
1994-05-24 10:09:53 +00:00
int icmplen = ip->ip_len;
int i, code;
2002-03-19 21:25:46 +00:00
void (*ctlfunc)(int, struct sockaddr *, void *);
1994-05-24 10:09:53 +00:00
/*
* Locate icmp structure in mbuf, and check
* that not corrupted and of at least minimum length.
*/
#ifdef ICMPPRINTFS
if (icmpprintfs) {
char buf[4 * sizeof "123"];
strcpy(buf, inet_ntoa(ip->ip_src));
printf("icmp_input from %s to %s, len %d\n",
buf, inet_ntoa(ip->ip_dst), icmplen);
}
1994-05-24 10:09:53 +00:00
#endif
if (icmplen < ICMP_MINLEN) {
icmpstat.icps_tooshort++;
goto freeit;
}
i = hlen + min(icmplen, ICMP_ADVLENMIN);
if (m->m_len < i && (m = m_pullup(m, i)) == 0) {
icmpstat.icps_tooshort++;
return;
}
ip = mtod(m, struct ip *);
m->m_len -= hlen;
m->m_data += hlen;
icp = mtod(m, struct icmp *);
if (in_cksum(m, icmplen)) {
icmpstat.icps_checksum++;
goto freeit;
}
m->m_len += hlen;
m->m_data -= hlen;
if (m->m_pkthdr.rcvif && m->m_pkthdr.rcvif->if_type == IFT_FAITH) {
/*
* Deliver very specific ICMP type only.
*/
switch (icp->icmp_type) {
case ICMP_UNREACH:
case ICMP_TIMXCEED:
break;
default:
goto freeit;
}
}
1994-05-24 10:09:53 +00:00
#ifdef ICMPPRINTFS
if (icmpprintfs)
printf("icmp_input, type %d code %d\n", icp->icmp_type,
icp->icmp_code);
#endif
/*
* Message type specific processing.
*/
1994-05-24 10:09:53 +00:00
if (icp->icmp_type > ICMP_MAXTYPE)
goto raw;
/* Initialize */
bzero(&icmpsrc, sizeof(icmpsrc));
icmpsrc.sin_len = sizeof(struct sockaddr_in);
icmpsrc.sin_family = AF_INET;
bzero(&icmpdst, sizeof(icmpdst));
icmpdst.sin_len = sizeof(struct sockaddr_in);
icmpdst.sin_family = AF_INET;
bzero(&icmpgw, sizeof(icmpgw));
icmpgw.sin_len = sizeof(struct sockaddr_in);
icmpgw.sin_family = AF_INET;
1994-05-24 10:09:53 +00:00
icmpstat.icps_inhist[icp->icmp_type]++;
code = icp->icmp_code;
switch (icp->icmp_type) {
case ICMP_UNREACH:
switch (code) {
case ICMP_UNREACH_NET:
case ICMP_UNREACH_HOST:
case ICMP_UNREACH_SRCFAIL:
case ICMP_UNREACH_NET_UNKNOWN:
case ICMP_UNREACH_HOST_UNKNOWN:
case ICMP_UNREACH_ISOLATED:
case ICMP_UNREACH_TOSNET:
case ICMP_UNREACH_TOSHOST:
case ICMP_UNREACH_HOST_PRECEDENCE:
case ICMP_UNREACH_PRECEDENCE_CUTOFF:
code = PRC_UNREACH_NET;
1994-05-24 10:09:53 +00:00
break;
case ICMP_UNREACH_NEEDFRAG:
code = PRC_MSGSIZE;
break;
1995-05-30 08:16:23 +00:00
/*
* RFC 1122, Sections 3.2.2.1 and 4.2.3.9.
