summaryrefslogtreecommitdiff
path: root/libnet
diff options
context:
space:
mode:
Diffstat (limited to 'libnet')
-rw-r--r--libnet/include/libnet/libnet-functions.h5
-rw-r--r--libnet/include/libnet/libnet-structures.h15
-rw-r--r--libnet/sample/Makefile.am3
-rw-r--r--libnet/sample/test_ipv4.c165
-rw-r--r--libnet/src/libnet_build_ip.c47
-rw-r--r--libnet/src/libnet_init.c1
-rw-r--r--libnet/src/libnet_pblock.c18
7 files changed, 237 insertions, 17 deletions
diff --git a/libnet/include/libnet/libnet-functions.h b/libnet/include/libnet/libnet-functions.h
index c4fe599..99b1139 100644
--- a/libnet/include/libnet/libnet-functions.h
+++ b/libnet/include/libnet/libnet-functions.h
@@ -794,6 +794,7 @@ u_int8_t *payload, u_int32_t payload_s, libnet_t *l, libnet_ptag_t ptag);
/**
* Builds a version 4 RFC 791 Internet Protocol (IP) header.
* @param len total length of the IP packet including all subsequent data
+ * FIXME There is no reason this can't be calculated if zero is passed.
* @param tos type of service bits
* @param id IP identification number
* @param frag fragmentation bits and offset
@@ -2080,10 +2081,10 @@ u_int8_t type);
* Function updates referer used to compute the checksum. All
* pblock need to know where is their referer (ie IP header).
* So, this function is called each time a new IP header is inserted.
- * It updates the ip_pos field (referer) of each subsequent pblock.
+ * It updates the ip_offset field (referer) of each previous pblock.
*/
void
-libnet_pblock_record_ip_offset(libnet_t *l, u_int32_t offset);
+libnet_pblock_record_ip_offset(libnet_t *l, libnet_pblock_t *p);
/*
* [Internal]
diff --git a/libnet/include/libnet/libnet-structures.h b/libnet/include/libnet/libnet-structures.h
index 38aff5d..eb7de76 100644
--- a/libnet/include/libnet/libnet-structures.h
+++ b/libnet/include/libnet/libnet-structures.h
@@ -79,8 +79,19 @@ struct libnet_protocol_block
u_int8_t *buf; /* protocol buffer */
u_int32_t b_len; /* length of buf */
u_int16_t h_len; /* header length (for checksumming) */
- u_int32_t ip_offset; /* offset to IP header for csums */
- u_int32_t copied; /* bytes copied */
+ /* Unused for IPV4_H block types.
+ * For protocols that sit on top of IP, it should be the the amount of
+ * buf that is the header, and will be included in the checksum.
+ */
+ u_int32_t ip_offset; /* offset from end of pkt to beginning of IP header for csums */
+ /* Unused for IPV4_H block types.
+ * For protocols that sit on top of IP (UDP, ICMP, ...), they often
+ * include some information from the IP header (in the form of a "pseudo
+ * header") in their own checksum calculation. To build that
+ * pseudo-header, thet need to find the real header.
+ */
+ u_int32_t copied; /* bytes copied - the amount of data copied into buf */
+ /* Used and updated by libnet_pblock_append(). */
u_int8_t type; /* type of pblock */
/* this needs to be updated every time a new packet builder is added */
#define LIBNET_PBLOCK_ARP_H 0x01 /* ARP header */
diff --git a/libnet/sample/Makefile.am b/libnet/sample/Makefile.am
index 05cccbb..3186f5d 100644
--- a/libnet/sample/Makefile.am
+++ b/libnet/sample/Makefile.am
@@ -14,7 +14,7 @@ noinst_PROGRAMS = arp cdp dhcp_discover get_addr icmp_timestamp icmp_unreach \
