diff mbox series

[V4,net-next,5/5] icmp: add response to RFC 8335 PROBE messages

Message ID a30d45c43a24f7b65febe51929e6fe990a904805.1615738432.git.andreas.a.roeseler@gmail.com (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Headers show
Series add support for RFC 8335 PROBE | expand

Checks

Context Check Description
netdev/cover_letter success Link
netdev/fixes_present success Link
netdev/patch_count success Link
netdev/tree_selection success Clearly marked for net-next
netdev/subject_prefix success Link
netdev/cc_maintainers success CCed 5 of 5 maintainers
netdev/source_inline success Was 0 now: 0
netdev/verify_signedoff success Link
netdev/module_param success Was 0 now: 0
netdev/build_32bit fail Errors and warnings before: 3 this patch: 15
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/verify_fixes success Link
netdev/checkpatch warning WARNING: line length of 101 exceeds 80 columns WARNING: line length of 102 exceeds 80 columns WARNING: line length of 105 exceeds 80 columns WARNING: line length of 83 exceeds 80 columns WARNING: line length of 85 exceeds 80 columns WARNING: line length of 89 exceeds 80 columns WARNING: line length of 90 exceeds 80 columns
netdev/build_allmodconfig_warn fail Errors and warnings before: 3 this patch: 15
netdev/header_inline success Link

Commit Message

Andreas Roeseler March 14, 2021, 4:48 p.m. UTC 
Modify the icmp_rcv function to check PROBE messages and call icmp_echo
if a PROBE request is detected.

Modify the existing icmp_echo function to respond ot both ping and PROBE
requests.

This was tested using a custom modification to the iputils package and
wireshark. It supports IPV4 probing by name, ifindex, and probing by
both IPV4 and IPV6 addresses. It currently does not support responding
to probes off the proxy node (see RFC 8335 Section 2).

Signed-off-by: Andreas Roeseler <andreas.a.roeseler@gmail.com>
---
Changes:
v1 -> v2:
 - Reorder variable declarations to follow coding style
 - Switch to functions such as dev_get_by_name and ip_dev_find to lookup
   net devices

v2 -> v3:
Suggested by Willem de Bruijn <willemdebruijn.kernel@gmail.com>
 - Add verification of incoming messages before looking up netdev
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
 - Include net/addrconf.h library for ipv6_dev_find

v3 -> v4:
Suggested by Willem de Bruijn <willemdebruijn.kernel@gmail.com>
 - Use skb_header_pointer to verify fields in incoming message
 - Add check to ensure that extobj_hdr.length is valid
 - Check to ensure object payload is padded with ASCII NULL characters
   when probing by name, as specified by RFC 8335
 - Statically allocate buff using IFNAMSIZ
 - Add rcu blocking around ipv6_dev_find
 - Use __in_dev_get_rcu to access IPV4 addresses of identified
   net_device
 - Remove check for ICMPV6 PROBE types
---
 net/ipv4/icmp.c | 145 +++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 130 insertions(+), 15 deletions(-)

Comments

Willem de Bruijn March 15, 2021, 3:50 p.m. UTC | #1 
On Sun, Mar 14, 2021 at 12:50 PM Andreas Roeseler
<andreas.a.roeseler@gmail.com> wrote:
>
> Modify the icmp_rcv function to check PROBE messages and call icmp_echo
> if a PROBE request is detected.
>
> Modify the existing icmp_echo function to respond ot both ping and PROBE
> requests.
>
> This was tested using a custom modification to the iputils package and
> wireshark. It supports IPV4 probing by name, ifindex, and probing by
> both IPV4 and IPV6 addresses. It currently does not support responding
> to probes off the proxy node (see RFC 8335 Section 2).

If you happen to use github or something similar, if you don't mind
sharing the code, you could clone the iputils repo and publish the
changes. No pressure.

>  net/ipv4/icmp.c | 145 +++++++++++++++++++++++++++++++++++++++++++-----
>  1 file changed, 130 insertions(+), 15 deletions(-)
>
> diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
> index 616e2dc1c8fa..f1530011b7bc 100644
> --- a/net/ipv4/icmp.c
> +++ b/net/ipv4/icmp.c
> @@ -93,6 +93,10 @@
>  #include <net/ip_fib.h>
>  #include <net/l3mdev.h>
>
> +#if IS_ENABLED(CONFIG_IPV6)
> +#include <net/addrconf.h>
> +#endif

I don't think the conditional is needed (?)

>  static bool icmp_echo(struct sk_buff *skb)
>  {
> +       struct icmp_ext_hdr *ext_hdr, _ext_hdr;
> +       struct icmp_ext_echo_iio *iio, _iio;
> +       struct icmp_bxm icmp_param;
> +       struct net_device *dev;
>         struct net *net;
> +       u16 ident_len;
> +       char *buff;
> +       u8 status;
>
>         net = dev_net(skb_dst(skb)->dev);
> -       if (!net->ipv4.sysctl_icmp_echo_ignore_all) {
> -               struct icmp_bxm icmp_param;
> -
> -               icmp_param.data.icmph      = *icmp_hdr(skb);
> -               icmp_param.data.icmph.type = ICMP_ECHOREPLY;
> -               icmp_param.skb             = skb;
> -               icmp_param.offset          = 0;
> -               icmp_param.data_len        = skb->len;
> -               icmp_param.head_len        = sizeof(struct icmphdr);
> -               icmp_reply(&icmp_param, skb);
> -       }
>         /* should there be an ICMP stat for ignored echos? */
> -       return true;
> +       if (net->ipv4.sysctl_icmp_echo_ignore_all)
> +               return true;
> +
> +       icmp_param.data.icmph      = *icmp_hdr(skb);
> +       icmp_param.skb             = skb;
> +       icmp_param.offset          = 0;
> +       icmp_param.data_len        = skb->len;
> +       icmp_param.head_len        = sizeof(struct icmphdr);
> +
> +       if (icmp_param.data.icmph.type == ICMP_ECHO)
> +               goto send_reply;

Is this path now missing

               icmp_param.data.icmph.type = ICMP_ECHOREPLY;