* Treat subcodes 2,3 as immediate RST
*/
case ICMP_UNREACH_PROTOCOL:
case ICMP_UNREACH_PORT:
code = PRC_UNREACH_PORT;
break;
We currently does not react to ICMP administratively prohibited messages send by routers when they deny our traffic, this causes a timeout when trying to connect to TCP ports/services on a remote host, which is blocked by routers or firewalls. rfc1122 (Requirements for Internet Hosts) section 3.2.2.1 actually requi re that we treat such a message for a TCP session, that we treat it like if we had recieved a RST. quote begin. A Destination Unreachable message that is received MUST be reported to the transport layer. The transport layer SHOULD use the information appropriately; for example, see Sections 4.1.3.3, 4.2.3.9, and 4.2.4 below. A transport protocol that has its own mechanism for notifying the sender that a port is unreachable (e.g., TCP, which sends RST segments) MUST nevertheless accept an ICMP Port Unreachable for the same purpose. quote end. I've written a small extension that implement this, it also create a sysctl "net.inet.tcp.icmp_admin_prohib_like_rst" to control if this new behaviour is activated. When it's activated (set to 1) we'll treat a ICMP administratively prohibited message (icmp type 3 code 9, 10 and 13) for a TCP sessions, as if we recived a TCP RST, but only if the TCP session is in SYN_SENT state. The reason for only reacting when in SYN_SENT state, is that this will solve the problem, and at the same time minimize the risk of this being abused. I suggest that we enable this new behaviour by default, but it would be a change of current behaviour, so if people prefer to leave it disabled by default, at least for now, this would be ok for me, the attached diff actually have the sysctl set to 0 by default. PR: 23086 Submitted by: Jesper Skriver <jesper@skriver.dk>
2000-12-16 19:42:06 +00:00
case ICMP_UNREACH_NET_PROHIB:
1994-05-24 10:09:53 +00:00
case ICMP_UNREACH_HOST_PROHIB:
case ICMP_UNREACH_FILTER_PROHIB:
code = PRC_UNREACH_ADMIN_PROHIB;
break;
We currently does not react to ICMP administratively prohibited messages send by routers when they deny our traffic, this causes a timeout when trying to connect to TCP ports/services on a remote host, which is blocked by routers or firewalls. rfc1122 (Requirements for Internet Hosts) section 3.2.2.1 actually requi re that we treat such a message for a TCP session, that we treat it like if we had recieved a RST. quote begin. A Destination Unreachable message that is received MUST be reported to the transport layer. The transport layer SHOULD use the information appropriately; for example, see Sections 4.1.3.3, 4.2.3.9, and 4.2.4 below. A transport protocol that has its own mechanism for notifying the sender that a port is unreachable (e.g., TCP, which sends RST segments) MUST nevertheless accept an ICMP Port Unreachable for the same purpose. quote end. I've written a small extension that implement this, it also create a sysctl "net.inet.tcp.icmp_admin_prohib_like_rst" to control if this new behaviour is activated. When it's activated (set to 1) we'll treat a ICMP administratively prohibited message (icmp type 3 code 9, 10 and 13) for a TCP sessions, as if we recived a TCP RST, but only if the TCP session is in SYN_SENT state. The reason for only reacting when in SYN_SENT state, is that this will solve the problem, and at the same time minimize the risk of this being abused. I suggest that we enable this new behaviour by default, but it would be a change of current behaviour, so if people prefer to leave it disabled by default, at least for now, this would be ok for me, the attached diff actually have the sysctl set to 0 by default. PR: 23086 Submitted by: Jesper Skriver <jesper@skriver.dk>
2000-12-16 19:42:06 +00:00
1994-05-24 10:09:53 +00:00
default:
goto badcode;
}
goto deliver;
case ICMP_TIMXCEED:
if (code > 1)
goto badcode;
code += PRC_TIMXCEED_INTRANS;
goto deliver;
case ICMP_PARAMPROB:
if (code > 1)
goto badcode;
code = PRC_PARAMPROB;
goto deliver;
case ICMP_SOURCEQUENCH:
if (code)
goto badcode;
code = PRC_QUENCH;
deliver:
/*
* Problem with datagram; advise higher level routines.
