File: /usr/src/linux/net/ipv4/netfilter/ipt_unclean.c
1 /* Kernel module to match suspect packets. */
2 #include <linux/module.h>
3 #include <linux/skbuff.h>
4 #include <linux/ip.h>
5 #include <linux/udp.h>
6 #include <linux/tcp.h>
7 #include <linux/icmp.h>
8 #include <net/checksum.h>
9
10 #include <linux/netfilter_ipv4/ip_tables.h>
11
12 #define limpk(format, args...) \
13 do { \
14 if (net_ratelimit()) \
15 printk("ipt_unclean: %s" format, \
16 embedded ? "(embedded packet) " : "" , ## args); \
17 } while(0)
18
19 enum icmp_error_status
20 {
21 ICMP_MAY_BE_ERROR,
22 ICMP_IS_ERROR,
23 ICMP_NOT_ERROR
24 };
25
26 struct icmp_info
27 {
28 size_t min_len, max_len;
29 enum icmp_error_status err;
30 u_int8_t min_code, max_code;
31 };
32
33 static int
34 check_ip(struct iphdr *iph, size_t length, int embedded);
35
36 /* ICMP-specific checks. */
37 static int
38 check_icmp(const struct icmphdr *icmph,
39 u_int16_t datalen,
40 unsigned int offset,
41 int more_frags,
42 int embedded)
43 {
44 static struct icmp_info info[]
45 = { [ICMP_ECHOREPLY]
46 = { 8, 65536, ICMP_NOT_ERROR, 0, 0 },
47 [ICMP_DEST_UNREACH]
48 = { 8 + 28, 65536, ICMP_IS_ERROR, 0, 15 },
49 [ICMP_SOURCE_QUENCH]
50 = { 8 + 28, 65536, ICMP_IS_ERROR, 0, 0 },
51 [ICMP_REDIRECT]
52 = { 8 + 28, 65536, ICMP_IS_ERROR, 0, 3 },
53 [ICMP_ECHO]
54 = { 8, 65536, ICMP_NOT_ERROR, 0, 0 },
55 /* Router advertisement. */
56 [9]
57 = { 8, 8 + 255 * 8, ICMP_NOT_ERROR, 0, 0 },
58 /* Router solicitation. */
59 [10]
60 = { 8, 8, ICMP_NOT_ERROR, 0, 0 },
61 [ICMP_TIME_EXCEEDED]
62 = { 8 + 28, 65536, ICMP_IS_ERROR, 0, 1 },
63 [ICMP_PARAMETERPROB]
64 = { 8 + 28, 65536, ICMP_IS_ERROR, 0, 1 },
65 [ICMP_TIMESTAMP]
66 = { 20, 20, ICMP_NOT_ERROR, 0, 0 },
67 [ICMP_TIMESTAMPREPLY]
68 = { 20, 20, ICMP_NOT_ERROR, 0, 0 },
69 [ICMP_INFO_REQUEST]
70 = { 8, 65536, ICMP_NOT_ERROR, 0, 0 },
71 [ICMP_INFO_REPLY]
72 = { 8, 65536, ICMP_NOT_ERROR, 0, 0 },
73 [ICMP_ADDRESS]
74 = { 12, 12, ICMP_NOT_ERROR, 0, 0 },
75 [ICMP_ADDRESSREPLY]
76 = { 12, 12, ICMP_NOT_ERROR, 0, 0 } };
77
78 /* Can't do anything if it's a fragment. */
79 if (offset)
80 return 1;
81
82 /* Must cover type and code. */
83 if (datalen < 2) {
84 limpk("ICMP len=%u too short\n", datalen);
85 return 0;
86 }
87
88 /* If not embedded. */
89 if (!embedded) {
90 /* Bad checksum? Don't print, just ignore. */
91 if (!more_frags
92 && ip_compute_csum((unsigned char *) icmph, datalen) != 0)
93 return 0;
94
95 /* CHECK: Truncated ICMP (even if first fragment). */
96 if (icmph->type < sizeof(info)/sizeof(struct icmp_info)
97 && info[icmph->type].min_len != 0
98 && datalen < info[icmph->type].min_len) {
99 limpk("ICMP type %u len %u too short\n",
100 icmph->type, datalen);
101 return 0;
102 }
103
104 /* CHECK: Check within known error ICMPs. */
105 if (icmph->type < sizeof(info)/sizeof(struct icmp_info)
106 && info[icmph->type].err == ICMP_IS_ERROR) {
107 /* CHECK: Embedded packet must be at least
108 length of iph + 8 bytes. */
109 struct iphdr *inner = (void *)icmph + 8;
110
111 /* datalen > 8 since all ICMP_IS_ERROR types
112 have min length > 8 */
