From: Guy Harris
Date: Sun, 19 Feb 2017 21:56:12 +0000 (-0800)
Subject: CVE-2017-13001/NFS: Don't copy more data than is in the file handle.
X-Git-Tag: tcpdump-4.99-bp~1940
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/7a923447fd49a069a0fd3b6c3547438ab5ee2123

CVE-2017-13001/NFS: Don't copy more data than is in the file handle.

Also, put the buffer on the stack; no reason to make it static. (65 bytes isn't a lot.)

This fixes a buffer over-read discovered by Kamil Frankowicz.

Add a test using the capture file supplied by the reporter(s).
---
diff --git a/print-nfs.c b/print-nfs.c
index ef64d13a..f3e8666e 100644
--- a/print-nfs.c
+++ b/print-nfs.c
@@ -807,11 +807,15 @@ nfs_printfh(netdissect_options *ndo,
 if (sfsname) {
 /* file system ID is ASCII, not numeric, for this server OS */
- static char temp[NFSX_V3FHMAX+1];
+ char temp[NFSX_V3FHMAX+1];
+ u_int stringlen;
 /* Make sure string is null-terminated */
- strncpy(temp, sfsname, NFSX_V3FHMAX);
- temp[sizeof(temp) - 1] = '\0';
+ stringlen = len;
+ if (stringlen > NFSX_V3FHMAX)
+ stringlen = NFSX_V3FHMAX;
+ strncpy(temp, sfsname, stringlen);
+ temp[stringlen] = '\0';
 /* Remove trailing spaces */
 spacep = strchr(temp, ' ');
 if (spacep)
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 548af8f3..5d164a6b 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -458,6 +458,7 @@ hoobr_parse_field hoobr_parse_field.pcap hoobr_parse_field.out
 hoobr_chdlc_print hoobr_chdlc_print.pcap hoobr_chdlc_print.out
 hoobr_lookup_nsap hoobr_lookup_nsap.pcap hoobr_lookup_nsap.out
 hoobr_rt6_print hoobr_rt6_print.pcap hoobr_rt6_print.out
+hoobr_nfs_printfh hoobr_nfs_printfh.pcap hoobr_nfs_printfh.out
 # bad packets from Wilfried Kirsch
 slip-bad-direction slip-bad-direction.pcap slip-bad-direction.out -ve
diff --git a/tests/hoobr_nfs_printfh.out b/tests/hoobr_nfs_printfh.out
new file mode 100644
index 00000000..8082b86b
--- /dev/null
+++ b/tests/hoobr_nfs_printfh.out 
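Review bot: The new bound `stringlen = len;` treats `len` as the number of bytes readable starting at `sfsname`, but the hunk shows neither the unit of `len` nor where inside the handle `sfsname` points; if Parse_fh() returns a pointer at some offset into the handle (a name following a leading type or length word would be typical), copying `len` bytes from that offset still reads past the end of the handle by that offset, and if `len` is counted in 32-bit words the clamp merely under-reads and silently truncates the name. A bound derived from the bytes actually remaining — roughly `stringlen = len_in_bytes - (u_int)(sfsname - handle_base);` before the NFSX_V3FHMAX clamp, or a string length returned by Parse_fh() itself — removes the assumption, and a comment such as `/* len is the handle length in bytes; sfsname must point within the handle */` should pin whichever contract holds. Since the terminator is now written explicitly on the next line, `memcpy(temp, sfsname, stringlen);` states the intent more clearly than `strncpy`, which here is only a bounded copy. nfs_printfh() begins and ends outside this hunk, so the `len` parameter and the handle's base pointer used above are inferred from the signature fragment in the hunk header, not visible here.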
@@ -0,0 +1,104 @@ +30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: + 0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0030: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0040: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0050: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0060: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0070: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0080: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0090: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x00a0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x00b0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x00c0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x00d0: 3030 3030 3030 3030 3030 3030 000000000000 +30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: + 0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0020: 3030 3030 3030 3030 00000000 +30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: + 0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0030: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0040: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0050: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0060: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0070: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0080: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0090: 3030 3030 
3030 3030 3030 3030 3030 3030 0000000000000000 + 0x00a0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x00b0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x00c0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 +30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: + 0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0030: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0040: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0050: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0060: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0070: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0080: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0090: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x00a0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x00b0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x00c0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x00d0: 3030 3030 3030 3030 3030 3030 000000000000 +30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: + 0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0030: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0040: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0050: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0060: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0070: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0080: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0090: 3030 3030 3030 3030 3030 3030 3030 3030 
0000000000000000 + 0x00a0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x00b0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x00c0: 3030 3030 0000 +30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: + 0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0030: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0040: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0050: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0060: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0070: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0080: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0090: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x00a0: 3030 3030 0000 +30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: + 0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0030: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0040: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0050: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0060: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0070: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0080: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0090: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x00a0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x00b0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x00c0: 3030 3030 3030 3030 3030 3030 000000000000 +30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: + 0x0000: 
3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0030: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0040: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0050: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0060: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0070: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0080: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x0090: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x00a0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x00b0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x00c0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000 + 0x00d0: 3030 3030 3030 3030 3030 3030 000000000000 +IP 48.48.48.48.12336 > 48.48.48.48.2049: Flags [.U], seq 808464432:808476728, ack 808464432, win 12336, urg 12336, length 12296: NFS request xid 808464432 12292 readlink fh 00000000/808464432 diff --git a/tests/hoobr_nfs_printfh.pcap b/tests/hoobr_nfs_printfh.pcap new file mode 100644 index 00000000..ed9abbe8 Binary files /dev/null and b/tests/hoobr_nfs_printfh.pcap differ