smurf dot1x dns rpc_tcp rpc_udp mpls icmp_timeexceed \
fddi_tcp1 fddi_tcp2 tring_tcp1 tring_tcp2 icmp_redirect \
bgp4_hdr bgp4_open bgp4_update bgp4_notification gre \
- synflood6_frag tftp ip_link ip_raw sebek
+ synflood6_frag tftp ip_link ip_raw sebek test_ipv4
arp_SOURCES = arp.c
cdp_SOURCES = cdp.c
@@ -59,5 +59,6 @@ gre_SOURCES = gre.c
ip_raw_SOURCES = ip_raw.c
ip_link_SOURCES = ip_link.c
sebek_SOURCES = sebek.c
+test_ipv4_SOURCES = test_ipv4.c
LDADD = $(top_srcdir)/src/libnet.la
diff --git a/libnet/sample/test_ipv4.c b/libnet/sample/test_ipv4.c
new file mode 100644
index 0000000..cf1646b
--- /dev/null
+++ b/libnet/sample/test_ipv4.c
@@ -0,0 +1,165 @@
+/*
+ * Regression test for bugs in ipv4 ip_offset and h_len handling, such as
+ * http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=418975
+ *
+ * Copyright (c) 2009 Sam Roberts <sroberts@wurldtech.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+#if (HAVE_CONFIG_H)
+#include "../include/config.h"
+#endif
+#include "./libnet_test.h"
+
+#include <assert.h>
+
+static void print_pblocks(libnet_t* l)
+{
+ libnet_pblock_t* p = l->protocol_blocks;
+
+ while(p) {
+ /* h_len is header length for checksumming? "chksum length"? */
+ printf(" tag %d flags %d type %20s/%#x buf %p b_len %2u h_len %2u ip_offset %2u, copied %2u\n",
+ p->ptag, p->flags,
+ libnet_diag_dump_pblock_type(p->type), p->type,
+ p->buf, p->b_len, p->h_len, p->ip_offset, p->copied);
+ p = p->next;
+ }
+ printf(" link_offset %d aligner %d total_size %u nblocks %d\n",
+ l->link_offset, l->aligner, l->total_size, l->n_pblocks);
+
+}
+
+static int build_ipv4(libnet_t* l, libnet_ptag_t ip_ptag, int payload_s)
+{
+ u_long src_ip = 0xf101f1f1;
+ u_long dst_ip = 0xf102f1f1;
+ u_int8_t* payload = malloc(payload_s);
+ assert(payload);
+ memset(payload, '\x00', payload_s);
+
+ ip_ptag = libnet_build_ipv4(
+ LIBNET_IPV4_H + payload_s, /* length */
+ 0, /* TOS */
+ 0xbbbb, /* IP ID */
+ 0, /* IP Frag */
+ 0xcc, /* TTL */
+ IPPROTO_UDP, /* protocol */
+ 0, /* checksum */
+ src_ip, /* source IP */
+ dst_ip, /* destination IP */
+ payload, /* payload */
+ payload_s, /* payload size */
+ l, /* libnet handle */
+ ip_ptag); /* libnet id */
+
+ assert(ip_ptag > 0);
+
+ free(payload);
+
+ return ip_ptag;
+}
+
+int
+main(int argc, char *argv[])
+{
+ libnet_t *l;
+ int r;
+ char *device = "eth0";
+ u_int8_t enet_src[6] = {0x11, 0x11, 0x11, 0x11, 0x11, 0x11};
+ u_int8_t enet_dst[6] = {0x22, 0x22, 0x22, 0x22, 0x22, 0x22};
+ char errbuf[LIBNET_ERRBUF_SIZE];
+ libnet_ptag_t ip_ptag = 0;
+ libnet_ptag_t eth_ptag = 0;
+ int pkt1_payload = 10;
+ u_int8_t* pkt1 = NULL;
+ u_int32_t pkt1_sz = 0;
+ struct libnet_ipv4_hdr* h1;
+ int pkt2_payload = 2;
+ u_int8_t* pkt2 = NULL;
+ u_int32_t pkt2_sz = 0;
+ struct libnet_ipv4_hdr* h2;
+
+
+
+ l = libnet_init( LIBNET_LINK, device, errbuf);
+
+ assert(l);
+
+ /* Bug is triggered when rebuilding the ipv4 blocks with smaller payload.
+ * If change in payload size is larger than 20 (iph) + 14 (ether) +
+ * aligner, it will cause checksum to be written into the unallocated
+ * memory before the packet, possibly corrupting glib's memory allocation
+ * structures.
