Skip to content

net: ICMPv4 echo reply packets do not use default values in the IP header #13147

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
aurel32 opened this issue Feb 7, 2019 · 3 comments
Closed

net: ICMPv4 echo reply packets do not use default values in the IP header #13147

aurel32 opened this issue Feb 7, 2019 · 3 comments
Assignees
@tbursztyka
Labels
area: Conformance Conformance tests area: Networking bug The issue is a bug, or the PR is fixing a bug

Comments

@aurel32
Copy link
Collaborator

aurel32 commented Feb 7, 2019

Describe the bug

The ICMPv4 echo reply packets are build by reusing the echo request packet, only changing a few fields of the IP header. This means some fields of the outbound packet are taken from the inboud packet instead of using the default values from the interface, and most notably the TTL, flags and fragment offset. It might be safer to create a new packet using net_ipv4_create() and icmpv4_create() and copying only the payload.

To Reproduce
Send an ICMP echo request packet with a given TTL different than 64 (the default value in Zephyr). See how the echo reply packet comes back with the same TTL (if on the same subnet or lower if it goes through a router). Use a different TTL and observe how the echo reply packet use that different TTL.

Expected behavior
The echo reply packet should use the default IP header values and not the one from the inbound packet.

Impact
Conformance issue. It also means that the IP header sent by the board for ICMPv4 packets can partially be controlled by the inbound packet. It might have security impacts.
@aurel32 aurel32 added bug The issue is a bug, or the PR is fixing a bug area: Networking area: Conformance Conformance tests labels Feb 7, 2019
@tbursztyka
Copy link
Collaborator

It's because clone sets the same attributes to the cloned pkt as the original one.

It's just a matter to reset the ttl of the reply. Note that net_ipv4_create and net_icmpv4_create are used, it can work in both situation overwriting or not.

will send a patch, directly part of #12989

@tbursztyka tbursztyka self-assigned this Feb 8, 2019
@aurel32
Copy link
Collaborator Author

aurel32 commented Feb 8, 2019

Thanks this commit indeed fixes the issue. Now I wonder why not just copy the payload to avoid this kind of issue, like it is already done for IPv6?

@tbursztyka
Copy link
Collaborator

In IPv6 it made sens to avoid cloning due to the fact option headers should not be present in the reply. In icmpv4 it's all the same (beside the ip src/dst addr, the icmp type and the ttl obviously): using cloning was a little bit simpler. (one clone vs net_pkt_alloc_with_buffer + net_pkt_copy).
Ok a really tiny bit simpler :)

tbursztyka pushed a commit to tbursztyka/zephyr that referenced this issue Feb 12, 2019
net/icmpv4: Do not reuse echo request ttl for the echo reply
e9aee78 
net_pkt_clone_new() sets the same attributes of the original packet to
the cloned one.

Fixes zephyrproject-rtos#13147

Signed-off-by: Tomasz Bursztyka <[email protected]>
@nashif nashif closed this as completed in 40167ad Feb 13, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tbursztyka tbursztyka

Labels
area: Conformance Conformance tests area: Networking bug The issue is a bug, or the PR is fixing a bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tbursztyka @aurel32