1/* Kernel module to match suspect packets. */ 2#include <linux/module.h> 3#include <linux/skbuff.h> 4#include <linux/ip.h> 5#include <linux/udp.h> 6#include <linux/tcp.h> 7#include <linux/icmp.h> 8#include <net/checksum.h> 9 10#include <linux/netfilter_ipv4/ip_tables.h> 11 12#define limpk(format, args...) \ 13do { \ 14 if (net_ratelimit()) \ 15 printk("ipt_unclean: %s" format, \ 16 embedded ? "(embedded packet) " : "" , ## args); \ 17} while(0) 18 19enum icmp_error_status 20{ 21 ICMP_MAY_BE_ERROR, 22 ICMP_IS_ERROR, 23 ICMP_NOT_ERROR 24}; 25 26struct icmp_info 27{ 28 size_t min_len, max_len; 29 enum icmp_error_status err; 30 u_int8_t min_code, max_code; 31}; 32 33static int 34check_ip(struct iphdr *iph, size_t length, int embedded); 35 36/* ICMP-specific checks. */ 37static int 38check_icmp(const struct icmphdr *icmph, 39 u_int16_t datalen, 40 unsigned int offset, 41 int more_frags, 42 int embedded) 43{ 44 static struct icmp_info info[] 45 = { [ICMP_ECHOREPLY] 46 = { 8, 65536, ICMP_NOT_ERROR, 0, 0 }, 47 [ICMP_DEST_UNREACH] 48 = { 8 + 28, 65536, ICMP_IS_ERROR, 0, 15 }, 49 [ICMP_SOURCE_QUENCH] 50 = { 8 + 28, 65536, ICMP_IS_ERROR, 0, 0 }, 51 [ICMP_REDIRECT] 52 = { 8 + 28, 65536, ICMP_IS_ERROR, 0, 3 }, 53 [ICMP_ECHO] 54 = { 8, 65536, ICMP_NOT_ERROR, 0, 0 }, 55 /* Router advertisement. */ 56 [9] 57 = { 8, 8 + 255 * 8, ICMP_NOT_ERROR, 0, 0 }, 58 /* Router solicitation. */ 59 [10] 60 = { 8, 8, ICMP_NOT_ERROR, 0, 0 }, 61 [ICMP_TIME_EXCEEDED] 62 = { 8 + 28, 65536, ICMP_IS_ERROR, 0, 1 }, 63 [ICMP_PARAMETERPROB] 64 = { 8 + 28, 65536, ICMP_IS_ERROR, 0, 1 }, 65 [ICMP_TIMESTAMP] 66 = { 20, 20, ICMP_NOT_ERROR, 0, 0 }, 67 [ICMP_TIMESTAMPREPLY] 68 = { 20, 20, ICMP_NOT_ERROR, 0, 0 }, 69 [ICMP_INFO_REQUEST] 70 = { 8, 65536, ICMP_NOT_ERROR, 0, 0 }, 71 [ICMP_INFO_REPLY] 72 = { 8, 65536, ICMP_NOT_ERROR, 0, 0 }, 73 [ICMP_ADDRESS] 74 = { 12, 12, ICMP_NOT_ERROR, 0, 0 }, 75 [ICMP_ADDRESSREPLY] 76 = { 12, 12, ICMP_NOT_ERROR, 0, 0 } }; 77 78 /* Can't do anything if it's a fragment. */ 79 if (offset) 80 return 1; 81 82 /* Must cover type and code. */ 83 if (datalen < 2) { 84 limpk("ICMP len=%u too short\n", datalen); 85 return 0; 86 } 87 88 /* If not embedded. */ 89 if (!embedded) { 90 /* Bad checksum? Don't print, just ignore. */ 91 if (!more_frags 92 && ip_compute_csum((unsigned char *) icmph, datalen) != 0) 93 return 0; 94 95 /* CHECK: Truncated ICMP (even if first fragment). */ 96 if (icmph->type < sizeof(info)/sizeof(struct icmp_info) 97 && info[icmph->type].min_len != 0 98 && datalen < info[icmph->type].min_len) { 99 limpk("ICMP type %u len %u too short\n", 100 icmph->type, datalen); 101 return 0; 102 } 103 104 /* CHECK: Check within known error ICMPs. */ 105 if (icmph->type < sizeof(info)/sizeof(struct icmp_info) 106 && info[icmph->type].err == ICMP_IS_ERROR) { 107 /* CHECK: Embedded packet must be at least 108 length of iph + 8 bytes. */ 109 struct iphdr *inner = (void *)icmph + 8; 110 111 /* datalen > 8 since all ICMP_IS_ERROR types 112 have min length > 8 */ 113 if (datalen - 8 < sizeof(struct iphdr)) { 114 limpk("ICMP