Conversation

@nicholasberlin

Proposed commit message

When the NFS protocol is enabled in Packetbeat, crafted ONC RPC/NFS traffic can cause the application to panic and exit due to unchecked XDR length fields and undersized RPC records. This affects both request and reply parsing paths.

This PR adds bounds checking and ignores malformed fragments via new error propagation.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.

Author's Checklist

  • Thoroughly examine this PR because the first commit is a directly applied external patch. I examined it very closely myself, but harsher scrutiny would be appreciated.

How to test this PR locally

There is a new test included in this PR; you could revert the changes of the first commit, run the tests and see things go sideways.

This test caused a crash prior to this PR. The pcap was captured when running the following:
```bash
nc -l 12049 >/dev/null
```
and in a different shell
```python
import socket, struct, time

dest = ("127.0.0.1", 12049)
frag_header = struct.pack("!I", 0x80000001)
payload = b"\x00"

with socket.create_connection(dest, timeout=5) as sock:
    sock.sendall(frag_header + payload)
    time.sleep(0.2)
```
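As an added illustration of the two checks the description names (XDR length fields and undersized RPC records), here is a minimal Go reader that returns errors instead of panicking; it is not Packetbeat's code. The `getUInt`/`getString` names follow the PR's unit test, while `xdrReader`, its fields and `rpcRecord` are assumed names, and the one-byte fragment from the repro above is what `rpcRecord` rejects.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Added example, not Packetbeat's code: XDR reads that validate every length
// field and an RPC record-marking check, so crafted input errors instead of panicking.
type xdrReader struct {
	data []byte
	pos  int
}

func (x *xdrReader) getUInt() (uint32, error) {
	if len(x.data)-x.pos < 4 {
		return 0, fmt.Errorf("xdr: need 4 bytes, %d remain", len(x.data)-x.pos)
	}
	v := binary.BigEndian.Uint32(x.data[x.pos:])
	x.pos += 4
	return v, nil
}

// getString validates the length prefix plus padding (in uint64, so int(n) cannot overflow) before slicing.
func (x *xdrReader) getString() (string, error) {
	n, err := x.getUInt()
	if err != nil {
		return "", err
	}
	pad := (4 - n%4) % 4
	if uint64(n)+uint64(pad) > uint64(len(x.data)-x.pos) {
		return "", fmt.Errorf("xdr: string length %d exceeds %d remaining bytes", n, len(x.data)-x.pos)
	}
	s := string(x.data[x.pos : x.pos+int(n)])
	x.pos += int(n) + int(pad)
	return s, nil
}

// rpcRecord parses one record-marking header (bit 31 = last, low 31 bits = length) and rejects lengths past the buffer or under the 8-byte xid+msg_type minimum.
func rpcRecord(buf []byte) (last bool, body []byte, err error) {
	if len(buf) < 4 {
		return false, nil, fmt.Errorf("rpc: %d bytes is too short for a fragment header", len(buf))
	}
	h := binary.BigEndian.Uint32(buf)
	n := int(h & 0x7fffffff)
	if n < 8 || n > len(buf)-4 {
		return false, nil, fmt.Errorf("rpc: bad fragment length %d for %d available bytes", n, len(buf)-4)
	}
	return h&0x80000000 != 0, buf[4 : 4+n], nil
}
```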
@nicholasberlin nicholasberlin requested a review from a team as a code owner November 26, 2025 20:32
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Nov 26, 2025
@github-actions

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@mergify

mergify bot commented Nov 26, 2025

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @nicholasberlin? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@nicholasberlin nicholasberlin added the Team:Security-Linux Platform Linux Platform Team in Security Solution label Nov 26, 2025
@elasticmachine

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Nov 26, 2025
@nicholasberlin nicholasberlin added backport-8.19 Automated backport to the 8.19 branch backport-9.1 Automated backport to the 9.1 branch backport-9.2 Automated backport to the 9.2 branch labels Nov 26, 2025
# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
# Please provide it if you are adding a fragment for a different PR.
# pr: https://github.com/owner/repo/1234

Suggested change
# pr: https://github.com/owner/repo/1234
pr: https://github.com/elastic/beats/pull/47803

# OPTIONAL to manually add other issue URLs
# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
# If not present is automatically filled by the tooling with the issue linked to the PR number.
# issue: https://github.com/owner/repo/1234

Does a public issue for this one exist?

if _, err := xdr.getUInt(); err != nil {
return err
}
}
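Review bot: the value returned by `xdr.getUInt()` is discarded with `_`, so this branch only consumes four bytes to advance the cursor; a one-line comment naming the field being skipped would make that intent clear, and since the closing brace ends the function, an explicit `return nil` after the `if` block would make the success path visible rather than relying on the implicit fall-through.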

Would adding a `return nil` here be better for consistency?

Comment on lines +40 to +58
v, err := xdr.getUInt()
require.NoError(t, err)
assert.Equal(t, uint32(0x800000e0), v)

v, err = xdr.getUInt()
require.NoError(t, err)
assert.Equal(t, uint32(0xb54921ab), v)

hv, err := xdr.getUHyper()
require.NoError(t, err)
assert.Equal(t, uint64(2), hv)

v, err = xdr.getUInt()
require.NoError(t, err)
assert.Equal(t, uint32(4), v)

str, err := xdr.getString()
require.NoError(t, err)
assert.Equal(t, "test string", str)
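Review bot: every case in lines +40 to +58 decodes a well-formed buffer, while the behaviour this PR changes is the error path; add at least one case where the buffer ends two bytes into a `getUInt` and one where a string's length prefix is larger than the bytes remaining, asserting `require.Error(t, err)` for each, so the new bounds checks are actually exercised by the unit test rather than only by the pcap.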

@mykola-elastic mykola-elastic Nov 27, 2025


Would it be nice to add cases where there are errors, not only the happy path?

(I guess you did this with the python test and pcap below, right? Asking also about the unit test if it would make sense to add failure scenarios)
