author | Francois-Xavier Le Bail <devel.fx.lebail@orange.fr> | 2024-05-08 16:05:17 +0200 |
---|---|---|
committer | Francois-Xavier Le Bail <devel.fx.lebail@orange.fr> | 2024-05-08 21:18:25 +0200 |
commit | c5c912ad34a88dcf5878be64b36daa535c5265f9 (patch) | |
tree | a1117881e1073532fa0c8db201af8bdbe66096fb | |
parent | 4966c764d28afc1cc99a4565946e356d19ce0635 (diff) | |
NFS: Add two length checks (upstream-tcpdump-4.99)
This change avoids adding a large number to the packet pointer and
overflowing it.
It also avoids the differences between 32-bit and 64-bit printouts.
Example:
32-bit:
NFS request xid 1168185174 80 readdirplus fh / 1441792 bytes @ 1585267068834414592 [|nfs]
---
64-bit:
NFS request xid 1168185174 80 readdirplus [|nfs]
Add a test file.
Update a test output accordingly.
(cherry picked from commit 47edb26bde6473ff8732ba77c6f6138925e0c2b5)
-rw-r--r-- | print-nfs.c | 10 | ||||
-rw-r--r-- | tests/TESTLIST | 1 | ||||
-rw-r--r-- | tests/nfs-attr-oobr.out | 2 | ||||
-rw-r--r-- | tests/nfs_large_credentials_length.out | 1 | ||||
-rw-r--r-- | tests/nfs_large_credentials_length.pcap | bin | 0 -> 147 bytes |
5 files changed, 13 insertions, 1 deletions
diff --git a/print-nfs.c b/print-nfs.c
index bbce4953..8ac5d475 100644
--- a/print-nfs.c
+++ b/print-nfs.c
@@ -434,6 +434,11 @@ parsereq(netdissect_options *ndo,
 if (length < 2 * sizeof(*dp))
 goto trunc;
 len = GET_BE_U_4(dp + 1);
+ if (len > length) {
+ ND_PRINT(" [credentials length %u > %u]", len, length);
+ nd_print_invalid(ndo);
+ return NULL;
+ }
 rounded_len = roundup2(len, 4);
 ND_TCHECK_LEN(dp + 2, rounded_len);
 if (2 * sizeof(*dp) + rounded_len <= length) {
@@ -453,6 +458,11 @@ parsereq(netdissect_options *ndo,
 if (length < 2 * sizeof(*dp))
 goto trunc;
 len = GET_BE_U_4(dp + 1);
+ if (len > length) {
+ ND_PRINT(" [verifier length %u > %u]", len, length);
+ nd_print_invalid(ndo);
+ return NULL;
+ }
 rounded_len = roundup2(len, 4);
 ND_TCHECK_LEN(dp + 2, rounded_len);
 if (2 * sizeof(*dp) + rounded_len < length) {
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 2fc0f68a..5c85b7e9 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -766,6 +766,7 @@ macsec-short-valid macsec-short-valid.pcap macsec-short-valid.out -e
 # NFS tests
 # fuzzed pcap
 nfs-write-verf-cookie nfs-write-verf-cookie.pcapng nfs-write-verf-cookie.out -vv
+nfs_large_credentials_length nfs_large_credentials_length.pcap nfs_large_credentials_length.out
 # NFS fuzzed
 nfs-seg-fault-1 nfs-seg-fault-1.pcapng nfs-seg-fault-1.out
diff --git a/tests/nfs-attr-oobr.out b/tests/nfs-attr-oobr.out
index f693576b..dc4465cd 100644
--- a/tests/nfs-attr-oobr.out
+++ b/tests/nfs-attr-oobr.out
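Review bot: The new `len > length` guard in the credentials check is looser than the space actually left, because the two header words (`2 * sizeof(*dp)` bytes) are already counted in `length`. A `len` that fits in `length` but not in `length - 2 * sizeof(*dp)` passes the guard and is only caught by the later `2 * sizeof(*dp) + rounded_len <= length` test, whose failure path lies outside the hunk and so presumably does not print the new `(invalid)` diagnostic. Since `length < 2 * sizeof(*dp)` is rejected just above, the subtraction cannot wrap, so the guard could read `if (len > length - 2 * sizeof(*dp)) {`, with the message printing that remaining size instead of `length`. The verifier check in the second hunk has the same gap. parsereq's body starts and ends outside both hunks.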
@@ -301,5 +301,5 @@
 0x0030: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
 0x0040: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
 0x0050: 3030 00
- 47 1995-08-15 05:27:12.808464432 IP 48.48.48.48.12336 > 48.48.48.48.2049: NFS request xid 3056611558 12308 access [|nfs]
+ 47 1995-08-15 05:27:12.808464432 IP 48.48.48.48.12336 > 48.48.48.48.2049: NFS request xid 3056611558 12308 access [credentials length 808464432 > 12308] (invalid) [|nfs]
 48 1995-08-15 05:27:12.808464432 IP 48.48.48.48.2049 > 48.48.48.48.12336: NFS reply xid 3056611558 reply ok 12308 access [|nfs]
diff --git a/tests/nfs_large_credentials_length.out b/tests/nfs_large_credentials_length.out
new file mode 100644
index 00000000..31e776d8
--- /dev/null
+++ b/tests/nfs_large_credentials_length.out
@@ -0,0 +1 @@
+ 1 1971-09-12 02:15:12.134350544 IP 255.10.0.1.63476 > 127.0.0.1.2049: NFS request xid 1168185174 80 readdirplus [credentials length 4294967295 > 80] (invalid) [|nfs]
diff --git a/tests/nfs_large_credentials_length.pcap b/tests/nfs_large_credentials_length.pcap
Binary files differnew file mode 100644
index 00000000..aea79723
--- /dev/null
+++ b/tests/nfs_large_credentials_length.pcap |