> +       if (!net->ipv4.sysctl_icmp_echo_enable_probe)
> +               return true;
> +       /* We currently only support probing interfaces on the proxy node
> +        * Check to ensure L-bit is set
> +        */
> +       if (!(ntohs(icmp_param.data.icmph.un.echo.sequence) & 1))
> +               return true;
> +       /* Clear status bits in reply message */
> +       icmp_param.data.icmph.un.echo.sequence &= htons(0xFF00);
> +       icmp_param.data.icmph.type = ICMP_EXT_ECHOREPLY;
> +       ext_hdr = skb_header_pointer(skb, 0, sizeof(_ext_hdr), &_ext_hdr);
> +       iio = skb_header_pointer(skb, sizeof(_ext_hdr), sizeof(_iio), &_iio);
> +       if (!ext_hdr || !iio)
> +               goto send_mal_query;
> +       if (ntohs(iio->extobj_hdr.length) <= sizeof(iio->extobj_hdr))
> +               goto send_mal_query;
> +       ident_len = ntohs(iio->extobj_hdr.length) - sizeof(iio->extobj_hdr);
> +       status = 0;
> +       dev = NULL;
> +       switch (iio->extobj_hdr.class_type) {
> +       case EXT_ECHO_CTYPE_NAME:
> +               if (ident_len >= IFNAMSIZ)
> +                       goto send_mal_query;
> +               buff = kcalloc(IFNAMSIZ, sizeof(char), GFP_KERNEL);
> +               if (!buff)
> +                       return -ENOMEM;
> +               memcpy(buff, &iio->ident.name, ident_len);
> +               /* RFC 8335 2.1 If the Object Payload would not otherwise terminate
> +                * on a 32-bit boundary, it MUST be padded with ASCII NULL characters
> +                */
> +               if (ident_len % sizeof(u32) != 0) {
> +                       u8 i;
> +
> +                       for (i = ident_len; i % sizeof(u32) != 0; i++) {
> +                               if (buff[i] != '\0')
> +                                       goto send_mal_query;

Memory leak. IFNAMSIZ is small enough that you can use on-stack allocation

Also, I think you can ignore if there are non-zero bytes beyond the
len. We need to safely parse to avoid integrity bugs in the kernel.
Beyond that, it's fine to be strict about what you send, liberal what
you accept.

> +                       }
> +               }
> +               dev = dev_get_by_name(net, buff);
> +               kfree(buff);
> +               break;
> +       case EXT_ECHO_CTYPE_INDEX:
> +               if (ident_len != sizeof(iio->ident.ifindex))
> +                       goto send_mal_query;
> +               dev = dev_get_by_index(net, ntohl(iio->ident.ifindex));
> +               break;
> +       case EXT_ECHO_CTYPE_ADDR:
> +               if (ident_len != sizeof(iio->ident.addr.ctype3_hdr) + iio->ident.addr.ctype3_hdr.addrlen)
> +                       goto send_mal_query;
> +               switch (ntohs(iio->ident.addr.ctype3_hdr.afi)) {
> +               case ICMP_AFI_IP:
> +                       if (ident_len != sizeof(iio->ident.addr.ctype3_hdr) + sizeof(struct in_addr))
> +                               goto send_mal_query;
> +                       dev = ip_dev_find(net, iio->ident.addr.ip_addr.ipv4_addr.s_addr);
> +                       break;
> +#if IS_ENABLED(CONFIG_IPV6)
> +               case ICMP_AFI_IP6:
> +                       if (ident_len != sizeof(iio->ident.addr.ctype3_hdr) + sizeof(struct in6_addr))
> +                               goto send_mal_query;
> +                       rcu_read_lock();
> +                       dev = ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
> +                       if (dev)
> +                               dev_hold(dev);
> +                       rcu_read_unlock();
> +                       break;
> +#endif
> +               default:
> +                       goto send_mal_query;
> +               }
> +               break;
> +       default:
> +               goto send_mal_query;
> +       }
> +       if (!dev) {
> +               icmp_param.data.icmph.code = ICMP_EXT_NO_IF;
> +               goto send_reply;
> +       }
> +       /* Fill bits in reply message */
> +       if (dev->flags & IFF_UP)
> +               status |= EXT_ECHOREPLY_ACTIVE;
> +       if (__in_dev_get_rcu(dev) && __in_dev_get_rcu(dev)->ifa_list)
> +               status |= EXT_ECHOREPLY_IPV4;
> +       if (!list_empty(&dev->ip6_ptr->addr_list))
> +               status |= EXT_ECHOREPLY_IPV6;
> +       dev_put(dev);
> +       icmp_param.data.icmph.un.echo.sequence |= htons(status);
> +send_reply:
> +       icmp_reply(&icmp_param, skb);
> +               return true;
> +send_mal_query:
> +       icmp_param.data.icmph.code = ICMP_EXT_MAL_QUERY;
> +       goto send_reply;
>  }
>
>  /*
> @@ -1088,6 +1192,11 @@ int icmp_rcv(struct sk_buff *skb)
>         icmph = icmp_hdr(skb);
>
>         ICMPMSGIN_INC_STATS(net, icmph->type);
> +
> +       /* Check for ICMP Extended Echo (PROBE) messages */
> +       if (icmph->type == ICMP_EXT_ECHO)
> +               goto probe;
> +
>         /*
>          *      18 is the highest 'known' ICMP type. Anything else is a mystery
>          *
> @@ -1097,7 +1206,6 @@ int icmp_rcv(struct sk_buff *skb)
>         if (icmph->type > NR_ICMP_TYPES)
>                 goto error;
>
> -
>         /*
>          *      Parse the ICMP message
>          */
> @@ -1123,7 +1231,7 @@ int icmp_rcv(struct sk_buff *skb)
>         }
>
>         success = icmp_pointers[icmph->type].handler(skb);
> -
> +success_check:
>         if (success)  {
>                 consume_skb(skb);
>                 return NET_RX_SUCCESS;
> @@ -1137,6 +1245,12 @@ int icmp_rcv(struct sk_buff *skb)
>  error:
>         __ICMP_INC_STATS(net, ICMP_MIB_INERRORS);
>         goto drop;
> +probe:
> +       /* We can't use icmp_pointers[].handler() because it is an array of
> +        * size NR_ICMP_TYPES + 1 (19 elements) and PROBE has code 42.
> +        */
> +       success = icmp_echo(skb);
> +       goto success_check;

just make this a branch instead of
Andreas Roeseler March 15, 2021, 7:09 p.m. UTC | #2 
On Mon, 2021-03-15 at 11:50 -0400, Willem de Bruijn wrote:
> On Sun, Mar 14, 2021 at 12:50 PM Andreas Roeseler
> <andreas.a.roeseler@gmail.com> wrote:
> > 
> > Modify the icmp_rcv function to check PROBE messages and call
> > icmp_echo
> > if a PROBE request is detected.
> > 
> > Modify the existing icmp_echo function to respond ot both ping and
> > PROBE
> > requests.
> > 
> > This was tested using a custom modification to the iputils package
> > and
> > wireshark. It supports IPV4 probing by name, ifindex, and probing
> > by
> > both IPV4 and IPV6 addresses. It currently does not support
> > responding
> > to probes off the proxy node (see RFC 8335 Section 2).
> 
> If you happen to use github or something similar, if you don't mind
> sharing the code, you could clone the iputils repo and publish the
> changes. No pressure.

