CVE-2017-13001/NFS: Don't copy more data than is in the file handle.

Also, put the buffer on the stack; no reason to make it static. (65 bytes isn't a lot.) This fixes a buffer over-read discovered by Kamil Frankowicz. Add a test using the capture file supplied by the reporter(s).
2024-11-23 10:04:05 +08:00 · 2017-02-19 13:56:12 -08:00 · 2017-02-19 13:56:12 -08:00 · 7a923447fd
commit 7a923447fd
parent 8512734883
4 changed files with 112 additions and 3 deletions
--- a/print-nfs.c
+++ b/print-nfs.c
@ -807,11 +807,15 @@ nfs_printfh(netdissect_options *ndo,

 	if (sfsname) {
 		/* file system ID is ASCII, not numeric, for this server OS */
-		static char temp[NFSX_V3FHMAX+1];
+		char temp[NFSX_V3FHMAX+1];
+		u_int stringlen;

 		/* Make sure string is null-terminated */
-		strncpy(temp, sfsname, NFSX_V3FHMAX);
-		temp[sizeof(temp) - 1] = '\0';
+		stringlen = len;
+		if (stringlen > NFSX_V3FHMAX)
+			stringlen = NFSX_V3FHMAX;
+		strncpy(temp, sfsname, stringlen);
+		temp[stringlen] = '\0';
 		/* Remove trailing spaces */
 		spacep = strchr(temp, ' ');
 		if (spacep)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@ -458,6 +458,7 @@ hoobr_parse_field	hoobr_parse_field.pcap		hoobr_parse_field.out
 hoobr_chdlc_print	hoobr_chdlc_print.pcap		hoobr_chdlc_print.out
 hoobr_lookup_nsap	hoobr_lookup_nsap.pcap		hoobr_lookup_nsap.out
 hoobr_rt6_print		hoobr_rt6_print.pcap		hoobr_rt6_print.out
+hoobr_nfs_printfh	hoobr_nfs_printfh.pcap		hoobr_nfs_printfh.out

 # bad packets from Wilfried Kirsch
 slip-bad-direction	slip-bad-direction.pcap		slip-bad-direction.out	-ve
--- a/tests/hoobr_nfs_printfh.out
+++ b/tests/hoobr_nfs_printfh.out
@ -0,0 +1,104 @@
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0010:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0020:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0030:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0040:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0050:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0060:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0070:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0080:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0090:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x00a0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x00b0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x00c0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x00d0:  3030 3030 3030 3030 3030 3030            000000000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0010:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0020:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0010:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0020:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0030:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0040:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0050:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0060:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0070:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0080:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0090:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x00a0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x00b0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x00c0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0010:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0020:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0030:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0040:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0050:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0060:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0070:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0080:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0090:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x00a0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x00b0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x00c0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x00d0:  3030 3030 3030 3030 3030 3030            000000000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0010:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0020:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0030:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0040:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0050:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0060:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0070:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0080:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0090:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x00a0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x00b0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x00c0:  3030 3030                                0000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0010:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0020:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0030:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0040:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0050:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0060:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0070:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0080:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0090:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x00a0:  3030 3030                                0000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0010:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0020:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0030:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0040:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0050:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0060:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0070:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0080:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0090:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x00a0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x00b0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x00c0:  3030 3030 3030 3030 3030 3030            000000000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0010:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0020:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0030:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0040:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0050:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0060:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0070:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0080:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x0090:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x00a0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x00b0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x00c0:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+	0x00d0:  3030 3030 3030 3030 3030 3030            000000000000
+IP 48.48.48.48.12336 > 48.48.48.48.2049: Flags [.U], seq 808464432:808476728, ack 808464432, win 12336, urg 12336, length 12296: NFS request xid 808464432 12292 readlink fh 00000000/808464432
--- a/tests/hoobr_nfs_printfh.pcap
+++ b/tests/hoobr_nfs_printfh.pcap