NetBSD Problem Report #39018

From mlelstv@henery.1st.de  Sun Jun 22 15:09:01 2008
Return-Path: <mlelstv@henery.1st.de>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id D315863BCE5
	for <gnats-bugs@gnats.NetBSD.org>; Sun, 22 Jun 2008 15:09:01 +0000 (UTC)
Message-Id: <20080622150724.7442028181@henery.1st.de>
Date: Sun, 22 Jun 2008 17:07:24 +0200 (CEST)
From: mlelstv@serpens.de
Reply-To: mlelstv@serpens.de
To: gnats-bugs@gnats.NetBSD.org
Subject: ipsec code doesn't handle specific icmp codes
X-Send-Pr-Version: 3.95

>Number:         39018
>Category:       kern
>Synopsis:       ipsec code doesn't handle specific icmp codes
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jun 22 15:10:00 +0000 2008
>Closed-Date:    Fri Feb 09 20:07:42 +0000 2018
>Last-Modified:  Fri Feb 09 20:07:42 +0000 2018
>Originator:     Michael van Elst
>Release:        NetBSD 4.0_STABLE
>Organization:
-- 
                                Michael van Elst
Internet: mlelstv@serpens.de
                                "A potential Snark may lurk in every tree."
>Environment:


System: NetBSD henery 4.0_STABLE NetBSD 4.0_STABLE (HENERY) #10: Sun Jun 15 18:35:06 CEST 2008 mlelstv@henery:/home/netbsd4/obj.i386/home/netbsd4/src/sys/arch/i386/compile/HENERY i386
Architecture: i386
Machine: i386
>Description:
IPSEC allows specifying rules for specific ICMP packets by qualifying
these with type and code values. This is necessary, for example, to
use unencrypted packets for IPv6 neighbour detection but encrypted packets
for any other communication.

However, neither the KAME nor the FASTIPSEC code honors such rules.

setkey(8) stores ICMP type and code values in the source and destination
port fields of an IPSEC rule. But when searching for such a rule the
secpolicyindex structure is filled with zero values, ignoring the
type and code values of the packet.

>How-To-Repeat:

Try to use IPSEC with IPv6 and specify a rule for ICMP codes 135 and 136.

>Fix:

The problem is in ipsec{4,6}_get_ulp, which ignore the type and code values.

NetBSD ignores the packet data:
[...]
        case IPPROTO_ICMPV6:
        default:
                /* XXX intermediate headers??? */
                spidx->ul_proto = nxt;
                break;
[...]


FreeBSD does it correctly for V6 (still ignores it for V4):

[...]
        case IPPROTO_ICMPV6:
                spidx->ul_proto = nxt;
                if (off + sizeof(struct icmp6_hdr) > m->m_pkthdr.len)
                        break;
                m_copydata(m, off, sizeof(ih), (caddr_t)&ih);
                ((struct sockaddr_in6 *)&spidx->src)->sin6_port =
                    htons((uint16_t)ih.icmp6_type);
                ((struct sockaddr_in6 *)&spidx->dst)->sin6_port =
                    htons((uint16_t)ih.icmp6_code);
                break;
        default:
                /* XXX intermediate headers??? */
                spidx->ul_proto = nxt;
                break;
[...]
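
The following is an added example and is not code from this PR, from NetBSD
or from FreeBSD. It is a small user-space model in C of the lookup described
above: the security-policy index is filled from an ICMPv6 header (type into
the source port field, code into the destination port field, as setkey(8)
stores them), then matched against rules that bypass IPsec for neighbour
solicitation (135) and advertisement (136) and require ESP for everything
else. Both the reported behaviour (fields left zero) and the corrected
behaviour (bounds-checked copy, as in the FreeBSD snippet) are modelled so
the difference in the matched policy is visible. All names (spidx, sp_rule,
get_ulp_broken, get_ulp_fixed, spd_lookup, classify) are hypothetical, the
"0 means any" rule semantics and the 40-byte fixed IPv6 header are modelling
assumptions, and the sample packets are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>   /* htons() */
#include <netinet/in.h>  /* IPPROTO_ICMPV6 */

/* Minimal ICMPv6 header; only type and code are needed here. */
struct icmp6_hdr_min { uint8_t icmp6_type; uint8_t icmp6_code; uint16_t icmp6_cksum; };

/* Hypothetical simplified policy index. Port fields carry the ICMPv6
 * type/code in network byte order; 0 stands for "any" (assumption
 * modelling a setkey(8) rule given without type/code). */
struct spidx { uint8_t ul_proto; uint16_t src_port; uint16_t dst_port; };

enum policy { POLICY_NONE = 0, POLICY_BYPASS, POLICY_REQUIRE_ESP };
struct sp_rule { struct spidx sel; enum policy policy; };

/* Reported behaviour: only the next header is recorded, so every ICMPv6
 * packet yields the same index and type/code rules can never match. */
static void get_ulp_broken(uint8_t nxt, struct spidx *idx)
{
    memset(idx, 0, sizeof(*idx));
    idx->ul_proto = nxt;
}

/* Corrected behaviour, modelled on the FreeBSD code quoted above: check that
 * the header fits, copy it, store type/code in the port fields. Returns -1
 * on a truncated packet, leaving the fields as "any". */
static int get_ulp_fixed(const uint8_t *pkt, size_t len, size_t off,
                         uint8_t nxt, struct spidx *idx)
{
    struct icmp6_hdr_min ih;

    memset(idx, 0, sizeof(*idx));
    idx->ul_proto = nxt;
    if (nxt != IPPROTO_ICMPV6)
        return 0;
    if (off + sizeof(ih) > len)          /* bounds check before the copy */
        return -1;
    memcpy(&ih, pkt + off, sizeof(ih));
    idx->src_port = htons((uint16_t)ih.icmp6_type);
    idx->dst_port = htons((uint16_t)ih.icmp6_code);
    return 0;
}

static struct sp_rule make_rule(uint8_t proto, uint16_t type, uint16_t code, enum policy p)
{
    struct sp_rule r;
    r.sel.ul_proto = proto;
    r.sel.src_port = htons(type);
    r.sel.dst_port = htons(code);
    r.policy = p;
    return r;
}

/* A zero selector field matches anything; first matching rule wins. */
static int rule_matches(const struct spidx *sel, const struct spidx *idx)
{
    if (sel->ul_proto && sel->ul_proto != idx->ul_proto) return 0;
    if (sel->src_port && sel->src_port != idx->src_port) return 0;
    if (sel->dst_port && sel->dst_port != idx->dst_port) return 0;
    return 1;
}

static enum policy spd_lookup(const struct sp_rule *rules, size_t n, const struct spidx *idx)
{
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i].sel, idx))
            return rules[i].policy;
    return POLICY_NONE;
}

#define IPV6_HDR_LEN 40  /* assumption: no extension headers */

/* Classify an IPv6 packet (payload at IPV6_HDR_LEN) with the broken or the
 * fixed extraction. Rules: ND types 135/136 in the clear, all else via ESP. */
enum policy classify(const uint8_t *pkt, size_t len, uint8_t nxt, int fixed)
{
    struct sp_rule rules[3];
    struct spidx idx;

    rules[0] = make_rule(IPPROTO_ICMPV6, 135, 0, POLICY_BYPASS);
    rules[1] = make_rule(IPPROTO_ICMPV6, 136, 0, POLICY_BYPASS);
    rules[2] = make_rule(0, 0, 0, POLICY_REQUIRE_ESP);

    if (fixed)
        (void)get_ulp_fixed(pkt, len, IPV6_HDR_LEN, nxt, &idx);
    else
        get_ulp_broken(nxt, &idx);
    return spd_lookup(rules, 3, &idx);
}

/* Constructed samples: 40 zero bytes for the IPv6 header, then ICMPv6. */
static const uint8_t sample_ns[IPV6_HDR_LEN + 4]   = { [IPV6_HDR_LEN] = 135, 0, 0, 0 };
static const uint8_t sample_echo[IPV6_HDR_LEN + 4] = { [IPV6_HDR_LEN] = 128, 0, 0, 0 };

int main(void)
{
    printf("NS  broken: %d\n", classify(sample_ns, sizeof sample_ns, IPPROTO_ICMPV6, 0));
    printf("NS  fixed : %d\n", classify(sample_ns, sizeof sample_ns, IPPROTO_ICMPV6, 1));
    printf("echo fixed: %d\n", classify(sample_echo, sizeof sample_echo, IPPROTO_ICMPV6, 1));
    return 0;
}
```

With the broken extraction the neighbour solicitation falls through to the
catch-all ESP rule, which is exactly the failure reported above; with the
fixed extraction it hits the bypass rule, an echo request still requires ESP,
and a packet too short to hold the ICMPv6 header keeps the "any" fields and
therefore also lands on the catch-all rather than on a bypass rule.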

>Release-Note:

>Audit-Trail:
From: Michael van Elst <mlelstv@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/39018 CVS commit: src/sys
Date: Fri, 27 Jun 2008 05:18:58 +0000 (UTC)

 Module Name:	src
 Committed By:	mlelstv
 Date:		Fri Jun 27 05:18:58 UTC 2008

 Modified Files:
 	src/sys/netinet6: ipsec.c
 	src/sys/netipsec: ipsec.c

 Log Message:
 Verify icmp type and code in IPSEC rules.
 Fixes PR kern/39018


 To generate a diff of this commit:
 cvs rdiff -r1.130 -r1.131 src/sys/netinet6/ipsec.c
 cvs rdiff -r1.37 -r1.38 src/sys/netipsec/ipsec.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->feedback
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Mon, 01 Sep 2008 09:27:40 +0000
State-Changed-Why:
Can this PR be closed now?


From: Michael van Elst <mlelstv@serpens.de>
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@NetBSD.org, netbsd-bugs@NetBSD.org, gnats-admin@NetBSD.org,
        dholland@NetBSD.org
Subject: Re: kern/39018 (ipsec code doesn't handle specific icmp codes)
Date: Tue, 2 Sep 2008 00:12:08 +0200

 On Mon, Sep 01, 2008 at 09:27:41AM +0000, dholland@NetBSD.org wrote:
 > Synopsis: ipsec code doesn't handle specific icmp codes
 > 
 > State-Changed-From-To: open->feedback
 > State-Changed-By: dholland@NetBSD.org
 > State-Changed-When: Mon, 01 Sep 2008 09:27:40 +0000
 > State-Changed-Why:
 > Can this PR be closed now?

 If someone verifies operation with FAST_IPSEC this should be pulled
 up to netbsd-4.

 Greetings,
 -- 
                                 Michael van Elst
 Internet: mlelstv@serpens.de
                                 "A potential Snark may lurk in every tree."

State-Changed-From-To: feedback->analyzed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Mon, 01 Sep 2008 22:38:44 +0000
State-Changed-Why:
Feedback received... unfortunately, I can't test it, but hopefully someone
else can.


State-Changed-From-To: analyzed->closed
State-Changed-By: maxv@NetBSD.org
State-Changed-When: Fri, 09 Feb 2018 20:07:42 +0000
State-Changed-Why:
Close this PR. NetBSD-4 is not supported anymore, so no pull up.


>Unformatted:
