CVE-2017-13005/NFS: Add two bounds checks before fetching data
authorFrancois-Xavier Le Bail <[email protected]>
Thu, 23 Feb 2017 15:50:18 +0000 (16:50 +0100)
committerDenis Ovsienko <[email protected]>
Wed, 13 Sep 2017 11:25:44 +0000 (12:25 +0100)
This fixes a buffer over-read discovered by Kamil Frankowicz.

Add a test using the capture file supplied by the reporter(s).

print-nfs.c
tests/TESTLIST
tests/hoobr_nfs_xid_map_enter.out [new file with mode: 0644]
tests/hoobr_nfs_xid_map_enter.pcap [new file with mode: 0644]

index f3e8666e75f81cfc36b6ade10fbf66ca91af4ef3..4fd9c3f7dc5e4253e8eab6933751489c5e9afa24 100644 (file)
@@ -899,7 +899,11 @@ xid_map_enter(netdissect_options *ndo,
                UNALIGNED_MEMCPY(&xmep->client, &ip6->ip6_src, sizeof(ip6->ip6_src));
                UNALIGNED_MEMCPY(&xmep->server, &ip6->ip6_dst, sizeof(ip6->ip6_dst));
        }
+       if (!ND_TTEST(rp->rm_call.cb_proc))
+               return (0);
        xmep->proc = EXTRACT_32BITS(&rp->rm_call.cb_proc);
+       if (!ND_TTEST(rp->rm_call.cb_vers))
+               return (0);
        xmep->vers = EXTRACT_32BITS(&rp->rm_call.cb_vers);
        return (1);
 }
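Review bot: Both new ND_TTEST guards run after the xid-map slot has already been partly written — the client and server addresses are copied into `xmep` on the two UNALIGNED_MEMCPY lines above them — so on a truncated call the function returns 0 but leaves a slot whose `proc` and `vers` presumably still hold whatever an earlier packet stored there, and a later reply carrying the same xid could be matched against that stale entry. If cb_vers and cb_proc are adjacent fixed-size members of the RPC call header, as their names suggest, a single check on whichever of the two is the higher-addressed member covers both, and it belongs at the top of xid_map_enter before the slot is selected and filled: `if (!ND_TTEST(rp->rm_call.cb_proc)) return (0);` (substitute cb_vers if that is the later member). The start of xid_map_enter, where `xmep` is obtained and its xid/ipver are written, lies above this hunk, so the exact insertion point for that guard is not visible here.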
index 9ea944d484b4d1f6f31f0ddcae4477060e54abca..cf6d2a6832e153a043f818b78485a1d88de9bb21 100644 (file)
@@ -461,6 +461,7 @@ hoobr_lookup_nsap   hoobr_lookup_nsap.pcap          hoobr_lookup_nsap.out
 hoobr_rt6_print                hoobr_rt6_print.pcap            hoobr_rt6_print.out
 hoobr_nfs_printfh      hoobr_nfs_printfh.pcap          hoobr_nfs_printfh.out
 hoobr_aodv_extension   hoobr_aodv_extension.pcap       hoobr_aodv_extension.out
+hoobr_nfs_xid_map_enter hoobr_nfs_xid_map_enter.pcap    hoobr_nfs_xid_map_enter.out
 
 # bad packets from Wilfried Kirsch
 slip-bad-direction     slip-bad-direction.pcap         slip-bad-direction.out  -ve
diff --git a/tests/hoobr_nfs_xid_map_enter.out b/tests/hoobr_nfs_xid_map_enter.out
new file mode 100644 (file)
index 0000000..0629063
--- /dev/null
@@ -0,0 +1,41 @@
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+       0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0010:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0020:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0030:  30                                       0
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+       0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0010:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0020:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0030:  30                                       0
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+       0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0010:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0020:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0030:  30                                       0
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+       0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0010:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0020:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0030:  30                                       0
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+       0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0010:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0020:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0030:  30                                       0
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+       0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0010:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0020:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0030:  30                                       0
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+       0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0010:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0020:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0030:  30                                       0
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+       0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0010:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0020:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0030:  30                                       0
+IP 48.48.48.48.12336 > 48.48.48.48.2049: NFS request xid 808464432 12308 [|nfs]
diff --git a/tests/hoobr_nfs_xid_map_enter.pcap b/tests/hoobr_nfs_xid_map_enter.pcap
new file mode 100644 (file)
index 0000000..7f94730
Binary files /dev/null and b/tests/hoobr_nfs_xid_map_enter.pcap differ