feat(net): Check whether ICMP embedded packet is full

qmonnet · qmonnet · commit 683618b3deed · 2025-10-03T00:55:33.000+01:00
Introduce a method to check whether the IP packet embedded inside of an
ICMP Error message is full.

This can be useful for NAT. As part of NAT, we should validate and
update the checksum for the inner IP and transport layers, but it's not
worth updating the checksum if the payload is not complete.

It's delicate to perform all checks required for this verification, and
we can't call the function just from any location, because we need to
access:

- The buffer containing the ICMP header, to extract the optional length
  field to check for the presence of ICMP extensions (this field is not
  exposed as part of the Icmpv4Header),
- The length comsummed when parsing headers for the embedded packet -
  this is the best alternative we have to re-parsing the full IPv6
  header to compute its length,
- The parsed data, in particular the total length (IPv4) or payload
  length (IPv6) and header length (TCP), from the collected headers.

For this reason, we store the result as part of the EmbeddedHeaders
struct, so we can reuse it when necessary.

Signed-off-by: Quentin Monnet &lt;qmo@qmon.net&gt;
diff --git a/net/src/headers/embedded.rs b/net/src/headers/embedded.rs
@@ -34,6 +34,135 @@ pub struct EmbeddedHeaders {
     net: Option<Net>,
     net_ext: ArrayVec<NetExt, MAX_NET_EXTENSIONS>,
     transport: Option<EmbeddedTransport>,
+    full_payload: bool,
+}
+
+impl EmbeddedHeaders {
+    pub fn is_full_payload(&self) -> bool {
+        self.full_payload
+    }
+
+    pub fn check_full_payload(
+        &mut self,
+        buf: &[u8],
+        remaining: usize,
+        headers_size: usize,
+        icmp_length: usize,
+    ) {
+        self.full_payload = false;
+
+        match &mut self.transport {
+            None
+            | Some(EmbeddedTransport::Tcp(TruncatedTcp::PartialHeader(_)))
+            | Some(EmbeddedTransport::Udp(TruncatedUdp::PartialHeader(_))) => {
+                // We couldn't parse the full transport header, of course we don't have the full,
+                // valid payload
+                return;
+            }
+            Some(EmbeddedTransport::Tcp(TruncatedTcp::FullHeader(_)))
+            | Some(EmbeddedTransport::Udp(TruncatedUdp::FullHeader(_))) => {
+                // There's a chance payload is full, keep going
+            }
+        }
+
+        // We want to compare the total size of the original IP packet with the length of the ICMP
+        // payload, knowing that :
+        //
+        // Is size_ip_packet == size_icmp_payload?
+        //
+        // But for IPv6 we don't have the size of the full packet in the header, we need to sum up
+        // the sizes of all headers and it's painful. Instead, let's use the length of data we've
+        // consumed while parsing the ICMP payload. It covers the L3 + L4 headers. The check
+        // becomes:
+        //
+        // Is size_ip_headers + size_ip_payload == size_icmp_payload?
+        //
+        // Where size_ip_headers is the length consumed, minus the length of the transport header.
+        // So in the end, our final check is:
+        //
+        // Is size_headers_parsed - size_transport_header + size_ip_payload == size_icmp_payload?
+
+        // Find the IP payload length
+        let ip_payload_length = match &self.net {
+            None => {
+                return;
+            }
+            Some(Net::Ipv4(ip)) => {
+                let Ok(ipv4_payload_length) = ip.0.payload_len().map(usize::from) else {
+                    return;
+                };
+                ipv4_payload_length
+            }
+            Some(Net::Ipv6(ip)) => {
+                let ipv6_payload_length = ip.0.payload_length;
+                if ipv6_payload_length == 0 {
+                    // IPv6 Jumbogram (RFC 2675) - we can't know the payload length and it's
+                    // unlikely it's all in the ICMP message payload anyway.
+                    return;
+                }
+                ipv6_payload_length as usize
+            }
+        };
+
+        // Find the transport header length
+        let transport_header_length = match &mut self.transport {
+            Some(EmbeddedTransport::Tcp(TruncatedTcp::FullHeader(tcp))) => tcp.header_len().get(),
+            Some(EmbeddedTransport::Udp(TruncatedUdp::FullHeader(_))) => 8,
+            _ => unreachable!(), // Checked at the beginning of the function
+        };
+
+        // Compute the size of the IP headers
+        let Some(size_ip_headers) = headers_size.checked_sub(transport_header_length) else {
+            return;
+        };
+
+        let full_packet_size = size_ip_headers + ip_payload_length;
+
+        if icmp_length > 0 {
+            // ICMP message may optionally contain the length of the embedded piece of the original
+            // IP packet. If this is the case, we just need to check the announced IP packet length
+            // against this value.
+            //
+            // From RFC 4884: The length attribute represents the length of the padded "original
+            // datagram" field.
+            match self.net {
+                Some(Net::Ipv4(_)) => {
+                    if icmp_length < full_packet_size {
+                        // The embedded message is shorter than the original packet
+                        return;
+                    }
+                    if icmp_length > buf.len() {
+                        // Embedded payload is larger than our buffer? Something's wrong
+                        return;
+                    }
+                    let padding_length = icmp_length - full_packet_size;
+                    // ICMPv4: Padding is on 32-bit boundaries
+                    self.full_payload = padding_length < 32
+                        && buf[full_packet_size..icmp_length].iter().all(|b| *b == 0);
+                }
+                Some(Net::Ipv6(_)) => {
+                    if icmp_length < full_packet_size {
+                        // The embedded message is shorter than the original packet
+                        return;
+                    }
+                    if icmp_length > buf.len() {
+                        // Embedded payload is larger than our buffer? Something's wrong
+                        return;
+                    }
+                    let padding_length = icmp_length - full_packet_size;
+                    // ICMPv6: Padding is on 64-bit boundaries
+                    self.full_payload = padding_length < 64
+                        && buf[full_packet_size..icmp_length].iter().all(|b| *b == 0);
+                }
+                None => {
+                    unreachable!() // Checked earlier in the function
+                }
+            }
+        }
+
+        // Check that the full headers + payload are present
+        self.full_payload = full_packet_size == remaining;
+    }
 }
 