error internal way too short\n"); 115 return 0; 116 } 117 if (datalen - 8 < inner->ihl*4 + 8) { 118 limpk("ICMP error internal too short\n"); 119 return 0; 120 } 121 if (!check_ip(inner, datalen - 8, 1)) 122 return 0; 123 } 124 } else { 125 /* CHECK: Can't embed ICMP unless known non-error. */ 126 if (icmph->type >= sizeof(info)/sizeof(struct icmp_info) 127 || info[icmph->type].err != ICMP_NOT_ERROR) { 128 limpk("ICMP type %u not embeddable\n", 129 icmph->type); 130 return 0; 131 } 132 } 133 134 /* CHECK: Invalid ICMP codes. */ 135 if (icmph->type < sizeof(info)/sizeof(struct icmp_info) 136 && (icmph->code < info[icmph->type].min_code 137 || icmph->code > info[icmph->type].max_code)) { 138 limpk("ICMP type=%u code=%u\n", 139 icmph->type, icmph->code); 140 return 0; 141 } 142 143 /* CHECK: Above maximum length. */ 144 if (icmph->type < sizeof(info)/sizeof(struct icmp_info) 145 && info[icmph->type].max_len != 0 146 && datalen > info[icmph->type].max_len) { 147 limpk("ICMP type=%u too long: %u bytes\n", 148 icmph->type, datalen); 149 return 0; 150 } 151 152 switch (icmph->type) { 153 case ICMP_PARAMETERPROB: { 154 /* CHECK: Problem param must be within error packet's 155 * IP header. */ 156 struct iphdr *iph = (void *)icmph + 8; 157 u_int32_t arg = ntohl(icmph->un.gateway); 158 159 if (icmph->code == 0) { 160 /* Code 0 means that upper 8 bits is pointer 161 to problem. */ 162 if ((arg >> 24) >= iph->ihl*4) { 163 limpk("ICMP PARAMETERPROB ptr = %u\n", 164 ntohl(icmph->un.gateway) >> 24); 165 return 0; 166 } 167 arg &= 0x00FFFFFF; 168 } 169 170 /* CHECK: Rest must be zero. */ 171 if (arg) { 172 limpk("ICMP PARAMETERPROB nonzero arg = %u\n", 173 arg); 174 return 0; 175 } 176 break; 177 } 178 179 case ICMP_TIME_EXCEEDED: 180 case ICMP_SOURCE_QUENCH: 181 /* CHECK: Unused must be zero. */ 182 if (icmph->un.gateway != 0) { 183 limpk("ICMP type=%u unused = %u\n", 184 icmph->type, ntohl(icmph->un.gateway)); 185 return 0; 186 } 187 break; 188 } 189 190 return 1; 191} 192 193/* UDP-specific checks. */ 194static int 195check_udp(const struct iphdr *iph, 196 const struct udphdr *udph, 197 u_int16_t datalen, 198 unsigned int offset, 199 int more_frags, 200 int embedded) 201{ 202 /* Can't do anything if it's a fragment. */ 203 if (offset) 204 return 1; 205 206 /* CHECK: Must cover UDP header. */ 207 if (datalen < sizeof(struct udphdr)) { 208 limpk("UDP len=%u too short\n", datalen); 209 return 0; 210 } 211 212 /* Bad checksum? Don't print, just say it's unclean. */ 213 if (!more_frags && !embedded && udph->check 214 && csum_tcpudp_magic(iph->saddr, iph->daddr, datalen, IPPROTO_UDP, 215 csum_partial((char *)udph, datalen, 0)) != 0) 216 return 0; 217 218 /* CHECK: Destination port can't be zero. */ 219 if (!udph->dest) { 220 limpk("UDP zero destination port\n"); 221 return 0; 222 } 223 224 if (!more_frags) { 225 if (!embedded) { 226 /* CHECK: UDP length must match. */ 227 if (ntohs(udph->len) != datalen) { 228 limpk("UDP len too short %u vs %u\n", 229 ntohs(udph->len), datalen); 230 return 0; 231 } 232 } else { 233 /* CHECK: UDP length be >= this truncated pkt. */ 234 if (ntohs(udph->len) < datalen) { 235 limpk("UDP len too long %u vs %u\n", 236 ntohs(udph->len), datalen); 237 return 0; 238 } 239 } 240 } else { 241 /* CHECK: UDP length must be > this frag's length. */ 242 if (ntohs(udph->len) <= datalen) { 243 limpk("UDP fragment len too short %u vs %u\n", 244 ntohs(udph->len), datalen); 245 return 0; 246 } 247 } 248 249 return 1; 250} 251 252#define TH_FIN 0x01 253#define TH_SYN 0x02 254#define TH_RST 0x04 255#define TH_PUSH 0x08 256#define TH_ACK 0x10 257#define TH_URG 0x20 258#define TH_ECE 0x40 259#define TH_CWR 0x80 260 261/* TCP-specific checks. */ 262static int 263check_tcp(const struct iphdr *iph, 264 const struct tcphdr *tcph, 265 u_int16_t datalen, 266 unsigned int offset, 267 int more_frags, 268 int embedded) 269{ 270 u_int8_t *opt = (u_int8_t *)tcph; 271 u_int8_t *endhdr = (u_int8_t *)tcph + tcph->doff * 4; 272 u_int8_t tcpflags; 273 int end_of_options = 0; 274 size_t i; 275 276 /* CHECK: Can't have offset=1: used to override TCP syn-checks. */ 277 /* In fact, this is caught below (offset < 516). */ 278 279 /* Can't do anything if it's a fragment. */ 280 if (offset) 281 return 1; 282 283 /* CHECK: Smaller than minimal TCP hdr. */ 284 if (datalen < sizeof(struct tcphdr)) { 285 if (!embedded) { 286 limpk("Packet length %u < TCP header.\n", datalen); 287 return 0; 288 } 289 /* Must have ports available (datalen >= 8), from 290 check_icmp which set embedded = 1 */ 291 /* CHECK: TCP ports inside ICMP error */ 292 if (!tcph->source || !tcph->dest) { 293 limpk("Zero TCP ports %u/%u.\n", 294 htons(tcph->source), htons(tcph->dest)); 295 return 0; 296 } 297 return 1; 298 } 299 300 /* CHECK: Smaller than actual TCP hdr. */ 301 if (datalen < tcph->doff * 4) { 302 if (!embedded) { 303 limpk("Packet length %u < actual TCP header.\n", 304 datalen); 305 return 0; 306 } else 307 return 1; 308 } 309 310 /* Bad checksum? Don't print, just say it's unclean. */ 311 if (!more_frags && !embedded 312 && csum_tcpudp_magic(iph->saddr, iph->daddr, datalen, IPPROTO_TCP, 313 csum_partial((char *)tcph, datalen, 0)) != 0) 314 return 0; 315 316 /* CHECK: TCP ports non-zero */ 317 if (!tcph->source || !tcph->dest) { 318 limpk("Zero TCP ports %u/%u.\n", 319 htons(tcph->source), htons(tcph->dest)); 320 return 0; 321 } 322 323 /* CHECK: TCP reserved bits zero. */ 324 if(tcp_flag_word(tcph) & TCP_RESERVED_BITS) { 325 limpk("TCP reserved bits not zero\n"); 326 return 0; 327 } 328 329 /* CHECK: TCP flags. */ 330 tcpflags = (((u_int8_t *)tcph)[13] & ~(TH_ECE|TH_CWR)); 331 if (tcpflags != TH_SYN 332 && tcpflags != (TH_SYN|TH_ACK) 333 && tcpflags != TH_RST 334 && tcpflags != (TH_RST|TH_ACK) 335 && tcpflags != (TH_RST|TH_ACK|TH_PUSH) 336 && tcpflags != (TH_FIN|TH_ACK) 337 && tcpflags != TH_ACK 338 && tcpflags != (TH_ACK|TH_PUSH) 339 && tcpflags != (TH_ACK|TH_URG) 340 && tcpflags != (TH_ACK|TH_URG|TH_PUSH) 341 && tcpflags != (TH_FIN|TH_ACK|TH_PUSH) 342 && tcpflags != (TH_FIN|TH_ACK|TH_URG) 343 && tcpflags != (TH_FIN|TH_ACK|TH_URG|TH_PUSH)) { 344 