mirror of https://github.com/M66B/NetGuard.git
Native check packet lengths, check ICMP type
This commit is contained in:
parent
146fc7bde7
commit
d62e20ef34
|
@ -670,7 +670,7 @@ int check_sessions(const struct arguments *args) {
|
||||||
inet_ntop(AF_INET6, &i->saddr.ip6, source, sizeof(source));
|
inet_ntop(AF_INET6, &i->saddr.ip6, source, sizeof(source));
|
||||||
inet_ntop(AF_INET6, &i->daddr.ip6, dest, sizeof(dest));
|
inet_ntop(AF_INET6, &i->daddr.ip6, dest, sizeof(dest));
|
||||||
}
|
}
|
||||||
log_android(ANDROID_LOG_INFO, "ICMP idle %d/%d sec stop %d from %s to %s",
|
log_android(ANDROID_LOG_WARN, "ICMP idle %d/%d sec stop %d from %s to %s",
|
||||||
now - i->time, timeout, i->stop, dest, source);
|
now - i->time, timeout, i->stop, dest, source);
|
||||||
|
|
||||||
if (close(i->socket))
|
if (close(i->socket))
|
||||||
|
@ -712,7 +712,7 @@ int check_sessions(const struct arguments *args) {
|
||||||
// Check session timeout
|
// Check session timeout
|
||||||
int timeout = get_udp_timeout(u);
|
int timeout = get_udp_timeout(u);
|
||||||
if (u->state == UDP_ACTIVE && u->time + timeout < now) {
|
if (u->state == UDP_ACTIVE && u->time + timeout < now) {
|
||||||
log_android(ANDROID_LOG_INFO, "UDP idle %d/%d sec state %d from %s/%u to %s/%u",
|
log_android(ANDROID_LOG_WARN, "UDP idle %d/%d sec state %d from %s/%u to %s/%u",
|
||||||
now - u->time, timeout, u->state,
|
now - u->time, timeout, u->state,
|
||||||
source, ntohs(u->source), dest, ntohs(u->dest));
|
source, ntohs(u->source), dest, ntohs(u->dest));
|
||||||
u->state = UDP_FINISHING;
|
u->state = UDP_FINISHING;
|
||||||
|
@ -1509,6 +1509,11 @@ void handle_ip(const struct arguments *args, const uint8_t *pkt, const size_t le
|
||||||
// Get protocol, addresses & payload
|
// Get protocol, addresses & payload
|
||||||
uint8_t version = (*pkt) >> 4;
|
uint8_t version = (*pkt) >> 4;
|
||||||
if (version == 4) {
|
if (version == 4) {
|
||||||
|
if (length < sizeof(struct iphdr)) {
|
||||||
|
log_android("IP4 packet too short length %d", length);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
struct iphdr *ip4hdr = (struct iphdr *) pkt;
|
struct iphdr *ip4hdr = (struct iphdr *) pkt;
|
||||||
|
|
||||||
protocol = ip4hdr->protocol;
|
protocol = ip4hdr->protocol;
|
||||||
|
@ -1537,6 +1542,11 @@ void handle_ip(const struct arguments *args, const uint8_t *pkt, const size_t le
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else if (version == 6) {
|
else if (version == 6) {
|
||||||
|
if (length < sizeof(struct ip6_hdr)) {
|
||||||
|
log_android("IP6 packet too short length %d", length);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
struct ip6_hdr *ip6hdr = (struct ip6_hdr *) pkt;
|
struct ip6_hdr *ip6hdr = (struct ip6_hdr *) pkt;
|
||||||
|
|
||||||
// Skip extension headers
|
// Skip extension headers
|
||||||
|
@ -1581,6 +1591,11 @@ void handle_ip(const struct arguments *args, const uint8_t *pkt, const size_t le
|
||||||
uint16_t sport = 0;
|
uint16_t sport = 0;
|
||||||
uint16_t dport = 0;
|
uint16_t dport = 0;
|
||||||
if (protocol == IPPROTO_ICMP || protocol == IPPROTO_ICMPV6) {
|
if (protocol == IPPROTO_ICMP || protocol == IPPROTO_ICMPV6) {
|
||||||
|
if (length - (payload - pkt) < sizeof(struct icmp)) {
|
||||||
|
log_android(ANDROID_LOG_WARN, "ICMP packet too short");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
struct icmp *icmp = (struct icmp *) payload;
|
struct icmp *icmp = (struct icmp *) payload;
|
||||||
|
|
||||||
// http://lwn.net/Articles/443051/
|
// http://lwn.net/Articles/443051/
|
||||||
|
@ -1588,6 +1603,11 @@ void handle_ip(const struct arguments *args, const uint8_t *pkt, const size_t le
|
||||||
dport = ntohs(icmp->icmp_id);
|
dport = ntohs(icmp->icmp_id);
|
||||||
|
|
||||||
} else if (protocol == IPPROTO_UDP) {
|
} else if (protocol == IPPROTO_UDP) {
|
||||||
|
if (length - (payload - pkt) < sizeof(struct udphdr)) {
|
||||||
|
log_android(ANDROID_LOG_WARN, "UDP packet too short");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
struct udphdr *udp = (struct udphdr *) payload;
|
struct udphdr *udp = (struct udphdr *) payload;
|
||||||
|
|
||||||
sport = ntohs(udp->source);
|
sport = ntohs(udp->source);
|
||||||
|
@ -1596,6 +1616,11 @@ void handle_ip(const struct arguments *args, const uint8_t *pkt, const size_t le
|
||||||
// TODO checksum (IPv6)
|
// TODO checksum (IPv6)
|
||||||
}
|
}
|
||||||
else if (protocol == IPPROTO_TCP) {
|
else if (protocol == IPPROTO_TCP) {
|
||||||
|
if (length - (payload - pkt) < sizeof(struct tcphdr)) {
|
||||||
|
log_android(ANDROID_LOG_WARN, "TCP packet too short");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
struct tcphdr *tcp = (struct tcphdr *) payload;
|
struct tcphdr *tcp = (struct tcphdr *) payload;
|
||||||
|
|
||||||
sport = ntohs(tcp->source);
|
sport = ntohs(tcp->source);
|
||||||
|
@ -1721,6 +1746,12 @@ jboolean handle_icmp(const struct arguments *args,
|
||||||
struct icmp *icmp = (struct icmp *) payload;
|
struct icmp *icmp = (struct icmp *) payload;
|
||||||
size_t icmplen = length - (payload - pkt);
|
size_t icmplen = length - (payload - pkt);
|
||||||
|
|
||||||
|
if (icmp->icmp_type != ICMP_ECHO) {
|
||||||
|
log_android(ANDROID_LOG_WARN, "ICMP type %d code %d not supported",
|
||||||
|
icmp->icmp_type, icmp->icmp_code);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
// Search session
|
// Search session
|
||||||
struct icmp_session *cur = icmp_session;
|
struct icmp_session *cur = icmp_session;
|
||||||
while (cur != NULL &&
|
while (cur != NULL &&
|
||||||
|
|
Loading…
Reference in New Issue