security: improve IPv4 packet validation #344

Open
hongkongkiwi wants to merge 4 commits into expressvpn:main from hongkongkiwi:fix-pr13-packet-v2

@hongkongkiwi
Summary

Enhanced IPv4 packet validation with comprehensive security checks:

Changes

  • Minimum packet size: Rejects packets smaller than 20 bytes (IPv4 header minimum)
  • IP version check: Only accepts IPv4, rejects IPv6 packets
  • Header length validation: IHL must be 5-15 (20-60 bytes)
  • Total length consistency: Ensures packet length matches declared length
  • Address filtering: Rejects loopback (127.x.x.x), reserved (0.x.x.x), and limited broadcast (255.255.255.255)
  • Test coverage: Added comprehensive test cases for all validation rules

Files Changed

  • lightway-core/src/utils.rs: Enhanced ipv4_is_valid_packet() function

Security Impact

Prevents various packet-based attacks:

  • Truncated packet attacks
  • Invalid header length attacks
  • Loopback/reserved address spoofing
  • Broadcast storms

Add comprehensive validation for incoming IPv4 packets:
- Check minimum packet size (20 bytes header)
- Validate IP version is 4
- Validate header length field (IHL) is at least 5 and doesn't exceed packet size
- Validate total length field is reasonable
- Skip loopback (127.x.x.x) and reserved (0.x.x.x) source/destination addresses

These checks prevent various packet-based attacks including:
- Truncated packet attacks
- Invalid header length attacks
- Loopback/reserved address spoofing

Also adds test cases for the new validation logic.

Reject packets with destination 255.255.255.255 to prevent potential
broadcast storms or abuse. This is in addition to the existing checks
for loopback (127.x.x.x) and reserved (0.x.x.x) addresses.

Add documentation noting that production deployments should consider
lowering the default max entries (65535) to limit memory consumption
from fragmented packet attacks.

- Fix v6_not_supported test case to use 24-byte buffer starting with 0x60
  (previously only 1 byte, which tested minimum size instead of version check)
- Fix test packet total_length byte order (was 0x1c, 0x00 -> now 0x00, 0x1c)
- Add docstring to ipv4_is_valid_packet function to improve coverage
@hongkongkiwi hongkongkiwi requested a review from a team as a code owner January 28, 2026 01:58
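
The validation order listed in the description and commit messages above, written out as an added Rust example; it is not the code from this pull request or from lightway-core. `Reject`, `check_ipv4` and `sample` are hypothetical names, the packets are constructed, and reading "matches declared length" as exact equality with the buffer length is an assumption.

```rust
// Added example, not lightway-core code. All names here are hypothetical.
#[derive(Debug, PartialEq)]
pub enum Reject { TooShort, NotIpv4, BadIhl, BadTotalLength, BadAddress }

/// Applies the checks in the order the PR description lists them.
pub fn check_ipv4(buf: &[u8]) -> Result<(), Reject> {
    // Minimum size first, so every fixed-offset read below is in bounds.
    if buf.len() < 20 { return Err(Reject::TooShort); }
    // Version is the high nibble of byte 0; 0x6_ is IPv6.
    if buf[0] >> 4 != 4 { return Err(Reject::NotIpv4); }
    // IHL is the low nibble, counted in 32-bit words (a 4-bit field, so <= 15).
    let header_len = usize::from(buf[0] & 0x0f) * 4;
    if header_len < 20 || header_len > buf.len() { return Err(Reject::BadIhl); }
    // Total length is big-endian in bytes 2..4.
    // Assumption: "matches declared length" means equal to the buffer length.
    let total_len = usize::from(u16::from_be_bytes([buf[2], buf[3]]));
    if total_len != buf.len() { return Err(Reject::BadTotalLength); }
    // Loopback and 0.x.x.x on either side, limited broadcast as destination.
    let (src, dst) = (&buf[12..16], &buf[16..20]);
    let bad = |a: &[u8]| a[0] == 127 || a[0] == 0;
    if bad(src) || bad(dst) || dst.iter().all(|&b| b == 255) {
        return Err(Reject::BadAddress);
    }
    Ok(())
}

/// Constructed sample: 20-byte header plus 8 payload bytes, total length 28.
pub fn sample(src: [u8; 4], dst: [u8; 4]) -> Vec<u8> {
    let mut p = vec![0u8; 28];
    p[0] = 0x45; // version 4, IHL 5
    p[2..4].copy_from_slice(&28u16.to_be_bytes()); // 0x00, 0x1c
    p[12..16].copy_from_slice(&src);
    p[16..20].copy_from_slice(&dst);
    p
}

fn main() {
    let good = sample([10, 0, 0, 1], [10, 0, 0, 2]);
    let mut swapped = good.clone();
    swapped[2..4].copy_from_slice(&[0x1c, 0x00]); // little-endian by mistake: 7168
    let mut v6 = vec![0u8; 24];
    v6[0] = 0x60;
    println!("good: {:?}", check_ipv4(&good));
    println!("swapped length: {:?}", check_ipv4(&swapped));
    println!("1-byte 0x60: {:?}", check_ipv4(&[0x60])); // size check fires first
    println!("24-byte 0x60: {:?}", check_ipv4(&v6)); // reaches the version check
}
```

Returning a distinct reason per rule lets each test assert which check fired, which is what separates the 1-byte and 24-byte `0x60` cases mentioned in the last commit message.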