+ */
+
+ printf("Packet 1:\n");
+
+ ip_ptag = build_ipv4(l, ip_ptag, pkt1_payload);
+
+ eth_ptag = libnet_build_ethernet(
+ enet_dst, /* ethernet destination */
+ enet_src, /* ethernet source */
+ ETHERTYPE_IP, /* protocol type */
+ NULL, /* payload */
+ 0, /* payload size */
+ l, /* libnet handle */
+ 0); /* libnet id */
+ assert(eth_ptag > 0);
+
+ r = libnet_pblock_coalesce(l, &pkt1, &pkt1_sz);
+ assert(r >= 0);
+
+ print_pblocks(l);
+
+ libnet_diag_dump_hex(pkt1, 14, 0, stdout);
+ libnet_diag_dump_hex(pkt1+14, pkt1_sz-14, 0, stdout);
+
+ printf("Packet 2:\n");
+
+ ip_ptag = build_ipv4(l, ip_ptag, pkt2_payload);
+
+ r = libnet_pblock_coalesce(l, &pkt2, &pkt2_sz);
+ assert(r >= 0);
+
+ print_pblocks(l);
+
+ libnet_diag_dump_hex(pkt2, 14, 0, stdout);
+ libnet_diag_dump_hex(pkt2+14, pkt2_sz-14, 0, stdout);
+
+ /* Packets should differ only in the total length and cksum. */
+ h1 = (struct libnet_ipv4_hdr*) (pkt1+14);
+ h2 = (struct libnet_ipv4_hdr*) (pkt2+14);
+
+ assert(h1->ip_len == htons(20+pkt1_payload));
+ assert(h2->ip_len == htons(20+pkt2_payload));
+
+ h1->ip_len = h2->ip_len = 0x5555;
+ h1->ip_sum = h2->ip_sum = 0x6666;
+
+ assert(memcmp(pkt1, pkt2, 14 + 20) == 0);
+
+ return (EXIT_SUCCESS);
+}
+
diff --git a/libnet/src/libnet_build_ip.c b/libnet/src/libnet_build_ip.c
index 3d3675b..e0e760d 100644
--- a/libnet/src/libnet_build_ip.c
+++ b/libnet/src/libnet_build_ip.c
@@ -45,7 +45,6 @@ libnet_build_ipv4(u_int16_t len, u_int8_t tos, u_int16_t id, u_int16_t frag,
u_int8_t ttl, u_int8_t prot, u_int16_t sum, u_int32_t src, u_int32_t dst,
u_int8_t *payload, u_int32_t payload_s, libnet_t *l, libnet_ptag_t ptag)
{
- int offset;
u_int32_t h, n, i, j;
libnet_pblock_t *p, *p_data, *p_temp;
struct libnet_ipv4_hdr ip_hdr;
@@ -58,9 +57,12 @@ u_int8_t *payload, u_int32_t payload_s, libnet_t *l, libnet_ptag_t ptag)
n = LIBNET_IPV4_H; /* size of memory block */
h = len; /* header length */
+ // WRONG - this is total len of ip packet, and is put into the IP header
ptag_data = 0; /* used if options are present */
+ // WRONG - is used if there is ipv4 payload
if (h + payload_s > IP_MAXPACKET)
+ // WRONG - h is the total length, it already includes payload_s
{
snprintf(l->err_buf, LIBNET_ERRBUF_SIZE,
"%s(): IP packet too large\n", __func__);
@@ -97,6 +99,9 @@ u_int8_t *payload, u_int32_t payload_s, libnet_t *l, libnet_ptag_t ptag)
ip_hdr.ip_hl += j;
}
}
+ // Note that p->h_len is not adjusted. This seems a bug, but it is because
+ // it is not used! libnet_do_checksum() is passed the h_len (as `len'),
+ // but for IPPROTO_IP it is ignored in favor of the ip_hl.
ip_hdr.ip_tos = tos; /* IP tos */
ip_hdr.ip_len = htons(h); /* total length */
@@ -123,7 +128,10 @@ u_int8_t *payload, u_int32_t payload_s, libnet_t *l, libnet_ptag_t ptag)
}
/* find and set the appropriate ptag, or else use the default of 0 */
- offset = payload_s;
+ /* When updating the ipv4 block, we need to find the data block, and
+ * adjust our ip_offset if the new payload size is different from what
+ * it used to be.
+ */
if (ptag_hold && p->prev)
{
p_temp = p->prev;
@@ -136,9 +144,13 @@ u_int8_t *payload, u_int32_t payload_s, libnet_t *l, libnet_ptag_t ptag)
if (p_temp->type == LIBNET_PBLOCK_IPDATA)
{
+ int offset = payload_s;
+
ptag_data = p_temp->ptag;
offset -= p_temp->b_len;
- p->h_len += offset;
+ //p->h_len += offset;
+ // WRONG h_len is unused for checksum for IPv4, and even if it was used,
+ // the h_len doesn't depend on the payload size.