limpk("TCP flags bad: %u\n", tcpflags); 345 return 0; 346 } 347 348 for (i = sizeof(struct tcphdr); i < tcph->doff * 4; ) { 349 switch (opt[i]) { 350 case 0: 351 end_of_options = 1; 352 i++; 353 break; 354 case 1: 355 i++; 356 break; 357 default: 358 /* CHECK: options after EOO. */ 359 if (end_of_options) { 360 limpk("TCP option %u after end\n", 361 opt[i]); 362 return 0; 363 } 364 /* CHECK: options at tail. */ 365 else if (i+1 >= tcph->doff * 4) { 366 limpk("TCP option %u at tail\n", 367 opt[i]); 368 return 0; 369 } 370 /* CHECK: zero-length options. */ 371 else if (opt[i+1] == 0) { 372 limpk("TCP option %u 0 len\n", 373 opt[i]); 374 return 0; 375 } 376 /* CHECK: oversize options. */ 377 else if (&opt[i] + opt[i+1] > endhdr) { 378 limpk("TCP option %u at %Zu too long\n", 379 (unsigned int) opt[i], i); 380 return 0; 381 } 382 /* Move to next option */ 383 i += opt[i+1]; 384 } 385 } 386 387 return 1; 388} 389 390/* Returns 1 if ok */ 391/* Standard IP checks. */ 392static int 393check_ip(struct iphdr *iph, size_t length, int embedded) 394{ 395 u_int8_t *opt = (u_int8_t *)iph; 396 u_int8_t *endhdr = (u_int8_t *)iph + iph->ihl * 4; 397 int end_of_options = 0; 398 void *protoh; 399 size_t datalen; 400 unsigned int i; 401 unsigned int offset; 402 403 /* Should only happen for local outgoing raw-socket packets. */ 404 /* CHECK: length >= ip header. */ 405 if (length < sizeof(struct iphdr) || length < iph->ihl * 4) { 406 limpk("Packet length %Zu < IP header.\n", length); 407 return 0; 408 } 409 410 offset = ntohs(iph->frag_off) & IP_OFFSET; 411 protoh = (void *)iph + iph->ihl * 4; 412 datalen = length - iph->ihl * 4; 413 414 /* CHECK: Embedded fragment. */ 415 if (embedded && offset) { 416 limpk("Embedded fragment.\n"); 417 return 0; 418 } 419 420 for (i = sizeof(struct iphdr); i < iph->ihl * 4; ) { 421 switch (opt[i]) { 422 case 0: 423 end_of_options = 1; 424 i++; 425 break; 426 case 1: 427 i++; 428 break; 429 default: 430 /* CHECK: options after EOO. */ 431 if (end_of_options) { 432 limpk("IP option %u after end\n", 433 opt[i]); 434 return 0; 435 } 436 /* CHECK: options at tail. */ 437 else if (i+1 >= iph->ihl * 4) { 438 limpk("IP option %u at tail\n", 439 opt[i]); 440 return 0; 441 } 442 /* CHECK: zero-length or one-length options. */ 443 else if (opt[i+1] < 2) { 444 limpk("IP option %u %u len\n", 445 opt[i], opt[i+1]); 446 return 0; 447 } 448 /* CHECK: oversize options. */ 449 else if (&opt[i] + opt[i+1] > endhdr) { 450 limpk("IP option %u at %u too long\n", 451 opt[i], i); 452 return 0; 453 } 454 /* Move to next option */ 455 i += opt[i+1]; 456 } 457 } 458 459 /* Fragment checks. */ 460 461 /* CHECK: More fragments, but doesn't fill 8-byte boundary. */ 462 if ((ntohs(iph->frag_off) & IP_MF) 463 && (ntohs(iph->tot_len) % 8) != 0) { 464 limpk("Truncated fragment %u long.\n", ntohs(iph->tot_len)); 465 return 0; 466 } 467 468 /* CHECK: Oversize fragment a-la Ping of Death. */ 469 if (offset * 8 + datalen > 65535) { 470 limpk("Oversize fragment to %u.