[Bug 3464] New: openbsd-compat - sys_tun_infilter - off-by-one

[bugzilla-daemon at mindrot.org]

https://bugzilla.mindrot.org/show_bug.cgi?id=3464

            Bug ID: 3464
           Summary: openbsd-compat - sys_tun_infilter - off-by-one
           Product: Portable OpenSSH
           Version: v9.0p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: shm at digitalsun.pl

Created attachment 3603
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3603&action=edit
patch for the issue

If tun forwarding is active, in case when ip packet is just plain ip
packet (header only), sys_tun_infilter rejects that and takes tunnel
down. It seems to be mistake in the openbsd-compat/port-net.c:


sys_tun_infilter(struct ssh *ssh, struct Channel *c, char *buf, int
_len)
[...]
#if defined(SSH_TUN_PREPEND_AF)
       if (len <= sizeof(iph) || len > sizeof(rbuf) - 4)
[...]

In the line above length of the packet is checked, but if len ==
sizeof(iph) it's refused as well, which is likely an off-by-one
mistake.

How to reproduce it:

We've got two machines
A - 1.1.1.1 and B - 2.2.2.2

We connect from A to B with tun forwarding and assign IPs as above.

>From machine A we issue following command:
hping3 -0 -H 255 -c 1 -D 2.2.2.2

And the tunnel is down due to sys_tun_infilter failure (because it
sends naked ip header.

In the attachment I sent simple patch to fix that. Please verify if I
don't missed anything.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.