113 if (datalen - 8 < sizeof(struct iphdr)) {
114 limpk("ICMP error internal way too short\n");
115 return 0;
116 }
117 if (datalen - 8 < inner->ihl*4 + 8) {
118 limpk("ICMP error internal too short\n");
119 return 0;
120 }
121 if (!check_ip(inner, datalen - 8, 1))
122 return 0;
123 }
124 } else {
125 /* CHECK: Can't embed ICMP unless known non-error. */
126 if (icmph->type >= sizeof(info)/sizeof(struct icmp_info)
127 || info[icmph->type].err != ICMP_NOT_ERROR) {
128 limpk("ICMP type %u not embeddable\n",
129 icmph->type);
130 return 0;
131 }
132 }
133
134 /* CHECK: Invalid ICMP codes. */
135 if (icmph->type < sizeof(info)/sizeof(struct icmp_info)
136 && (icmph->code < info[icmph->type].min_code
137 || icmph->code > info[icmph->type].max_code)) {
138 limpk("ICMP type=%u code=%u\n",
139 icmph->type, icmph->code);
140 return 0;
141 }
142
143 /* CHECK: Above maximum length. */
144 if (icmph->type < sizeof(info)/sizeof(struct icmp_info)
145 && info[icmph->type].max_len != 0
146 && datalen > info[icmph->type].max_len) {
147 limpk("ICMP type=%u too long: %u bytes\n",
148 icmph->type, datalen);
149 return 0;
150 }
151
152 switch (icmph->type) {
153 case ICMP_PARAMETERPROB: {
154 /* CHECK: Problem param must be within error packet's
155 * IP header. */
156 struct iphdr *iph = (void *)icmph + 8;
157 u_int32_t arg = ntohl(icmph->un.gateway);
158
159 if (icmph->code == 0) {
160 /* Code 0 means that upper 8 bits is pointer
161 to problem. */
162 if ((arg >> 24) >= iph->ihl*4) {
163 limpk("ICMP PARAMETERPROB ptr = %u\n",
164 ntohl(icmph->un.gateway) >> 24);
165 return 0;
166 }
167 arg &= 0x00FFFFFF;
168 }
169
170 /* CHECK: Rest must be zero. */
171 if (arg) {
172 limpk("ICMP PARAMETERPROB nonzero arg = %u\n",
173 arg);
174 return 0;
175 }
176 break;
177 }
178
179 case ICMP_TIME_EXCEEDED:
180 case ICMP_SOURCE_QUENCH:
181 /* CHECK: Unused must be zero. */
182 if (icmph->un.gateway != 0) {
183 limpk("ICMP type=%u unused = %u\n",
184 icmph->type, ntohl(icmph->un.gateway));
185 return 0;
186 }
187 break;
188 }
189
190 return 1;
191 }
192
193 /* UDP-specific checks. */
194 static int
195 check_udp(const struct iphdr *iph,
196 const struct udphdr *udph,
197 u_int16_t datalen,
198 unsigned int offset,
199 int more_frags,
200 int embedded)
201 {
202 /* Can't do anything if it's a fragment. */
203 if (offset)
204 return 1;
205
206 /* CHECK: Must cover UDP header. */
207 if (datalen < sizeof(struct udphdr)) {
208 limpk("UDP len=%u too short\n", datalen);
209 return 0;
210 }
211
212 /* Bad checksum? Don't print, just say it's unclean. */
213 /* FIXME: SRC ROUTE packets won't match checksum --RR */
214 if (!more_frags && !embedded
215 && csum_tcpudp_magic(iph->saddr, iph->daddr, datalen, IPPROTO_UDP,
216 csum_partial((char *)udph, datalen, 0)) != 0)
217 return 0;
218
219 /* CHECK: Ports can't be zero. */
220 if (!udph->source || !udph->dest) {
221 limpk("UDP zero ports %u/%u\n",
222 ntohs(udph->source), ntohs(udph->dest));
223 return 0;
224 }
225
226 if (!more_frags) {
227 if (!embedded) {
228 /* CHECK: UDP length must match. */
229 if (ntohs(udph->len) != datalen) {