*/
if (icmplen < ICMP_ADVLENMIN || icmplen < ICMP_ADVLEN(icp) ||
icp->icmp_ip.ip_hl < (sizeof(struct ip) >> 2)) {
1994-05-24 10:09:53 +00:00
icmpstat.icps_badlen++;
goto freeit;
}
icp->icmp_ip.ip_len = ntohs(icp->icmp_ip.ip_len);
/* Discard ICMP's in response to multicast packets */
if (IN_MULTICAST(ntohl(icp->icmp_ip.ip_dst.s_addr)))
goto badcode;
1994-05-24 10:09:53 +00:00
#ifdef ICMPPRINTFS
if (icmpprintfs)
printf("deliver to protocol %d\n", icp->icmp_ip.ip_p);
#endif
icmpsrc.sin_addr = icp->icmp_ip.ip_dst;
/*
* MTU discovery:
* If we got a needfrag and there is a host route to the
* original destination, and the MTU is not locked, then
* set the MTU in the route to the suggested new value
* (if given) and then notify as usual. The ULPs will
* notice that the MTU has changed and adapt accordingly.
* If no new MTU was suggested, then we guess a new one
* less than the current value. If the new MTU is
Limiters and sanity checks for TCP MSS (maximum segement size) resource exhaustion attacks. For network link optimization TCP can adjust its MSS and thus packet size according to the observed path MTU. This is done dynamically based on feedback from the remote host and network components along the packet path. This information can be abused to pretend an extremely low path MTU. The resource exhaustion works in two ways: o during tcp connection setup the advertized local MSS is exchanged between the endpoints. The remote endpoint can set this arbitrarily low (except for a minimum MTU of 64 octets enforced in the BSD code). When the local host is sending data it is forced to send many small IP packets instead of a large one. For example instead of the normal TCP payload size of 1448 it forces TCP payload size of 12 (MTU 64) and thus we have a 120 times increase in workload and packets. On fast links this quickly saturates the local CPU and may also hit pps processing limites of network components along the path. This type of attack is particularly effective for servers where the attacker can download large files (WWW and FTP). We mitigate it by enforcing a minimum MTU settable by sysctl net.inet.tcp.minmss defaulting to 256 octets. o the local host is reveiving data on a TCP connection from the remote host. The local host has no control over the packet size the remote host is sending. The remote host may chose to do what is described in the first attack and send the data in packets with an TCP payload of at least one byte. For each packet the tcp_input() function will be entered, the packet is processed and a sowakeup() is signalled to the connected process. For example an attack with 2 Mbit/s gives 4716 packets per second and the same amount of sowakeup()s to the process (and context switches). This type of attack is particularly effective for servers where the attacker can upload large amounts of data. Normally this is the case with WWW server where large POSTs can be made. We mitigate this by calculating the average MSS payload per second. If it goes below 'net.inet.tcp.minmss' and the pps rate is above 'net.inet.tcp.minmssoverload' defaulting to 1000 this particular TCP connection is resetted and dropped. MITRE CVE: CAN-2004-0002 Reviewed by: sam (mentor) MFC after: 1 day
2004-01-08 17:40:07 +00:00
* unreasonably small (defined by sysctl tcp_minmss), then
* we don't update the MTU value.
*
* XXX: All this should be done in tcp_mtudisc() because
* the way we do it now, everyone can send us bogus ICMP
* MSGSIZE packets for any destination. By doing this far
* higher in the chain we have a matching tcp connection.
* Thus spoofing is much harder. However there is no easy
* non-hackish way to pass the new MTU up to tcp_mtudisc().
* Also see next XXX regarding IPv4 AH TCP.