Should I include the link to the github repo in the patch?

> 
> >  net/ipv4/icmp.c | 145 +++++++++++++++++++++++++++++++++++++++++++-
> > ----
> >  1 file changed, 130 insertions(+), 15 deletions(-)
> > 
> > diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
> > index 616e2dc1c8fa..f1530011b7bc 100644
> > --- a/net/ipv4/icmp.c
> > +++ b/net/ipv4/icmp.c
> > @@ -93,6 +93,10 @@
> >  #include <net/ip_fib.h>
> >  #include <net/l3mdev.h>
> > 
> > +#if IS_ENABLED(CONFIG_IPV6)
> > +#include <net/addrconf.h>
> > +#endif
> 
> I don't think the conditional is needed (?)
> 
> >  static bool icmp_echo(struct sk_buff *skb)
> >  {
> > +       struct icmp_ext_hdr *ext_hdr, _ext_hdr;
> > +       struct icmp_ext_echo_iio *iio, _iio;
> > +       struct icmp_bxm icmp_param;
> > +       struct net_device *dev;
> >         struct net *net;
> > +       u16 ident_len;
> > +       char *buff;
> > +       u8 status;
> > 
> >         net = dev_net(skb_dst(skb)->dev);
> > -       if (!net->ipv4.sysctl_icmp_echo_ignore_all) {
> > -               struct icmp_bxm icmp_param;
> > -
> > -               icmp_param.data.icmph      = *icmp_hdr(skb);
> > -               icmp_param.data.icmph.type = ICMP_ECHOREPLY;
> > -               icmp_param.skb             = skb;
> > -               icmp_param.offset          = 0;
> > -               icmp_param.data_len        = skb->len;
> > -               icmp_param.head_len        = sizeof(struct
> > icmphdr);
> > -               icmp_reply(&icmp_param, skb);
> > -       }
> >         /* should there be an ICMP stat for ignored echos? */
> > -       return true;
> > +       if (net->ipv4.sysctl_icmp_echo_ignore_all)
> > +               return true;
> > +
> > +       icmp_param.data.icmph      = *icmp_hdr(skb);
> > +       icmp_param.skb             = skb;
> > +       icmp_param.offset          = 0;
> > +       icmp_param.data_len        = skb->len;
> > +       icmp_param.head_len        = sizeof(struct icmphdr);
> > +
> > +       if (icmp_param.data.icmph.type == ICMP_ECHO)
> > +               goto send_reply;
> 
> Is this path now missing
> 
>                icmp_param.data.icmph.type = ICMP_ECHOREPLY;
> 
> > +       if (!net->ipv4.sysctl_icmp_echo_enable_probe)
> > +               return true;
> > +       /* We currently only support probing interfaces on the
> > proxy node
> > +        * Check to ensure L-bit is set
> > +        */
> > +       if (!(ntohs(icmp_param.data.icmph.un.echo.sequence) & 1))
> > +               return true;
> > +       /* Clear status bits in reply message */
> > +       icmp_param.data.icmph.un.echo.sequence &= htons(0xFF00);
> > +       icmp_param.data.icmph.type = ICMP_EXT_ECHOREPLY;
> > +       ext_hdr = skb_header_pointer(skb, 0, sizeof(_ext_hdr),
> > &_ext_hdr);
> > +       iio = skb_header_pointer(skb, sizeof(_ext_hdr),
> > sizeof(_iio), &_iio);
> > +       if (!ext_hdr || !iio)
> > +               goto send_mal_query;
> > +       if (ntohs(iio->extobj_hdr.length) <= sizeof(iio-
> > >extobj_hdr))
> > +               goto send_mal_query;
> > +       ident_len = ntohs(iio->extobj_hdr.length) - sizeof(iio-
> > >extobj_hdr);
> > +       status = 0;
> > +       dev = NULL;
> > +       switch (iio->extobj_hdr.class_type) {
> > +       case EXT_ECHO_CTYPE_NAME:
> > +               if (ident_len >= IFNAMSIZ)
> > +                       goto send_mal_query;
> > +               buff = kcalloc(IFNAMSIZ, sizeof(char), GFP_KERNEL);
> > +               if (!buff)
> > +                       return -ENOMEM;
> > +               memcpy(buff, &iio->ident.name, ident_len);
> > +               /* RFC 8335 2.1 If the Object Payload would not
> > otherwise terminate
> > +                * on a 32-bit boundary, it MUST be padded with
> > ASCII NULL characters
> > +                */
> > +               if (ident_len % sizeof(u32) != 0) {
> > +                       u8 i;
> > +
> > +                       for (i = ident_len; i % sizeof(u32) != 0;
> > i++) {
> > +                               if (buff[i] != '\0')
> > +                                       goto send_mal_query;
> 
> Memory leak. IFNAMSIZ is small enough that you can use on-stack
> allocation
> 
> Also, I think you can ignore if there are non-zero bytes beyond the
> len. We need to safely parse to avoid integrity bugs in the kernel.
> Beyond that, it's fine to be strict about what you send, liberal what
> you accept.

This checks that the incoming request is padded to the nearest 32-bit
boundary by ASCII NULL characters, as specified by RFC 8335