\n", offset * 8); 471 return 0; 472 } 473 474 /* CHECK: DF set and offset or MF set. */ 475 if ((ntohs(iph->frag_off) & IP_DF) 476 && (offset || (ntohs(iph->frag_off) & IP_MF))) { 477 limpk("DF set and offset=%u, MF=%u.\n", 478 offset, ntohs(iph->frag_off) & IP_MF); 479 return 0; 480 } 481 482 /* CHECK: Zero-sized fragments. */ 483 if ((offset || (ntohs(iph->frag_off) & IP_MF)) 484 && datalen == 0) { 485 limpk("Zero size fragment offset=%u\n", offset); 486 return 0; 487 } 488 489 /* Note: we can have even middle fragments smaller than this: 490 consider a large packet passing through a 600MTU then 491 576MTU link: this gives a fragment of 24 data bytes. But 492 everyone packs fragments largest first, hence a fragment 493 can't START before 576 - MAX_IP_HEADER_LEN. */ 494 495 /* Used to be min-size 576: I recall Alan Cox saying ax25 goes 496 down to 128 (576 taken from RFC 791: All hosts must be 497 prepared to accept datagrams of up to 576 octets). Use 128 498 here. */ 499#define MIN_LIKELY_MTU 128 500 /* CHECK: Min size of first frag = 128. */ 501 if ((ntohs(iph->frag_off) & IP_MF) 502 && offset == 0 503 && ntohs(iph->tot_len) < MIN_LIKELY_MTU) { 504 limpk("First fragment size %u < %u\n", ntohs(iph->tot_len), 505 MIN_LIKELY_MTU); 506 return 0; 507 } 508 509 /* CHECK: Min offset of frag = 128 - IP hdr len. */ 510 if (offset && offset * 8 < MIN_LIKELY_MTU - iph->ihl * 4) { 511 limpk("Fragment starts at %u < %u\n", offset * 8, 512 MIN_LIKELY_MTU - iph->ihl * 4); 513 return 0; 514 } 515 516 /* CHECK: Protocol specification non-zero. */ 517 if (iph->protocol == 0) { 518 limpk("Zero protocol\n"); 519 return 0; 520 } 521 522 /* Per-protocol checks. */ 523 switch (iph->protocol) { 524 case IPPROTO_ICMP: 525 return check_icmp(protoh, datalen, offset, 526 (ntohs(iph->frag_off) & IP_MF), 527 embedded); 528 529 case IPPROTO_UDP: 530 return check_udp(iph, protoh, datalen, offset, 531 (ntohs(iph->frag_off) & IP_MF), 532 embedded); 533 534 case IPPROTO_TCP: 535 return check_tcp(iph, protoh, datalen, offset, 536 (ntohs(iph->frag_off) & IP_MF), 537 embedded); 538 default: 539 /* Ignorance is bliss. */ 540 return 1; 541 } 542} 543 544static int 545match(const struct sk_buff *skb, 546 const struct net_device *in, 547 const struct net_device *out, 548 const void *matchinfo, 549 int offset, 550 const void *hdr, 551 u_int16_t datalen, 552 int *hotdrop) 553{ 554 return !check_ip(skb->nh.iph, skb->len, 0); 555} 556 557/* Called when user tries to insert an entry of this type. */ 558static int 559checkentry(const char *tablename, 560 const struct ipt_ip *ip, 561 void *matchinfo, 562 unsigned int matchsize, 563 unsigned int hook_mask) 564{ 565 if (matchsize != IPT_ALIGN(0)) 566 return 0; 567 568 return 1; 569} 570 571static struct ipt_match unclean_match 572= { { NULL, NULL }, "unclean", &match, &checkentry, NULL, THIS_MODULE }; 573 574static int __init init(void) 575{ 576 return ipt_register_match(&unclean_match); 577} 578 579static void __exit fini(void) 580{ 581 ipt_unregister_match(&unclean_match); 582} 583 584module_init(init); 585module_exit(fini); 586MODULE_LICENSE("GPL"); 587