Source code: eBPF-Package-Repository/connection-limit/connection_limit.bpf.c
Description:
While reviewing the XDP program (_xdp_limit_conn), I noticed that the code directly parses the packet as an IPv4 header without checking the Ethernet protocol type. This can lead to misparsing non-IPv4 packets.
```c
/* Check if its valid ethernet packet */
if (data + sizeof(struct ethhdr) + 1 > data_end)
    return XDP_PASS;
/* Check if its valid ip packet */
struct iphdr *iph = (struct iphdr *)(data + sizeof(struct ethhdr));
```
There is no validation of eth->h_proto before this cast.
Question:
- Would it be appropriate to add an explicit EtherType check before parsing, for example:

```c
/* h_proto is in network byte order, so compare against the converted constant */
if (eth->h_proto != bpf_htons(ETH_P_IP))
    return XDP_PASS;
```

to ensure that only IPv4 packets are interpreted as struct iphdr, and non-IPv4 are passed right away?
- Or is the program designed to run in an environment where only IPv4 packets reach this stage?
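The check the issue proposes, as an added user-space illustration (not the repository's code): it mirrors the XDP prologue on two constructed frames, compares the EtherType after converting from network byte order, and shows what the unchecked cast would read out of an IPv6 frame. The header stand-ins, the sample frames and the `check_ethertype` switch are assumptions of this example only.

```c
#include <stdint.h>
#include <stddef.h>
#include <arpa/inet.h>

/* Stand-ins for <linux/if_ether.h> / <linux/ip.h> so this builds in user space (assumption). */
#define ETH_P_IP 0x0800
struct eth_hdr { uint8_t h_dest[6]; uint8_t h_source[6]; uint16_t h_proto; } __attribute__((packed));
struct ip_hdr  { uint8_t ihl_version, tos; uint16_t tot_len, id, frag_off;
                 uint8_t ttl, protocol; uint16_t check; uint32_t saddr, daddr; } __attribute__((packed));

enum parse_result { PARSE_TOO_SHORT = 0, PARSE_NOT_IPV4 = 1, PARSE_IPV4 = 2 };

/* Mirrors the XDP prologue. With check_ethertype=0 it behaves like the code under review
 * (cast straight to the IPv4 header); with 1 it applies the proposed EtherType gate. */
enum parse_result parse_frame(const uint8_t *data, const uint8_t *data_end,
                              int check_ethertype, uint8_t *out_proto)
{
    const struct eth_hdr *eth = (const struct eth_hdr *)data;
    if (data + sizeof(*eth) > data_end)
        return PARSE_TOO_SHORT;                       /* XDP_PASS */
    /* h_proto sits on the wire in network byte order: convert before comparing */
    if (check_ethertype && ntohs(eth->h_proto) != ETH_P_IP)
        return PARSE_NOT_IPV4;                        /* XDP_PASS, never touch struct iphdr */
    const struct ip_hdr *iph = (const struct ip_hdr *)(data + sizeof(*eth));
    if ((const uint8_t *)iph + sizeof(*iph) > data_end)
        return PARSE_TOO_SHORT;
    if (out_proto)
        *out_proto = iph->protocol;
    return PARSE_IPV4;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t IPV4_TCP_FRAME[] = {
    0,0,0,0,0,1,  0,0,0,0,0,2,  0x08,0x00,          /* dst, src, EtherType IPv4 */
    0x45,0x00,0x00,0x28, 0x00,0x00,0x40,0x00,       /* ver/ihl, tos, tot_len=40, id, flags */
    0x40,0x06,0x00,0x00,                            /* ttl=64, protocol=TCP(6), checksum */
    10,0,0,1, 10,0,0,2                              /* saddr, daddr */
};
static const uint8_t IPV6_FRAME[] = {
    0,0,0,0,0,1,  0,0,0,0,0,2,  0x86,0xdd,          /* dst, src, EtherType IPv6 */
    0x60,0x00,0x00,0x00, 0x00,0x08, 0x3a,0x40,      /* ver/flow, payload len, next hdr, hop limit */
    0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1,    /* src 2001:db8::1 */
    0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,2     /* dst 2001:db8::2 */
};
```

Without the gate, the IPv6 frame is accepted as IPv4 and its "protocol" byte is the second octet of the IPv6 source address (0x01, i.e. ICMP), so any per-protocol or per-address accounting downstream is fed garbage.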