
Commit b45a9a1

fxlbinfrastation
authored andcommitted
CVE-2017-13005/NFS: Add two bounds checks before fetching data
This fixes a buffer over-read discovered by Kamil Frankowicz. Add a test using the capture file supplied by the reporter(s).
1 parent 35d146b commit b45a9a1


4 files changed

+46
-0
lines changed


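--- a/print-nfs.c
+++ b/print-nfs.c
@@ -899,7 +899,11 @@ xid_map_enter(netdissect_options *ndo,
 UNALIGNED_MEMCPY(&xmep->client, &ip6->ip6_src, sizeof(ip6->ip6_src));
 UNALIGNED_MEMCPY(&xmep->server, &ip6->ip6_dst, sizeof(ip6->ip6_dst));
 }
+if (!ND_TTEST(rp->rm_call.cb_proc))
+return (0);
 xmep->proc = EXTRACT_32BITS(&rp->rm_call.cb_proc);
+if (!ND_TTEST(rp->rm_call.cb_vers))
+return (0);
 xmep->vers = EXTRACT_32BITS(&rp->rm_call.cb_vers);
 return (1);
 }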
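Review bot: The two `ND_TTEST` guards sit after `xmep` has already been written (the `UNALIGNED_MEMCPY` calls into `xmep->client` and `xmep->server` are visible just above them), so a truncated call that takes either `return (0)` leaves the entry half-updated, with `proc` and `vers` holding whatever an earlier call left there. Testing both fields before the first store into `xmep`, e.g. `if (!ND_TTEST(rp->rm_call.cb_proc) || !ND_TTEST(rp->rm_call.cb_vers)) return (0);`, would keep a short capture from touching the table at all. The start of xid_map_enter is outside the hunk, so whether an earlier check already covers this cannot be confirmed from here. If a later reply lookup can match such an entry, that reply would presumably be decoded with a stale procedure and version.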

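--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -461,6 +461,7 @@ hoobr_lookup_nsap hoobr_lookup_nsap.pcap hoobr_lookup_nsap.out
 hoobr_rt6_print hoobr_rt6_print.pcap hoobr_rt6_print.out
 hoobr_nfs_printfh hoobr_nfs_printfh.pcap hoobr_nfs_printfh.out
 hoobr_aodv_extension hoobr_aodv_extension.pcap hoobr_aodv_extension.out
+hoobr_nfs_xid_map_enter hoobr_nfs_xid_map_enter.pcap hoobr_nfs_xid_map_enter.out
 
 # bad packets from Wilfried Kirsch
 slip-bad-direction slip-bad-direction.pcap slip-bad-direction.out -ve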

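--- a/tests/hoobr_nfs_xid_map_enter.out
+++ b/tests/hoobr_nfs_xid_map_enter.out
@@ -0,0 +1,41 @@
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432:
+0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0030: 30 0
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432:
+0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0030: 30 0
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432:
+0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0030: 30 0
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432:
+0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0030: 30 0
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432:
+0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0030: 30 0
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432:
+0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0030: 30 0
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432:
+0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0030: 30 0
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432:
+0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0030: 30 0
+IP 48.48.48.48.12336 > 48.48.48.48.2049: NFS request xid 808464432 12308 [|nfs]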

Diff for: tests/hoobr_nfs_xid_map_enter.pcap

1.02 KB
Binary file not shown.
