-
Notifications
You must be signed in to change notification settings - Fork 5k
[Packetbeat] rpc fragment bounds checking #47803
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Conversation
This test caused a crash prior to this PR
pcap captured when running the following:
```bash
nc -l 12049 >/dev/null
```
and in a different shell
```python
import socket, struct, time
dest = ("127.0.0.1", 12049)
frag_header = struct.pack("!I", 0x80000001)
payload = b"\x00"
with socket.create_connection(dest, timeout=5) as sock:
sock.sendall(frag_header + payload)
time.sleep(0.2)
```
🤖 GitHub commentsJust comment with:
|
|
This pull request does not have a backport label.
To fixup this pull request, you need to add the backport labels for the needed
|
|
Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform) |
| # If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added. | ||
| # NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number. | ||
| # Please provide it if you are adding a fragment for a different PR. | ||
| # pr: https://github.com/owner/repo/1234 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
| # pr: https://github.com/owner/repo/1234 | |
| pr: https://github.com/elastic/beats/pull/47803 |
| # OPTIONAL to manually add other issue URLs | ||
| # Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of). | ||
| # If not present is automatically filled by the tooling with the issue linked to the PR number. | ||
| # issue: https://github.com/owner/repo/1234 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does a public issue for this one exist?
| if _, err := xdr.getUInt(); err != nil { | ||
| return err | ||
| } | ||
| } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
will adding here return nil be better for consistency?
| v, err := xdr.getUInt() | ||
| require.NoError(t, err) | ||
| assert.Equal(t, uint32(0x800000e0), v) | ||
|
|
||
| v, err = xdr.getUInt() | ||
| require.NoError(t, err) | ||
| assert.Equal(t, uint32(0xb54921ab), v) | ||
|
|
||
| hv, err := xdr.getUHyper() | ||
| require.NoError(t, err) | ||
| assert.Equal(t, uint64(2), hv) | ||
|
|
||
| v, err = xdr.getUInt() | ||
| require.NoError(t, err) | ||
| assert.Equal(t, uint32(4), v) | ||
|
|
||
| str, err := xdr.getString() | ||
| require.NoError(t, err) | ||
| assert.Equal(t, "test string", str) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it be nice to add cases when there are errors? Not only happy path
(I guess you did this with the python test and pcap below, right? Asking also about the unit test if it would make sense to add failure scenarios)
Proposed commit message
When the NFS protocol is enabled in Packetbeat, crafted ONC RPC/NFS traffic can cause the application to panic and exit due to unchecked XDR length fields and undersized RPC records. This affects both request and reply parsing paths.
This PR adds bounds checking and ignores malformed fragments via new error propagation.
Checklist
I have made corresponding changes to the documentationI have made corresponding change to the default configuration filesstresstest.shscript to run them under stress conditions and race detector to verify their stability../changelog/fragmentsusing the changelog tool.Author's Checklist
How to test this PR locally
There is a new test included in this PR, could revert the changes of the first commit and run the tests and see things go sideways.