[Bug 3464] New: openbsd-compat - sys_tun_infilter - off-by-one

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Jul 14 17:24:54 AEST 2022


            Bug ID: 3464
           Summary: openbsd-compat - sys_tun_infilter - off-by-one
           Product: Portable OpenSSH
           Version: v9.0p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: shm at digitalsun.pl

Created attachment 3603
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3603&action=edit
patch for the issue

If tun forwarding is active and an IP packet is just a plain IP
packet (header only), sys_tun_infilter rejects it and takes the tunnel
down. It seems to be a mistake in openbsd-compat/port-net.c:

sys_tun_infilter(struct ssh *ssh, struct Channel *c, char *buf, int
#if defined(SSH_TUN_PREPEND_AF)
       if (len <= sizeof(iph) || len > sizeof(rbuf) - 4)

In the line above the length of the packet is checked, but if len ==
sizeof(iph) it is refused as well, which is likely an off-by-one.

How to reproduce it:

We've got two machines
A - and B -

We connect from A to B with tun forwarding and assign IPs as above.

From machine A we issue the following command:
hping3 -0 -H 255 -c 1 -D

And the tunnel goes down due to a sys_tun_infilter failure (because it
sends a naked IP header).

In the attachment I sent a simple patch to fix that. Please verify that I
haven't missed anything.
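The following is an added illustration, not OpenSSH code and not the
attached patch: it models the length check quoted from sys_tun_infilter()
next to a variant that only rejects packets shorter than the IP header,
builds a constructed header-only IPv4 packet of the kind "hping3 -0 -H 255"
sends (protocol 255, no payload), and runs it through both checks. The
rbuf size (32 KiB, taken to be CHAN_SES_PACKET_DEFAULT) and the 20-byte
header struct standing in for struct ip are assumptions made for the
example.

```c
/*
 * Added example, not OpenSSH code. Models the length check in
 * sys_tun_infilter() (openbsd-compat/port-net.c) and shows why a
 * header-only IPv4 packet is rejected by the "<=" comparison.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: rbuf in sys_tun_infilter is CHAN_SES_PACKET_DEFAULT bytes. */
#define RBUF_SIZE (32 * 1024)

/* Stand-in for struct ip: a minimal 20-byte IPv4 header, no options. */
struct ipv4_hdr {
    uint8_t  ver_ihl;   /* version (4 bits) and header length in words */
    uint8_t  tos;
    uint16_t tot_len;   /* total length, header + payload */
    uint16_t id;
    uint16_t frag_off;
    uint8_t  ttl;
    uint8_t  proto;
    uint16_t check;
    uint32_t saddr;
    uint32_t daddr;
};

/* The check as quoted in the report: len == sizeof(iph) is refused. */
int infilter_len_ok_orig(int len)
{
    if (len <= (int)sizeof(struct ipv4_hdr) || len > RBUF_SIZE - 4)
        return 0;
    return 1;
}

/* Variant that accepts a header-only packet: only len < sizeof(iph) fails. */
int infilter_len_ok_fixed(int len)
{
    if (len < (int)sizeof(struct ipv4_hdr) || len > RBUF_SIZE - 4)
        return 0;
    return 1;
}

/* Standard one's-complement IPv4 header checksum over len bytes. */
uint16_t ipv4_checksum(const unsigned char *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    if (len & 1)
        sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/*
 * Constructed packet resembling "hping3 -0 -H 255 -c 1": raw IPv4,
 * protocol 255, total length 20, no payload. Addresses are placeholders.
 * Returns the packet length written into buf, or -1 if buf is too small.
 */
int build_header_only_packet(unsigned char *buf, size_t buflen)
{
    const int hlen = (int)sizeof(struct ipv4_hdr);
    if (buflen < (size_t)hlen)
        return -1;
    memset(buf, 0, (size_t)hlen);
    buf[0] = 0x45;                 /* IPv4, IHL = 5 words = 20 bytes */
    buf[2] = 0; buf[3] = (unsigned char)hlen;  /* tot_len = 20, big-endian */
    buf[8] = 64;                   /* TTL */
    buf[9] = 255;                  /* protocol 255 (hping3 -H 255) */
    buf[12] = 10; buf[15] = 1;     /* src 10.0.0.1 (placeholder) */
    buf[16] = 10; buf[19] = 2;     /* dst 10.0.0.2 (placeholder) */
    uint16_t cs = ipv4_checksum(buf, (size_t)hlen);
    buf[10] = (unsigned char)(cs >> 8);
    buf[11] = (unsigned char)(cs & 0xff);
    return hlen;
}

/* Payload bytes announced by the header, or -1 if the header is inconsistent. */
int ipv4_payload_len(const unsigned char *buf, int len)
{
    if (len < (int)sizeof(struct ipv4_hdr) || (buf[0] >> 4) != 4)
        return -1;
    int ihl = (buf[0] & 0x0f) * 4;
    int tot = (buf[2] << 8) | buf[3];
    if (ihl < 20 || tot < ihl || tot > len)
        return -1;
    return tot - ihl;
}

int main(void)
{
    unsigned char pkt[64];
    int n = build_header_only_packet(pkt, sizeof pkt);
    printf("packet: %d bytes, payload %d, checksum ok=%d\n",
           n, ipv4_payload_len(pkt, n), ipv4_checksum(pkt, (size_t)n) == 0);
    printf("original check accepts: %d\n", infilter_len_ok_orig(n));
    printf("fixed check accepts:    %d\n", infilter_len_ok_fixed(n));
    return 0;
}
```

A 20-byte packet is a complete, well-formed IPv4 datagram (IHL 5, total
length 20, zero payload), so a filter that wants to parse the header only
needs len >= sizeof(iph); the upper bound against the reassembly buffer is
unaffected by the change.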