230 limpk("UDP len too short %u vs %u\n",
231 ntohs(udph->len), datalen);
232 return 0;
233 }
234 } else {
235 /* CHECK: UDP length be >= this truncated pkt. */
236 if (ntohs(udph->len) < datalen) {
237 limpk("UDP len too long %u vs %u\n",
238 ntohs(udph->len), datalen);
239 return 0;
240 }
241 }
242 } else {
243 /* CHECK: UDP length must be > this frag's length. */
244 if (ntohs(udph->len) <= datalen) {
245 limpk("UDP fragment len too short %u vs %u\n",
246 ntohs(udph->len), datalen);
247 return 0;
248 }
249 }
250
251 return 1;
252 }
253
254 #define TH_FIN 0x01
255 #define TH_SYN 0x02
256 #define TH_RST 0x04
257 #define TH_PUSH 0x08
258 #define TH_ACK 0x10
259 #define TH_URG 0x20
260
261 /* TCP-specific checks. */
262 static int
263 check_tcp(const struct iphdr *iph,
264 const struct tcphdr *tcph,
265 u_int16_t datalen,
266 unsigned int offset,
267 int more_frags,
268 int embedded)
269 {
270 u_int8_t *opt = (u_int8_t *)tcph;
271 u_int8_t *endhdr = (u_int8_t *)tcph + tcph->doff * 4;
272 u_int8_t tcpflags;
273 int end_of_options = 0;
274 size_t i;
275
276 /* CHECK: Can't have offset=1: used to override TCP syn-checks. */
277 /* In fact, this is caught below (offset < 516). */
278
279 /* Can't do anything if it's a fragment. */
280 if (offset)
281 return 1;
282
283 /* CHECK: Smaller than minimal TCP hdr. */
284 if (datalen < sizeof(struct tcphdr)) {
285 if (!embedded) {
286 limpk("Packet length %u < TCP header.\n", datalen);
287 return 0;
288 }
289 /* Must have ports available (datalen >= 8), from
290 check_icmp which set embedded = 1 */
291 /* CHECK: TCP ports inside ICMP error */
292 if (!tcph->source || !tcph->dest) {
293 limpk("Zero TCP ports %u/%u.\n",
294 htons(tcph->source), htons(tcph->dest));
295 return 0;
296 }
297 return 1;
298 }
299
300 /* CHECK: Smaller than actual TCP hdr. */
301 if (datalen < tcph->doff * 4) {
302 if (!embedded) {
303 limpk("Packet length %u < actual TCP header.\n",
304 datalen);
305 return 0;
306 } else
307 return 1;
308 }
309
310 /* Bad checksum? Don't print, just say it's unclean. */
311 /* FIXME: SRC ROUTE packets won't match checksum --RR */
312 if (!more_frags && !embedded
313 && csum_tcpudp_magic(iph->saddr, iph->daddr, datalen, IPPROTO_TCP,
314 csum_partial((char *)tcph, datalen, 0)) != 0)
315 return 0;
316
317 /* CHECK: TCP ports non-zero */
318 if (!tcph->source || !tcph->dest) {
319 limpk("Zero TCP ports %u/%u.\n",
320 htons(tcph->source), htons(tcph->dest));
321 return 0;
322 }
323
324 /* CHECK: TCP reserved bits zero. */
325 if(tcp_flag_word(tcph) & TCP_RESERVED_BITS) {
326 limpk("TCP reserved bits not zero\n");
327 return 0;
328 }
329
330 /* CHECK: TCP flags. */
331 tcpflags = ((u_int8_t *)tcph)[13];
332 if (tcpflags != TH_SYN
333 && tcpflags != (TH_SYN|TH_ACK)
334 && tcpflags != (TH_RST|TH_ACK)
335 && tcpflags != (TH_RST|TH_ACK|TH_PUSH)
336 && tcpflags != (TH_FIN|TH_ACK)
337 && tcpflags != TH_ACK
338 && tcpflags != (TH_ACK|TH_PUSH)
339 && tcpflags != (TH_ACK|TH_URG)
340 && tcpflags != (TH_ACK|TH_URG|TH_PUSH)
341 && tcpflags != (TH_FIN|TH_ACK|TH_PUSH)
342 && tcpflags != (TH_FIN|TH_ACK|TH_URG)
