
CVE-2017-13005/NFS: Add two bounds checks before fetching data

This fixes a buffer over-read discovered by Kamil Frankowicz.

Add a test using the capture file supplied by the reporter(s).
fxlb authored and infrastation committed Feb 23, 2017
1 parent 35d146b commit b45a9a167ca6a3ef2752ae9d48d56ac14b001bfd
Showing with 46 additions and 0 deletions.
  1. +4 −0 print-nfs.c
  2. +1 −0 tests/TESTLIST
  3. +41 −0 tests/hoobr_nfs_xid_map_enter.out
  4. BIN tests/hoobr_nfs_xid_map_enter.pcap
@@ -899,7 +899,11 @@ xid_map_enter(netdissect_options *ndo,
UNALIGNED_MEMCPY(&xmep->client, &ip6->ip6_src, sizeof(ip6->ip6_src));
UNALIGNED_MEMCPY(&xmep->server, &ip6->ip6_dst, sizeof(ip6->ip6_dst));
}
if (!ND_TTEST(rp->rm_call.cb_proc))
return (0);
xmep->proc = EXTRACT_32BITS(&rp->rm_call.cb_proc);
if (!ND_TTEST(rp->rm_call.cb_vers))
return (0);
xmep->vers = EXTRACT_32BITS(&rp->rm_call.cb_vers);
return (1);
}
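Review bot: Both new `ND_TTEST` guards run after the map entry has already been written (the `UNALIGNED_MEMCPY` calls into `xmep->client` and `xmep->server` sit just above them), so a truncated call returns 0 but leaves the slot with the new addresses alongside whatever `proc` and `vers` it held before. If the reply path later matches that entry (the lookup is outside this hunk, so this is inferred), it would decode the reply using stale values. I would hoist the checks ahead of the first write to `xmep`, e.g. `if (!ND_TTEST(rp->rm_call.cb_proc) || !ND_TTEST(rp->rm_call.cb_vers)) return (0);`, and leave the two `EXTRACT_32BITS` assignments unconditional. The start of xid_map_enter is outside the hunk, so confirm that no equivalent check already exists there before the entry is claimed.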
@@ -461,6 +461,7 @@ hoobr_lookup_nsap hoobr_lookup_nsap.pcap hoobr_lookup_nsap.out
hoobr_rt6_print hoobr_rt6_print.pcap hoobr_rt6_print.out
hoobr_nfs_printfh hoobr_nfs_printfh.pcap hoobr_nfs_printfh.out
hoobr_aodv_extension hoobr_aodv_extension.pcap hoobr_aodv_extension.out
hoobr_nfs_xid_map_enter hoobr_nfs_xid_map_enter.pcap hoobr_nfs_xid_map_enter.out

# bad packets from Wilfried Kirsch
slip-bad-direction slip-bad-direction.pcap slip-bad-direction.out -ve
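--- a/tests/hoobr_nfs_xid_map_enter.out
+++ b/tests/hoobr_nfs_xid_map_enter.out
@@ -0,0 +1,41 @@
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432:
+0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0030: 30 0
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432:
+0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0030: 30 0
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432:
+0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0030: 30 0
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432:
+0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0030: 30 0
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432:
+0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0030: 30 0
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432:
+0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0030: 30 0
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432:
+0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0030: 30 0
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432:
+0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+0x0030: 30 0
+IP 48.48.48.48.12336 > 48.48.48.48.2049: NFS request xid 808464432 12308 [|nfs]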
Binary file not shown.
