summaryrefslogtreecommitdiff
path: root/regress
diff options
context:
space:
mode:
authorAlexander Bluhm <bluhm@cvs.openbsd.org>2024-03-12 21:31:30 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2024-03-12 21:31:30 +0000
commit1c69541e28c6a739c4a72ed0ec42d5db64c9d5d4 (patch)
treea6764c8117dfe9ddb15006b124099c3180c618ff /regress
parent2b9759531f3fb2da07756e975ad8eed0e3977bfe (diff)
Add regress test showing that OpenBSD IPv6 fragment reassembly is
not affected by FreeBSD-SA-23:06.ipv6 security advisory. Scapy test frag6_oversize.py reassembles fragments of a packet too big to fit. Test frag6_unfragsize.py also plays games with ECN bits and hop-by-hop extension header to check overflow protection. ICMP6 parameter problem responses are expected. As pf does not generate such ICMP6 error packets, these tests are only run with frag6_input() in the IPv6 stack.
Diffstat (limited to 'regress')
-rw-r--r--regress/sys/netinet6/frag6/LICENSE2
-rw-r--r--regress/sys/netinet6/frag6/Makefile8
-rw-r--r--regress/sys/netinet6/frag6/frag6_oversize.py65
-rw-r--r--regress/sys/netinet6/frag6/frag6_unfragsize.py77
4 files changed, 149 insertions, 3 deletions
diff --git a/regress/sys/netinet6/frag6/LICENSE b/regress/sys/netinet6/frag6/LICENSE
index 866739d7ee3..95f9e99b44c 100644
--- a/regress/sys/netinet6/frag6/LICENSE
+++ b/regress/sys/netinet6/frag6/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2012-2020 Alexander Bluhm <bluhm@openbsd.org>
+Copyright (c) 2012-2024 Alexander Bluhm <bluhm@openbsd.org>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
diff --git a/regress/sys/netinet6/frag6/Makefile b/regress/sys/netinet6/frag6/Makefile
index 8d1436c4f65..cec85216c42 100644
--- a/regress/sys/netinet6/frag6/Makefile
+++ b/regress/sys/netinet6/frag6/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.29 2023/09/08 21:15:02 bluhm Exp $
+# $OpenBSD: Makefile,v 1.30 2024/03/12 21:31:29 bluhm Exp $
# The following ports must be installed:
#
@@ -88,7 +88,11 @@ stamp-pf: addr.py pf.conf
FRAG6_SCRIPTS !!= cd ${.CURDIR} && ls -1 frag6*.py
run-stack-frag6_queuelimit.py:
- # the stack does not limit the amount of fragments during reassembly
+ # stack does not limit the amount of fragments during reassembly
+ @echo DISABLED
+
+run-pf-frag6_oversize.py run-pf-frag6_unfragsize.py:
+ # pf does not send icmp parameter problem, so test does not work
@echo DISABLED
run-stack-frag6_doubleatomic.py: addr.py stamp-stack
diff --git a/regress/sys/netinet6/frag6/frag6_oversize.py b/regress/sys/netinet6/frag6/frag6_oversize.py
new file mode 100644
index 00000000000..3fbdfcae53c
--- /dev/null
+++ b/regress/sys/netinet6/frag6/frag6_oversize.py
@@ -0,0 +1,65 @@
+#!/usr/local/bin/python3
+
+print("ping6 fragments in total larger than IP maximum packet")
+
+# |---------|
+# |--------|
+# ... ...