*/
if (code == PRC_MSGSIZE) {
int mtu;
struct in_conninfo inc;
bzero(&inc, sizeof(inc));
inc.inc_flags = 0; /* IPv4 */
inc.inc_faddr = icmpsrc.sin_addr;
mtu = ntohs(icp->icmp_nextmtu);
if (!mtu)
mtu = ip_next_mtu(mtu, 1);
Limiters and sanity checks for TCP MSS (maximum segement size) resource exhaustion attacks. For network link optimization TCP can adjust its MSS and thus packet size according to the observed path MTU. This is done dynamically based on feedback from the remote host and network components along the packet path. This information can be abused to pretend an extremely low path MTU. The resource exhaustion works in two ways: o during tcp connection setup the advertized local MSS is exchanged between the endpoints. The remote endpoint can set this arbitrarily low (except for a minimum MTU of 64 octets enforced in the BSD code). When the local host is sending data it is forced to send many small IP packets instead of a large one. For example instead of the normal TCP payload size of 1448 it forces TCP payload size of 12 (MTU 64) and thus we have a 120 times increase in workload and packets. On fast links this quickly saturates the local CPU and may also hit pps processing limites of network components along the path. This type of attack is particularly effective for servers where the attacker can download large files (WWW and FTP). We mitigate it by enforcing a minimum MTU settable by sysctl net.inet.tcp.minmss defaulting to 256 octets. o the local host is reveiving data on a TCP connection from the remote host. The local host has no control over the packet size the remote host is sending. The remote host may chose to do what is described in the first attack and send the data in packets with an TCP payload of at least one byte. For each packet the tcp_input() function will be entered, the packet is processed and a sowakeup() is signalled to the connected process. For example an attack with 2 Mbit/s gives 4716 packets per second and the same amount of sowakeup()s to the process (and context switches). This type of attack is particularly effective for servers where the attacker can upload large amounts of data. Normally this is the case with WWW server where large POSTs can be made. We mitigate this by calculating the average MSS payload per second. If it goes below 'net.inet.tcp.minmss' and the pps rate is above 'net.inet.tcp.minmssoverload' defaulting to 1000 this particular TCP connection is resetted and dropped. MITRE CVE: CAN-2004-0002 Reviewed by: sam (mentor) MFC after: 1 day
2004-01-08 17:40:07 +00:00
if (mtu >= max(296, (tcp_minmss +
sizeof(struct tcpiphdr))))
tcp_hc_updatemtu(&inc, mtu);
#ifdef DEBUG_MTUDISC
printf("MTU for %s reduced to %d\n",
inet_ntoa(icmpsrc.sin_addr), mtu);
#endif
}
/*
* XXX if the packet contains [IPv4 AH TCP], we can't make a
* notification to TCP layer.
*/
ctlfunc = inetsw[ip_protox[icp->icmp_ip.ip_p]].pr_ctlinput;
if (ctlfunc)
1994-05-24 10:09:53 +00:00
(*ctlfunc)(code, (struct sockaddr *)&icmpsrc,
(void *)&icp->icmp_ip);
1994-05-24 10:09:53 +00:00
break;
badcode:
icmpstat.icps_badcode++;
break;
case ICMP_ECHO:
if (!icmpbmcastecho
&& (m->m_flags & (M_MCAST | M_BCAST)) != 0) {
icmpstat.icps_bmcastecho++;
break;
}
1994-05-24 10:09:53 +00:00
icp->icmp_type = ICMP_ECHOREPLY;
if (badport_bandlim(BANDLIM_ICMP_ECHO) < 0)
goto freeit;
else
goto reflect;
1994-05-24 10:09:53 +00:00
case ICMP_TSTAMP:
if (!icmpbmcastecho
&& (m->m_flags & (M_MCAST | M_BCAST)) != 0) {
icmpstat.icps_bmcasttstamp++;
break;
}
1994-05-24 10:09:53 +00:00
if (icmplen < ICMP_TSLEN) {
icmpstat.icps_badlen++;
break;
}
icp->icmp_type = ICMP_TSTAMPREPLY;
icp->icmp_rtime = iptime();
icp->icmp_ttime = icp->icmp_rtime; /* bogus, do later! */
if (badport_bandlim(BANDLIM_ICMP_TSTAMP) < 0)
goto freeit;
else
goto reflect;
1995-05-30 08:16:23 +00:00
1994-05-24 10:09:53 +00:00
case ICMP_MASKREQ:
if (icmpmaskrepl == 0)
break;
/*
* We are not able to respond with all ones broadcast
* unless we receive it over a point-to-point interface.
