NFS: Add two length checks
authorFrancois-Xavier Le Bail <[email protected]>
Wed, 8 May 2024 14:05:17 +0000 (16:05 +0200)
committerFrancois-Xavier Le Bail <[email protected]>
Wed, 8 May 2024 19:18:25 +0000 (21:18 +0200)
This change avoids adding a large number to the packet pointer and
overflowing it.

It also avoids the differences between 32-bit and 64-bit printouts.

Example:
32-bit:
NFS request xid 1168185174 80 readdirplus fh / 1441792 bytes @ 1585267068834414592 [|nfs]
---
64-bit:
NFS request xid 1168185174 80 readdirplus [|nfs]

Add a test file.
Update a test output accordingly.

(cherry picked from commit 47edb26bde6473ff8732ba77c6f6138925e0c2b5)

print-nfs.c
tests/TESTLIST
tests/nfs-attr-oobr.out
tests/nfs_large_credentials_length.out [new file with mode: 0644]
tests/nfs_large_credentials_length.pcap [new file with mode: 0644]

index bbce49536f2acf653179c742e85bccc4d324c534..8ac5d4759b8dd2ce217e8bc7ecbe99ddc86c413f 100644 (file)
@@ -434,6 +434,11 @@ parsereq(netdissect_options *ndo,
        if (length < 2 * sizeof(*dp))
                goto trunc;
        len = GET_BE_U_4(dp + 1);
+       if (len > length) {
+               ND_PRINT(" [credentials length %u > %u]", len, length);
+               nd_print_invalid(ndo);
+               return NULL;
+       }
        rounded_len = roundup2(len, 4);
        ND_TCHECK_LEN(dp + 2, rounded_len);
        if (2 * sizeof(*dp) + rounded_len <= length) {
@@ -453,6 +458,11 @@ parsereq(netdissect_options *ndo,
                if (length < 2 * sizeof(*dp))
                        goto trunc;
                len = GET_BE_U_4(dp + 1);
+               if (len > length) {
+                       ND_PRINT(" [verifier length %u > %u]", len, length);
+                       nd_print_invalid(ndo);
+                       return NULL;
+               }
                rounded_len = roundup2(len, 4);
                ND_TCHECK_LEN(dp + 2, rounded_len);
                if (2 * sizeof(*dp) + rounded_len < length) {
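Review bot: The new `if (len > length)` guard reads as redundant with the `2 * sizeof(*dp) + rounded_len <= length` test a few lines below it, and nothing in the hunk records why it has to come first, so a comment would stop the next reader from folding the two checks together. From the commit description the reason is that on 32-bit hosts the `size_t` sum wraps for a large `rounded_len`, and presumably `roundup2(len, 4)` itself wraps to 0 for `len == 4294967295` (the value in the new test output), so both `ND_TCHECK_LEN(dp + 2, rounded_len)` and the later comparison would otherwise see a harmless-looking size. I would add above the guard `/* Bound len before roundup2()/ND_TCHECK_LEN(): a len near UINT32_MAX wraps rounded_len and the size_t sum below on 32-bit hosts. */`, and the same comment at the verifier-length check in the second hunk. parsereq starts and ends outside the hunk.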
index 2fc0f68ac09c0d429a7fc0e95e9b6bc5be551f4d..5c85b7e94598dee77f2a4f3107064670ee109e56 100644 (file)
@@ -766,6 +766,7 @@ macsec-short-valid   macsec-short-valid.pcap   macsec-short-valid.out   -e
 # NFS tests
 # fuzzed pcap
 nfs-write-verf-cookie nfs-write-verf-cookie.pcapng nfs-write-verf-cookie.out -vv
+nfs_large_credentials_length nfs_large_credentials_length.pcap nfs_large_credentials_length.out
 
 # NFS fuzzed
 nfs-seg-fault-1  nfs-seg-fault-1.pcapng  nfs-seg-fault-1.out
index f693576b63720884d266929d4615ea99e7c1e479..dc4465cd173ae9975aa20884e501fa2e22f28183 100644 (file)
        0x0030:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
        0x0040:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
        0x0050:  3030                                     00
-   47  1995-08-15 05:27:12.808464432 IP 48.48.48.48.12336 > 48.48.48.48.2049: NFS request xid 3056611558 12308 access [|nfs]
+   47  1995-08-15 05:27:12.808464432 IP 48.48.48.48.12336 > 48.48.48.48.2049: NFS request xid 3056611558 12308 access [credentials length 808464432 > 12308] (invalid) [|nfs]
    48  1995-08-15 05:27:12.808464432 IP 48.48.48.48.2049 > 48.48.48.48.12336: NFS reply xid 3056611558 reply ok 12308 access [|nfs]
diff --git a/tests/nfs_large_credentials_length.out b/tests/nfs_large_credentials_length.out
new file mode 100644 (file)
index 0000000..31e776d
--- /dev/null
@@ -0,0 +1 @@
+    1  1971-09-12 02:15:12.134350544 IP 255.10.0.1.63476 > 127.0.0.1.2049: NFS request xid 1168185174 80 readdirplus [credentials length 4294967295 > 80] (invalid) [|nfs]
diff --git a/tests/nfs_large_credentials_length.pcap b/tests/nfs_large_credentials_length.pcap
new file mode 100644 (file)
index 0000000..aea7972
Binary files /dev/null and b/tests/nfs_large_credentials_length.pcap differ