+# |--------|
+
+import os
+from addr import *
+from scapy.all import *
+
+pid=os.getpid()
+eid=pid & 0xffff
+payload=b"ABCDEFGHIJKLMNOP"
+packet=IPv6(src=LOCAL_ADDR6, dst=REMOTE_ADDR6)/ \
+ ICMPv6EchoRequest(id=eid, data=4095*payload)
+plen=IPv6(raw(packet)).plen
+print("plen=%u" % (plen))
+if plen != 0xfff8:
+ print("PLEN!=%u" % (0xfff8))
+ exit(2)
+bytes=bytes(packet)+b"12345678"
+
+frag=[]
+fid=pid & 0xffffffff
+frag.append(IPv6ExtHdrFragment(nh=58, id=fid, m=1)/bytes[40:40+2**10])
+off=2**7
+while off < 2**13:
+ frag.append(IPv6ExtHdrFragment(nh=58, id=fid, offset=off)/ \
+ bytes[40+off*8:40+off*8+2**10])
+ off+=2**7
+eth=[]
+for f in frag:
+ pkt=IPv6(src=LOCAL_ADDR6, dst=REMOTE_ADDR6)/f
+ eth.append(Ether(src=LOCAL_MAC, dst=REMOTE_MAC)/pkt)
+
+if os.fork() == 0:
+ time.sleep(1)
+ sendp(eth, iface=LOCAL_IF)
+ os._exit(0)
+
+ans=sniff(iface=LOCAL_IF, timeout=3, filter=
+ "ip6 and src "+REMOTE_ADDR6+" and dst "+LOCAL_ADDR6+" and icmp6")
+for a in ans:
+ print("type %d" % (a.payload.payload.type))
+ print("icmp %s" % (icmp6types[a.payload.payload.type]))
+ if a and a.type == ETH_P_IPV6 and \
+ ipv6nh[a.payload.nh] == 'ICMPv6' and \
+ icmp6types[a.payload.payload.type] == 'Parameter problem':
+ print("code=%u" % (a.payload.payload.code))
+ # 0: 'erroneous header field encountered'
+ if a.payload.payload.code != 0:
+ print("WRONG PARAMETER PROBLEM CODE")
+ exit(1)
+ ptr=a.payload.payload.ptr
+ print("ptr=%u" % (ptr))
+ # 42: sizeof IPv6 header + offset in fragment header
+ if ptr != 42:
+ print("PTR!=%u" % (ptr))
+ exit(1)
+ exit(0)
+print("NO ICMP PARAMETER PROBLEM")
+exit(2)
diff --git a/regress/sys/netinet6/frag6/frag6_unfragsize.py b/regress/sys/netinet6/frag6/frag6_unfragsize.py
new file mode 100644
index 00000000000..05585d7d95e
--- /dev/null
+++ b/regress/sys/netinet6/frag6/frag6_unfragsize.py
@@ -0,0 +1,77 @@
+#!/usr/local/bin/python3
+
+print("ping6 fragments with options total larger than IP maximum packet")
+
+# |--------|
+# ... ...
+# |--------|
+# drop first fragment with ECN conflict, reinsert with longer unfrag part
+# |---------|
+# HopByHop|---------|
+
+import os
+from addr import *
+from scapy.all import *
+
+pid=os.getpid()
+eid=pid & 0xffff
+payload=b"ABCDEFGHIJKLMNOP"
+packet=IPv6(src=LOCAL_ADDR6, dst=REMOTE_ADDR6)/ \
+ ICMPv6EchoRequest(id=eid, data=4095*payload)
+plen=IPv6(raw(packet)).plen
+print("plen=%u" % (plen))
+if plen != 0xfff8:
+ print("PLEN!=%u" % (0xfff8))
+ exit(2)
+bytes=bytes(packet)
+
+frag=[]
+fid=pid & 0xffffffff
+off=2**7
+while off < 2**13:
+ frag.append(IPv6ExtHdrFragment(nh=58, id=fid, offset=off)/ \
+ bytes[40+off*8:40+off*8+2**10])
+ off+=2**7
+eth=[]
+for f in frag:
+ pkt=IPv6(src=LOCAL_ADDR6, dst=REMOTE_ADDR6)/f
+ eth.append(Ether(src=LOCAL_MAC, dst=REMOTE_MAC)/pkt)
+
+# first fragment with ECN to be dropped
+eth.append(Ether(src=LOCAL_MAC, dst=REMOTE_MAC)/
+ IPv6(src=LOCAL_ADDR6, dst=REMOTE_ADDR6, tc=3)/
+ IPv6ExtHdrFragment(nh=58, id=fid, m=1)/bytes[40:40+2**10])
+
+# resend first fragment with unfragmentable part too long for IP plen
+eth.append(Ether(src=LOCAL_MAC, dst=REMOTE_MAC)/
+ IPv6(src=LOCAL_ADDR6, dst=REMOTE_ADDR6)/
+ IPv6ExtHdrHopByHop(options=PadN(optdata="\0"*4))/
+ IPv6ExtHdrFragment(nh=58, id=fid, m=1)/bytes[40:40+2**10])
+
+if os.fork() == 0:
+ time.sleep(1)
+ sendp(eth, iface=LOCAL_IF)
+ os._exit(0)
+
+ans=sniff(iface=LOCAL_IF, timeout=3, filter=
+ "ip6 and src "+REMOTE_ADDR6+" and dst "+LOCAL_ADDR6+" and icmp6")
+for a in ans:
+ print("type %d" % (a.payload.payload.type))
+ print("icmp %s" % (icmp6types[a.payload.payload.type]))
+ if a and a.type == ETH_P_IPV6 and \
+ ipv6nh[a.payload.nh] == 'ICMPv6' and \
+ icmp6types[a.payload.payload.type] == 'Parameter problem':
+ print("code=%u" % (a.payload.payload.code))
+ # 0: 'erroneous header field encountered'
+ if a.payload.payload.code != 0:
+ print("WRONG PARAMETER PROBLEM CODE")
+ exit(1)
+ ptr=a.payload.payload.ptr
+ print("ptr=%u" % (ptr))
+ # 42: sizeof IPv6 header + offset in fragment header
+ if ptr != 42:
+ print("PTR!=%u" % (ptr))
+ exit(1)
+ exit(0)
+print("NO ICMP PARAMETER PROBLEM")
+exit(2)