Bug 3464 - openbsd-compat - sys_tun_infilter - off-by-one
Summary: openbsd-compat - sys_tun_infilter - off-by-one
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 9.0p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2022-07-14 17:24 AEST by Mateusz Kocielski
Modified: 2022-10-04 21:56 AEDT

Attachments
patch for the issue (513 bytes, patch)
2022-07-14 17:24 AEST, Mateusz Kocielski
Description Mateusz Kocielski 2022-07-14 17:24:54 AEST
Created attachment 3603
patch for the issue

If tun forwarding is active and an IP packet is just a plain IP packet (header only), sys_tun_infilter rejects it and takes the tunnel down. It seems to be a mistake in openbsd-compat/port-net.c:


sys_tun_infilter(struct ssh *ssh, struct Channel *c, char *buf, int _len)
[...]
#if defined(SSH_TUN_PREPEND_AF)
       if (len <= sizeof(iph) || len > sizeof(rbuf) - 4)
[...]

In the line above the length of the packet is checked, but if len == sizeof(iph) it is refused as well, which is likely an off-by-one mistake.

How to reproduce it:

We've got two machines
A - 1.1.1.1 and B - 2.2.2.2

We connect from A to B with tun forwarding and assign IPs as above.

From machine A we issue the following command:
hping3 -0 -H 255 -c 1 -D 2.2.2.2

And the tunnel goes down due to the sys_tun_infilter failure (because it sends a naked IP header).

In the attachment I sent a simple patch to fix that. Please verify that I haven't missed anything.
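The following is an added example, not code from the bug report, from the attached patch or from OpenSSH itself. It is a stand-alone model of the length check at the top of sys_tun_infilter() in openbsd-compat/port-net.c: a header-only IPv4 packet of the kind "hping3 -0 -H 255" emits is run through the 9.0p1 condition quoted above and through a corrected one, so the off-by-one shows up as a return value. Because the OpenSSH headers are not included, the example assumes sizeof(struct ip) is 20 (a header without options), that CHAN_RBUF is 16*1024 as in OpenSSH's channels.h, and that the 4-byte address-family prefix and the OPENSSH_AF_INET/OPENSSH_AF_INET6 values (2 and 24) follow the tunnel section of OpenSSH's PROTOCOL file; the helper names are this example's own.

```c
/*
 * Added example (not OpenSSH code): model of the length check in
 * sys_tun_infilter(). Assumed constants: sizeof(struct ip) == 20,
 * CHAN_RBUF == 16*1024, 4-byte AF prefix, OPENSSH_AF_INET=2, _INET6=24.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPHDR_LEN  20            /* stands in for sizeof(struct ip) */
#define CHAN_RBUF  (16 * 1024)   /* assumed channel receive buffer size */
#define AF_PREFIX  4             /* bytes of address family prepended */

enum { OPENSSH_AF_INET = 2, OPENSSH_AF_INET6 = 24 };

/* The condition quoted in the report: a bare header (len == 20) is rejected. */
int len_ok_original(size_t len)
{
    return !(len <= IPHDR_LEN || len > CHAN_RBUF - AF_PREFIX);
}

/* Corrected condition: only packets shorter than one header are rejected. */
int len_ok_fixed(size_t len)
{
    return !(len < IPHDR_LEN || len > CHAN_RBUF - AF_PREFIX);
}

/*
 * Model of the SSH_TUN_PREPEND_AF branch: validate the length, derive the
 * address family from the IP version nibble, prepend it big-endian and copy
 * the packet behind it. Returns the AF value, or -1 when the packet is
 * dropped (the failure that takes the tunnel down in the report).
 */
int tun_infilter_model(const unsigned char *buf, size_t len,
                       int (*len_ok)(size_t), unsigned char *rbuf,
                       size_t *outlen)
{
    uint32_t af;

    if (!len_ok(len))
        return -1;
    af = ((buf[0] >> 4) == 6) ? OPENSSH_AF_INET6 : OPENSSH_AF_INET;
    memcpy(rbuf + AF_PREFIX, buf, len);
    rbuf[0] = (unsigned char)(af >> 24);
    rbuf[1] = (unsigned char)(af >> 16);
    rbuf[2] = (unsigned char)(af >> 8);
    rbuf[3] = (unsigned char)af;
    *outlen = len + AF_PREFIX;
    return (int)af;
}

/* RFC 791 header checksum, so the constructed packet is well formed. */
static uint16_t ip_checksum(const unsigned char *h, size_t n)
{
    uint32_t sum = 0;
    size_t i;

    for (i = 0; i + 1 < n; i += 2)
        sum += (uint32_t)(h[i] << 8 | h[i + 1]);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/*
 * Constructed sample input: a header-only IPv4 packet from 1.1.1.1 to
 * 2.2.2.2 with IP protocol 255, matching the hping3 command in the report.
 */
size_t build_bare_ipv4_header(unsigned char *out, uint8_t proto)
{
    uint16_t csum;

    memset(out, 0, IPHDR_LEN);
    out[0] = 0x45;                    /* version 4, IHL 5 words */
    out[2] = 0; out[3] = IPHDR_LEN;   /* total length: header only */
    out[8] = 64;                      /* TTL */
    out[9] = proto;
    out[12] = 1; out[13] = 1; out[14] = 1; out[15] = 1;   /* src 1.1.1.1 */
    out[16] = 2; out[17] = 2; out[18] = 2; out[19] = 2;   /* dst 2.2.2.2 */
    csum = ip_checksum(out, IPHDR_LEN);
    out[10] = (unsigned char)(csum >> 8);
    out[11] = (unsigned char)csum;
    return IPHDR_LEN;
}

/* Run the bare header through one of the two checks; -1 means dropped. */
int bare_header_result(int use_fixed_check)
{
    unsigned char pkt[IPHDR_LEN], rbuf[CHAN_RBUF];
    size_t out, n = build_bare_ipv4_header(pkt, 255);

    return tun_infilter_model(pkt, n,
                              use_fixed_check ? len_ok_fixed : len_ok_original,
                              rbuf, &out);
}

int main(void)
{
    printf("bare header, 9.0p1 check: %d\n", bare_header_result(0));
    printf("bare header, fixed check: %d\n", bare_header_result(1));
    return 0;
}
```

With the original comparison the 20-byte packet is dropped (-1) even though it is a complete IPv4 header; with the corrected comparison it passes and is prefixed with OPENSSH_AF_INET, while packets shorter than a header and packets that would not fit behind the 4-byte prefix are still refused by both versions.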