pf tests: Test CVE-2019-5598

Verify that pf correctly drops inconsistent ICMP packets (i.e. where the
IP src/dst do not match the IP src/dst in the ICMP packet.

3 files changed, 234 insertions, 2 deletions

diff --git a/tests/sys/netpfil/pf/CVE-2019-5598.py b/tests/sys/netpfil/pf/CVE-2019-5598.py
new file mode 100644
index 000000000000..648b8ef9d6f0
--- /dev/null
+++ b/tests/sys/netpfil/pf/CVE-2019-5598.py
@@ -0,0 +1,130 @@
+#!/usr/local/bin/python2.7
+
+import argparse
+import scapy.all as sp
+import sys
+from sniffer import Sniffer
+
+def check_icmp_error(args, packet):
+	ip = packet.getlayer(sp.IP)
+	if not ip:
+		return False
+	if ip.dst != args.to[0]:
+		return False
+
+	icmp = packet.getlayer(sp.ICMP)
+	if not icmp:
+		return False
+	if icmp.type != 3 or icmp.code != 3:
+		return False
+
+	return True
+
+def main():
+	parser = argparse.ArgumentParser("CVE-2019-icmp.py",
+		description="CVE-2019-icmp test tool")
+	parser.add_argument('--sendif', nargs=1,
+		required=True,
+		help='The interface through which the packet will be sent')
+	parser.add_argument('--recvif', nargs=1,
+		required=True,
+		help='The interface on which to check for the packet')
+	parser.add_argument('--src', nargs=1,
+		required=True,
+		help='The source IP address')
+	parser.add_argument('--to', nargs=1,
+		required=True,
+		help='The destination IP address')
+
+	args = parser.parse_args()
+
+        # Send the allowed packet to establish state
+        udp = sp.Ether() / \
+            sp.IP(src=args.src[0], dst=args.to[0]) / \
+            sp.UDP(dport=53, sport=1234)
+        sp.sendp(udp, iface=args.sendif[0], verbose=False)
+
+	# Start sniffing on recvif
+	sniffer = Sniffer(args, check_icmp_error)
+
+	# Send the bad error packet
+	icmp_reachable = sp.Ether() / \
+            sp.IP(src=args.src[0], dst=args.to[0]) / \
+	    sp.ICMP(type=3, code=3) / \
+	    sp.IP(src="4.3.2.1", dst="1.2.3.4") / \
+	    sp.UDP(dport=53, sport=1234)
+	sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False)
+
+	sniffer.join()
+	if sniffer.foundCorrectPacket:
+		sys.exit(1)
+
+	sys.exit(0)
+
+if __name__ == '__main__':
+	main()
+#!/usr/local/bin/python2.7
+
+import argparse
+import scapy.all as sp
+import sys
+from sniffer import Sniffer
+
+def check_icmp_error(args, packet):
+	ip = packet.getlayer(sp.IP)
+	if not ip:
+		return False
+	if ip.dst != args.to[0]:
+		return False
+
+	icmp = packet.getlayer(sp.ICMP)
+	if not icmp:
+		return False
+	if icmp.type != 3 or icmp.code != 3:
+		return False
+
+	return True
+
+def main():
+	parser = argparse.ArgumentParser("CVE-2019-icmp.py",
+		description="CVE-2019-icmp test tool")
+	parser.add_argument('--sendif', nargs=1,
+		required=True,
+		help='The interface through which the packet will be sent')
+	parser.add_argument('--recvif', nargs=1,
+		required=True,
+		help='The interface on which to check for the packet')
+	parser.add_argument('--src', nargs=1,
+		required=True,
+		help='The source IP address')
+	parser.add_argument('--to', nargs=1,
+		required=True,
+		help='The destination IP address')
+
+	args = parser.parse_args()
+
+        # Send the allowed packet to establish state
+        udp = sp.Ether() / \
+            sp.IP(src=args.src[0], dst=args.to[0]) / \
+            sp.UDP(dport=53, sport=1234)
+        sp.sendp(udp, iface=args.sendif[0], verbose=False)
+
+	# Start sniffing on recvif
+	sniffer = Sniffer(args, check_icmp_error)
+
+	# Send the bad error packet
+	icmp_reachable = sp.Ether() / \
+            sp.IP(src=args.src[0], dst=args.to[0]) / \
+	    sp.ICMP(type=3, code=3) / \
+	    sp.IP(src=args.src[0], dst=args.to[0]) / \
+	    sp.UDP(dport=53, sport=1234)
+	sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False)
+
+	sniffer.join()
+	if sniffer.foundCorrectPacket:
+		sys.exit(1)
+
+	sys.exit(0)
+
+if __name__ == '__main__':
+	main()
diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile
index 84a40a16699c..bf2510b9c02b 100644
--- a/tests/sys/netpfil/pf/Makefile
+++ b/tests/sys/netpfil/pf/Makefile
@@ -16,15 +16,18 @@ ATF_TESTS_SH+=	anchor \
 		route_to \
 		synproxy \
 		set_skip \
-		pfsync
+		pfsync	\
+		icmp
 
