Bug 222746 - ipfw: tcpdatalen does not exactly match IPv6 packets.
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Andrey V. Elsukov
Keywords: patch
Reported: 2017-10-03 06:01 UTC by Tatsuki Makino
Modified: 2017-10-31 11:36 UTC (History)

Attachments
patch for CURRENT (1006 bytes, patch)
2017-10-03 06:01 UTC, Tatsuki Makino
patch for CURRENT (783 bytes, patch)
2017-10-04 04:08 UTC, Tatsuki Makino
patch for CURRENT (864 bytes, patch)
2017-10-05 04:42 UTC, Tatsuki Makino
Proposed patch for tcplen (1.94 KB, patch)
2017-10-18 15:09 UTC, Andrey V. Elsukov

Description Tatsuki Makino 2017-10-03 06:01:02 UTC
Created attachment 186874
patch for CURRENT

tcpdatalen rule option does not match IPv6 packets correctly because code for IPv6 is not implemented.

# ipfw show 3100
03100    1819    135800 count log logamount 1000 tcp from any to any { tcpflags syn or tcpflags rst } tcpdatalen 32768-65535 // signed negative number range

The size of 1819 packets was over 32768 bytes, but the total was 135800 bytes.

tested on
# uname -a
FreeBSD T2.test 10.4-PRERELEASE FreeBSD 10.4-PRERELEASE #0 r324142M: Sun Oct  1 01:25:30 UTC 2017     root@T2.test:/usr/obj/usr/src/sys/GENERIC  amd64

A patch needs to be tested by people who know them well.
Comment 1 Tatsuki Makino 2017-10-04 04:08:13 UTC
Created attachment 186894
patch for CURRENT

attachment 186874 reused the variable iplen. But iplen overflows when ip6_plen is greater than 65495.
The new patch does not use the sum of header size and payload size.
Comment 2 Andrey V. Elsukov freebsd_committer freebsd_triage 2017-10-04 08:09:05 UTC
(In reply to Tatsuki Makino from comment #1)
> Created attachment 186894
> patch for CURRENT
> 
> attachment 186874 reused the variable iplen. But iplen overflows
> when ip6_plen is greater than 65495.
> The new patch does not use the sum of header size and payload size.

You need to handle the case when ip6_plen == 0.
Comment 3 Tatsuki Makino 2017-10-05 04:42:19 UTC
Created attachment 186915
patch for CURRENT

(In reply to Andrey V. Elsukov from comment #2)

Thank you.
I made a new one. How about this one?
Comment 4 Andrey V. Elsukov freebsd_committer freebsd_triage 2017-10-18 15:09:36 UTC
Created attachment 187283
Proposed patch for tcplen

Can you test this patch instead?
Comment 5 Tatsuki Makino 2017-10-24 01:04:17 UTC
(In reply to Andrey V. Elsukov from comment #4)

attachment 187283 can be applied to stable/10.
I am using it on the following uname -a.
FreeBSD T2.test 10.4-STABLE FreeBSD 10.4-STABLE #0 r324782M: Fri Oct 20 02:30:37 UTC 2017     root@T2.test:/usr/obj/usr/src/sys/GENERIC  amd64
It works as expected.
Comment 6 commit-hook freebsd_committer freebsd_triage 2017-10-24 08:39:26 UTC
A commit references this bug:

Author: ae
Date: Tue Oct 24 08:39:06 UTC 2017
New revision: 324947
URL: https://svnweb.freebsd.org/changeset/base/324947

Log:
  Add IPv6 support for O_TCPDATALEN opcode.

  PR:		222746
  MFC after:	1 week

Changes:
  head/sys/netpfil/ipfw/ip_fw2.c
Comment 7 commit-hook freebsd_committer freebsd_triage 2017-10-31 11:34:01 UTC
A commit references this bug:

Author: ae
Date: Tue Oct 31 10:31:47 UTC 2017
New revision: 325229
URL: https://svnweb.freebsd.org/changeset/base/325229

Log:
  MFC r324947:
    Add IPv6 support for O_TCPDATALEN opcode.

    PR:		222746

Changes:
_U  stable/11/
  stable/11/sys/netpfil/ipfw/ip_fw2.c
Comment 8 commit-hook freebsd_committer freebsd_triage 2017-10-31 11:34:06 UTC
A commit references this bug:

Author: ae
Date: Tue Oct 31 11:09:39 UTC 2017
New revision: 325230
URL: https://svnweb.freebsd.org/changeset/base/325230

Log:
  MFC r324947:
    Add IPv6 support for O_TCPDATALEN opcode.

    PR:		222746

Changes:
_U  stable/10/
  stable/10/sys/netpfil/ipfw/ip_fw2.c
Comment 9 Andrey V. Elsukov freebsd_committer freebsd_triage 2017-10-31 11:36:41 UTC
Fixed in head/, stable/11 and stable/10. Thanks!
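
The two length pitfalls raised in comments 1 and 2 (a 16-bit header-plus-payload sum wrapping once ip6_plen exceeds 65495, and ip6_plen == 0), shown as an added C example; this is not the attached or committed patch. The names `naive_iplen` and `tcp_datalen_v6` and the `pktlen` parameter are hypothetical, and falling back to the buffer length when ip6_plen is 0 is an assumption of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP6_HDR_LEN 40u /* fixed IPv6 header */

/* Comment 1's wrap: header + payload kept in 16 bits. */
static uint16_t naive_iplen(uint16_t ip6_plen)
{
	return (uint16_t)(IP6_HDR_LEN + ip6_plen);
}

/*
 * TCP payload bytes of an IPv6 packet (hypothetical helper).
 *   ip6_plen  payload length field, host byte order
 *   pktlen    bytes actually held in the packet buffer (assumed known)
 *   ulp_off   offset of the TCP header = 40 + extension headers
 *   th_off    TCP data offset, in 32-bit words
 * Returns 0 and sets *out, or -1 when the lengths are inconsistent.
 */
static int tcp_datalen_v6(uint16_t ip6_plen, size_t pktlen, size_t ulp_off,
    uint8_t th_off, uint32_t *out)
{
	size_t tcp_hlen = (size_t)th_off * 4;
	size_t end;

	if (th_off < 5 || ulp_off < IP6_HDR_LEN)
		return (-1);
	/* ip6_plen == 0 says nothing about size: use the buffer length
	 * (assumption of this example), else header + payload in size_t. */
	end = (ip6_plen == 0) ? pktlen : (size_t)IP6_HDR_LEN + ip6_plen;
	if (end > pktlen || ulp_off + tcp_hlen > end)
		return (-1);
	*out = (uint32_t)(end - ulp_off - tcp_hlen);
	return (0);
}

int main(void)
{
	uint32_t n = 0;

	printf("naive_iplen(65495) = %u\n", (unsigned)naive_iplen(65495));
	printf("naive_iplen(65496) = %u\n", (unsigned)naive_iplen(65496));
	if (tcp_datalen_v6(65496, 65536, 40, 5, &n) == 0)
		printf("tcp data length   = %u\n", (unsigned)n);
	return (0);
}
```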