Merge branch 'ip_offset-patch' into v1.1.2.1-forkv1.1.2.1-fork

3 files changed, 291 insertions, 1 deletions

diff --git a/libnet/sample/Makefile.am b/libnet/sample/Makefile.am
index 05cccbb..87b76a7 100644
--- a/libnet/sample/Makefile.am
+++ b/libnet/sample/Makefile.am
@@ -14,7 +14,7 @@ noinst_PROGRAMS = arp cdp dhcp_discover get_addr icmp_timestamp icmp_unreach \
                   smurf dot1x dns rpc_tcp rpc_udp mpls icmp_timeexceed \
                   fddi_tcp1 fddi_tcp2 tring_tcp1 tring_tcp2 icmp_redirect \
                   bgp4_hdr bgp4_open bgp4_update bgp4_notification gre \
-                  synflood6_frag tftp ip_link ip_raw sebek
+                  synflood6_frag tftp ip_link ip_raw sebek test_ipv4 test_ipv6_icmpv4
 
 arp_SOURCES             = arp.c
 cdp_SOURCES             = cdp.c
@@ -59,5 +59,7 @@ gre_SOURCES		= gre.c
 ip_raw_SOURCES          = ip_raw.c
 ip_link_SOURCES		= ip_link.c
 sebek_SOURCES           = sebek.c
+test_ipv4_SOURCES       = test_ipv4.c
+test_ipv6_icmpv4_SOURCES = test_ipv6_icmpv4.c
 