*/
if (icmplen < ICMP_MASKLEN)
break;
switch (ip->ip_dst.s_addr) {
case INADDR_BROADCAST:
case INADDR_ANY:
icmpdst.sin_addr = ip->ip_src;
break;
default:
icmpdst.sin_addr = ip->ip_dst;
}
ia = (struct in_ifaddr *)ifaof_ifpforaddr(
(struct sockaddr *)&icmpdst, m->m_pkthdr.rcvif);
if (ia == 0)
break;
if (ia->ia_ifp == 0)
break;
1994-05-24 10:09:53 +00:00
icp->icmp_type = ICMP_MASKREPLY;
if (icmpmaskfake == 0)
icp->icmp_mask = ia->ia_sockmask.sin_addr.s_addr;
else
icp->icmp_mask = icmpmaskfake;
1994-05-24 10:09:53 +00:00
if (ip->ip_src.s_addr == 0) {
if (ia->ia_ifp->if_flags & IFF_BROADCAST)
ip->ip_src = satosin(&ia->ia_broadaddr)->sin_addr;
else if (ia->ia_ifp->if_flags & IFF_POINTOPOINT)
ip->ip_src = satosin(&ia->ia_dstaddr)->sin_addr;
}
reflect:
ip->ip_len += hlen; /* since ip_input deducts this */
icmpstat.icps_reflect++;
icmpstat.icps_outhist[icp->icmp_type]++;
icmp_reflect(m);
return;
case ICMP_REDIRECT:
if (log_redirect) {
u_long src, dst, gw;
src = ntohl(ip->ip_src.s_addr);
dst = ntohl(icp->icmp_ip.ip_dst.s_addr);
gw = ntohl(icp->icmp_gwaddr.s_addr);
printf("icmp redirect from %d.%d.%d.%d: "
"%d.%d.%d.%d => %d.%d.%d.%d\n",
(int)(src >> 24), (int)((src >> 16) & 0xff),
(int)((src >> 8) & 0xff), (int)(src & 0xff),
(int)(dst >> 24), (int)((dst >> 16) & 0xff),
(int)((dst >> 8) & 0xff), (int)(dst & 0xff),
(int)(gw >> 24), (int)((gw >> 16) & 0xff),
(int)((gw >> 8) & 0xff), (int)(gw & 0xff));
}
/*
* RFC1812 says we must ignore ICMP redirects if we
* are acting as router.
*/
if (drop_redirect || ipforwarding)
break;
1994-05-24 10:09:53 +00:00
if (code > 3)
goto badcode;
if (icmplen < ICMP_ADVLENMIN || icmplen < ICMP_ADVLEN(icp) ||
icp->icmp_ip.ip_hl < (sizeof(struct ip) >> 2)) {
1994-05-24 10:09:53 +00:00
icmpstat.icps_badlen++;
break;
}
/*
* Short circuit routing redirects to force
* immediate change in the kernel's routing
* tables. The message is also handed to anyone
* listening on a raw socket (e.g. the routing
* daemon for use in updating its tables).
