
Commit 7a92344

guyharris authored and infrastation committed
CVE-2017-13001/NFS: Don't copy more data than is in the file handle.
Also, put the buffer on the stack; no reason to make it static. (65 bytes isn't a lot.) This fixes a buffer over-read discovered by Kamil Frankowicz. Add a test using the capture file supplied by the reporter(s).
1 parent 8512734 commit 7a92344


4 files changed

+112
-3
lines changed


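--- a/print-nfs.c
+++ b/print-nfs.c
@@ -807,11 +807,15 @@ nfs_printfh(netdissect_options *ndo,
 
 if (sfsname) {
 /* file system ID is ASCII, not numeric, for this server OS */
-static char temp[NFSX_V3FHMAX+1];
+char temp[NFSX_V3FHMAX+1];
+u_int stringlen;
 
 /* Make sure string is null-terminated */
-strncpy(temp, sfsname, NFSX_V3FHMAX);
-temp[sizeof(temp) - 1] = '\0';
+stringlen = len;
+if (stringlen > NFSX_V3FHMAX)
+stringlen = NFSX_V3FHMAX;
+strncpy(temp, sfsname, stringlen);
+temp[stringlen] = '\0';
 /* Remove trailing spaces */
 spacep = strchr(temp, ' ');
 if (spacep)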
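--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -458,6 +458,7 @@ hoobr_parse_field hoobr_parse_field.pcap hoobr_parse_field.out
 hoobr_chdlc_print hoobr_chdlc_print.pcap hoobr_chdlc_print.out
 hoobr_lookup_nsap hoobr_lookup_nsap.pcap hoobr_lookup_nsap.out
 hoobr_rt6_print hoobr_rt6_print.pcap hoobr_rt6_print.out
+hoobr_nfs_printfh hoobr_nfs_printfh.pcap hoobr_nfs_printfh.out
 
 # bad packets from Wilfried Kirsch
 slip-bad-direction slip-bad-direction.pcap slip-bad-direction.out -ve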
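--- a/tests/hoobr_nfs_printfh.out
+++ b/tests/hoobr_nfs_printfh.out
@@ -0,0 +1,104 @@
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432:
+0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0030: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0040: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0050: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0060: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0070: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0080: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0090: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x00a0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x00b0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x00c0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x00d0: 3030 3030 3030 3030 3030 3030 000000000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432:
+0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0020: 3030 3030 3030 3030 00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432:
+0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0030: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0040: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0050: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0060: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0070: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0080: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0090: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x00a0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x00b0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x00c0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432:
+0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0030: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0040: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0050: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0060: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0070: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0080: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0090: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x00a0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x00b0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x00c0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x00d0: 3030 3030 3030 3030 3030 3030 000000000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432:
+0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0030: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0040: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0050: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0060: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0070: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0080: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0090: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x00a0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x00b0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x00c0: 3030 3030 0000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432:
+0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0030: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0040: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0050: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0060: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0070: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0080: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0090: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x00a0: 3030 3030 0000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432:
+0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0030: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0040: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0050: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0060: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0070: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0080: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0090: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x00a0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x00b0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x00c0: 3030 3030 3030 3030 3030 3030 000000000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432:
+0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0030: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0040: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0050: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0060: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0070: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0080: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0090: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x00a0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x00b0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x00c0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x00d0: 3030 3030 3030 3030 3030 3030 000000000000
+IP 48.48.48.48.12336 > 48.48.48.48.2049: Flags [.U], seq 808464432:808476728, ack 808464432, win 12336, urg 12336, length 12296: NFS request xid 808464432 12292 readlink fh 00000000/808464432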

Diff for: tests/hoobr_nfs_printfh.pcap

2.07 KB
Binary file not shown.