 ${PACKAGE}FILES+=	utils.subr \
 			echo_inetd.conf \
 			sniffer.py \
 			pft_ping.py \
-			CVE-2019-5597.py
+			CVE-2019-5597.py \
+			CVE-2019-5598.py
 
 ${PACKAGE}FILESMODE_pft_ping.py=	0555
 ${PACKAGE}FILESMODE_CVE-2019-5597.py=	0555
+${PACKAGE}FILESMODE_CVE-2019-5598.py=	0555
 
 .include <bsd.test.mk>
diff --git a/tests/sys/netpfil/pf/icmp.sh b/tests/sys/netpfil/pf/icmp.sh
new file mode 100755
index 000000000000..5cc1a769c799
--- /dev/null
+++ b/tests/sys/netpfil/pf/icmp.sh
@@ -0,0 +1,99 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "cve_2019_5598" "cleanup"
+cve_2019_5598_head()
+{
+	atf_set descr 'Test CVE-2019-5598'
+	atf_set require.user root
+	atf_set require.progs scapy
+}
+
+cve_2019_5598_body()
+{
+	pft_init
+
+	epair_in=$(vnet_mkepair)
+	epair_out=$(vnet_mkepair)
+	ifconfig ${epair_in}a 192.0.2.1/24 up
+	ifconfig ${epair_out}a up
+
+	vnet_mkjail alcatraz ${epair_in}b ${epair_out}b
+	jexec alcatraz ifconfig ${epair_in}b 192.0.2.2/24 up
+	jexec alcatraz ifconfig ${epair_out}b 198.51.100.2/24 up
+	jexec alcatraz sysctl net.inet.ip.forwarding=1
+	jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05
+	jexec alcatraz route add default 198.51.100.3
+	route add -net 198.51.100.0/24 192.0.2.2
+
+	jexec alcatraz pfctl -e
+	pft_set_rules alcatraz "block all" \
+		"pass in proto udp to 198.51.100.3 port 53" \
+		"pass out proto udp to 198.51.100.3 port 53"
+
+	atf_check -s exit:0 $(atf_get_srcdir)/CVE-2019-icmp.py \
+		--sendif ${epair_in}a \
+		--recvif ${epair_out}a \
+		--src 192.0.2.1 \
+		--to 198.51.100.3
+}
+
+cve_2019_5598_cleanup()
+{
+	pft_cleanup
+}
+
+atf_init_test_cases()
+{
+	atf_add_test_case "cve_2019_5598"
+}
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "cve_2019_5598" "cleanup"
+cve_2019_5598_head()
+{
+	atf_set descr 'Test CVE-2019-5598'
+	atf_set require.user root
+	atf_set require.progs scapy
+}
+
+cve_2019_5598_body()
+{
+	pft_init
+
+	epair_in=$(vnet_mkepair)
+	epair_out=$(vnet_mkepair)
+	ifconfig ${epair_in}a 192.0.2.1/24 up
+	ifconfig ${epair_out}a up
+
+	vnet_mkjail alcatraz ${epair_in}b ${epair_out}b
+	jexec alcatraz ifconfig ${epair_in}b 192.0.2.2/24 up
+	jexec alcatraz ifconfig ${epair_out}b 198.51.100.2/24 up
+	jexec alcatraz sysctl net.inet.ip.forwarding=1
+	jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05
+	route add -net 198.51.100.0/24 192.0.2.2
+
+	jexec alcatraz pfctl -e
+	pft_set_rules alcatraz "block all" \
+		"pass in proto udp to 198.51.100.3 port 53" \
+		"pass out proto udp to 198.51.100.3 port 53"
+
+	atf_check -s exit:0 $(atf_get_srcdir)/CVE-2019-icmp.py \
+		--sendif ${epair_in}a \
+		--recvif ${epair_out}a \
+		--src 192.0.2.1 \
+		--to 198.51.100.3
+}
+
+cve_2019_5598_cleanup()
+{
+	pft_cleanup
+}
+
+atf_init_test_cases()
+{
+	atf_add_test_case "cve_2019_5598"
+}