*/
icmpgw.sin_addr = ip->ip_src;
icmpdst.sin_addr = icp->icmp_gwaddr;
#ifdef ICMPPRINTFS
if (icmpprintfs) {
char buf[4 * sizeof "123"];
strcpy(buf, inet_ntoa(icp->icmp_ip.ip_dst));
printf("redirect dst %s to %s\n",
buf, inet_ntoa(icp->icmp_gwaddr));
}
1994-05-24 10:09:53 +00:00
#endif
icmpsrc.sin_addr = icp->icmp_ip.ip_dst;
rtredirect((struct sockaddr *)&icmpsrc,
(struct sockaddr *)&icmpdst,
(struct sockaddr *)0, RTF_GATEWAY | RTF_HOST,
(struct sockaddr *)&icmpgw);
1994-05-24 10:09:53 +00:00
pfctlinput(PRC_REDIRECT_HOST, (struct sockaddr *)&icmpsrc);
#ifdef IPSEC
key_sa_routechange((struct sockaddr *)&icmpsrc);
#endif
1994-05-24 10:09:53 +00:00
break;
/*
* No kernel processing for the following;
* just fall through to send to raw listener.
*/
case ICMP_ECHOREPLY:
case ICMP_ROUTERADVERT:
case ICMP_ROUTERSOLICIT:
case ICMP_TSTAMPREPLY:
case ICMP_IREQREPLY:
case ICMP_MASKREPLY:
default:
break;
}
raw:
rip_input(m, off);
1994-05-24 10:09:53 +00:00
return;
freeit:
m_freem(m);
}
/*
* Reflect the ip packet back to the source
*/
static void
1994-05-24 10:09:53 +00:00
icmp_reflect(m)
struct mbuf *m;
{
struct ip *ip = mtod(m, struct ip *);
struct ifaddr *ifa;
struct ifnet *ifn;
struct in_ifaddr *ia;
1994-05-24 10:09:53 +00:00
struct in_addr t;
struct mbuf *opts = 0;
int optlen = (ip->ip_hl << 2) - sizeof(struct ip);
1994-05-24 10:09:53 +00:00
if (!in_canforward(ip->ip_src) &&
((ntohl(ip->ip_src.s_addr) & IN_CLASSA_NET) !=
(IN_LOOPBACKNET << IN_CLASSA_NSHIFT))) {
m_freem(m); /* Bad return address */
icmpstat.icps_badaddr++;
1994-05-24 10:09:53 +00:00
goto done; /* Ip_output() will check for broadcast */
}
t = ip->ip_dst;
ip->ip_dst = ip->ip_src;
1994-05-24 10:09:53 +00:00
/*
* Source selection for ICMP replies:
*
* If the incoming packet was addressed directly to one of our
* own addresses, use dst as the src for the reply.
1994-05-24 10:09:53 +00:00
*/
LIST_FOREACH(ia, INADDR_HASH(t.s_addr), ia_hash)
1994-05-24 10:09:53 +00:00
if (t.s_addr == IA_SIN(ia)->sin_addr.s_addr)
goto match;
/*
* If the incoming packet was addressed to one of our broadcast
* addresses, use the first non-broadcast address which corresponds
* to the incoming interface.
*/
if (m->m_pkthdr.rcvif != NULL &&
m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST) {
TAILQ_FOREACH(ifa, &m->m_pkthdr.rcvif->if_addrhead, ifa_link) {
if (ifa->ifa_addr->sa_family != AF_INET)
continue;
2001-12-14 19:32:47 +00:00
ia = ifatoia(ifa);
if (satosin(&ia->ia_broadaddr)->sin_addr.s_addr ==
t.s_addr)
goto match;
}
}
/*
* If the incoming packet was not addressed directly to us, use
* designated interface for icmp replies specified by sysctl
* net.inet.icmp.reply_src (default not set). Otherwise continue
* with normal source selection.
*/
if (reply_src[0] != '\0' && (ifn = ifunit(reply_src))) {
TAILQ_FOREACH(ifa, &ifn->if_addrhead, ifa_link) {
if (ifa->ifa_addr->sa_family != AF_INET)
continue;
ia = ifatoia(ifa);
goto match;
}
}
/*
* If the packet was transiting through us, use the address of
* the interface that is the closest to the packet source.