> 
> > +                       }
> > +               }
> > +               dev = dev_get_by_name(net, buff);
> > +               kfree(buff);
> > +               break;
> > +       case EXT_ECHO_CTYPE_INDEX:
> > +               if (ident_len != sizeof(iio->ident.ifindex))
> > +                       goto send_mal_query;
> > +               dev = dev_get_by_index(net, ntohl(iio-
> > >ident.ifindex));
> > +               break;
> > +       case EXT_ECHO_CTYPE_ADDR:
> > +               if (ident_len != sizeof(iio->ident.addr.ctype3_hdr)
> > + iio->ident.addr.ctype3_hdr.addrlen)
> > +                       goto send_mal_query;
> > +               switch (ntohs(iio->ident.addr.ctype3_hdr.afi)) {
> > +               case ICMP_AFI_IP:
> > +                       if (ident_len != sizeof(iio-
> > >ident.addr.ctype3_hdr) + sizeof(struct in_addr))
> > +                               goto send_mal_query;
> > +                       dev = ip_dev_find(net, iio-
> > >ident.addr.ip_addr.ipv4_addr.s_addr);
> > +                       break;
> > +#if IS_ENABLED(CONFIG_IPV6)
> > +               case ICMP_AFI_IP6:
> > +                       if (ident_len != sizeof(iio-
> > >ident.addr.ctype3_hdr) + sizeof(struct in6_addr))
> > +                               goto send_mal_query;
> > +                       rcu_read_lock();
> > +                       dev = ipv6_dev_find(net, &iio-
> > >ident.addr.ip_addr.ipv6_addr, dev);
> > +                       if (dev)
> > +                               dev_hold(dev);
> > +                       rcu_read_unlock();
> > +                       break;
> > +#endif
> > +               default:
> > +                       goto send_mal_query;
> > +               }
> > +               break;
> > +       default:
> > +               goto send_mal_query;
> > +       }
> > +       if (!dev) {
> > +               icmp_param.data.icmph.code = ICMP_EXT_NO_IF;
> > +               goto send_reply;
> > +       }
> > +       /* Fill bits in reply message */
> > +       if (dev->flags & IFF_UP)
> > +               status |= EXT_ECHOREPLY_ACTIVE;
> > +       if (__in_dev_get_rcu(dev) && __in_dev_get_rcu(dev)-
> > >ifa_list)
> > +               status |= EXT_ECHOREPLY_IPV4;
> > +       if (!list_empty(&dev->ip6_ptr->addr_list))
> > +               status |= EXT_ECHOREPLY_IPV6;
> > +       dev_put(dev);
> > +       icmp_param.data.icmph.un.echo.sequence |= htons(status);
> > +send_reply:
> > +       icmp_reply(&icmp_param, skb);
> > +               return true;
> > +send_mal_query:
> > +       icmp_param.data.icmph.code = ICMP_EXT_MAL_QUERY;
> > +       goto send_reply;
> >  }
> > 
> >  /*
> > @@ -1088,6 +1192,11 @@ int icmp_rcv(struct sk_buff *skb)
> >         icmph = icmp_hdr(skb);
> > 
> >         ICMPMSGIN_INC_STATS(net, icmph->type);
> > +
> > +       /* Check for ICMP Extended Echo (PROBE) messages */
> > +       if (icmph->type == ICMP_EXT_ECHO)
> > +               goto probe;
> > +
> >         /*
> >          *      18 is the highest 'known' ICMP type. Anything else
> > is a mystery
> >          *
> > @@ -1097,7 +1206,6 @@ int icmp_rcv(struct sk_buff *skb)
> >         if (icmph->type > NR_ICMP_TYPES)
> >                 goto error;
> > 
> > -
> >         /*
> >          *      Parse the ICMP message
> >          */
> > @@ -1123,7 +1231,7 @@ int icmp_rcv(struct sk_buff *skb)
> >         }
> > 
> >         success = icmp_pointers[icmph->type].handler(skb);
> > -
> > +success_check:
> >         if (success)  {
> >                 consume_skb(skb);
> >                 return NET_RX_SUCCESS;
> > @@ -1137,6 +1245,12 @@ int icmp_rcv(struct sk_buff *skb)
> >  error:
> >         __ICMP_INC_STATS(net, ICMP_MIB_INERRORS);
> >         goto drop;
> > +probe:
> > +       /* We can't use icmp_pointers[].handler() because it is an
> > array of
> > +        * size NR_ICMP_TYPES + 1 (19 elements) and PROBE has code
> > 42.
> > +        */
> > +       success = icmp_echo(skb);
> > +       goto success_check;
> 
> just make this a branch instead of

Could you clarify this comment? Do you mean move this code to the
section where we check for PROBE messages instead of jumping to probe
and then jumping to success_check?
Willem de Bruijn March 15, 2021, 7:34 p.m. UTC | #3 
On Mon, Mar 15, 2021 at 3:10 PM Andreas Roeseler
<andreas.a.roeseler@gmail.com> wrote:
>
> On Mon, 2021-03-15 at 11:50 -0400, Willem de Bruijn wrote:
> > On Sun, Mar 14, 2021 at 12:50 PM Andreas Roeseler
> > <andreas.a.roeseler@gmail.com> wrote:
> > >
> > > Modify the icmp_rcv function to check PROBE messages and call
> > > icmp_echo
> > > if a PROBE request is detected.
> > >
> > > Modify the existing icmp_echo function to respond ot both ping and
> > > PROBE
> > > requests.
> > >
> > > This was tested using a custom modification to the iputils package
> > > and
> > > wireshark. It supports IPV4 probing by name, ifindex, and probing
> > > by
> > > both IPV4 and IPV6 addresses. It currently does not support
> > > responding
> > > to probes off the proxy node (see RFC 8335 Section 2).
> >
> > If you happen to use github or something similar, if you don't mind
> > sharing the code, you could clone the iputils repo and publish the
> > changes. No pressure.
>
> Should I include the link to the github repo in the patch?

If you don't mind, please do. It can serve as example for others to
use the feature, too.

