Date: Fri, 23 Jun 2006 17:56:50 GMT From: Clément Lecigne <clem1@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 99877 for review Message-ID: <200606231756.k5NHuoWY037912@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=99877 Change 99877 by clem1@clem1_ipv6vulns on 2006/06/23 17:56:08 - partial icmp6 integration... - echo reply/request - packet toobig - parameter problem - destination unreachable - redirect message - sample test programs (ping6, toobig6...) - icmp6 checksum bug fix. - redir6.c : implementation of the routing table alteration attack presented by Vanhauser. Affected files ... .. //depot/projects/soc2006/clem1_ipv6vulns/libnet/include/libnet/libnet-functions.h#2 edit .. //depot/projects/soc2006/clem1_ipv6vulns/libnet/include/libnet/libnet-headers.h#2 edit .. //depot/projects/soc2006/clem1_ipv6vulns/libnet/include/libnet/libnet-structures.h#2 edit .. //depot/projects/soc2006/clem1_ipv6vulns/libnet/sample/paramprob6.c#1 add .. //depot/projects/soc2006/clem1_ipv6vulns/libnet/sample/ping6.c#1 add .. //depot/projects/soc2006/clem1_ipv6vulns/libnet/sample/redir6.c#1 add .. //depot/projects/soc2006/clem1_ipv6vulns/libnet/sample/toobig6.c#1 add .. //depot/projects/soc2006/clem1_ipv6vulns/libnet/src/Makefile.am#2 edit .. //depot/projects/soc2006/clem1_ipv6vulns/libnet/src/Makefile.in#2 edit .. //depot/projects/soc2006/clem1_ipv6vulns/libnet/src/libnet_build_icmp.c#2 delete .. //depot/projects/soc2006/clem1_ipv6vulns/libnet/src/libnet_build_icmpv4.c#1 add .. //depot/projects/soc2006/clem1_ipv6vulns/libnet/src/libnet_build_icmpv6.c#1 add .. //depot/projects/soc2006/clem1_ipv6vulns/libnet/src/libnet_checksum.c#2 edit .. //depot/projects/soc2006/clem1_ipv6vulns/libnet/src/libnet_internal.c#2 edit .. //depot/projects/soc2006/clem1_ipv6vulns/libnet/src/libnet_pblock.c#2 edit .. //depot/projects/soc2006/clem1_ipv6vulns/libnet/src/libnet_resolve.c#2 edit Differences ... ==== //depot/projects/soc2006/clem1_ipv6vulns/libnet/include/libnet/libnet-functions.h#2 (text+ko) ==== 
@@ -252,6 +252,15 @@ char *host_name, int host_name_len); /** + * Takes a human readable mac address and returns a network bytes ordered + * ethernet address. + * @param human readable mac address (aa:bb:cc:dd:ee) + * @return network byte ordered ethernet address. + */ +u_int8_t * +libnet_mac2eth(int8_t *); + +/** * Creates a new port list. Port list chains are useful for TCP and UDP-based * applications that need to send packets to a range of ports (contiguous or * otherwise). The port list chain, which token_list points to, should contain 
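Review bot: The doc comment for `libnet_mac2eth` gives `aa:bb:cc:dd:ee` as its example, which is five octets, while an Ethernet address has six; it should read `aa:bb:cc:dd:ee:ff`. The comment also does not say who owns the returned buffer or what comes back when the string cannot be parsed. The `@param` tag has no name to attach to because the prototype leaves the parameter unnamed. I would name it (`int8_t *mac`) and extend the return line to `@return network byte ordered ethernet address, NULL on error`, adding the ownership rule once it is confirmed against the definition in libnet_resolve.c.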
@@ -776,6 +785,118 @@ u_int8_t *payload, u_int32_t payload_s, libnet_t *l, libnet_ptag_t ptag); /** + * Builds an IP version 6 RFC 2463 Internet Control Message Protocol (ICMP) + * echo request/reply header + * @param type type of ICMP packet (should be ICMP6_ECHOREPLY or ICMP6_ECHO) + * @param code code of ICMP packet (should be 0) + * @param sum checksum (0 for libnet to autofill) + * @param id identification number + * @param seq packet sequence number + * @param payload optional payload or NULL + * @param payload_s payload length or 0 + * @param l pointer to a libnet context + * @param ptag protocol tag to modify an existing header, 0 to build a new one + * @return protocol tag value on success, -1 on error + */ +libnet_ptag_t +libnet_build_icmpv6_echo(u_int8_t type, u_int8_t code, u_int16_t sum, +u_int16_t id, u_int16_t seq, u_int8_t *payload, u_int32_t payload_s, +libnet_t *l, libnet_ptag_t ptag); + +/** + * Builds an IP version 6 RFC 2463 Internet Control Message Protocol (ICMP) + * parameter problem header + * @param type type of ICMP packet (should be ICMP6_PARAMPB) + * @param code code of ICMP packet (should be ICMP6_PARAMPROB_HEADER or ICMP6_PARAMPROB_NEXTHEADER or ICMP6_PARAMPROB_OPTION) + * @param sum checksum (0 for libnet to autofill) + * @param pointer number + * @param payload optional payload or NULL + * @param payload_s payload length or 0 + * @param l pointer to a libnet context + * @param ptag protocol tag to modify an existing header, 0 to build a new one + * @return protocol tag value on success, -1 on error + */ +libnet_ptag_t +libnet_build_icmpv6_parampb(u_int8_t type, u_int8_t code, u_int16_t sum, +u_int32_t pointer, u_int8_t *payload, u_int32_t payload_s, +libnet_t *l, libnet_ptag_t ptag); + +/** + * Builds an IP version 6 RFC 2463 Internet Control Message Protocol (ICMP) + * time exceeded header + * @param type type of ICMP packet (should be ICMP6_TIMXCEED) + * @param code code of ICMP packet (should be ICMP6_TIMXCEED_TRANSIT or 
ICMP6_TIMXCEED_REASSEMBLY) + * @param sum checksum (0 for libnet to autofill) + * @param unused number + * @param payload optional payload or NULL + * @param payload_s payload length or 0 + * @param l pointer to a libnet context + * @param ptag protocol tag to modify an existing header, 0 to build a new one + * @return protocol tag value on success, -1 on error + */ +libnet_ptag_t +libnet_build_icmpv6_timxceed(u_int8_t type, u_int8_t code, u_int16_t sum, +u_int32_t unused, u_int8_t *payload, u_int32_t payload_s, +libnet_t *l, libnet_ptag_t ptag); + +/** + * Builds an IP version 6 RFC 2463 Internet Control Message Protocol (ICMP) + * destination unreachable header + * @param type type of ICMP packet (should be ICMP6_UNREACH) + * @param code code of ICMP packet (should be ICMP6_UNREACH_NOROUTE or ICMP6_UNREACH_ADMIN or ICMP6_UNREACH_ADDR or ICMP6_UNREACH_NOTNEIGHBOR or ICMP6_UNREACH_PORT) + * @param sum checksum (0 for libnet to autofill) + * @param unused number that must be zero. + * @param payload optional payload or NULL + * @param payload_s payload length or 0 + * @param l pointer to a libnet context + * @param ptag protocol tag to modify an existing header, 0 to build a new one + * @return protocol tag value on success, -1 on error + */ +libnet_ptag_t +libnet_build_icmpv6_unreach(u_int8_t type, u_int8_t code, u_int16_t sum, +u_int32_t unused, u_int8_t *payload, u_int32_t payload_s, +libnet_t *l, libnet_ptag_t ptag); + +/** + * Builds an IP version 6 RFC 2463 Internet Control Message Protocol (ICMP) + * packet too big header + * @param type type of ICMP packet (should be ICMP6_TOOBIG) + * @param code code of ICMP packet (should be 0) + * @param sum checksum (0 for libnet to autofill) + * @param MTU. 
+ * @param payload optional payload or NULL + * @param payload_s payload length or 0 + * @param l pointer to a libnet context + * @param ptag protocol tag to modify an existing header, 0 to build a new one + * @return protocol tag value on success, -1 on error + */ +libnet_ptag_t +libnet_build_icmpv6_toobig(u_int8_t type, u_int8_t code, u_int16_t sum, +u_int32_t mtu, u_int8_t *payload, u_int32_t payload_s, +libnet_t *l, libnet_ptag_t ptag); + +/** + * Builds an IP version 6 RFC 2463 Internet Control Message Protocol (ICMP) + * redirect message header + * @param type type of ICMP packet (should be ICMP6_REDIRECT) + * @param code code of ICMP packet (should be 0) + * @param sum checksum (0 for libnet to autofill) + * @param unused. + * @param target ipv6 address + * @param destination ipv6 address + * @param payload optional payload or NULL + * @param payload_s payload length or 0 + * @param l pointer to a libnet context + * @param ptag protocol tag to modify an existing header, 0 to build a new one + * @return protocol tag value on success, -1 on error + */ +libnet_ptag_t +libnet_build_icmpv6_redirect(u_int8_t type, u_int8_t code, u_int16_t sum, +u_int32_t unused, struct libnet_in6_addr, struct libnet_in6_addr, +u_int8_t *payload, u_int32_t payload_s, libnet_t *l, libnet_ptag_t ptag); + + +/** * Builds an RFC 1112 Internet Group Memebership Protocol (IGMP) header. * @param type packet type * @param code packet code (should be 0) @@ -1924,6 +2045,16 @@ void libnet_diag_dump_hex(u_int8_t *packet, u_int32_t len, int swap, FILE *stream); +/** + * [Diagnostic] + * Function returns in raw format the contents the packet associated + * to the libnet handle. + * @param libnet handle. + * @return buffer with contents of the packet in raw format + */ +char * +libnet_dump_packet(libnet_t *); + /* * [Internal] */ ==== //depot/projects/soc2006/clem1_ipv6vulns/libnet/include/libnet/libnet-headers.h#2 (text+ko) ==== 
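Review bot: Several `@param` tags in the new ICMPv6 builder comments do not document a parameter properly. `@param MTU.` and `@param unused.` carry no description and do not match the names `mtu` and `unused`, and `@param pointer number` does not say that the value is the offset of the offending octet. In `libnet_build_icmpv6_redirect` the two `struct libnet_in6_addr` arguments are unnamed, so the header does not tell a caller which one is the target and which the destination. Naming them, e.g. `struct libnet_in6_addr target, struct libnet_in6_addr dst`, and writing `@param mtu MTU of the next-hop link` would fix both.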
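Review bot: `libnet_dump_packet` returns a bare `char *`, and its comment tells the caller neither how many bytes are valid nor that the buffer has to be freed. The contents are binary packet data, so the length cannot be recovered with `strlen`, and a caller that guesses it risks reading past the allocation. I would write the return line as `@return malloc'd copy of the packet bytes, NULL on allocation failure; caller frees`. I would also either document where the length comes from or add an out-parameter such as `u_int32_t *len`. The `@param libnet handle.` tag has no parameter name because the prototype leaves the argument unnamed.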
@@ -63,7 +63,13 @@ #define LIBNET_ICMPV4_TIMXCEED_H 0x08 /**< ICMP_TIMXCEED header: 8 bytes */ #define LIBNET_ICMPV4_REDIRECT_H 0x08 /**< ICMP_REDIRECT header: 8 bytes */ #define LIBNET_ICMPV4_TS_H 0x14 /**< ICMP_TIMESTAMP headr:20 bytes */ -#define LIBNET_ICMPV6_H 0x08 /**< ICMP6 header base: 8 bytes */ +#define LIBNET_ICMPV6_H 0x04 /**< ICMP6 header base: 4 bytes */ +#define LIBNET_ICMPV6_ECHO_H 0x08 /**< ICMPV6_ECHO header: 8 bytes */ +#define LIBNET_ICMPV6_TIMXCEED_H 0x08 /**< ICMPV6_TIMXCEED header: 8 bytes */ +#define LIBNET_ICMPV6_PARAMPB_H 0x08 /**< ICMPV6_PARAMPB header: 8 bytes */ +#define LIBNET_ICMPV6_UNREACH_H 0x08 /**< ICMPV6_UNREACH header: 8 bytes */ +#define LIBNET_ICMPV6_TOOBIG_H 0x08 /**< ICMPV6_TOOBIG header: 8 bytes */ +#define LIBNET_ICMPV6_REDIRECT_H 0x28 /**< ICMPV6_REDIRECT header: 40 bytes */ #define LIBNET_IGMP_H 0x08 /**< IGMP header: 8 bytes */ #define LIBNET_IPV4_H 0x14 /**< IPv4 header: 20 bytes */ #define LIBNET_IPV6_H 0x28 /**< IPv6 header: 40 bytes */ @@ -489,6 +495,9 @@ #ifndef ETHERTYPE_IP #define ETHERTYPE_IP 0x0800 /* IP protocol */ #endif +#ifndef ETHERTYPE_IPV6 +#define ETHERTYPE_IPV6 0x86dd /* IPV6 protocol */ +#endif #ifndef ETHERTYPE_ARP #define ETHERTYPE_ARP 0x0806 /* addr. resolution protocol */ #endif 
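Review bot: Redefining `LIBNET_ICMPV6_H` from 0x08 to 0x04 changes the value of an existing public macro, so any code outside this change that sized an ICMPv6 header with it now gets four bytes fewer. If such users exist (none are visible in this diff), they would build or checksum truncated headers with no compile-time signal. Keeping `LIBNET_ICMPV6_H` at its old value and introducing a separate name for the 4-byte common part, for example `#define LIBNET_ICMPV6_COMMON_H 0x04`, avoids the silent change.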
@@ -820,20 +829,132 @@ #ifndef ICMP6_PKTTOOBIG #define ICMP6_PKTTOOBIG 2 #endif +#ifndef ICMP6_TOOBIG +#define ICMP6_TOOBIG 2 +#endif #ifndef ICMP6_TIMXCEED #define ICMP6_TIMXCEED 3 #endif #ifndef ICMP6_PARAMPROB #define ICMP6_PARAMPROB 4 #endif +#ifndef ICMP6_MLQUERY +#define ICMP6_MLQUERY 130 +#endif +#ifndef ICMP6_MLREPORT +#define ICMP6_MLREPORT 131 +#endif +#ifndef ICMP6_MLDONE +#define ICMP6_MLDONE 132 +#endif +#ifndef ICMP6_NEIGHBORSO +#define ICMP6_NEIGHBORSO 135 +#endif +#ifndef ICMP6_NEIGHBORADV +#define ICMP6_NEIGHBORADV 136 +#endif +#ifndef ICMP6_ROUTERSO +#define ICMP6_ROUTEURSO 133 +#endif +#ifndef ICMP6_ROUTERADV +#define ICMP6_ROUTERADV 134 +#endif +#ifndef ICMP6_WRUQUERY +#define ICMP6_WRUQUERY 139 +#endif +#ifndef ICMP6_WRUREPLY +#define ICMP6_WRUREPLY 140 +#endif +#ifndef ICMP6_REDIRECT +#define ICMP6_REDIRECT 137 +#endif u_int8_t icmp_code; /* ICMP code */ - u_int16_t icmp_sum; /* ICMP Checksum */ - u_int16_t id; /* ICMP id */ - u_int16_t seq; /* ICMP sequence number */ +#ifndef ICMP6_UNREACH_NOROUTE +#define ICMP6_UNREACH_NOROUTE 0 +#endif +#ifndef ICMP6_UNREACH_ADMIN +#define ICMP6_UNREACH_ADMIN 1 +#endif +#ifndef ICMP6_UNREACH_NOTNEIGHBOR +#define ICMP6_UNREACH_NOTNEIGHBOR 2 +#endif +#ifndef ICMP6_UNREACH_ADDR +#define ICMP6_UNREACH_ADDR 3 +#endif +#ifndef ICMP6_UNREACH_PORT +#define ICMP6_UNREACH_PORT 4 +#endif +#ifndef ICMP6_TIMXCEED_TRANSIT +#define ICMP6_TIMXCEED_TRANSIT 0 +#endif +#ifndef ICMP6_TIMXCEED_REASSEMBLY +#define ICMP6_TIMXCEED_REASSEMBLY 1 +#endif +#ifndef ICMP6_PARAMPROB_HEADER +#define ICMP6_PARAMPROB_HEADER 0 +#endif +#ifndef ICMP6_PARAMPROB_NEXTHEADER +#define ICMP6_PARAMPROB_NEXTHEADER 1 +#endif +#ifndef ICMP6_PARAMPROB_OPTION +#define ICMP6_PARAMPROB_OPTION 2 +#endif +#ifndef ICMP6_WRUQUERY_IPV6 +#define ICMP6_WRUQUERY_IPV6 0 +#endif +#ifndef ICMP6_WRUQUERY_FQDN +#define ICMP6_WRUQUERY_FQDN 1 +#endif +#ifndef ICMP6_WRUQUERY_IPV4 +#define ICMP6_WRUQUERY_IPV4 2 +#endif +#ifndef ICMP6_WRUREPLY_SUCCESS +#define 
ICMP6_WRUREPLY_SUCCESS 0 +#endif +#ifndef ICMP6_WRUREPLY_REFUSED +#define ICMP6_WRUREPLY_REFUSED 1 +#endif +#ifndef ICMP6_WRUREPLY_UNKNOWN +#define ICMP6_WRUREPLY_UNKNOWN 2 +#endif +#ifndef ICMP6_REDIRECT_ONLINK +#define ICMP6_REDIRECT_ONLINK 0 +#endif +#ifndef ICMP6_REDIRECT_ROUTER +#define ICMP6_REDIRECT_ROUTER 1 +#endif + u_int16_t icmp_sum; /* ICMP Checksum */ + union{ + struct { + u_int16_t id; /* ICMP id */ + u_int16_t seq; /* ICMP sequence number */ + }echo; +#undef icmp_id +#undef icmp_seq +#define icmp_id hun.echo.id +#define icmp_seq hun.echo.seq + u_int32_t pointer; /* ICMP pointer */ +#undef icmp_pointer +#define icmp_pointer hun.pointer + u_int32_t unused; /* ICMP unused bytes in TIMEEXCEED, DEST UNREACH and REDIRECT */ +#undef icmp_unused +#define icmp_unused hun.unused + u_int32_t mtu; /* ICMP mtu (TOOBIG) */ +#undef icmp_mtu +#define icmp_mtu hun.mtu + }hun; + union{ + struct { + struct libnet_in6_addr target, dst; + } redir; +#undef icmp_target +#define icmp_target dun.redir.target +#undef icmp_dst +#define icmp_dst dun.redir.dst + }dun; }; - /* * ICMP header * Internet Control Message Protocol ==== //depot/projects/soc2006/clem1_ipv6vulns/libnet/include/libnet/libnet-structures.h#2 (text+ko) ==== 
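Review bot: The guard `#ifndef ICMP6_ROUTERSO` is followed by `#define ICMP6_ROUTEURSO 133` (extra `U`), so `ICMP6_ROUTERSO` is never defined by this header; the line should be `#define ICMP6_ROUTERSO 133`. Separately, the new `hun` and `dun` unions are unconditional members, so `sizeof(struct libnet_icmpv6_hdr)` now includes the two redirect addresses for every message type. A comment on the struct saying `/* size headers with LIBNET_ICMPV6_*_H, not sizeof */` would prevent over-long copies. The accessor macros (`icmp_id`, `icmp_seq`, `icmp_unused`, ...) are `#undef`ed and redefined at file scope, which stays correct only while every other header struct using those names has the same member path. The struct definition starts outside this hunk.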
@@ -146,6 +146,19 @@ #define LIBNET_PBLOCK_IPV6_DESTOPTS_H 0x3d /* IPv6 dest opts header */ #define LIBNET_PBLOCK_IPV6_HBHOPTS_H 0x3e /* IPv6 hop/hop opts header */ #define LIBNET_PBLOCK_SEBEK_H 0x3f /* Sebek header */ +#define LIBNET_PBLOCK_ICMPV6_H 0x40 /* ICMP6 header */ +#define LIBNET_PBLOCK_ICMPV6_ECHO_H 0x41 /* ICMP6 echo header */ +#define LIBNET_PBLOCK_ICMPV6_TOOBIG_H 0x42 /* ICMP6 pkt too big header */ +#define LIBNET_PBLOCK_ICMPV6_TIMXCEED_H 0x43 /* ICMP6 time exceeded header */ +#define LIBNET_PBLOCK_ICMPV6_PARAMPB_H 0x44 /* ICMP6 parameter problem header */ +#define LIBNET_PBLOCK_ICMPV6_ROUTERSO_H 0x45 /* ICMP6 router solicitation header */ +#define LIBNET_PBLOCK_ICMPV6_ROUTERADV_H 0x46 /* ICMP6 router advertisement header */ +#define LIBNET_PBLOCK_ICMPV6_NEIGHBORSO_H 0x47 /* ICMP6 neighbor solicitation header */ +#define LIBNET_PBLOCK_ICMPV6_NEIGHBORADV_H 0x48 /* ICMP6 neighbor advertisement header */ +#define LIBNET_PBLOCK_ICMPV6_REDIRECT_H 0x49 /* ICMP6 redirect message header */ +#define LIBNET_PBLOCK_ICMPV6_MULTICAST_H 0x4a /* ICMP6 multicast group management header */ +#define LIBNET_PBLOCK_ICMPV6_WRU_H 0x4b /* ICMP6 Who Are You name lookup header */ +#define LIBNET_PBLOCK_ICMPV6_UNREACH_H 0x4c /* ICMP6 destination unreach packet */ u_int8_t flags; /* control flags */ #define LIBNET_PBLOCK_DO_CHECKSUM 0x01 /* needs a checksum */ libnet_ptag_t ptag; /* protocol block tag */ ==== //depot/projects/soc2006/clem1_ipv6vulns/libnet/src/Makefile.am#2 (text+ko) ==== @@ -24,7 +24,8 @@ libnet_build_ethernet.c \ libnet_build_fddi.c \ libnet_build_gre.c \ - libnet_build_icmp.c \ + libnet_build_icmpv4.c \ + libnet_build_icmpv6.c \ libnet_build_igmp.c \ libnet_build_ip.c \ libnet_build_ipsec.c \ ==== //depot/projects/soc2006/clem1_ipv6vulns/libnet/src/Makefile.in#2 (text+ko) ==== 
@@ -125,7 +125,8 @@ libnet_build_ethernet.c \ libnet_build_fddi.c \ libnet_build_gre.c \ - libnet_build_icmp.c \ + libnet_build_icmpv4.c \ + libnet_build_icmpv6.c \ libnet_build_igmp.c \ libnet_build_ip.c \ libnet_build_ipsec.c \ ==== //depot/projects/soc2006/clem1_ipv6vulns/libnet/src/libnet_checksum.c#2 (text+ko) ==== @@ -44,7 +44,6 @@ int sum; sum = 0; - while (len > 1) { sum += *addr++; @@ -123,11 +122,12 @@ * and overlay a header structure to yank out the version. */ iph_p = (struct libnet_ipv4_hdr *)buf; + if (iph_p && iph_p->ip_v == 6) { - ip6h_p = (struct libnet_ipv6_hdr *)buf; + ip6h_p = (struct libnet_ipv6_hdr *)buf; is_ipv6 = 1; - ip_hl = 40; + ip_hl = LIBNET_IPV6_H; } else { @@ -199,10 +199,10 @@ break; } case IPPROTO_ICMP: + case IPPROTO_ICMP6: { struct libnet_icmpv4_hdr *icmph_p = (struct libnet_icmpv4_hdr *)(buf + ip_hl); - icmph_p->icmp_sum = 0; if (is_ipv6) { ==== //depot/projects/soc2006/clem1_ipv6vulns/libnet/src/libnet_internal.c#2 (text+ko) ==== @@ -307,4 +307,38 @@ } return ("unreachable code"); } + +char * +libnet_dump_packet(libnet_t *l) +{ + u_int32_t size = 1500, curr = 0, n, a = 0; + libnet_pblock_t *p; + char *pkt; + + pkt = (char *)malloc(size); + + if (pkt == NULL) + { + return (NULL); + } + + for (p = l->pblock_end; p; p = p->prev) + { + curr += p->b_len; + if (curr > size) + { + pkt = realloc(pkt, curr + size); + if (pkt == NULL) + { + return (NULL); + } + size += curr; + } + for(n = 0; n < p->b_len; n++) + { + pkt[a++] = p->buf[n]; + } + } + return (pkt); +} /* EOF */ ==== //depot/projects/soc2006/clem1_ipv6vulns/libnet/src/libnet_pblock.c#2 (text+ko) ==== 
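Review bot: The ICMPv6 checksum path in libnet_checksum.c assumes the ICMPv6 header sits exactly `LIBNET_IPV6_H` bytes into the packet. The hunk at -123 sets `ip_hl = LIBNET_IPV6_H;` for every IPv6 packet, and the new `case IPPROTO_ICMP6:` then overlays the header at `buf + ip_hl`. If extension headers precede the ICMPv6 header (the library has pblock types for hop-by-hop and destination options), `icmph_p->icmp_sum = 0;` and the later checksum store would presumably land inside an extension header. At minimum the assumption should be stated at the assignment, `/* assumes no IPv6 extension headers before the upper-layer header */`; walking the next-header chain would be the real fix. The function starts and ends outside these hunks, so the code inside `if (is_ipv6)` could not be checked.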
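Review bot: In `libnet_dump_packet` (libnet_internal.c), `pkt = realloc(pkt, curr + size);` overwrites the only pointer to the buffer, so when `realloc` fails the original allocation is leaked before `return (NULL)`. `l` is also dereferenced in the `for` initialiser without a NULL check. I would hold the `realloc` result in a temporary, free the old buffer on failure, and reject a NULL context up front, as below. The function also needs a header comment stating that the caller frees the result.

```c
char *
libnet_dump_packet(libnet_t *l)
{
    /* … unchanged: declarations … */
    char *tmp;

    if (l == NULL)
    {
        return (NULL);
    }
    /* … unchanged: initial malloc and its NULL check … */
    for (p = l->pblock_end; p; p = p->prev)
    {
        curr += p->b_len;
        if (curr > size)
        {
            tmp = realloc(pkt, curr + size);
            if (tmp == NULL)
            {
                free(pkt);      /* keep the old buffer from leaking */
                return (NULL);
            }
            pkt = tmp;
            size += curr;
        }
        /* … unchanged: byte copy loop … */
    }
    return (pkt);
}
```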
@@ -389,7 +389,37 @@ { if ((q->flags) & LIBNET_PBLOCK_DO_CHECKSUM) { - int offset = (l->total_size + l->aligner) - q->ip_offset; + int offset; + if (l->injection_type != LIBNET_LINK) + { + offset = (l->total_size + l->aligner) - q->ip_offset; + } + else + { + offset = l->aligner; + switch(l->pblock_end->type){ + case LIBNET_PBLOCK_ETH_H: + offset += LIBNET_ETH_H; + break; + case LIBNET_PBLOCK_TOKEN_RING_H: + offset += LIBNET_TOKEN_RING_H; + break; + case LIBNET_PBLOCK_FDDI_H: + offset += LIBNET_FDDI_H; + break; + case LIBNET_PBLOCK_802_1Q_H: + offset += LIBNET_802_1Q_H; + break; + case LIBNET_PBLOCK_ISL_H: + offset += LIBNET_ISL_H; + break; + case LIBNET_PBLOCK_802_3_H: + offset += LIBNET_802_3_H; + break; + default: + break; + } + } c = libnet_do_checksum(l, *packet + offset, libnet_pblock_p2p(q->type), q->h_len); if (c == -1) @@ -472,6 +502,20 @@ case LIBNET_PBLOCK_ICMPV4_REDIRECT_H: case LIBNET_PBLOCK_ICMPV4_TS_H: return (IPPROTO_ICMP); + case LIBNET_PBLOCK_ICMPV6_H: + case LIBNET_PBLOCK_ICMPV6_ECHO_H: + case LIBNET_PBLOCK_ICMPV6_PARAMPB_H: + case LIBNET_PBLOCK_ICMPV6_TIMXCEED_H: + case LIBNET_PBLOCK_ICMPV6_TOOBIG_H: + case LIBNET_PBLOCK_ICMPV6_UNREACH_H: + case LIBNET_PBLOCK_ICMPV6_WRU_H: + case LIBNET_PBLOCK_ICMPV6_MULTICAST_H: + case LIBNET_PBLOCK_ICMPV6_REDIRECT_H: + case LIBNET_PBLOCK_ICMPV6_NEIGHBORADV_H: + case LIBNET_PBLOCK_ICMPV6_NEIGHBORSO_H: + case LIBNET_PBLOCK_ICMPV6_ROUTERADV_H: + case LIBNET_PBLOCK_ICMPV6_ROUTERSO_H: + return (IPPROTO_ICMP6); case LIBNET_PBLOCK_IGMP_H: return (IPPROTO_IGMP); case LIBNET_PBLOCK_IPV4_H: ==== //depot/projects/soc2006/clem1_ipv6vulns/libnet/src/libnet_resolve.c#2 (text+ko) ==== @@ -411,4 +411,10 @@ return (buf); } +u_int8_t * +libnet_mac2eth(int8_t *s) +{ + int len = 6; + return libnet_hex_aton(s, &len); +} /* EOF */
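Review bot: For `LIBNET_LINK` injection the checksum offset no longer uses `q->ip_offset`; it is `l->aligner` plus a link-header size chosen from `l->pblock_end->type`, and the `default: break;` arm adds nothing. For a link type not in the list, `libnet_do_checksum` is therefore called at the start of the frame and would treat link-layer bytes as the IP header. The same seems to apply when anything sits between the link header and the IP header being checksummed, such as an encapsulating header. I would make the default arm fall back to the previous computation, `offset = (l->total_size + l->aligner) - q->ip_offset;`, or fail there with an error. The enclosing function starts and ends outside the hunk.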
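Review bot: `libnet_mac2eth` in libnet_resolve.c passes `&len` with `len = 6` to `libnet_hex_aton` and never reads it back. If `libnet_hex_aton` reports the number of parsed bytes through `len` (its body is not in this hunk, so this needs confirming), a string with fewer than six octets yields a shorter buffer that callers will still treat as a 6-byte Ethernet address. I would check the result before returning it, `if (eth != NULL && len != 6) { free(eth); return (NULL); }`, assuming the buffer is heap-allocated. A short comment above the function should state the expected input format and who frees the result.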