From 47edb26bde6473ff8732ba77c6f6138925e0c2b5 Mon Sep 17 00:00:00 2001 From: Francois-Xavier Le Bail Date: Wed, 8 May 2024 16:05:17 +0200 Subject: NFS: Add two length checks This change avoids adding a large number to the packet pointer and overflow it. It also avoids the differences between 32-bit and 64-bit printouts. Example: 32-bit: NFS request xid 1168185174 80 readdirplus fh / 1441792 bytes @ 1585267068834414592 [|nfs] --- 64-bit: NFS request xid 1168185174 80 readdirplus [|nfs] Add a test file. Update a test output accordingly. --- print-nfs.c | 10 ++++++++++ tests/TESTLIST | 1 + tests/nfs-attr-oobr.out | 2 +- tests/nfs_large_credentials_length.out | 1 + tests/nfs_large_credentials_length.pcap | Bin 0 -> 147 bytes 5 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 tests/nfs_large_credentials_length.out create mode 100644 tests/nfs_large_credentials_length.pcap diff --git a/print-nfs.c b/print-nfs.c index 523a0716..b67ec370 100644 --- a/print-nfs.c +++ b/print-nfs.c @@ -432,6 +432,11 @@ parsereq(netdissect_options *ndo, if (length < 2 * sizeof(*dp)) goto trunc; len = GET_BE_U_4(dp + 1); + if (len > length) { + ND_PRINT(" [credentials length %u > %u]", len, length); + nd_print_invalid(ndo); + return NULL; + } rounded_len = roundup2(len, 4); ND_TCHECK_LEN(dp + 2, rounded_len); if (2 * sizeof(*dp) + rounded_len <= length) { @@ -451,6 +456,11 @@ parsereq(netdissect_options *ndo, if (length < 2 * sizeof(*dp)) goto trunc; len = GET_BE_U_4(dp + 1); + if (len > length) { + ND_PRINT(" [verifier length %u > %u]", len, length); + nd_print_invalid(ndo); + return NULL; + } rounded_len = roundup2(len, 4); ND_TCHECK_LEN(dp + 2, rounded_len); if (2 * sizeof(*dp) + rounded_len < length) { diff --git a/tests/TESTLIST b/tests/TESTLIST index dd00127a..0e82ebcd 100644 --- a/tests/TESTLIST +++ b/tests/TESTLIST @@ -836,6 +836,7 @@ macsec-short-valid macsec-short-valid.pcap macsec-short-valid.out -e # NFS tests # fuzzed pcap nfs-write-verf-cookie nfs-write-verf-cookie.pcapng nfs-write-verf-cookie.out -vv +nfs_large_credentials_length nfs_large_credentials_length.pcap nfs_large_credentials_length.out # NFS fuzzed nfs-seg-fault-1 nfs-seg-fault-1.pcapng nfs-seg-fault-1.out diff --git a/tests/nfs-attr-oobr.out b/tests/nfs-attr-oobr.out index f693576b..dc4465cd 100644 --- a/tests/nfs-attr-oobr.out +++ b/tests/nfs-attr-oobr.out @@ -301,5 +301,5 @@ 0x0030: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 0x0040: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 0x0050: 3030 00 - 47 1995-08-15 05:27:12.808464432 IP 48.48.48.48.12336 > 48.48.48.48.2049: NFS request xid 3056611558 12308 access [|nfs] + 47 1995-08-15 05:27:12.808464432 IP 48.48.48.48.12336 > 48.48.48.48.2049: NFS request xid 3056611558 12308 access [credentials length 808464432 > 12308] (invalid) [|nfs] 48 1995-08-15 05:27:12.808464432 IP 48.48.48.48.2049 > 48.48.48.48.12336: NFS reply xid 3056611558 reply ok 12308 access [|nfs] diff --git a/tests/nfs_large_credentials_length.out b/tests/nfs_large_credentials_length.out new file mode 100644 index 00000000..31e776d8 --- /dev/null +++ b/tests/nfs_large_credentials_length.out @@ -0,0 +1 @@ + 1 1971-09-12 02:15:12.134350544 IP 255.10.0.1.63476 > 127.0.0.1.2049: NFS request xid 1168185174 80 readdirplus [credentials length 4294967295 > 80] (invalid) [|nfs] diff --git a/tests/nfs_large_credentials_length.pcap b/tests/nfs_large_credentials_length.pcap new file mode 100644 index 00000000..aea79723 Binary files /dev/null and b/tests/nfs_large_credentials_length.pcap differ -- cgit v1.2.3