diff options
| author |   Klement Sekera <ksekera@cisco.com> | 2019-05-16 14:35:46 +0200 |
|---|---|---|
| committer |   Ole Trøan <otroan@employees.org> | 2019-05-20 12:13:11 +0000 |
| commit | 3a343d42d7bd90753ea6ed48fe750a7a209b1ddf (patch) | |
| tree | ba831c36c69365d67a2d20d7a6d447b831a1b88e /test | |
| parent | b388e1a50603a07e20007141221ca4f4a18ab698 (diff) | |
reassembly: prevent long chain attack
limit max # of fragments to 3 per packet by default
add API option to configure the limit at runtime
Change-Id: Ie4b9507bf5c6095b9a5925972b37fe0032f4f9e8
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Diffstat (limited to 'test')
| -rw-r--r-- | test/framework.py | 13 | ||||
| -rw-r--r-- | test/test_ipip.py | 10 | ||||
| -rw-r--r-- | test/test_reassembly.py | 72 |
3 files changed, 95 insertions, 0 deletions
diff --git a/test/framework.py b/test/framework.py index 47de2c4d967..201892aea27 100644 --- a/test/framework.py +++ b/test/framework.py @@ -1000,6 +1000,19 @@ class VppTestCase(unittest.TestCase): if pkt.haslayer(ICMPv6EchoReply): self.assert_checksum_valid(pkt, 'ICMPv6EchoReply', 'cksum') + def get_packet_counter(self, counter): + if counter.startswith("/"): + counter_value = self.statistics.get_counter(counter) + else: + counters = self.vapi.cli("sh errors").split('\n') + counter_value = -1 + for i in range(1, len(counters) - 1): + results = counters[i].split() + if results[1] == counter: + counter_value = int(results[0]) + break + return counter_value + def assert_packet_counter_equal(self, counter, expected_value): if counter.startswith("/"): counter_value = self.statistics.get_counter(counter) diff --git a/test/test_ipip.py b/test/test_ipip.py index 16f83694b20..e5b9092a431 100644 --- a/test/test_ipip.py +++ b/test/test_ipip.py @@ -160,6 +160,11 @@ class TestIPIP(VppTestCase): sw_if_index=self.pg1.sw_if_index, enable_ip4=1) + self.vapi.ip_reassembly_set(timeout_ms=1000, max_reassemblies=1000, + max_reassembly_length=1000, + expire_walk_interval_ms=10000, + is_ip6=0) + # Send lots of fragments, verify reassembled packet frags, p4_reply = self.generate_ip4_frags(3131, 1400) f = [] @@ -415,6 +420,11 @@ class TestIPIP6(VppTestCase): sw_if_index=self.pg1.sw_if_index, enable_ip6=1) + self.vapi.ip_reassembly_set(timeout_ms=1000, max_reassemblies=1000, + max_reassembly_length=1000, + expire_walk_interval_ms=10000, + is_ip6=1) + # Send lots of fragments, verify reassembled packet before_cnt = self.statistics.get_counter( '/err/ipip6-input/packets decapsulated') diff --git a/test/test_reassembly.py b/test/test_reassembly.py index f57c14c1cf5..05877fad66d 100644 --- a/test/test_reassembly.py +++ b/test/test_reassembly.py @@ -83,6 +83,7 @@ class TestIPReassemblyMixin(object): is_ip6 = 1 if scapy_ip_family == IPv6 else 0 self.vapi.ip_reassembly_set(timeout_ms=1000, max_reassemblies=0, + max_reassembly_length=1000, expire_walk_interval_ms=10000, is_ip6=is_ip6) @@ -183,6 +184,7 @@ class TestIPReassemblyMixin(object): is_ip6 = 1 if scapy_ip_family == IPv6 else 0 self.vapi.ip_reassembly_set(timeout_ms=0, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=10000, is_ip6=is_ip6) @@ -229,9 +231,11 @@ class TestIPv4Reassembly(TestIPReassemblyMixin, VppTestCase): self.vapi.ip_reassembly_enable_disable( sw_if_index=self.src_if.sw_if_index, enable_ip4=True) self.vapi.ip_reassembly_set(timeout_ms=0, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=10) self.sleep(.25) self.vapi.ip_reassembly_set(timeout_ms=1000000, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=10000) def tearDown(self): @@ -301,6 +305,37 @@ class TestIPv4Reassembly(TestIPReassemblyMixin, VppTestCase): stream = self.