 impl ParseWith for EmbeddedHeaders {
diff --git a/net/src/icmp4/mod.rs b/net/src/icmp4/mod.rs
@@ -130,13 +130,35 @@ impl Icmp4 {
         })
     }
 
+    fn payload_length(&self, buf: &[u8]) -> usize {
+        // See RFC 4884. Icmpv4Type::Redirect does not get an optional length field.
+        match self.icmp_type() {
+            Icmpv4Type::DestinationUnreachable(_)
+            | Icmpv4Type::TimeExceeded(_)
+            | Icmpv4Type::ParameterProblem(_) => {
+                let payload_length = buf[4];
+                payload_length as usize * 4
+            }
+            _ => 0,
+        }
+    }
+
     pub(crate) fn parse_payload(&self, cursor: &mut Reader) -> Option<EmbeddedHeaders> {
         if !self.is_error_message() {
             return None;
         }
-        let (headers, consumed) =
+        let (mut headers, consumed) =
             EmbeddedHeaders::parse_with(EmbeddedIpVersion::Ipv4, cursor.inner).ok()?;
         cursor.consume(consumed).ok()?;
+
+        // Mark whether the payload of the embedded IP packet is full
+        headers.check_full_payload(
+            &cursor.inner[cursor.inner.len() - cursor.remaining as usize..],
+            cursor.remaining as usize,
+            consumed.get() as usize,
+            self.payload_length(cursor.inner),
+        );
+
         Some(headers)
     }
 }
diff --git a/net/src/icmp6/mod.rs b/net/src/icmp6/mod.rs
@@ -65,13 +65,35 @@ impl Icmp6 {
         })
     }
 
+    fn payload_length(&self, buf: &[u8]) -> usize {
+        // See RFC 4884.
+        match self.icmp_type() {
+            Icmpv6Type::DestinationUnreachable(_)
+            | Icmpv6Type::TimeExceeded(_)
+            | Icmpv6Type::ParameterProblem(_) => {
+                let payload_length = buf[3];
+                payload_length as usize * 8
+            }
+            _ => 0,
+        }
+    }
+
     pub(crate) fn parse_payload(&self, cursor: &mut Reader) -> Option<EmbeddedHeaders> {
         if !self.is_error_message() {
             return None;
         }
-        let (headers, consumed) =
+        let (mut headers, consumed) =
             EmbeddedHeaders::parse_with(EmbeddedIpVersion::Ipv6, cursor.inner).ok()?;
         cursor.consume(consumed).ok()?;
+
+        // Mark whether the payload of the embedded IP packet is full
+        headers.check_full_payload(
+            &cursor.inner[cursor.inner.len() - cursor.remaining as usize..],
+            cursor.remaining as usize,
+            consumed.get() as usize,
+            self.payload_length(cursor.inner),
+        );
+
         Some(headers)
     }
 }
