Index: /trunk/src/VBox/NetworkServices/NAT/pxping.c =================================================================== --- /trunk/src/VBox/NetworkServices/NAT/pxping.c (revision 49616) +++ /trunk/src/VBox/NetworkServices/NAT/pxping.c (revision 49617) @@ -946,4 +946,9 @@ } + + /* + * Is this a reply to one of our pings? + */ + ip_addr_copy(target_ip, iph->src); mapped = pxremap_inbound_ip4(&target_ip, &target_ip); @@ -971,4 +976,9 @@ sys_mutex_unlock(&pxping->lock); + + + /* + * Rewrite headers and forward to guest. + */ /* rewrite ICMP echo header */ @@ -1018,4 +1028,9 @@ icmph = (struct icmp_echo_hdr *)(pollmgr_udpbuf + IP_HLEN); + /* + * Inner IP datagram is not checked by the kernel and may be + * anything, possibly malicious. + */ + oipoff = IP_HLEN + ICMP_HLEN; oiplen = iplen - oipoff; /* NB: truncated length, not IPH_LEN(oiph) */ @@ -1073,12 +1088,16 @@ DPRINTF2(("%s: ping %s id 0x%x seq %d", __func__, addrstr, ntohs(id), ntohs(seq))); - } - - if (ICMPH_TYPE(icmph) == ICMP_DUR) { - DPRINTF2((" unreachable (code %d)\n", ICMPH_CODE(icmph))); - } - else { - DPRINTF2((" time exceeded\n")); - } + if (ICMPH_TYPE(icmph) == ICMP_DUR) { + DPRINTF2((" unreachable (code %d)\n", ICMPH_CODE(icmph))); + } + else { + DPRINTF2((" time exceeded\n")); + } + } + + + /* + * Is the inner (failed) datagram one of our pings? + */ ip_addr_copy(target_ip, oiph->dest); /* inner (failed) */ @@ -1103,4 +1122,11 @@ sys_mutex_unlock(&pxping->lock); + + + /* + * Rewrite both inner and outer headers and forward to guest. + * Note that the checksum of the outer ICMP error message is + * preserved by the changes we do to inner headers. + */ ip_addr_copy(error_ip, iph->src); /* node that reports the error */ @@ -1130,6 +1156,4 @@ sum = FOLD_U32T(sum); IPH_CHKSUM_SET(oiph, ~sum); - - /* keep outer ICMP error header: checksum not affected by the above */ /* rewrite outer IP header */