els0r / goProbe

High-performance IP packet metadata aggregation and efficient storage and querying of flows
GNU General Public License v2.0

goProbe crashes when encountering specific IPv6 packet #310

Closed els0r closed 5 months ago

els0r commented 6 months ago

Seen on one of the hosts in the sensor fleet:

cat goProbe.panic.20240501-120652.bak
panic: runtime error: slice bounds out of range [:44] with capacity 42

goroutine 388 [running]:
github.com/els0r/goProbe/pkg/capture.ParsePacketV6({0x7f41e17a95e8?, 0x2b600000002?, 0xff00?})
    /usr/src/packages/src/osco/observability/pkg/OSAGtmi/goProbe/pkg/capture/flow.go:179 +0x19f
github.com/els0r/goProbe/pkg/capture.(*Capture).process.func1()
    /usr/src/packages/src/osco/observability/pkg/OSAGtmi/goProbe/pkg/capture/capture.go:313 +0x12e
created by github.com/els0r/goProbe/pkg/capture.(*Capture).process in goroutine 32
    /usr/src/packages/src/osco/observability/pkg/OSAGtmi/goProbe/pkg/capture/capture.go:239 +0x96

Occurs during dport assignment: https://github.com/els0r/goProbe/blob/main/pkg/capture/flow.go#L179. It appears the packet data doesn't match the assumptions made about an IPv6 packet.

From https://pkg.go.dev/golang.org/x/net/ipv6:

const (
    Version   = 6  // protocol version
    HeaderLen = 40 // header length
)

DoD

fako1024 commented 6 months ago

Assessment on the affected system shows that this is caused by a bogus IPv6 packet, as expected (in this case: incorrect / invalid IP protocol ID):

# tcpdump -ni any -c 10 "(ip6 and length < 44) or (length < 19) "
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
14:46:20.286223 peth1 M   IP6 version error: 5 != 6
14:46:20.286223 peth1 M   IP6 version error: 5 != 6
14:46:20.286223 peth1 M   IP6 version error: 5 != 6
14:46:20.286223 peth1 M   IP6 version error: 5 != 6
14:46:20.286223 peth1 M   IP6 version error: 5 != 6
14:46:20.286223 peth1 M   IP6 version error: 5 != 6
14:46:20.286223 peth1 M   IP6 version error: 5 != 6
14:46:20.286223 peth1 M   IP6 version error: 5 != 6
14:46:20.286240 peth1 M   IP6 version error: 5 != 6
14:46:20.286240 peth1 M   IP6 version error: 5 != 6
10 packets captured
115 packets received by filter
0 packets dropped by kernel

A packet dump has been obtained and will be added to the testing facilities (after sanitization).
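
The length and version checks this thread points to, as an added example that is not goProbe's own code: `ParseV6`, `V6Meta` and `sample` are hypothetical names and the packets are constructed. It assumes TCP or UDP directly follows the fixed 40-byte header (no extension headers).

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const hdrLen = 40            // fixed IPv6 header length (ipv6.HeaderLen)
const portsEnd = hdrLen + 4  // source and destination port follow the header

var ErrTruncated = errors.New("packet shorter than the fields to be read")
var ErrBadVersion = errors.New("IP version is not 6")

// V6Meta is a hypothetical result type, not goProbe's flow structure.
type V6Meta struct{ Proto byte; SPort, DPort uint16 }

// ParseV6 checks length and version before every slice expression, so a
// short or bogus buffer yields an error instead of a runtime panic.
func ParseV6(pkt []byte) (V6Meta, error) {
	if len(pkt) < hdrLen {
		return V6Meta{}, ErrTruncated
	}
	if v := pkt[0] >> 4; v != 6 {
		return V6Meta{}, fmt.Errorf("%w (got %d)", ErrBadVersion, v)
	}
	m := V6Meta{Proto: pkt[6]} // Next Header field
	if m.Proto == 6 || m.Proto == 17 { // TCP or UDP: ports at bytes 40..43
		if len(pkt) < portsEnd {
			return m, ErrTruncated
		}
		m.SPort = binary.BigEndian.Uint16(pkt[40:42])
		m.DPort = binary.BigEndian.Uint16(pkt[42:44])
	}
	return m, nil
}

// sample builds a constructed n-byte packet (n >= 7) with the given version and next header.
func sample(n int, version, proto byte) []byte {
	p := make([]byte, n)
	p[0], p[6] = version<<4, proto
	return p
}

func main() {
	for _, p := range [][]byte{sample(42, 6, 17), sample(44, 5, 17), sample(44, 6, 17)} {
		m, err := ParseV6(p)
		fmt.Printf("len=%d meta=%+v err=%v\n", len(p), m, err)
	}
}
```

The 42-byte sample mirrors the buffer size in the panic above (`[:44] with capacity 42`) and is rejected with `ErrTruncated` rather than sliced.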