CVE-2017-13001/NFS: Don't copy more data than is in the file handle.

Also, put the buffer on the stack; no reason to make it static.  (65
bytes isn't a lot.)

This fixes a buffer over-read discovered by Kamil Frankowicz.

Add a test using the capture file supplied by the reporter(s).

diff --git a/print-nfs.c b/print-nfs.c
index ef64d13ab23e80963a4b4ef32459096197f65091..f3e8666e75f81cfc36b6ade10fbf66ca91af4ef3 100644 (file)
--- a/print-nfs.c
+++ b/print-nfs.c
@@ -807,11 +807,15 @@ nfs_printfh(netdissect_options *ndo,
 
        if (sfsname) {
                /* file system ID is ASCII, not numeric, for this server OS */
-               static char temp[NFSX_V3FHMAX+1];
+               char temp[NFSX_V3FHMAX+1];
+               u_int stringlen;
 
                /* Make sure string is null-terminated */
-               strncpy(temp, sfsname, NFSX_V3FHMAX);
-               temp[sizeof(temp) - 1] = '\0';
+               stringlen = len;
+               if (stringlen > NFSX_V3FHMAX)
+                       stringlen = NFSX_V3FHMAX;
+               strncpy(temp, sfsname, stringlen);
+               temp[stringlen] = '\0';
                /* Remove trailing spaces */
                spacep = strchr(temp, ' ');
                if (spacep)

diff --git a/tests/TESTLIST b/tests/TESTLIST
index 548af8f30bd79d8d8d06ea8e568a2e0739246830..5d164a6bf293ec6815940da11c43a4f0aad08cd5 100644 (file)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -458,6 +458,7 @@ hoobr_parse_field   hoobr_parse_field.pcap          hoobr_parse_field.out
 hoobr_chdlc_print      hoobr_chdlc_print.pcap          hoobr_chdlc_print.out
 hoobr_lookup_nsap      hoobr_lookup_nsap.pcap          hoobr_lookup_nsap.out
 hoobr_rt6_print                hoobr_rt6_print.pcap            hoobr_rt6_print.out
+hoobr_nfs_printfh      hoobr_nfs_printfh.pcap          hoobr_nfs_printfh.out
 
 # bad packets from Wilfried Kirsch
 slip-bad-direction     slip-bad-direction.pcap         slip-bad-direction.out  -ve

diff --git a/tests/hoobr_nfs_printfh.out b/tests/hoobr_nfs_printfh.out
new file mode 100644 (file)
index 0000000..8082b86
--- /dev/null
+++ b/tests/hoobr_nfs_printfh.out
@@ -0,0 +1,104 @@
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+       0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0010:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0020:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0030:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0040:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0050:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0060:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0070:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0080:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0090:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x00a0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x00b0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x00c0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x00d0:  3030 3030 3030 3030 3030 3030            000000000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+       0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0010:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0020:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+       0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0010:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0020:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0030:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0040:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0050:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0060:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0070:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0080:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0090:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x00a0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x00b0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x00c0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+       0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0010:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0020:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0030:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0040:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0050:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0060:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0070:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0080:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0090:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x00a0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x00b0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x00c0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x00d0:  3030 3030 3030 3030 3030 3030            000000000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+       0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0010:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0020:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0030:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0040:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0050:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0060:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0070:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0080:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0090:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x00a0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x00b0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x00c0:  3030 3030                                0000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+       0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0010:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0020:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0030:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0040:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0050:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0060:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0070:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0080:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0090:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x00a0:  3030 3030                                0000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+       0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0010:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0020:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0030:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0040:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0050:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0060:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0070:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0080:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0090:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x00a0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x00b0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x00c0:  3030 3030 3030 3030 3030 3030            000000000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+       0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0010:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0020:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0030:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0040:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0050:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0060:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0070:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0080:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0090:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x00a0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x00b0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x00c0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x00d0:  3030 3030 3030 3030 3030 3030            000000000000
+IP 48.48.48.48.12336 > 48.48.48.48.2049: Flags [.U], seq 808464432:808476728, ack 808464432, win 12336, urg 12336, length 12296: NFS request xid 808464432 12292 readlink fh 00000000/808464432

diff --git a/tests/hoobr_nfs_printfh.pcap b/tests/hoobr_nfs_printfh.pcap
new file mode 100644 (file)
index 0000000..ed9abbe
Binary files /dev/null and b/tests/hoobr_nfs_printfh.pcap differ