Small fix to tcpdump nfs packet printing. Crash occurs when
printing the nfs request filename of a malformed packet.

parsefn() now passes snapend to filename print function
(attempting to print packet data so NULL isn't right). Also
check return value from fn_printn() and handle truncation.

Behavior now matches upstream Linux version when parsing a
malformed packet.

From upstream fix Git commit
6191f36146f5d286304e9b6e893477fe509d83ab

I can provide pcap files that trigger crash if required.


Index: print-nfs.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-nfs.c,v
retrieving revision 1.19
diff -u -p -r1.19 print-nfs.c
--- print-nfs.c 16 Jan 2015 06:40:21 -0000      1.19
+++ print-nfs.c 12 Oct 2015 18:37:06 -0000
@@ -381,9 +381,11 @@ parsefn(register const u_int32_t *dp)
        cp = (u_char *)dp;
        /* Update 32-bit pointer (NFS filenames padded to 32-bit boundaries) */
        dp += ((len + 3) & ~3) / sizeof(*dp);
-       /* XXX seems like we should be checking the length */
        putchar('"');
-       (void) fn_printn(cp, len, NULL);
+       if (fn_printn(cp, len, snapend)) {
+               putchar('"');
+               goto trunc;
+       }
        putchar('"');
 
        return (dp);
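Review bot: the `goto trunc` added in this hunk relies on a `trunc:` label in parsefn() that is outside the visible context; please confirm it exists and that it returns a value callers already treat as "stop parsing" (the old code always returned the advanced `dp`, so any caller that dereferences the result without a bounds check needs the same treatment). Also note that `dp += ((len + 3) & ~3) / sizeof(*dp);` is still executed before `fn_printn(cp, len, snapend)` runs, so when fn_printn() succeeds the padded `dp` can still sit up to three bytes past `snapend` on the success path; that is harmless only as long as every subsequent read through `dp` is guarded, so it is worth a comment at the `dp +=` line rather than silently dropping the old `/* XXX seems like we should be checking the length */` reminder.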