From 26aa550bd246079b26366627fecbbe7d6e30dabd Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Thu, 12 Nov 2020 12:27:41 +0100 Subject: [PATCH 1/3] - Fix to connect() to UDP destinations, default turned on, this lowers vulnerability to ICMP side channels. --- services/outside_network.c | 35 ++++++++++++++++++++++++++++------- 1 file changed, 28 insertions(+), 7 deletions(-) diff --git a/services/outside_network.c b/services/outside_network.c index 41a1d83f1..cef76053c 100644 --- a/services/outside_network.c +++ b/services/outside_network.c @@ -1115,13 +1115,23 @@ select_ifport(struct outside_network* outnet, struct pending* pend, my_if = ub_random_max(outnet->rnd, num_if); pif = &ifs[my_if]; #ifndef DISABLE_EXPLICIT_PORT_RANDOMISATION - my_port = ub_random_max(outnet->rnd, pif->avail_total); - if(my_port < pif->inuse) { - /* port already open */ - pend->pc = pif->out[my_port]; - verbose(VERB_ALGO, "using UDP if=%d port=%d", - my_if, pend->pc->number); - break; + if(1) { + /* if we connect() we cannot reuse fds for a port */ + if(pif->inuse >= pif->avail_total) { + log_err("failed to find an open port, drop msg"); + return 0; + } + my_port = pif->inuse + ub_random_max(outnet->rnd, + pif->avail_total - pif->inuse); + } else { + my_port = ub_random_max(outnet->rnd, pif->avail_total); + if(my_port < pif->inuse) { + /* port already open */ + pend->pc = pif->out[my_port]; + verbose(VERB_ALGO, "using UDP if=%d port=%d", + my_if, pend->pc->number); + break; + } } /* try to open new port, if fails, loop to try again */ log_assert(pif->inuse < pif->maxout); @@ -1138,6 +1148,17 @@ select_ifport(struct outside_network* outnet, struct pending* pend, if(fd != -1) { verbose(VERB_ALGO, "opened UDP if=%d port=%d", my_if, portno); + if(1) { + /* connect() to the destination */ + if(connect(fd, (struct sockaddr*)&pend->addr, + pend->addrlen) < 0) { + log_err_addr("udp connect failed", + strerror(errno), &pend->addr, + pend->addrlen); + sock_close(fd); + return 0; + } + } /* grab fd */ pend->pc = outnet->unused_fds; outnet->unused_fds = pend->pc->next; From 48b40b305a946c590a005a1923070b95b5b61c3c Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Thu, 12 Nov 2020 12:28:10 +0100 Subject: [PATCH 2/3] Changelog note. --- doc/Changelog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/Changelog b/doc/Changelog index 47fcd9178..e9b8649fd 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,7 @@ +12 November 2020: Wouter + - Fix to connect() to UDP destinations, default turned on, + this lowers vulnerability to ICMP side channels. + 10 November 2020: Wouter - Fix #341: fixing a possible memory leak. - Fix memory leak after fix for possible memory leak failure. From b891fe113ca9d9a2a19552531d8e91b8dcf02164 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Thu, 12 Nov 2020 13:36:37 +0100 Subject: [PATCH 3/3] - Retry for interfaces with unused ports if possible. --- doc/Changelog | 1 + services/outside_network.c | 3 +++ 2 files changed, 4 insertions(+) diff --git a/doc/Changelog b/doc/Changelog index e9b8649fd..613d14cb7 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,6 +1,7 @@ 12 November 2020: Wouter - Fix to connect() to UDP destinations, default turned on, this lowers vulnerability to ICMP side channels. + - Retry for interfaces with unused ports if possible. 10 November 2020: Wouter - Fix #341: fixing a possible memory leak. diff --git a/services/outside_network.c b/services/outside_network.c index cef76053c..d184da545 100644 --- a/services/outside_network.c +++ b/services/outside_network.c @@ -1118,6 +1118,9 @@ select_ifport(struct outside_network* outnet, struct pending* pend, if(1) { /* if we connect() we cannot reuse fds for a port */ if(pif->inuse >= pif->avail_total) { + tries++; + if(tries < MAX_PORT_RETRY) + continue; log_err("failed to find an open port, drop msg"); return 0; }