>
> >
> > >  net/ipv4/icmp.c | 145 +++++++++++++++++++++++++++++++++++++++++++-
> > > ----
> > >  1 file changed, 130 insertions(+), 15 deletions(-)
> > >
> > > diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
> > > index 616e2dc1c8fa..f1530011b7bc 100644
> > > --- a/net/ipv4/icmp.c
> > > +++ b/net/ipv4/icmp.c
> > > @@ -93,6 +93,10 @@
> > >  #include <net/ip_fib.h>
> > >  #include <net/l3mdev.h>
> > >
> > > +#if IS_ENABLED(CONFIG_IPV6)
> > > +#include <net/addrconf.h>
> > > +#endif
> >
> > I don't think the conditional is needed (?)
> >
> > >  static bool icmp_echo(struct sk_buff *skb)
> > >  {
> > > +       struct icmp_ext_hdr *ext_hdr, _ext_hdr;
> > > +       struct icmp_ext_echo_iio *iio, _iio;
> > > +       struct icmp_bxm icmp_param;
> > > +       struct net_device *dev;
> > >         struct net *net;
> > > +       u16 ident_len;
> > > +       char *buff;
> > > +       u8 status;
> > >
> > >         net = dev_net(skb_dst(skb)->dev);
> > > -       if (!net->ipv4.sysctl_icmp_echo_ignore_all) {
> > > -               struct icmp_bxm icmp_param;
> > > -
> > > -               icmp_param.data.icmph      = *icmp_hdr(skb);
> > > -               icmp_param.data.icmph.type = ICMP_ECHOREPLY;
> > > -               icmp_param.skb             = skb;
> > > -               icmp_param.offset          = 0;
> > > -               icmp_param.data_len        = skb->len;
> > > -               icmp_param.head_len        = sizeof(struct
> > > icmphdr);
> > > -               icmp_reply(&icmp_param, skb);
> > > -       }
> > >         /* should there be an ICMP stat for ignored echos? */
> > > -       return true;
> > > +       if (net->ipv4.sysctl_icmp_echo_ignore_all)
> > > +               return true;
> > > +
> > > +       icmp_param.data.icmph      = *icmp_hdr(skb);
> > > +       icmp_param.skb             = skb;
> > > +       icmp_param.offset          = 0;
> > > +       icmp_param.data_len        = skb->len;
> > > +       icmp_param.head_len        = sizeof(struct icmphdr);
> > > +
> > > +       if (icmp_param.data.icmph.type == ICMP_ECHO)
> > > +               goto send_reply;
> >
> > Is this path now missing
> >
> >                icmp_param.data.icmph.type = ICMP_ECHOREPLY;
> >
> > > +       if (!net->ipv4.sysctl_icmp_echo_enable_probe)
> > > +               return true;
> > > +       /* We currently only support probing interfaces on the
> > > proxy node
> > > +        * Check to ensure L-bit is set
> > > +        */
> > > +       if (!(ntohs(icmp_param.data.icmph.un.echo.sequence) & 1))
> > > +               return true;
> > > +       /* Clear status bits in reply message */
> > > +       icmp_param.data.icmph.un.echo.sequence &= htons(0xFF00);
> > > +       icmp_param.data.icmph.type = ICMP_EXT_ECHOREPLY;
> > > +       ext_hdr = skb_header_pointer(skb, 0, sizeof(_ext_hdr),
> > > &_ext_hdr);
> > > +       iio = skb_header_pointer(skb, sizeof(_ext_hdr),
> > > sizeof(_iio), &_iio);
> > > +       if (!ext_hdr || !iio)
> > > +               goto send_mal_query;
> > > +       if (ntohs(iio->extobj_hdr.length) <= sizeof(iio-
> > > >extobj_hdr))
> > > +               goto send_mal_query;
> > > +       ident_len = ntohs(iio->extobj_hdr.length) - sizeof(iio-
> > > >extobj_hdr);
> > > +       status = 0;
> > > +       dev = NULL;
> > > +       switch (iio->extobj_hdr.class_type) {
> > > +       case EXT_ECHO_CTYPE_NAME:
> > > +               if (ident_len >= IFNAMSIZ)
> > > +                       goto send_mal_query;
> > > +               buff = kcalloc(IFNAMSIZ, sizeof(char), GFP_KERNEL);
> > > +               if (!buff)
> > > +                       return -ENOMEM;
> > > +               memcpy(buff, &iio->ident.name, ident_len);
> > > +               /* RFC 8335 2.1 If the Object Payload would not
> > > otherwise terminate
> > > +                * on a 32-bit boundary, it MUST be padded with
> > > ASCII NULL characters
> > > +                */
> > > +               if (ident_len % sizeof(u32) != 0) {
> > > +                       u8 i;
> > > +
> > > +                       for (i = ident_len; i % sizeof(u32) != 0;
> > > i++) {
> > > +                               if (buff[i] != '\0')
> > > +                                       goto send_mal_query;
> >
> > Memory leak. IFNAMSIZ is small enough that you can use on-stack
> > allocation
> >
> > Also, I think you can ignore if there are non-zero bytes beyond the
> > len. We need to safely parse to avoid integrity bugs in the kernel.
> > Beyond that, it's fine to be strict about what you send, liberal what
> > you accept.
>
> This checks that the incoming request is padded to the nearest 32-bit
> boundary by ASCII NULL characters, as specified by RFC 8335

Right. The question is whether you need to be strict in enforcing
that. Perhaps the RFC states that explicitly. Else, it's up to your
interpretation. I suggested the robustness principle, which is
commonly employed in such instances.

