From 9f0fe9563366f62a71d34c92229da3432ec5cf0e Mon Sep 17 00:00:00 2001
From: Peter Haag
Date: Sun, 1 Apr 2018 10:30:25 +0200
Subject: [PATCH] Fix nfdump crashes, when feeded with garbage input. Issue #104

---
 ChangeLog | 4 ++++
 bin/nfdump.c | 6 +++++-
 bin/nffile_inline.c | 7 +++++--
 bin/nfx.c | 1 +
 4 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index b56d561..794f26a 100755
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2018-04-01
+- Add program exit in nfx.c after panic with correupt data file
+- Add missing size check when reading nfdump 1.5.x common record blocks
+
 2018-02-11
 - Add missing json output format in nfdump help text
 - Add missing -v option in nfreplay help text
diff --git a/bin/nfdump.c b/bin/nfdump.c
index 3333d47..8c0e224 100644
--- a/bin/nfdump.c
+++ b/bin/nfdump.c
@@ -542,7 +542,11 @@ int v1_map_done = 0;
 exit(255);
 }
 }
-ConvertCommonV0((void *)record_ptr, (common_record_t *)ConvertBuffer);
+if ( !ConvertCommonV0((void *)record_ptr, (common_record_t *)ConvertBuffer) ) {
+LogError("Corrupt data file. Unable to decode at %s line %d\n", __FILE__, __LINE__);
+exit(255);
+
+}
 flow_record = (common_record_t *)ConvertBuffer;
 dbg_printf("Converted type %u to %u record\n", CommonRecordV0Type, CommonRecordType);
 case CommonRecordType: {
diff --git a/bin/nffile_inline.c b/bin/nffile_inline.c
index d7c532e..4514001 100755
--- a/bin/nffile_inline.c
+++ b/bin/nffile_inline.c
@@ -38,7 +38,7 @@ static inline void AppendToBuffer(nffile_t *nffile, void *record, size_t require
 static inline void CopyV6IP(uint32_t *dst, uint32_t *src);
-static inline void ConvertCommonV0(void *record, common_record_t *flow_record);
+static inline int ConvertCommonV0(void *record, common_record_t *flow_record);
 static inline void ExpandRecord_v2(common_record_t *input_record, extension_info_t *extension_info, exporter_info_record_t *exporter_info, master_record_t *output_record );
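Review bot: The new corrupt-record branch in bin/nfdump.c only reacts after ConvertCommonV0 has already read COMMON_RECORDV0_DATA_SIZE bytes from record_ptr (and, on acceptance, `size - COMMON_RECORDV0_DATA_SIZE` more), so nothing in this hunk compares the record against the number of bytes remaining in the data block; whether the caller bounds record_ptr against the block end before reaching this line is outside the hunk and should be confirmed, because a record whose size field exceeds the remaining block would still drive an over-read from here. Two smaller points: there is a stray blank line between `exit(255);` and the closing `}` of the new `if`, and this path reports through LogError while the parallel fatal check added in bin/nfx.c prints with printf to stdout, so the two new corrupt-file diagnostics land in different places. The converted-V0 path also falls straight into `case CommonRecordType: {`, which is pre-existing but is now easier to misread with the added braces; a `/* fallthrough */` comment before the case label would help. The enclosing function starts and ends outside the hunk.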
@@ -75,11 +75,13 @@ static inline void CopyV6IP(uint32_t *dst, uint32_t *src) {
 dst[3] = src[3];
 } // End of CopyV6IP
-static inline void ConvertCommonV0(void *record, common_record_t *flow_record) {
+static inline int ConvertCommonV0(void *record, common_record_t *flow_record) {
 common_record_v0_t *flow_record_v0 = (common_record_v0_t *)record;
 // copy v0 common record
 memcpy((void *)flow_record, record, COMMON_RECORDV0_DATA_SIZE);
+if ( flow_record_v0->size <= COMMON_RECORDV0_DATA_SIZE )
+return 0;
 memcpy((void *)flow_record->data, (void *)flow_record_v0->data, flow_record_v0->size - COMMON_RECORDV0_DATA_SIZE);
 // fix record differences
@@ -89,6 +91,7 @@ common_record_v0_t *flow_record_v0 = (common_record_v0_t *)record;
 flow_record->exporter_sysid = flow_record_v0->exporter_sysid;
 flow_record->reserved = 0;
+return 1;
 } // End of ConvertCommonV0
 /*
diff --git a/bin/nfx.c b/bin/nfx.c
index 7069280..6b538ee 100755
--- a/bin/nfx.c
+++ b/bin/nfx.c
@@ -542,6 +542,7 @@ int i, extension_size, max_elements;
 int id = map->ex_id[i];
 if ( id > Max_num_extensions ) {
 printf("PANIC! - Verify map id %i: ERROR: element id %i out of range [%i]!\n", map->map_id, id, Max_num_extensions);
+exit(255);
 }
 extension_size += extension_descriptor[id].size;
 i++;
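Review bot: The added check in ConvertCommonV0 rejects only sizes at or below COMMON_RECORDV0_DATA_SIZE, so `flow_record_v0->size`, a field read straight from the data file, still has no upper bound before it sizes the second memcpy; a value larger than the destination (ConvertBuffer in the caller) or than the bytes actually present in the source block passes the check and the copy runs past the end. The function cannot learn either limit from its current parameters, so the bound has to come from the caller, for example `if ( flow_record_v0->size <= COMMON_RECORDV0_DATA_SIZE || flow_record_v0->size > <MAX_RECORD_SIZE> ) return 0;` with `<MAX_RECORD_SIZE>` being a placeholder for the destination buffer's size passed in or defined next to the buffer. The comparison is also `<=`, so a record whose size is exactly COMMON_RECORDV0_DATA_SIZE (no extension data) is reported as corrupt; if such records cannot occur that is fine, otherwise `<` is the intended test. Because the header memcpy runs before the check, a 0 return leaves a partially written output record, so the function deserves a comment stating that contract, e.g. `// Returns 0 when the size field is inconsistent; flow_record is then incomplete and must not be used.` The middle of ConvertCommonV0 (between the two hunks) is not shown.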
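Review bot: The range check on the line above the new `exit(255);` in bin/nfx.c is inclusive at the top: `id > Max_num_extensions` still lets `id == Max_num_extensions` reach `extension_descriptor[id].size`, so whether that index is valid depends on the array having Max_num_extensions + 1 entries rather than Max_num_extensions, which is outside the hunk; please confirm, and use `if ( id >= Max_num_extensions ) {` if it is the latter. The check also accepts a negative `id`, which matters if `map->ex_id[i]` can hold a negative value once stored in the `int`; `if ( id < 0 || id >= Max_num_extensions ) {` would close both edges. Now that this check is fatal, routing the message through LogError as bin/nfdump.c does, instead of printf to stdout, would keep the corrupt-file diagnostics in one place. The enclosing function starts and ends outside the hunk.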