From patchwork Wed Feb 17 13:22:07 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Huw Davies X-Patchwork-Id: 8339471 Return-Path: X-Original-To: patchwork-selinux@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 9711BC0553 for ; Wed, 17 Feb 2016 14:15:45 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id D44B3203A4 for ; Wed, 17 Feb 2016 14:15:44 +0000 (UTC) Received: from emvm-gh1-uea08.nsa.gov (emvm-gh1-uea08.nsa.gov [63.239.67.9]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 4D3C3203A1 for ; Wed, 17 Feb 2016 14:15:42 +0000 (UTC) X-TM-IMSS-Message-ID: <12a8127800026c70@nsa.gov> Received: from tarius.tycho.ncsc.mil ([144.51.242.1]) by nsa.gov ([10.208.42.193]) with ESMTP (TREND IMSS SMTP Service 7.1) id 12a8127800026c70 ; Wed, 17 Feb 2016 09:08:41 -0500 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u1HE8srA023445; Wed, 17 Feb 2016 09:08:54 -0500 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id u1HE7ZAd230431 for ; Wed, 17 Feb 2016 09:07:35 -0500 Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u1HE7YSl022614 for ; Wed, 17 Feb 2016 09:07:35 -0500 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A1BsAgCXfcRWfoO9+9heGQEBAg8BAQEBhEm4BIQBBxeFdoIRAQEBAQEBEgEBFjOEdEMBATcBgRwiEogZAas2hScBBIp5BpFKC0CBJ5cInEyOR4JXDRmBSGqHKiWBEgEBAQ X-IPAS-Result: A1BsAgCXfcRWfoO9+9heGQEBAg8BAQEBhEm4BIQBBxeFdoIRAQEBAQEBEgEBFjOEdEMBATcBgRwiEogZAas2hScBBIp5BpFKC0CBJ5cInEyOR4JXDRmBSGqHKiWBEgEBAQ X-IronPort-AV: E=Sophos;i="5.22,460,1449550800"; d="scan'208";a="5206530" Received: from emvm-gh1-uea08.nsa.gov ([10.208.42.193]) by goalie.tycho.ncsc.mil with ESMTP; 17 Feb 2016 09:07:27 -0500 X-TM-IMSS-Message-ID: <127d6a0900025380@nsa.gov> Received: from mail.codeweavers.com (mail.codeweavers.com [216.251.189.131]) by nsa.gov ([10.208.42.193]) with ESMTP (TREND IMSS SMTP Service 7.1; TLSv1/SSLv3 DHE-RSA-AES128-SHA (128/128)) id 127d6a0900025380 ; Wed, 17 Feb 2016 08:22:05 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=codeweavers.com; s=6377696661; h=Message-Id:Date:Subject:Cc:To:From; bh=EXfQD2BCLpcyNoCXYaOEr0eDusn6l3bAqOCXMIPZhvw=; b=CduBx0Cb0lneTRpVdz52PdLn6JYUbCtieyeHYneFUjmG8gU1jxgXNKa9Yz7v42MuWsDoGOxiCbJADuDolBErb9DOB+IX7NKz1QsmeT1jpSHLbZNa6EUxmpZOWa5UmVXEdnTVOjwgZHgjz1jLu2Q+4N3v22zM/QYAtcvW55Vk6xw=; Received: from merlot.physics.ox.ac.uk ([163.1.241.98]) by mail.codeweavers.com with esmtpsa (TLS1.0:RSA_AES_256_CBC_SHA1:256) (Exim 4.80) (envelope-from ) id 1aW23f-0008Ni-Sx; Wed, 17 Feb 2016 07:22:21 -0600 Received: from daviesh by merlot.physics.ox.ac.uk with local (Exim 4.71) (envelope-from ) id 1aW23a-0002lL-9p; Wed, 17 Feb 2016 13:22:14 +0000 From: Huw Davies To: netdev@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov Subject: [RFC PATCH v3 17/19] calipso: Add validation of CALIPSO option. Date: Wed, 17 Feb 2016 13:22:07 +0000 Message-Id: <1455715329-9601-18-git-send-email-huw@codeweavers.com> X-Mailer: git-send-email 2.7.0 X-Spam-Score: -2.9 X-TM-AS-MML: disable X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: MIME-Version: 1.0 Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,RP_MATCHES_RCVD,T_DKIM_INVALID,UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP We check lengths, checksum and the DOI. We leave checking of the level and categories for the socket layer. Signed-off-by: Huw Davies --- include/net/calipso.h | 6 ++++++ net/ipv6/calipso.c | 42 ++++++++++++++++++++++++++++++++++++++++++ net/ipv6/exthdrs.c | 27 +++++++++++++++++++++++++++ 3 files changed, 75 insertions(+) diff --git a/include/net/calipso.h b/include/net/calipso.h index 38dbb47..85404e2 100644 --- a/include/net/calipso.h +++ b/include/net/calipso.h @@ -65,6 +65,7 @@ struct calipso_doi { #ifdef CONFIG_NETLABEL int __init calipso_init(void); void calipso_exit(void); +bool calipso_validate(const struct sk_buff *skb, const unsigned char *option); #else static inline int __init calipso_init(void) { @@ -74,6 +75,11 @@ static inline int __init calipso_init(void) static inline void calipso_exit(void) { } +static inline bool calipso_validate(const struct sk_buff *skb, + const unsigned char *option) +{ + return true; +} #endif /* CONFIG_NETLABEL */ #endif /* _CALIPSO_H */ diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c index fa371a8..b8bcf9f 100644 --- a/net/ipv6/calipso.c +++ b/net/ipv6/calipso.c @@ -321,6 +321,48 @@ doi_walk_return: } /** + * calipso_validate - Validate a CALIPSO option + * @skb: the packet + * @option: the start of the option + * + * Description: + * This routine is called to validate a CALIPSO option. + * If the option is valid then a zero value is returned. If the + * option is invalid then a non-zero value is returned and + * representing the offset to the offending portion of the option. + * + * The caller should have already checked that the length of the + * option (including the TLV header) is >= 10 and that the catmap + * length is consistent with the option length. + * + * We leave checks on the level and categories to the socket layer. + */ +bool calipso_validate(const struct sk_buff *skb, const unsigned char *option) +{ + struct calipso_doi *doi_def; + int ret_val; + u16 crc, len = option[1] + 2; + static const u8 zero[2]; + + /* The original CRC runs over the option including the TLV header + * with the CRC-16 field (at offset 8) zeroed out. */ + crc = crc_ccitt(0xffff, option, 8); + crc = crc_ccitt(crc, zero, sizeof(zero)); + if (len > 10) + crc = crc_ccitt(crc, option + 10, len - 10); + crc = ~crc; + if (option[8] != (crc & 0xff) || option[9] != ((crc >> 8) & 0xff)) + return false; + + rcu_read_lock(); + doi_def = calipso_doi_search(get_unaligned_be32(option + 2)); + ret_val = !!doi_def; + rcu_read_unlock(); + + return ret_val; +} + +/** * calipso_map_cat_hton - Perform a category mapping from host to network * @doi_def: the DOI definition * @secattr: the security attributes diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c index d5fd3e7..0f69cab 100644 --- a/net/ipv6/exthdrs.c +++ b/net/ipv6/exthdrs.c @@ -43,6 +43,7 @@ #include #include #include +#include #if IS_ENABLED(CONFIG_IPV6_MIP6) #include #endif @@ -603,6 +604,28 @@ drop: return false; } +/* CALIPSO RFC 5570 */ + +static bool ipv6_hop_calipso(struct sk_buff *skb, int optoff) +{ + const unsigned char *nh = skb_network_header(skb); + + if (nh[optoff + 1] < 8) + goto drop; + + if (nh[optoff + 6] * 4 + 8 > nh[optoff + 1]) + goto drop; + + if (!calipso_validate(skb, nh + optoff)) + goto drop; + + return true; + +drop: + kfree_skb(skb); + return false; +} + static const struct tlvtype_proc tlvprochopopt_lst[] = { { .type = IPV6_TLV_ROUTERALERT, @@ -612,6 +635,10 @@ static const struct tlvtype_proc tlvprochopopt_lst[] = { .type = IPV6_TLV_JUMBO, .func = ipv6_hop_jumbo, }, + { + .type = IPV6_TLV_CALIPSO, + .func = ipv6_hop_calipso, + }, { -1, } };