__class__.fragments_200 super(TestIPv4Reassembly, self).test_random(family, stream) + def test_long_fragment_chain(self): + """ long fragment chain """ + + error_cnt_str = \ + "/err/ip4-reassembly-feature/fragment chain too long (drop)" + + error_cnt = self.get_packet_counter(error_cnt_str) + + self.vapi.ip_reassembly_set(timeout_ms=100, max_reassemblies=1000, + max_reassembly_length=3, + expire_walk_interval_ms=50) + + p1 = (Ether(dst=self.src_if.local_mac, src=self.src_if.remote_mac) / + IP(id=1000, src=self.src_if.remote_ip4, + dst=self.dst_if.remote_ip4) / + UDP(sport=1234, dport=5678) / + Raw("X" * 1000)) + p2 = (Ether(dst=self.src_if.local_mac, src=self.src_if.remote_mac) / + IP(id=1001, src=self.src_if.remote_ip4, + dst=self.dst_if.remote_ip4) / + UDP(sport=1234, dport=5678) / + Raw("X" * 1000)) + frags = fragment_rfc791(p1, 200) + fragment_rfc791(p2, 500) + + self.pg_enable_capture() + self.src_if.add_stream(frags) + self.pg_start() + + self.dst_if.get_capture(1) + self.assert_packet_counter_equal(error_cnt_str, error_cnt + 1) + def test_5737(self): """ fragment length + ip header size > 65535 """ self.vapi.cli("clear errors") @@ -504,6 +539,7 @@ class TestIPv4Reassembly(TestIPReassemblyMixin, VppTestCase): if len(frags_400) > 1) self.vapi.ip_reassembly_set(timeout_ms=100, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=50) self.pg_enable_capture() @@ -565,9 +601,11 @@ class TestIPv6Reassembly(TestIPReassemblyMixin, VppTestCase): self.vapi.ip_reassembly_enable_disable( sw_if_index=self.src_if.sw_if_index, enable_ip6=True) self.vapi.ip_reassembly_set(timeout_ms=0, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=10, is_ip6=1) self.sleep(.25) self.vapi.ip_reassembly_set(timeout_ms=1000000, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=10000, is_ip6=1) self.logger.debug(self.vapi.ppcli("show ip6-reassembly details")) self.logger.debug(self.vapi.ppcli("show buffers")) @@ -647,6 +685,32 @@ class TestIPv6Reassembly(TestIPReassemblyMixin, VppTestCase): ] super(TestIPv6Reassembly, self).test_duplicates(family, fragments) + def test_long_fragment_chain(self): + """ long fragment chain """ + + error_cnt_str = \ + "/err/ip6-reassembly-feature/fragment chain too long (drop)" + + error_cnt = self.get_packet_counter(error_cnt_str) + + self.vapi.ip_reassembly_set(timeout_ms=100, max_reassemblies=1000, + max_reassembly_length=3, + expire_walk_interval_ms=50, is_ip6=1) + + p = (Ether(dst=self.src_if.local_mac, src=self.src_if.remote_mac) / + IPv6(src=self.src_if.remote_ip6, + dst=self.dst_if.remote_ip6) / + UDP(sport=1234, dport=5678) / + Raw("X" * 1000)) + frags = fragment_rfc8200(p, 1, 300) + fragment_rfc8200(p, 2, 500) + + self.pg_enable_capture() + self.src_if.add_stream(frags) + self.pg_start() + + self.dst_if.get_capture(1) + self.assert_packet_counter_equal(error_cnt_str, error_cnt + 1) + def test_overlap1(self): """ overlapping fragments case #1 (differs from IP test case)""" @@ -741,9 +805,11 @@ class TestIPv6Reassembly(TestIPReassemblyMixin, VppTestCase): if len(frags_400) > 1) self.vapi.ip_reassembly_set(timeout_ms=100, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=50) self.vapi.ip_reassembly_set(timeout_ms=100, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=50, is_ip6=1) self.pg_enable_capture() @@ -865,9 +931,11 @@ class TestIPv4ReassemblyLocalNode(VppTestCase): """ Test setup - force timeout on existing reassemblies """ super(TestIPv4ReassemblyLocalNode, self).setUp() self.vapi.ip_reassembly_set(timeout_ms=0, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=10) self.sleep(.25) self.vapi.ip_reassembly_set(timeout_ms=1000000, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=10000) def tearDown(self): @@ -996,13 +1064,17 @@ class TestFIFReassembly(VppTestCase): sw_if_index=self.dst_if.sw_if_index, enable_ip4=True, enable_ip6=True) self.vapi.ip_reassembly_set(timeout_ms=0, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=10) self.vapi.ip_reassembly_set(timeout_ms=0, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=10, is_ip6=1) self.sleep(.25) self.vapi.ip_reassembly_set(timeout_ms=1000000, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=10000) self.vapi.ip_reassembly_set(timeout_ms=1000000, max_reassemblies=1000, + max_reassembly_length=1000, expire_walk_interval_ms=10000, is_ip6=1) def tearDown(self): |