343 && tcpflags != (TH_FIN|TH_ACK|TH_URG|TH_PUSH)) {
344 limpk("TCP flags bad: %u\n", tcpflags);
345 return 0;
346 }
347
348 for (i = sizeof(struct tcphdr); i < tcph->doff * 4; ) {
349 switch (opt[i]) {
350 case 0:
351 end_of_options = 1;
352 i++;
353 break;
354 case 1:
355 i++;
356 break;
357 default:
358 /* CHECK: options after EOO. */
359 if (end_of_options) {
360 limpk("TCP option %u after end\n",
361 opt[i]);
362 return 0;
363 }
364 /* CHECK: options at tail. */
365 else if (i+1 >= tcph->doff * 4) {
366 limpk("TCP option %u at tail\n",
367 opt[i]);
368 return 0;
369 }
370 /* CHECK: zero-length options. */
371 else if (opt[i+1] == 0) {
372 limpk("TCP option %u 0 len\n",
373 opt[i]);
374 return 0;
375 }
376 /* CHECK: oversize options. */
377 else if (&opt[i] + opt[i+1] > endhdr) {
378 limpk("TCP option %u at %Zu too long\n",
379 (unsigned int) opt[i], i);
380 return 0;
381 }
382 /* Move to next option */
383 i += opt[i+1];
384 }
385 }
386
387 return 1;
388 }
389
390 /* Returns 1 if ok */
391 /* Standard IP checks. */
392 static int
393 check_ip(struct iphdr *iph, size_t length, int embedded)
394 {
395 u_int8_t *opt = (u_int8_t *)iph;
396 u_int8_t *endhdr = (u_int8_t *)iph + iph->ihl * 4;
397 int end_of_options = 0;
398 void *protoh;
399 size_t datalen;
400 unsigned int i;
401 unsigned int offset;
402
403 /* Should only happen for local outgoing raw-socket packets. */
404 /* CHECK: length >= ip header. */
405 if (length < sizeof(struct iphdr) || length < iph->ihl * 4) {
406 limpk("Packet length %Zu < IP header.\n", length);
407 return 0;
408 }
409
410 offset = ntohs(iph->frag_off) & IP_OFFSET;
411 protoh = (void *)iph + iph->ihl * 4;
412 datalen = length - iph->ihl * 4;
413
414 /* CHECK: Embedded fragment. */
415 if (embedded && offset) {
416 limpk("Embedded fragment.\n");
417 return 0;
418 }
419
420 for (i = sizeof(struct iphdr); i < iph->ihl * 4; ) {
421 switch (opt[i]) {
422 case 0:
423 end_of_options = 1;
424 i++;
425 break;
426 case 1:
427 i++;
428 break;
429 default:
430 /* CHECK: options after EOO. */
431 if (end_of_options) {
432 limpk("IP option %u after end\n",
433 opt[i]);
434 return 0;
435 }
436 /* CHECK: options at tail. */
437 else if (i+1 >= iph->ihl * 4) {
438 limpk("IP option %u at tail\n",
439 opt[i]);
440 return 0;
441 }
442 /* CHECK: zero-length or one-length options. */
443 else if (opt[i+1] < 2) {
444 limpk("IP option %u %u len\n",
445 opt[i], opt[i+1]);
446 return 0;
447 }
448 /* CHECK: oversize options. */
449 else if (&opt[i] + opt[i+1] > endhdr) {
450 limpk("IP option %u at %u too long\n",
451 opt[i], i);
452 return 0;
453 }
454 /* Move to next option */
455 i += opt[i+1];
456 }
457 }
458
459 /* Fragment checks. */
460
461 /* CHECK: More fragments, but doesn't fill 8-byte boundary. */
462 if ((ntohs(iph->frag_off) & IP_MF)
463 && (ntohs(iph->tot_len) % 8) != 0) {
464 limpk("Truncated fragment %u long.\n", ntohs(iph->tot_len));
465 return 0;
466 }
467
468 /* CHECK: Oversize fragment a-la Ping of Death. */
469 if (offset * 8 + datalen > 65535) {
470 limpk("Oversize fragment to %u.\n", offset * 8);
