NFS: Add two length checks

fxlb · fxlb · commit c5c912ad34a8 · 2024-05-08T21:18:25.000+02:00
This change avoids adding a large number to the packet pointer and overflow it. It also avoids the differences between 32-bit and 64-bit printouts. Example: 32-bit: NFS request xid 1168185174 80 readdirplus fh / 1441792 bytes @ 1585267068834414592 [|nfs] --- 64-bit: NFS request xid 1168185174 80 readdirplus [|nfs] Add a test file. Update a test output accordingly. (cherry picked from commit 47edb26)
diff --git a/print-nfs.c b/print-nfs.c
@@ -434,6 +434,11 @@ parsereq(netdissect_options *ndo,
 	if (length < 2 * sizeof(*dp))
 		goto trunc;
 	len = GET_BE_U_4(dp + 1);
+	if (len > length) {
+		ND_PRINT(" [credentials length %u > %u]", len, length);
+		nd_print_invalid(ndo);
+		return NULL;
+	}
 	rounded_len = roundup2(len, 4);
 	ND_TCHECK_LEN(dp + 2, rounded_len);
 	if (2 * sizeof(*dp) + rounded_len <= length) {
@@ -453,6 +458,11 @@ parsereq(netdissect_options *ndo,
 		if (length < 2 * sizeof(*dp))
 			goto trunc;
 		len = GET_BE_U_4(dp + 1);
+		if (len > length) {
+			ND_PRINT(" [verifier length %u > %u]", len, length);
+			nd_print_invalid(ndo);
+			return NULL;
+		}
 		rounded_len = roundup2(len, 4);
 		ND_TCHECK_LEN(dp + 2, rounded_len);
 		if (2 * sizeof(*dp) + rounded_len < length) {
diff --git a/tests/TESTLIST b/tests/TESTLIST
@@ -766,6 +766,7 @@ macsec-short-valid   macsec-short-valid.pcap   macsec-short-valid.out   -e
 # NFS tests
 # fuzzed pcap
 nfs-write-verf-cookie nfs-write-verf-cookie.pcapng nfs-write-verf-cookie.out -vv
+nfs_large_credentials_length nfs_large_credentials_length.pcap nfs_large_credentials_length.out
 
 # NFS fuzzed
 nfs-seg-fault-1  nfs-seg-fault-1.pcapng  nfs-seg-fault-1.out
diff --git a/tests/nfs-attr-oobr.out b/tests/nfs-attr-oobr.out
@@ -301,5 +301,5 @@
 	0x0030:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
 	0x0040:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
 	0x0050:  3030                                     00
-   47  1995-08-15 05:27:12.808464432 IP 48.48.48.48.12336 > 48.48.48.48.2049: NFS request xid 3056611558 12308 access [|nfs]
+   47  1995-08-15 05:27:12.808464432 IP 48.48.48.48.12336 > 48.48.48.48.2049: NFS request xid 3056611558 12308 access [credentials length 808464432 > 12308] (invalid) [|nfs]
    48  1995-08-15 05:27:12.808464432 IP 48.48.48.48.2049 > 48.48.48.48.12336: NFS reply xid 3056611558 reply ok 12308 access [|nfs]
diff --git a/tests/nfs_large_credentials_length.out b/tests/nfs_large_credentials_length.out
@@ -0,0 +1 @@
+    1  1971-09-12 02:15:12.134350544 IP 255.10.0.1.63476 > 127.0.0.1.2049: NFS request xid 1168185174 80 readdirplus [credentials length 4294967295 > 80] (invalid) [|nfs]
diff --git a/tests/nfs_large_credentials_length.pcap b/tests/nfs_large_credentials_length.pcap

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+ 1 1971-09-12 02:15:12.134350544 IP 255.10.0.1.63476 > 127.0.0.1.2049: NFS request xid 1168185174 80 readdirplus [credentials length 4294967295 > 80] (invalid) [\|nfs]`