ip: enhance ip header validation #177
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rjarry
requested changes
Mar 8, 2025
986f1b0 to
cb4bb6c
Compare
f6605fa to
014e671
Compare
The current code assumes that the hardware performs the following checks: - The packet length is sufficient to accommodate the minimum length of the IP header. - The IP version is set to 4. - The IP header length field is large enough to accommodate the minimum legal IP datagram length. However, these assumptions are incorrect, at least with the tap driver. The following packets can be created using scapy: > p_badversion = Ether(dst='f0:0d:ac:dc:00:00', src='ba:d0:ca:ca:00:00')/IP(version=5, src='172.16.0.2', dst='172.16.1.2') > p_badihl = Ether(dst='f0:0d:ac:dc:00:00', src='ba:d0:ca:ca:00:00')/IP(src='172.16.0.2', dst='172.16.1.2', ihl=3) > p_truncated = Ether(dst='f0:0d:ac:dc:00:00', src='ba:d0:ca:ca:00:00')/IP(src='172.16.0.2', dst='172.16.1.2')[:14+10] If the correct routes are configured, grout will forward these packets instead of discarding them, in violation of RFC1812. So software validation is required for these fields. The next commit will use packet type to not checking check IP version and IHL. Fixes: 5f5de2c ("ip4_lookup: comply with rfc1812") Signed-off-by: Maxime Leroy <maxime@leroys.fr>
014e671 to
5c9d980
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The current code assumes that the hardware performs the following checks:
However, these assumptions are incorrect, at least with the tap driver. The following packets can be created using Scapy:
If the correct routes are configured, grout will forward these packets instead of discarding them, in violation of RFC1812.
The DPDK driver can provide hardware information about the checksum (which is already used to validate the IP checksum) and packet type. There are two packet types for IPv4:
When one of these flags is set, it indicates that the IHL and version of the packet are valid. Otherwise, software validation is necessary.
As for the packet length requirement to accommodate the minimum legal IP datagram length (20 bytes), there is no guarantee that the hardware will validate it. Therefore, this validation must be performed in software.
Fixes: 5f5de2c ("ip4_lookup: comply with rfc1812")