> >
> > > +                       }
> > > +               }
> > > +               dev = dev_get_by_name(net, buff);
> > > +               kfree(buff);
> > > +               break;
> > > +       case EXT_ECHO_CTYPE_INDEX:
> > > +               if (ident_len != sizeof(iio->ident.ifindex))
> > > +                       goto send_mal_query;
> > > +               dev = dev_get_by_index(net, ntohl(iio-
> > > >ident.ifindex));
> > > +               break;
> > > +       case EXT_ECHO_CTYPE_ADDR:
> > > +               if (ident_len != sizeof(iio->ident.addr.ctype3_hdr)
> > > + iio->ident.addr.ctype3_hdr.addrlen)
> > > +                       goto send_mal_query;
> > > +               switch (ntohs(iio->ident.addr.ctype3_hdr.afi)) {
> > > +               case ICMP_AFI_IP:
> > > +                       if (ident_len != sizeof(iio-
> > > >ident.addr.ctype3_hdr) + sizeof(struct in_addr))
> > > +                               goto send_mal_query;
> > > +                       dev = ip_dev_find(net, iio-
> > > >ident.addr.ip_addr.ipv4_addr.s_addr);
> > > +                       break;
> > > +#if IS_ENABLED(CONFIG_IPV6)
> > > +               case ICMP_AFI_IP6:
> > > +                       if (ident_len != sizeof(iio-
> > > >ident.addr.ctype3_hdr) + sizeof(struct in6_addr))
> > > +                               goto send_mal_query;
> > > +                       rcu_read_lock();
> > > +                       dev = ipv6_dev_find(net, &iio-
> > > >ident.addr.ip_addr.ipv6_addr, dev);
> > > +                       if (dev)
> > > +                               dev_hold(dev);
> > > +                       rcu_read_unlock();
> > > +                       break;
> > > +#endif
> > > +               default:
> > > +                       goto send_mal_query;
> > > +               }
> > > +               break;
> > > +       default:
> > > +               goto send_mal_query;
> > > +       }
> > > +       if (!dev) {
> > > +               icmp_param.data.icmph.code = ICMP_EXT_NO_IF;
> > > +               goto send_reply;
> > > +       }
> > > +       /* Fill bits in reply message */
> > > +       if (dev->flags & IFF_UP)
> > > +               status |= EXT_ECHOREPLY_ACTIVE;
> > > +       if (__in_dev_get_rcu(dev) && __in_dev_get_rcu(dev)-
> > > >ifa_list)
> > > +               status |= EXT_ECHOREPLY_IPV4;
> > > +       if (!list_empty(&dev->ip6_ptr->addr_list))
> > > +               status |= EXT_ECHOREPLY_IPV6;
> > > +       dev_put(dev);
> > > +       icmp_param.data.icmph.un.echo.sequence |= htons(status);
> > > +send_reply:
> > > +       icmp_reply(&icmp_param, skb);
> > > +               return true;
> > > +send_mal_query:
> > > +       icmp_param.data.icmph.code = ICMP_EXT_MAL_QUERY;
> > > +       goto send_reply;
> > >  }
> > >
> > >  /*
> > > @@ -1088,6 +1192,11 @@ int icmp_rcv(struct sk_buff *skb)
> > >         icmph = icmp_hdr(skb);
> > >
> > >         ICMPMSGIN_INC_STATS(net, icmph->type);
> > > +
> > > +       /* Check for ICMP Extended Echo (PROBE) messages */
> > > +       if (icmph->type == ICMP_EXT_ECHO)
> > > +               goto probe;
> > > +
> > >         /*
> > >          *      18 is the highest 'known' ICMP type. Anything else
> > > is a mystery
> > >          *
> > > @@ -1097,7 +1206,6 @@ int icmp_rcv(struct sk_buff *skb)
> > >         if (icmph->type > NR_ICMP_TYPES)
> > >                 goto error;
> > >
> > > -
> > >         /*
> > >          *      Parse the ICMP message
> > >          */
> > > @@ -1123,7 +1231,7 @@ int icmp_rcv(struct sk_buff *skb)
> > >         }
> > >
> > >         success = icmp_pointers[icmph->type].handler(skb);
> > > -
> > > +success_check:
> > >         if (success)  {
> > >                 consume_skb(skb);
> > >                 return NET_RX_SUCCESS;
> > > @@ -1137,6 +1245,12 @@ int icmp_rcv(struct sk_buff *skb)
> > >  error:
> > >         __ICMP_INC_STATS(net, ICMP_MIB_INERRORS);
> > >         goto drop;
> > > +probe:
> > > +       /* We can't use icmp_pointers[].handler() because it is an
> > > array of
> > > +        * size NR_ICMP_TYPES + 1 (19 elements) and PROBE has code
> > > 42.
> > > +        */
> > > +       success = icmp_echo(skb);
> > > +       goto success_check;
> >
> > just make this a branch instead of
>
> Could you clarify this comment? Do you mean move this code to the
> section where we check for PROBE messages instead of jumping to probe
> and then jumping to success_check?

Exactly
Andreas Roeseler March 18, 2021, 3:11 a.m. UTC | #4 
On Mon, 2021-03-15 at 04:35 +0800, kernel test robot wrote:
> Hi Andreas,
> 
> [FYI, it's a private test report for your RFC patch.]
> [auto build test ERROR on net-next/master]
> 
> url:    
> https://github.com/0day-ci/linux/commits/Andreas-Roeseler/add-support-for-RFC-8335-PROBE/20210315-005052
> base:   
> https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git 6f
> 1629093399303bf19d6fcd5144061d1e25ec23
> config: mips-allmodconfig (attached as .config)
> compiler: mips-linux-gcc (GCC) 9.3.0
> reproduce (this is a W=1 build):
>         wget 
> https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross
>  -O ~/bin/make.cross
>         chmod +x ~/bin/make.cross
>         # 
> https://github.com/0day-ci/linux/commit/54d9928f1734e7b3511b945a2ce912b931a07776
>         git remote add linux-review https://github.com/0day-ci/linux
>         git fetch --no-tags linux-review Andreas-Roeseler/add-
> support-for-RFC-8335-PROBE/20210315-005052
>         git checkout 54d9928f1734e7b3511b945a2ce912b931a07776
>         # save the attached .config to linux build tree
>         COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0
> make.cross ARCH=mips 
> 
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot <lkp@intel.com>
> 
> All errors (new ones prefixed by >>):
> 
>    mips-linux-ld: net/ipv4/icmp.o: in function `icmp_echo':
> > > icmp.c:(.text.icmp_echo+0x658): undefined reference to
> > > `ipv6_dev_find'
> 
> ---
> 0-DAY CI Kernel Test Service, Intel Corporation
> https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

I'm still learning the ropes of kernel development and I was wondering
if someone could help me figure out what is causing this error.

The file compiles when compiling with allyesconfig or olddefconfig, but
it cannot find the ipv6_dev_find() function when compiling with
allmodconfig and returns the error seen above. I am including
<include/net/addrconf.h> which declares ipv6_dev_find(), and the
function is defined and exported using EXPORT_SYMBOL in
<net/ipv6/addrconf.c>. I've tried declaring the function via extern in
<include/net/icmp.h> and in <net/ipv4/icmp.c>, but neither have
resolved the error and checkpatch.pl explicitly warns against using
extern calls in .c files.

Is there something that I'm not understanding about compiling kernel
components modularly? How do I avoid this error?
David Miller March 18, 2021, 3:19 a.m. UTC | #5 
From: Andreas Roeseler <andreas.a.roeseler@gmail.com>
Date: Wed, 17 Mar 2021 22:11:47 -0500

> On Mon, 2021-03-15 at 04:35 +0800, kernel test robot wrote:
> Is there something that I'm not understanding about compiling kernel
> components modularly? How do I avoid this error?

> 
You cannot reference module exported symbols from statically linked code.
y
David Ahern March 18, 2021, 3:24 a.m. UTC | #6 
On 3/17/21 9:19 PM, David Miller wrote:
> From: Andreas Roeseler <andreas.a.roeseler@gmail.com>
> Date: Wed, 17 Mar 2021 22:11:47 -0500
> 
>> On Mon, 2021-03-15 at 04:35 +0800, kernel test robot wrote:
>> Is there something that I'm not understanding about compiling kernel
>> components modularly? How do I avoid this error?
> 
>>
> You cannot reference module exported symbols from statically linked code.
> y
> 

Look at ipv6_stub to see how it exports IPv6 functions for v4 code.
There are a few examples under net/ipv4.
Andreas Roeseler March 20, 2021, 4:01 p.m. UTC | #7 
On Wed, 2021-03-17 at 21:24 -0600, David Ahern wrote:
> On 3/17/21 9:19 PM, David Miller wrote:
> > From: Andreas Roeseler <andreas.a.roeseler@gmail.com>
> > Date: Wed, 17 Mar 2021 22:11:47 -0500
> > 
> > > On Mon, 2021-03-15 at 04:35 +0800, kernel test robot wrote:
> > > Is there something that I'm not understanding about compiling
> > > kernel
> > > components modularly? How do I avoid this error?
> > 
> > > 
> > You cannot reference module exported symbols from statically linked
> > code.
> > y
> > 
> 
> Look at ipv6_stub to see how it exports IPv6 functions for v4 code.
> There are a few examples under net/ipv4.

