1*d39d5ee2SKristof Provost#!/usr/bin/env python3 2*d39d5ee2SKristof Provost# 3*d39d5ee2SKristof Provost# SPDX-License-Identifier: ISC 4*d39d5ee2SKristof Provost# 5*d39d5ee2SKristof Provost# Copyright (c) 2012-2021 Alexander Bluhm <bluhm@openbsd.org> 6*d39d5ee2SKristof Provost# 7*d39d5ee2SKristof Provost# Permission to use, copy, modify, and distribute this software for any 8*d39d5ee2SKristof Provost# purpose with or without fee is hereby granted, provided that the above 9*d39d5ee2SKristof Provost# copyright notice and this permission notice appear in all copies. 10*d39d5ee2SKristof Provost# 11*d39d5ee2SKristof Provost# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12*d39d5ee2SKristof Provost# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13*d39d5ee2SKristof Provost# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14*d39d5ee2SKristof Provost# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15*d39d5ee2SKristof Provost# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16*d39d5ee2SKristof Provost# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17*d39d5ee2SKristof Provost# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18*d39d5ee2SKristof Provost 19*d39d5ee2SKristof Provostfrom fragcommon import * 20*d39d5ee2SKristof Provostfrom itertools import chain 21*d39d5ee2SKristof Provost 22*d39d5ee2SKristof Provost# index boundary 4096 | 23*d39d5ee2SKristof Provost# |--------------| 24*d39d5ee2SKristof Provost# .... 25*d39d5ee2SKristof Provost# |--------------| 26*d39d5ee2SKristof Provost# |--------------| 27*d39d5ee2SKristof Provost# ....----| 28*d39d5ee2SKristof Provost# |XXXX-----| 29*d39d5ee2SKristof Provost# |--------------| 30*d39d5ee2SKristof Provost 31*d39d5ee2SKristof Provost# this should trigger "fragment requeue limit exceeded" log in kernel 32*d39d5ee2SKristof Provost 33*d39d5ee2SKristof Provostdef send(src, dst, send_if, recv_if): 34*d39d5ee2SKristof Provost pid = os.getpid() 35*d39d5ee2SKristof Provost eid = pid & 0xffff 36*d39d5ee2SKristof Provost payload = b"ABCDEFGHIJKLMNOP" 37*d39d5ee2SKristof Provost dummy = b"01234567" 38*d39d5ee2SKristof Provost fragsize = 64 39*d39d5ee2SKristof Provost boundary = 4096 40*d39d5ee2SKristof Provost fragnum= int(boundary / fragsize) 41*d39d5ee2SKristof Provost packet = sp.IP(src=src, dst=dst)/ \ 42*d39d5ee2SKristof Provost sp.ICMP(type='echo-request', id=eid)/ \ 43*d39d5ee2SKristof Provost (int((boundary + boundary) / len(payload)) * payload) 44*d39d5ee2SKristof Provost frag = [] 45*d39d5ee2SKristof Provost fid = pid & 0xffff 46*d39d5ee2SKristof Provost for i in chain(range(fragnum - 1), range(fragnum, fragnum + fragnum - 1)): 47*d39d5ee2SKristof Provost frag.append(sp.IP(src=src, dst=dst, proto=1, id=fid, 48*d39d5ee2SKristof Provost frag=(i * fragsize) >> 3, flags='MF') / 49*d39d5ee2SKristof Provost bytes(packet)[20 + i * fragsize:20 + (i + 1) * fragsize]) 50*d39d5ee2SKristof Provost frag.append(sp.IP(src=src, dst=dst, proto=1, id=fid, 51*d39d5ee2SKristof Provost frag=(boundary + boundary - fragsize) >> 3) / 52*d39d5ee2SKristof Provost bytes(packet)[20 + boundary + boundary - fragsize:]) 53*d39d5ee2SKristof Provost frag.append(sp.IP(src=src, dst=dst, proto=1, id=fid, 54*d39d5ee2SKristof Provost frag=(boundary - 8) >> 3, flags='MF')/ 55*d39d5ee2SKristof Provost (dummy + bytes(packet)[20 + boundary:20 + boundary + 8])) 56*d39d5ee2SKristof Provost frag.append(sp.IP(src=src, dst=dst, proto=1, id=fid, 57*d39d5ee2SKristof Provost frag=(boundary - fragsize) >> 3, flags='MF') / 58*d39d5ee2SKristof Provost bytes(packet)[20 + boundary - fragsize:20 + boundary]) 59*d39d5ee2SKristof Provost eth = [] 60*d39d5ee2SKristof Provost for f in frag: 61*d39d5ee2SKristof Provost eth.append(sp.Ether() / f) 62*d39d5ee2SKristof Provost 63*d39d5ee2SKristof Provost if os.fork() == 0: 64*d39d5ee2SKristof Provost time.sleep(1) 65*d39d5ee2SKristof Provost for e in eth: 66*d39d5ee2SKristof Provost sp.sendp(e, iface=send_if) 67*d39d5ee2SKristof Provost time.sleep(0.001) 68*d39d5ee2SKristof Provost os._exit(0) 69*d39d5ee2SKristof Provost 70*d39d5ee2SKristof Provost ans = sp.sniff(iface=recv_if, timeout=10, filter= 71*d39d5ee2SKristof Provost "ip and src " + dst + " and dst " + src + " and icmp") 72*d39d5ee2SKristof Provost for a in ans: 73*d39d5ee2SKristof Provost if a and a.type == ETH_P_IP and \ 74*d39d5ee2SKristof Provost a.payload.proto == 1 and \ 75*d39d5ee2SKristof Provost a.payload.frag == 0 and \ 76*d39d5ee2SKristof Provost sp.icmptypes[a.payload.payload.type] == 'echo-reply': 77*d39d5ee2SKristof Provost id = a.payload.payload.id 78*d39d5ee2SKristof Provost print("id=%#x" % (id)) 79*d39d5ee2SKristof Provost if id != eid: 80*d39d5ee2SKristof Provost print("WRONG ECHO REPLY ID") 81*d39d5ee2SKristof Provost sys.exit(2) 82*d39d5ee2SKristof Provost print("ECHO REPLY") 83*d39d5ee2SKristof Provost sys.exit(1) 84*d39d5ee2SKristof Provost sys.exit(0) 85*d39d5ee2SKristof Provost 86*d39d5ee2SKristof Provostif __name__ == '__main__': 87*d39d5ee2SKristof Provost main(send) 88