 LDADD 			= $(top_srcdir)/src/libnet.la
diff --git a/libnet/sample/test_ipv4.c b/libnet/sample/test_ipv4.c
new file mode 100644
index 0000000..cf1646b
--- /dev/null
+++ b/libnet/sample/test_ipv4.c
@@ -0,0 +1,165 @@
+/*
+ * Regression test for bugs in ipv4 ip_offset and h_len handling, such as
+ *   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=418975
+ *
+ * Copyright (c) 2009 Sam Roberts <sroberts@wurldtech.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+#if (HAVE_CONFIG_H)
+#include "../include/config.h"
+#endif
+#include "./libnet_test.h"
+
+#include <assert.h>
+
+static void print_pblocks(libnet_t* l)
+{
+    libnet_pblock_t* p = l->protocol_blocks;
+
+    while(p) {
+        /* h_len is header length for checksumming? "chksum length"? */
+        printf("  tag %d flags %d type %20s/%#x buf %p b_len %2u h_len %2u ip_offset %2u, copied %2u\n",
+                p->ptag, p->flags,
+                libnet_diag_dump_pblock_type(p->type), p->type,
+                p->buf, p->b_len, p->h_len, p->ip_offset, p->copied);
+        p = p->next;
+    }
+    printf("  link_offset %d aligner %d total_size %u nblocks %d\n",
+            l->link_offset, l->aligner, l->total_size, l->n_pblocks);
+
+}
+
+static int build_ipv4(libnet_t* l, libnet_ptag_t ip_ptag, int payload_s)
+{
+    u_long src_ip = 0xf101f1f1;
+    u_long dst_ip = 0xf102f1f1;
+    u_int8_t* payload = malloc(payload_s);
+    assert(payload);
+    memset(payload, '\x00', payload_s);
+
+    ip_ptag = libnet_build_ipv4(
+        LIBNET_IPV4_H + payload_s,                  /* length */
+        0,                                          /* TOS */
+        0xbbbb,                                     /* IP ID */
+        0,                                          /* IP Frag */
+        0xcc,                                      /* TTL */
+        IPPROTO_UDP,                                /* protocol */
+        0,                                          /* checksum */
+        src_ip,                                     /* source IP */
+        dst_ip,                                     /* destination IP */
+        payload,                                    /* payload */
+        payload_s,                                  /* payload size */
+        l,                                          /* libnet handle */
+        ip_ptag);                                   /* libnet id */
+
+    assert(ip_ptag > 0);
+
+    free(payload);
+
+    return ip_ptag;
+}
+
+int
+main(int argc, char *argv[])
+{
+    libnet_t *l;
+    int r;
+    char *device = "eth0";
+    u_int8_t enet_src[6] = {0x11, 0x11, 0x11, 0x11, 0x11, 0x11};
+    u_int8_t enet_dst[6] = {0x22, 0x22, 0x22, 0x22, 0x22, 0x22};
+    char errbuf[LIBNET_ERRBUF_SIZE];
+    libnet_ptag_t ip_ptag = 0;
+    libnet_ptag_t eth_ptag = 0;
+    int pkt1_payload = 10;
+    u_int8_t* pkt1 = NULL;
+    u_int32_t pkt1_sz = 0;
+    struct libnet_ipv4_hdr* h1;
+    int pkt2_payload = 2;
+    u_int8_t* pkt2 = NULL;
+    u_int32_t pkt2_sz = 0;
+    struct libnet_ipv4_hdr* h2;
+
+
+
+    l = libnet_init( LIBNET_LINK, device, errbuf);
+
+    assert(l);
+
+    /* Bug is triggered when rebuilding the ipv4 blocks with smaller payload.
+     * If change in payload size is larger than 20 (iph) + 14 (ether) +
+     * aligner, it will cause checksum to be written into the unallocated
+     * memory before the packet, possibly corrupting glib's memory allocation
+     * structures.
+     */
+
+    printf("Packet 1:\n");
+
+    ip_ptag = build_ipv4(l, ip_ptag, pkt1_payload);
+
+    eth_ptag = libnet_build_ethernet(
+        enet_dst,                                      /* ethernet destination */
+        enet_src,                                      /* ethernet source */
+        ETHERTYPE_IP,                               /* protocol type */
+        NULL,                                       /* payload */
+        0,                                          /* payload size */
+        l,                                          /* libnet handle */
+        0);                                         /* libnet id */
+    assert(eth_ptag > 0);
+
+    r = libnet_pblock_coalesce(l, &pkt1, &pkt1_sz);
+    assert(r >= 0);
+
+    print_pblocks(l);
+
+    libnet_diag_dump_hex(pkt1, 14, 0, stdout);
+    libnet_diag_dump_hex(pkt1+14, pkt1_sz-14, 0, stdout);
+
+    printf("Packet 2:\n");
+
+    ip_ptag = build_ipv4(l, ip_ptag, pkt2_payload);
+
+    r = libnet_pblock_coalesce(l, &pkt2, &pkt2_sz);
+    assert(r >= 0);
+
+    print_pblocks(l);
+
+    libnet_diag_dump_hex(pkt2, 14, 0, stdout);
+    libnet_diag_dump_hex(pkt2+14, pkt2_sz-14, 0, stdout);
+
+    /* Packets should differ only in the total length and cksum. */
+    h1 = (struct libnet_ipv4_hdr*) (pkt1+14);
+    h2 = (struct libnet_ipv4_hdr*) (pkt2+14);
+
+    assert(h1->ip_len == htons(20+pkt1_payload));
+    assert(h2->ip_len == htons(20+pkt2_payload));
+
+    h1->ip_len = h2->ip_len = 0x5555;
+    h1->ip_sum = h2->ip_sum = 0x6666;
+
+    assert(memcmp(pkt1, pkt2, 14 + 20) == 0);
+
+    return (EXIT_SUCCESS);
+}
+
diff --git a/libnet/sample/test_ipv6_icmpv4.c b/libnet/sample/test_ipv6_icmpv4.c
new file mode 100644
index 0000000..b3dcd67
--- /dev/null
+++ b/libnet/sample/test_ipv6_icmpv4.c
@@ -0,0 +1,123 @@
+/*
+ * Regression test for bugs such as reported in:
+ *   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=418975
+ *
+ * Copyright (c) 2009 Sam Roberts <sroberts@wurldtech.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+#if (HAVE_CONFIG_H)
+#include "../include/config.h"
+#endif
+#include "./libnet_test.h"
+
+#include <assert.h>
+
+#include <netinet/in.h>
+
+static void print_pblocks(libnet_t* l)
+{
+    libnet_pblock_t* p = l->protocol_blocks;
+
+    while(p) {
+        /* h_len is header length for checksumming? "chksum length"? */
+        printf("  tag %d flags %d type %20s/%#x buf %p b_len %2u h_len %2u ip_offset %2u, copied %2u\n",
+                p->ptag, p->flags,
+                libnet_diag_dump_pblock_type(p->type), p->type,
+                p->buf, p->b_len, p->h_len, p->ip_offset, p->copied);
+        p = p->next;
+    }
+    printf("  link_offset %d aligner %d total_size %u nblocks %d\n",
+            l->link_offset, l->aligner, l->total_size, l->n_pblocks);
+
+}
+
+int
+main(int argc, char *argv[])
+{
+    libnet_t *l;
+    int r;
+    char *device = "eth0";
+    struct libnet_ether_addr *mac_address;
+    struct in6_addr src_ip;
+    struct libnet_in6_addr dst_ip;
+    char errbuf[LIBNET_ERRBUF_SIZE];
+    libnet_ptag_t icmp_ptag = 0;
+    libnet_ptag_t ipv6_ptag = 0;
+    char payload[24] = { 0 };
+
+    memset(&src_ip, 0x66, sizeof(src_ip));
+
+    l = libnet_init( LIBNET_RAW6, device, errbuf);
+
+    assert(l);
+
+    mac_address = libnet_get_hwaddr(l);
+    assert(mac_address);
+
+    dst_ip = libnet_name2addr6(l, "::1" /* BCAST_ADDR - defined where? */, LIBNET_DONT_RESOLVE);
+
+    memcpy(payload,src_ip.s6_addr,16);
+    payload[16] = 2; /* 2 for Target Link-layer Address */
+    payload[17] = 1; /* The length of the option */
+    memcpy(payload+18,mac_address->ether_addr_octet, 6);
+
+    /* 0x2000: RSO */
+    icmp_ptag = libnet_build_icmpv4_echo(
+            136,0,0,0x2000,0,
+            (u_int8_t *)payload,sizeof(payload), l, LIBNET_PTAG_INITIALIZER);
+    assert(icmp_ptag);
+
+    ipv6_ptag = libnet_build_ipv6(
+            0, 0,
+            LIBNET_ICMPV6_H + sizeof(payload), // ICMPV6_H == ICMPV4_H, luckily
+            IPPROTO_ICMP6,
+            255,
+            *(struct libnet_in6_addr*)&src_ip,
+            dst_ip,
+            NULL, 0,
+            l, 0);
+    assert(icmp_ptag);
+
+    print_pblocks(l);
+
+    {
+       u_int8_t* pkt1 = NULL;
+       u_int32_t pkt1_sz = 0;
+       r = libnet_pblock_coalesce(l, &pkt1, &pkt1_sz);
+       assert(r >= 0);
+
+       libnet_diag_dump_hex(pkt1, LIBNET_IPV6_H, 0, stdout);
+       libnet_diag_dump_hex(pkt1+LIBNET_IPV6_H, pkt1_sz-LIBNET_IPV6_H, 0, stdout);
+
+       free(pkt1);
+       pkt1 = NULL;
+    }
+
+    r = libnet_write(l);
+    assert(r >= 0);
+
+    return (EXIT_SUCCESS);
+}
+