Thanks for the advice. I've been able to make some progress but I still
have some questions that I have been unable to find online.

What steps are required to include a function into the ipv6_stub
struct? I've added the declaration of the function to the struct, but
when I attempt to call it using <ipv6_stub->ipv6_dev_find()> the kernel
locks up. Additionally, a typo in the declaration isn't flagged during
compilation. Are there other places where I need to edit the ipv6_stub
struct or include various headers? The examples I have looked at are
<fib_semantics.c>, <nexthop.c>, and <udp.c> in the <net/ipv4> folder
and they don't seem to do anything on the caller side of ipv6_stub, so
I think I am not adding the function to ipv6_stub properly. I have been
able to call other functions that currently exist in ipv6_stub, but not
the one I  am attempting to add, so am I missing a step?

I've noticed that some functions such as <ipv6_route_input> aren't
exported using EXPORT_SYMBOL when it is defined in
<net/ipv6/af_inet6.c>, but it is still loaded into ipv6_stub. How can
this be? Is there a different way to include symbols into ipv6_stub
based on whether or not they are explicitly exported using
EXPORT_SYMBOL?
David Ahern March 20, 2021, 4:43 p.m. UTC | #8 
On 3/20/21 10:01 AM, Andreas Roeseler wrote:
> On Wed, 2021-03-17 at 21:24 -0600, David Ahern wrote:
>> On 3/17/21 9:19 PM, David Miller wrote:
>>> From: Andreas Roeseler <andreas.a.roeseler@gmail.com>
>>> Date: Wed, 17 Mar 2021 22:11:47 -0500
>>>
>>>> On Mon, 2021-03-15 at 04:35 +0800, kernel test robot wrote:
>>>> Is there something that I'm not understanding about compiling
>>>> kernel
>>>> components modularly? How do I avoid this error?
>>>
>>>>
>>> You cannot reference module exported symbols from statically linked
>>> code.
>>> y
>>>
>>
>> Look at ipv6_stub to see how it exports IPv6 functions for v4 code.
>> There are a few examples under net/ipv4.
> 
> Thanks for the advice. I've been able to make some progress but I still
> have some questions that I have been unable to find online.
> 
> What steps are required to include a function into the ipv6_stub
> struct? I've added the declaration of the function to the struct, but
> when I attempt to call it using <ipv6_stub->ipv6_dev_find()> the kernel
> locks up. Additionally, a typo in the declaration isn't flagged during
> compilation. Are there other places where I need to edit the ipv6_stub
> struct or include various headers? The examples I have looked at are
> <fib_semantics.c>, <nexthop.c>, and <udp.c> in the <net/ipv4> folder
> and they don't seem to do anything on the caller side of ipv6_stub, so
> I think I am not adding the function to ipv6_stub properly. I have been
> able to call other functions that currently exist in ipv6_stub, but not
> the one I  am attempting to add, so am I missing a step?

you probably did not add the default in net/ipv6/addrconf_core.c.

> 
> I've noticed that some functions such as <ipv6_route_input> aren't
> exported using EXPORT_SYMBOL when it is defined in
> <net/ipv6/af_inet6.c>, but it is still loaded into ipv6_stub. How can
> this be? Is there a different way to include symbols into ipv6_stub
> based on whether or not they are explicitly exported using
> EXPORT_SYMBOL?
> 

take a look at 1aefd3de7bc6 as an example of how to add a new stub.
diff mbox series

Patch

diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index 616e2dc1c8fa..f1530011b7bc 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -93,6 +93,10 @@ 
 #include <net/ip_fib.h>
 #include <net/l3mdev.h>
 
+#if IS_ENABLED(CONFIG_IPV6)
+#include <net/addrconf.h>
+#endif
+
 /*
  *	Build xmit assembly blocks
  */
@@ -971,7 +975,7 @@  static bool icmp_redirect(struct sk_buff *skb)
 }
 
 /*
- *	Handle ICMP_ECHO ("ping") requests.
+ *	Handle ICMP_ECHO ("ping") and ICMP_EXT_ECHO ("PROBE") requests.
  *
  *	RFC 1122: 3.2.2.6 MUST have an echo server that answers ICMP echo
  *		  requests.
@@ -979,27 +983,127 @@  static bool icmp_redirect(struct sk_buff *skb)
  *		  included in the reply.
  *	RFC 1812: 4.3.3.6 SHOULD have a config option for silently ignoring
  *		  echo requests, MUST have default=NOT.
+ *	RFC 8335: 8 MUST have a config option to enable/disable ICMP
+ *		  Extended Echo Functionality, MUST be disabled by default
  *	See also WRT handling of options once they are done and working.
  */
 
 static bool icmp_echo(struct sk_buff *skb)
 {
+	struct icmp_ext_hdr *ext_hdr, _ext_hdr;
+	struct icmp_ext_echo_iio *iio, _iio;
+	struct icmp_bxm icmp_param;
+	struct net_device *dev;
 	struct net *net;
+	u16 ident_len;
+	char *buff;
+	u8 status;
 
