On 2015/10/12 12:54, Kevin Reay wrote: > Small fix to tcpdump nfs packet printing. Crash occurs when > printing nfs request filename of malformed packet. > > parsefn() now passes snapend to filename print function > (attempting to print packet data so NULL isn't right). Also > check return value from fn_printn() and handle truncation. > > Behavior now matches upstream Linux version when parsing > malformed packet. > > From upstream fix Git commit > 6191f36146f5d286304e9b6e893477fe509d83ab > > I can provide pcap files that trigger crash if required. > > > Index: print-nfs.c > =================================================================== > RCS file: /cvs/src/usr.sbin/tcpdump/print-nfs.c,v > retrieving revision 1.19 > diff -u -p -r1.19 print-nfs.c > --- print-nfs.c 16 Jan 2015 06:40:21 -0000 1.19 > +++ print-nfs.c 12 Oct 2015 18:37:06 -0000 > @@ -381,9 +381,11 @@ parsefn(register const u_int32_t *dp) > cp = (u_char *)dp; > /* Update 32-bit pointer (NFS filenames padded to 32-bit boundaries) */ > dp += ((len + 3) & ~3) / sizeof(*dp); > - /* XXX seems like we should be checking the length */ > putchar('"'); > - (void) fn_printn(cp, len, NULL); > + if (fn_printn(cp, len, snapend)) { > + putchar('"'); > + goto trunc; > + } > putchar('"'); > > return (dp); > >
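Review bot: the length check that the removed "XXX seems like we should be checking the length" comment asks for is still only partly addressed. `dp += ((len + 3) & ~3) / sizeof(*dp);` advances the pointer by the packet-supplied `len` before `fn_printn()` is ever consulted, so while the filename print is now bounded by `snapend`, the `dp` returned from parsefn() can still point past the captured data (and `len + 3` can wrap if `len` is a 32-bit value). Consider validating `len` against the bytes remaining before `snapend` ahead of the pointer arithmetic, or at least confirm that every caller bounds-checks the returned `dp` before dereferencing it. Also worth checking that parsefn() already has a `trunc:` label for the new `goto trunc;`, since the hunk does not show it.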
OK with me