471 return 0;
472 }
473
474 /* CHECK: DF set and offset or MF set. */
475 if ((ntohs(iph->frag_off) & IP_DF)
476 && (offset || (ntohs(iph->frag_off) & IP_MF))) {
477 limpk("DF set and offset=%u, MF=%u.\n",
478 offset, ntohs(iph->frag_off) & IP_MF);
479 return 0;
480 }
481
482 /* CHECK: Zero-sized fragments. */
483 if ((offset || (ntohs(iph->frag_off) & IP_MF))
484 && datalen == 0) {
485 limpk("Zero size fragment offset=%u\n", offset);
486 return 0;
487 }
488
489 /* Note: we can have even middle fragments smaller than this:
490 consider a large packet passing through a 600MTU then
491 576MTU link: this gives a fragment of 24 data bytes. But
492 everyone packs fragments largest first, hence a fragment
493 can't START before 576 - MAX_IP_HEADER_LEN. */
494
495 /* Used to be min-size 576: I recall Alan Cox saying ax25 goes
496 down to 128 (576 taken from RFC 791: All hosts must be
497 prepared to accept datagrams of up to 576 octets). Use 128
498 here. */
499 #define MIN_LIKELY_MTU 128
500 /* CHECK: Min size of first frag = 128. */
501 if ((ntohs(iph->frag_off) & IP_MF)
502 && offset == 0
503 && ntohs(iph->tot_len) < MIN_LIKELY_MTU) {
504 limpk("First fragment size %u < %u\n", ntohs(iph->tot_len),
505 MIN_LIKELY_MTU);
506 return 0;
507 }
508
509 /* CHECK: Min offset of frag = 128 - IP hdr len. */
510 if (offset && offset * 8 < MIN_LIKELY_MTU - iph->ihl * 4) {
511 limpk("Fragment starts at %u < %u\n", offset * 8,
512 MIN_LIKELY_MTU - iph->ihl * 4);
513 return 0;
514 }
515
516 /* CHECK: Protocol specification non-zero. */
517 if (iph->protocol == 0) {
518 limpk("Zero protocol\n");
519 return 0;
520 }
521
522 /* Per-protocol checks. */
523 switch (iph->protocol) {
524 case IPPROTO_ICMP:
525 return check_icmp(protoh, datalen, offset,
526 (ntohs(iph->frag_off) & IP_MF),
527 embedded);
528
529 case IPPROTO_UDP:
530 return check_udp(iph, protoh, datalen, offset,
531 (ntohs(iph->frag_off) & IP_MF),
532 embedded);
533
534 case IPPROTO_TCP:
535 return check_tcp(iph, protoh, datalen, offset,
536 (ntohs(iph->frag_off) & IP_MF),
537 embedded);
538 default:
539 /* Ignorance is bliss. */
540 return 1;
541 }
542 }
543
544 static int
545 match(const struct sk_buff *skb,
546 const struct net_device *in,
547 const struct net_device *out,
548 const void *matchinfo,
549 int offset,
550 const void *hdr,
551 u_int16_t datalen,
552 int *hotdrop)
553 {
554 return !check_ip(skb->nh.iph, skb->len, 0);
555 }
556
557 /* Called when user tries to insert an entry of this type. */
558 static int
559 checkentry(const char *tablename,
560 const struct ipt_ip *ip,
561 void *matchinfo,
562 unsigned int matchsize,
563 unsigned int hook_mask)
564 {
565 if (matchsize != IPT_ALIGN(0))
566 return 0;
567
568 return 1;
569 }
570
571 static struct ipt_match unclean_match
572 = { { NULL, NULL }, "unclean", &match, &checkentry, NULL, THIS_MODULE };
573
574 static int __init init(void)
575 {
576 return ipt_register_match(&unclean_match);
577 }
578
579 static void __exit fini(void)
580 {
581 ipt_unregister_match(&unclean_match);
582 }
583
584 module_init(init);
585 module_exit(fini);
586