* When we don't have a route back to the packet source, stop here
* and drop the packet.
*/
ia = ip_rtaddr(ip->ip_dst);
if (ia == NULL) {
m_freem(m);
icmpstat.icps_noroute++;
goto done;
}
match:
#ifdef MAC
mac_reflect_mbuf_icmp(m);
#endif
1994-05-24 10:09:53 +00:00
t = IA_SIN(ia)->sin_addr;
ip->ip_src = t;
ip->ip_ttl = ip_defttl;
1994-05-24 10:09:53 +00:00
if (optlen > 0) {
register u_char *cp;
int opt, cnt;
u_int len;
/*
* Retrieve any source routing from the incoming packet;
* add on any record-route or timestamp options.
*/
cp = (u_char *) (ip + 1);
if ((opts = ip_srcroute(m)) == 0 &&
(opts = m_gethdr(M_DONTWAIT, MT_HEADER))) {
1994-05-24 10:09:53 +00:00
opts->m_len = sizeof(struct in_addr);
mtod(opts, struct in_addr *)->s_addr = 0;
}
if (opts) {
#ifdef ICMPPRINTFS
if (icmpprintfs)
printf("icmp_reflect optlen %d rt %d => ",
optlen, opts->m_len);
#endif
for (cnt = optlen; cnt > 0; cnt -= len, cp += len) {
opt = cp[IPOPT_OPTVAL];
if (opt == IPOPT_EOL)
break;
if (opt == IPOPT_NOP)
len = 1;
else {
if (cnt < IPOPT_OLEN + sizeof(*cp))
break;
1994-05-24 10:09:53 +00:00
len = cp[IPOPT_OLEN];
if (len < IPOPT_OLEN + sizeof(*cp) ||
len > cnt)
1994-05-24 10:09:53 +00:00
break;
}
/*
* Should check for overflow, but it "can't happen"
*/
1995-05-30 08:16:23 +00:00
if (opt == IPOPT_RR || opt == IPOPT_TS ||
1994-05-24 10:09:53 +00:00
opt == IPOPT_SECURITY) {
bcopy((caddr_t)cp,
mtod(opts, caddr_t) + opts->m_len, len);
opts->m_len += len;
}
}
/* Terminate & pad, if necessary */
cnt = opts->m_len % 4;
if (cnt) {
1994-05-24 10:09:53 +00:00
for (; cnt < 4; cnt++) {
*(mtod(opts, caddr_t) + opts->m_len) =
IPOPT_EOL;
opts->m_len++;
}
}
#ifdef ICMPPRINTFS
if (icmpprintfs)
printf("%d\n", opts->m_len);
#endif
}
/*
* Now strip out original options by copying rest of first
* mbuf's data back, and adjust the IP length.
*/
ip->ip_len -= optlen;
ip->ip_v = IPVERSION;
ip->ip_hl = 5;
1994-05-24 10:09:53 +00:00
m->m_len -= optlen;
if (m->m_flags & M_PKTHDR)
m->m_pkthdr.len -= optlen;
optlen += sizeof(struct ip);
bcopy((caddr_t)ip + optlen, (caddr_t)(ip + 1),
(unsigned)(m->m_len - sizeof(struct ip)));
}
m_tag_delete_nonpersistent(m);
1994-05-24 10:09:53 +00:00
m->m_flags &= ~(M_BCAST|M_MCAST);
icmp_send(m, opts);
1994-05-24 10:09:53 +00:00
done:
if (opts)
(void)m_free(opts);
}
/*
* Send an icmp packet back to the ip level,
* after supplying a checksum.
