Fix nfdump crashes, when feeded with garbage input. Issue #104

phaag · Apr 1, 2018 · 9f0fe95 · 9f0fe95
1 parent 27f62a5
commit 9f0fe95
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 3 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,7 @@
+2018-04-01
+- Add program exit in nfx.c after panic with correupt data file
+- Add missing size check when reading nfdump 1.5.x common record blocks
+
 2018-02-11
 - Add missing json output format in nfdump help text
 - Add missing -v option in nfreplay help text

diff --git a/bin/nfdump.c b/bin/nfdump.c
@@ -542,7 +542,11 @@ int	v1_map_done = 0;
 							exit(255);
 						}
 					}
-					ConvertCommonV0((void *)record_ptr, (common_record_t *)ConvertBuffer);
+					if ( !ConvertCommonV0((void *)record_ptr, (common_record_t *)ConvertBuffer) ) {
+						LogError("Corrupt data file. Unable to decode at %s line %d\n", __FILE__, __LINE__);
+						exit(255);
+
+					}
 					flow_record = (common_record_t *)ConvertBuffer;
 					dbg_printf("Converted type %u to %u record\n", CommonRecordV0Type, CommonRecordType);
 				case CommonRecordType: {

diff --git a/bin/nffile_inline.c b/bin/nffile_inline.c
@@ -38,7 +38,7 @@ static inline void AppendToBuffer(nffile_t *nffile, void *record, size_t require
 
 static inline void CopyV6IP(uint32_t *dst, uint32_t *src);
 
-static inline void ConvertCommonV0(void *record, common_record_t *flow_record);
+static inline int ConvertCommonV0(void *record, common_record_t *flow_record);
 
 static inline void ExpandRecord_v2(common_record_t *input_record, extension_info_t *extension_info, exporter_info_record_t *exporter_info, master_record_t *output_record );
 
@@ -75,11 +75,13 @@ static inline void CopyV6IP(uint32_t *dst, uint32_t *src) {
 	dst[3] = src[3];
 } // End of CopyV6IP
 
-static inline void ConvertCommonV0(void *record, common_record_t *flow_record) {
+static inline int ConvertCommonV0(void *record, common_record_t *flow_record) {
 common_record_v0_t *flow_record_v0 = (common_record_v0_t *)record;
 
 	// copy v0 common record
 	memcpy((void *)flow_record, record, COMMON_RECORDV0_DATA_SIZE);
+	if ( flow_record_v0->size <= COMMON_RECORDV0_DATA_SIZE ) 
+		return 0;
 	memcpy((void *)flow_record->data, (void *)flow_record_v0->data, flow_record_v0->size - COMMON_RECORDV0_DATA_SIZE);
 
 	// fix record differences
@@ -89,6 +91,7 @@ common_record_v0_t *flow_record_v0 = (common_record_v0_t *)record;
 	flow_record->exporter_sysid = flow_record_v0->exporter_sysid;
 	flow_record->reserved 		= 0;
 
+	return 1;
 } // End of ConvertCommonV0
 
 /*

diff --git a/bin/nfx.c b/bin/nfx.c
@@ -542,6 +542,7 @@ int i, extension_size, max_elements;
 		int id = map->ex_id[i];
 		if ( id > Max_num_extensions ) {
 			printf("PANIC! - Verify map id %i: ERROR: element id %i out of range [%i]!\n", map->map_id, id, Max_num_extensions);
+			exit(255);
 		}
 		extension_size += extension_descriptor[id].size;
 		i++;