 	net = dev_net(skb_dst(skb)->dev);
-	if (!net->ipv4.sysctl_icmp_echo_ignore_all) {
-		struct icmp_bxm icmp_param;
-
-		icmp_param.data.icmph	   = *icmp_hdr(skb);
-		icmp_param.data.icmph.type = ICMP_ECHOREPLY;
-		icmp_param.skb		   = skb;
-		icmp_param.offset	   = 0;
-		icmp_param.data_len	   = skb->len;
-		icmp_param.head_len	   = sizeof(struct icmphdr);
-		icmp_reply(&icmp_param, skb);
-	}
 	/* should there be an ICMP stat for ignored echos? */
-	return true;
+	if (net->ipv4.sysctl_icmp_echo_ignore_all)
+		return true;
+
+	icmp_param.data.icmph	   = *icmp_hdr(skb);
+	icmp_param.skb		   = skb;
+	icmp_param.offset	   = 0;
+	icmp_param.data_len	   = skb->len;
+	icmp_param.head_len	   = sizeof(struct icmphdr);
+
+	if (icmp_param.data.icmph.type == ICMP_ECHO)
+		goto send_reply;
+	if (!net->ipv4.sysctl_icmp_echo_enable_probe)
+		return true;
+	/* We currently only support probing interfaces on the proxy node
+	 * Check to ensure L-bit is set
+	 */
+	if (!(ntohs(icmp_param.data.icmph.un.echo.sequence) & 1))
+		return true;
+	/* Clear status bits in reply message */
+	icmp_param.data.icmph.un.echo.sequence &= htons(0xFF00);
+	icmp_param.data.icmph.type = ICMP_EXT_ECHOREPLY;
+	ext_hdr = skb_header_pointer(skb, 0, sizeof(_ext_hdr), &_ext_hdr);
+	iio = skb_header_pointer(skb, sizeof(_ext_hdr), sizeof(_iio), &_iio);
+	if (!ext_hdr || !iio)
+		goto send_mal_query;
+	if (ntohs(iio->extobj_hdr.length) <= sizeof(iio->extobj_hdr))
+		goto send_mal_query;
+	ident_len = ntohs(iio->extobj_hdr.length) - sizeof(iio->extobj_hdr);
+	status = 0;
+	dev = NULL;
+	switch (iio->extobj_hdr.class_type) {
+	case EXT_ECHO_CTYPE_NAME:
+		if (ident_len >= IFNAMSIZ)
+			goto send_mal_query;
+		buff = kcalloc(IFNAMSIZ, sizeof(char), GFP_KERNEL);
+		if (!buff)
+			return -ENOMEM;
+		memcpy(buff, &iio->ident.name, ident_len);
+		/* RFC 8335 2.1 If the Object Payload would not otherwise terminate
+		 * on a 32-bit boundary, it MUST be padded with ASCII NULL characters
+		 */
+		if (ident_len % sizeof(u32) != 0) {
+			u8 i;
+
+			for (i = ident_len; i % sizeof(u32) != 0; i++) {
+				if (buff[i] != '\0')
+					goto send_mal_query;
+			}
+		}
+		dev = dev_get_by_name(net, buff);
+		kfree(buff);
+		break;
+	case EXT_ECHO_CTYPE_INDEX:
+		if (ident_len != sizeof(iio->ident.ifindex))
+			goto send_mal_query;
+		dev = dev_get_by_index(net, ntohl(iio->ident.ifindex));
+		break;
+	case EXT_ECHO_CTYPE_ADDR:
+		if (ident_len != sizeof(iio->ident.addr.ctype3_hdr) + iio->ident.addr.ctype3_hdr.addrlen)
+			goto send_mal_query;
+		switch (ntohs(iio->ident.addr.ctype3_hdr.afi)) {
+		case ICMP_AFI_IP:
+			if (ident_len != sizeof(iio->ident.addr.ctype3_hdr) + sizeof(struct in_addr))
+				goto send_mal_query;
+			dev = ip_dev_find(net, iio->ident.addr.ip_addr.ipv4_addr.s_addr);
+			break;
+#if IS_ENABLED(CONFIG_IPV6)
+		case ICMP_AFI_IP6:
+			if (ident_len != sizeof(iio->ident.addr.ctype3_hdr) + sizeof(struct in6_addr))
+				goto send_mal_query;
+			rcu_read_lock();
+			dev = ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
+			if (dev)
+				dev_hold(dev);
+			rcu_read_unlock();
+			break;
+#endif
+		default:
+			goto send_mal_query;
+		}
+		break;
+	default:
+		goto send_mal_query;
+	}
+	if (!dev) {
+		icmp_param.data.icmph.code = ICMP_EXT_NO_IF;
+		goto send_reply;
+	}
+	/* Fill bits in reply message */
+	if (dev->flags & IFF_UP)
+		status |= EXT_ECHOREPLY_ACTIVE;
+	if (__in_dev_get_rcu(dev) && __in_dev_get_rcu(dev)->ifa_list)
+		status |= EXT_ECHOREPLY_IPV4;
+	if (!list_empty(&dev->ip6_ptr->addr_list))
+		status |= EXT_ECHOREPLY_IPV6;
+	dev_put(dev);
+	icmp_param.data.icmph.un.echo.sequence |= htons(status);
+send_reply:
+	icmp_reply(&icmp_param, skb);
+		return true;
+send_mal_query:
+	icmp_param.data.icmph.code = ICMP_EXT_MAL_QUERY;
+	goto send_reply;
 }
 
 /*
@@ -1088,6 +1192,11 @@  int icmp_rcv(struct sk_buff *skb)
 	icmph = icmp_hdr(skb);
 
 	ICMPMSGIN_INC_STATS(net, icmph->type);
+
+	/* Check for ICMP Extended Echo (PROBE) messages */
+	if (icmph->type == ICMP_EXT_ECHO)
+		goto probe;
+
 	/*
 	 *	18 is the highest 'known' ICMP type. Anything else is a mystery
 	 *
@@ -1097,7 +1206,6 @@  int icmp_rcv(struct sk_buff *skb)
 	if (icmph->type > NR_ICMP_TYPES)
 		goto error;
 
-
 	/*
 	 *	Parse the ICMP message
 	 */
@@ -1123,7 +1231,7 @@  int icmp_rcv(struct sk_buff *skb)
 	}
 
 	success = icmp_pointers[icmph->type].handler(skb);
-
+success_check:
 	if (success)  {
 		consume_skb(skb);
 		return NET_RX_SUCCESS;
@@ -1137,6 +1245,12 @@  int icmp_rcv(struct sk_buff *skb)
 error:
 	__ICMP_INC_STATS(net, ICMP_MIB_INERRORS);
 	goto drop;
+probe:
+	/* We can't use icmp_pointers[].handler() because it is an array of
+	 * size NR_ICMP_TYPES + 1 (19 elements) and PROBE has code 42.
+	 */
+	success = icmp_echo(skb);
+	goto success_check;
 }
 
 static bool ip_icmp_error_rfc4884_validate(const struct sk_buff *skb, int off)
@@ -1340,6 +1454,7 @@  static int __net_init icmp_sk_init(struct net *net)
 
 	/* Control parameters for ECHO replies. */
 	net->ipv4.sysctl_icmp_echo_ignore_all = 0;
+	net->ipv4.sysctl_icmp_echo_enable_probe = 0;
 	net->ipv4.sysctl_icmp_echo_ignore_broadcasts = 1;
 
 	/* Control parameter - ignore bogus broadcast responses? */