*/
static void
icmp_send(m, opts)
1994-05-24 10:09:53 +00:00
register struct mbuf *m;
struct mbuf *opts;
{
register struct ip *ip = mtod(m, struct ip *);
register int hlen;
register struct icmp *icp;
hlen = ip->ip_hl << 2;
1994-05-24 10:09:53 +00:00
m->m_data += hlen;
m->m_len -= hlen;
icp = mtod(m, struct icmp *);
icp->icmp_cksum = 0;
icp->icmp_cksum = in_cksum(m, ip->ip_len - hlen);
m->m_data -= hlen;
m->m_len += hlen;
m->m_pkthdr.rcvif = (struct ifnet *)0;
1994-05-24 10:09:53 +00:00
#ifdef ICMPPRINTFS
if (icmpprintfs) {
char buf[4 * sizeof "123"];
strcpy(buf, inet_ntoa(ip->ip_dst));
printf("icmp_send dst %s src %s\n",
buf, inet_ntoa(ip->ip_src));
}
1994-05-24 10:09:53 +00:00
#endif
(void) ip_output(m, opts, NULL, 0, NULL, NULL);
1994-05-24 10:09:53 +00:00
}
n_time
iptime()
{
struct timeval atv;
u_long t;
getmicrotime(&atv);
1994-05-24 10:09:53 +00:00
t = (atv.tv_sec % (24*60*60)) * 1000 + atv.tv_usec / 1000;
return (htonl(t));
}
/*
* Return the next larger or smaller MTU plateau (table from RFC 1191)
* given current value MTU. If DIR is less than zero, a larger plateau
* is returned; otherwise, a smaller value is returned.
*/
static int
ip_next_mtu(mtu, dir)
int mtu;
int dir;
{
static int mtutab[] = {
65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296,
68, 0
};
int i;
for (i = 0; i < (sizeof mtutab) / (sizeof mtutab[0]); i++) {
if (mtu >= mtutab[i])
break;
}
if (dir < 0) {
if (i == 0) {
return 0;
} else {
return mtutab[i - 1];
}
} else {
if (mtutab[i] == 0) {
return 0;
} else if(mtu > mtutab[i]) {
return mtutab[i];
} else {
return mtutab[i + 1];
}
}
}
/*
* badport_bandlim() - check for ICMP bandwidth limit
*
* Return 0 if it is ok to send an ICMP error response, -1 if we have
* hit our bandwidth limit and it is not ok.
*
* If icmplim is <= 0, the feature is disabled and 0 is returned.
*
* For now we separate the TCP and UDP subsystems w/ different 'which'
* values. We may eventually remove this separation (and simplify the
* code further).
*
* Note that the printing of the error message is delayed so we can
* properly print the icmp error rate that the system was trying to do
* (i.e. 22000/100 pps, etc...). This can cause long delays in printing
* the 'final' error, but it doesn't make sense to solve the printing
* delay with more complex code.
*/
int
badport_bandlim(int which)
{
#define N(a) (sizeof (a) / sizeof (a[0]))
static struct rate {
const char *type;
struct timeval lasttime;
2004-07-13 16:06:19 +00:00
int curpps;
} rates[BANDLIM_MAX+1] = {
{ "icmp unreach response" },
{ "icmp ping response" },
{ "icmp tstamp response" },
{ "closed port RST response" },
{ "open port RST response" }
};
/*
* Return ok status if feature disabled or argument out of range.
*/
if (icmplim > 0 && (u_int) which < N(rates)) {
struct rate *r = &rates[which];
int opps = r->curpps;
if (!ppsratecheck(&r->lasttime, &r->curpps, icmplim))
return -1; /* discard packet */
/*
* If we've dropped below the threshold after having
* rate-limited traffic print the message. This preserves
* the previous behaviour at the expense of added complexity.
*/
2002-12-30 18:45:31 +00:00
if (icmplim_output && opps > icmplim)
printf("Limiting %s from %d to %d packets/sec\n",
2002-12-30 18:45:31 +00:00
r->type, opps, icmplim);
}
return 0; /* okay to send packet */
#undef N
}