}
else
{
@@ -157,6 +169,16 @@ u_int8_t *payload, u_int32_t payload_s, libnet_t *l, libnet_ptag_t ptag)
if (payload && payload_s)
{
/* update ptag_data with the new payload */
+ // on create:
+ // b_len = payload_s
+ // l->total_size += b_len
+ // h_len = 0
+ // on update:
+ // b_len = payload_s
+ // h_len += <diff in size between new b_len and old b_len>
+ // increments if if b_len goes up, down if it goes down
+ // in either case:
+ // copied = 0
p_data = libnet_pblock_probe(l, ptag_data, payload_s,
LIBNET_PBLOCK_IPDATA);
if (p_data == NULL)
@@ -171,6 +193,7 @@ u_int8_t *payload, u_int32_t payload_s, libnet_t *l, libnet_ptag_t ptag)
if (ptag_data == LIBNET_PTAG_INITIALIZER)
{
+ // IPDATA's h_len gets set to payload_s in both branches
if (p_data->prev->type == LIBNET_PBLOCK_IPV4_H)
{
libnet_pblock_update(l, p_data, payload_s,
@@ -180,6 +203,10 @@ u_int8_t *payload, u_int32_t payload_s, libnet_t *l, libnet_ptag_t ptag)
}
else
{
+ // SR - I'm not sure how to reach this code. Maybe if the first
+ // time we added an ipv4 block, there was no payload, but when
+ // we modify the block the next time, we have payload?
+
/* update without setting this as the final pblock */
p_data->type = LIBNET_PBLOCK_IPDATA;
p_data->ptag = ++(l->ptag_state);
@@ -187,6 +214,7 @@ u_int8_t *payload, u_int32_t payload_s, libnet_t *l, libnet_ptag_t ptag)
/* Adjust h_len for checksum. */
p->h_len += payload_s;
+ // WRONG - IPV4 checksum doesn't include the payload_s.
/* data was added after the initial construction */
for (p_temp = l->protocol_blocks;
@@ -238,7 +266,16 @@ u_int8_t *payload, u_int32_t payload_s, libnet_t *l, libnet_ptag_t ptag)
* FREDRAYNAL: as we insert a new IP header, all checksums for headers
* placed after this one will refer to here.
*/
- libnet_pblock_record_ip_offset(l, l->total_size);
+ // WRONG - the total_size when updating the pblock will include the link layer
+ // WRONG - it isn't called after adding options, so will be wrong by the amount of ip options
+ // WRONG - it updates the wrong protocol blocks:
+ // - the first time it runs we set the ip offsets for p (ipv4), and
+ // ipdata to the total size of just the ip portion
+ // - the next time, it starts at end, which is the ethernet block, and
+ // updates everything up to but not including the ipv4 block to the total size, which means it
+ // changes just the ethernet block, and the offset it sets is the total size including the ethernet
+ // header.... WTF?
+ libnet_pblock_record_ip_offset(l, p);
return (ptag);
bad:
@@ -323,7 +360,7 @@ libnet_autobuild_ipv4(u_int16_t len, u_int8_t prot, u_int32_t dst, libnet_t *l)
* FREDRAYNAL: as we insert a new IP header, all checksums for headers
* placed after this one will refer to here.
*/
- libnet_pblock_record_ip_offset(l, l->total_size);
+ libnet_pblock_record_ip_offset(l, p);
return (ptag);
bad:
diff --git a/libnet/src/libnet_init.c b/libnet/src/libnet_init.c
index 976b44c..58f4df1 100644
--- a/libnet/src/libnet_init.c
+++ b/libnet/src/libnet_init.c
@@ -250,6 +250,7 @@ libnet_getpbuf_size(libnet_t *l, libnet_ptag_t ptag)
u_int32_t
libnet_getpacket_size(libnet_t *l)
{
+ // Why doesn't this return l->total_size?
libnet_pblock_t *p;
u_int32_t n;
diff --git a/libnet/src/libnet_pblock.c b/libnet/src/libnet_pblock.c
index 5e35aa5..b213b1d 100644
--- a/libnet/src/libnet_pblock.c
+++ b/libnet/src/libnet_pblock.c
@@ -38,6 +38,7 @@
#else
#include "../include/win32/libnet.h"
#endif
+#include <assert.h>
libnet_pblock_t *
libnet_pblock_probe(libnet_t *l, libnet_ptag_t ptag, u_int32_t n, u_int8_t type)
@@ -500,15 +501,18 @@ libnet_pblock_p2p(u_int8_t type)
}
void
-libnet_pblock_record_ip_offset(libnet_t *l, u_int32_t offset)
+libnet_pblock_record_ip_offset(libnet_t *l, libnet_pblock_t *p)
{
- libnet_pblock_t *p = l->pblock_end;
+ libnet_pblock_t *c;
+ u_int32_t ip_offset = 0;
- do
- {
- p->ip_offset = offset;
- p = p->prev;
- } while (p && p->type != LIBNET_PBLOCK_IPV4_H);
+ assert(p->type == LIBNET_PBLOCK_IPV4_H);
+
+ for(c = p; c; c = c->prev)
+ ip_offset += c->b_len;
+
+ for(c = p; c; c = c->prev)
+ c->ip_offset = ip_offset;
}