Closed mfontanini closed 7 years ago
mfontanini
commented
8 years ago Another thing is, this seems to be re-computing the checksum for that bogus ICMP extension and then altering the original packet buffer (which alters the ICMP payload). This ends up breaking some logic we have to match ICMP TTL expired responses, since the original packet is different from the response.
Shouldn't checksum computations be stored on the fields rather than on the underlying packet buffer?
pellegre
commented
8 years ago Hi Matias,
given that compliant applications are suppose to set the length field maybe is safe to remove that piece of code?
about the checksum, it should work as any other layer, values should be preserved from the original raw data until the "Craft" method is called.
in your case I see a 0x4141 value, which belongs to the original raw data. when do you see that value changing? maybe something is calling "Craft" after parsing the packet?
mfontanini
commented
8 years ago I think it's fairly common that the length field is not set, so I guess computing the checksum is the best way to be safe.
Regarding the original raw data being changed, you can test it doing this:
First generate the input pcap using scapy:
wrpcap('/tmp/input.pcap', Ether() / IP() / ICMP(type='time-exceeded') / IP() / UDP(dport=1, sport=2) / ('A' * 180))Then this small snippet to parse the file:
#include <crafter.h>
#include <tins/tins.h>
using namespace Crafter;
bool callback(const Tins::PDU& pdu) {
const auto& buffer = pdu.rfind_pdu<Tins::RawPDU>().payload();
printf("Raw: ");
for (size_t i = 0; i < buffer.size(); ++i) {
printf("%02x", buffer[i]);
}
printf("\n");
Packet pkt;
pkt.PacketFromLinkLayer(buffer.data(), buffer.size(), DLT_EN10MB);
printf("Parsed: ");
for (size_t i = 0; i < pkt.GetSize(); ++i) {
printf("%02x", pkt.GetRawPtr()[i]);
}
printf("\n");
return true;
}
int main(int argc, char* argv[]) {
Tins::FileSniffer sniffer(argv[1]);
sniffer.set_extract_raw_pdus(true);
sniffer.sniff_loop(callback);
}This prints:
Raw: ffffffffffff0000000000000800450000ec0001000040017c0e7f0000017f0000010b00f3cf00000000450000d00001000040117c1a7f0000017f0000010002000100bc0f80414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141
Parsed: ffffffffffff0000000000000800450000ec0001000040017c0e7f0000017f0000010b0025e200200000450000d00001000040117c1a7f0000017f0000010002000100bc0f804141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141419145004c0000414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141As you can see, where there should be a bunch of 0x41s, there's a 9145004c0000, that's where the checksum would be. The thing is, it looks like this modifies the internal buffer, but not the fields, since the fields still show the original value.
pellegre
commented
8 years ago got it now... is the internal buffer. I'll check out what's going on.
thanks :+1:
mfontanini
commented
8 years ago Cool, thank you!
oliviertilmans
commented
7 years ago As I ran into a similar bug, I eventually fixed this.
Your reported internal buffer corruption was due to pkt.GetRawPtr() (instead of pkt.GetBuffer()) which trigger a packet (re)crafting (and incidentally in your case since the packet was incorrectly parsed, it was incorrectly recrafted).
mfontanini
commented
7 years ago Alright, thanks! I'll change the code to use GetBuffer rather than GetRawPtr. It's kind of misleading that it crafts the packet, as I'd expect it to just return a raw pointer. There should probably be at least a comment about that before the method definition.
oliviertilmans
commented
7 years ago IIRC there's a note in the header file but not very clear --- I wasn't aware of that API difference either before looking into your issue... I'll explicit that in the next change/fix I push in the lib.
So, by generating a packet like this using scapy:
If you then parse it using libcrafter, you get:
As you see, this is parsing part of the ICMP payload as ICMP extensions. I tracked this down to
ICMP::ParseLayerDatawhich does this:Reading the RFC, it seems like this is a special case for non-compliant ICMP extensions that might be implemented before the RFC (referring to packets that contain ICMP extensions but not the length field).
I guess this should at least check if any valid extensions are found after that (e.g. the length field makes sense or even better, compute the checksum and make sure it matches) and otherwise, just parse the whole payload as a
RawLayer.