master

分支 (7)

标签 (3)

管理

管理

master

openEuler-20.03-LTS-SP1

openEuler-20.03-LTS-Next

openEuler-20.03-LTS

openEuler-20.09

openEuler1.0-base

openEuler1.0

openEuler-20.09-20200929

openEuler-20.03-LTS-20200606

openEuler-20.03-LTS-tag

wireshark
/
CVE-2020-13164.patch

From e6e98eab8e5e0bbc982cfdc808f2469d7cab6c5a Mon Sep 17 00:00:00 2001
From: Gerald Combs <[email protected]>
Date: Tue, 14 Apr 2020 17:10:44 -0700
Subject: [PATCH] NFS: Add filesystem cycle detection.

Detect cycles and large depths when snooping full names.

Bug: 16476
Change-Id: I4cddf3d6e6c58d1d382a3ea3b3ed09644562c352
Reviewed-on: https://code.wireshark.org/review/36847
Reviewed-by: Gerald Combs <[email protected]>
Petri-Dish: Gerald Combs <[email protected]>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <[email protected]>
(cherry picked from commit fc6763989c7a7c4e4b0522b12b955e5a285d388a)
Reviewed-on: https://code.wireshark.org/review/36855
---
 epan/dissectors/packet-nfs.c | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/epan/dissectors/packet-nfs.c b/epan/dissectors/packet-nfs.c
index 715ee82..60aff65 100644
--- a/epan/dissectors/packet-nfs.c
+++ b/epan/dissectors/packet-nfs.c
@@ -20,6 +20,7 @@
 #include <epan/prefs.h>
 #include <epan/exceptions.h>
 #include <epan/expert.h>
+#include <epan/proto_data.h>
 #include <epan/to_str.h>
 #include <epan/decode_as.h>
 #include <epan/crc16-tvb.h>
@@ -899,6 +900,7 @@ static expert_field ei_nfs_not_vnx_file = EI_INIT;
 static expert_field ei_protocol_violation = EI_INIT;
 static expert_field ei_nfs_too_many_bitmaps = EI_INIT;
 static expert_field ei_nfs4_stateid_deprecated = EI_INIT;
+static expert_field ei_nfs_file_system_cycle = EI_INIT;

 static const true_false_string tfs_read_write = { "Read", "Write" };

@@ -936,6 +938,7 @@ typedef struct nfs_name_snoop {
 	unsigned char *parent;
 	int	       full_name_len;
 	char	      *full_name;
+	gboolean       fs_cycle;
 } nfs_name_snoop_t;

 typedef struct nfs_name_snoop_key {
@@ -1199,9 +1202,10 @@ nfs_name_snoop_add_fh(int xid, tvbuff_t *tvb, int fh_offset, int fh_length)
 	g_hash_table_replace(nfs_name_snoop_matched, key, nns);
 }

+#define NFS_MAX_FS_DEPTH 100

 static void
-nfs_full_name_snoop(nfs_name_snoop_t *nns, int *len, char **name, char **pos)
+nfs_full_name_snoop(packet_info *pinfo, nfs_name_snoop_t *nns, int *len, char **name, char **pos)
 {
 	nfs_name_snoop_t     *parent_nns = NULL;
 	nfs_name_snoop_key_t  key;
@@ -1230,13 +1234,22 @@ nfs_full_name_snoop(nfs_name_snoop_t *nns, int *len, char **name, char **pos)
 	parent_nns = (nfs_name_snoop_t *)g_hash_table_lookup(nfs_name_snoop_matched, &key);

 	if (parent_nns) {
-		nfs_full_name_snoop(parent_nns, len, name, pos);
+		unsigned fs_depth = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, proto_nfs, 0));
+		if (++fs_depth >= NFS_MAX_FS_DEPTH) {
+			nns->fs_cycle = TRUE;
+			return;
+		}
+		p_add_proto_data(pinfo->pool, pinfo, proto_nfs, 0, GUINT_TO_POINTER(fs_depth));
+
+		nfs_full_name_snoop(pinfo, parent_nns, len, name, pos);
 		if (*name) {
 			/* make sure components are '/' separated */
 			*pos += g_snprintf(*pos, (*len+1) - (gulong)(*pos-*name), "%s%s",
 					   ((*pos)[-1] != '/')?"/":"", nns->name);
 			DISSECTOR_ASSERT((*pos-*name) <= *len);
 		}
+		fs_depth--;
+		p_add_proto_data(pinfo->pool, pinfo, proto_nfs, 0, GUINT_TO_POINTER(fs_depth));
 		return;
 	}

@@ -1278,7 +1291,7 @@ nfs_name_snoop_fh(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int fh_of
 				char *name = NULL, *pos = NULL;
 				int len = 0;

-				nfs_full_name_snoop(nns, &len, &name, &pos);
+				nfs_full_name_snoop(pinfo, nns, &len, &name, &pos);
 				if (name) {
 					nns->full_name = name;
 					nns->full_name_len = len;
@@ -1330,6 +1343,10 @@ nfs_name_snoop_fh(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int fh_of
 			}
 			PROTO_ITEM_SET_GENERATED(fh_item);
 		}
+
+		if (nns->fs_cycle) {
+			proto_tree_add_expert(tree, pinfo, &ei_nfs_file_system_cycle, tvb, 0, 0);
+		}
 	}
 }

@@ -14236,6 +14253,7 @@ proto_register_nfs(void)
 			"Per RFCs 3530 and 5661 an attribute mask is required but was not provided.", EXPFILL }},
 		{ &ei_nfs_too_many_bitmaps, { "nfs.too_many_bitmaps", PI_PROTOCOL, PI_NOTE, "Too many bitmap array items", EXPFILL }},
 		{ &ei_nfs4_stateid_deprecated, { "nfs.stateid.deprecated", PI_PROTOCOL, PI_WARN, "State ID deprecated in CLOSE responses [RFC7530 16.2.5]", EXPFILL }},
+		{ &ei_nfs_file_system_cycle, { "nfs.file_system_cycle", PI_PROTOCOL, PI_WARN, "Possible file system cycle detected", EXPFILL }},
 	};

 	module_t *nfs_module;
--
2.7.4