From d7b0e40ff0fbf1e6bb203592dd6af1165e563ca4 Mon Sep 17 00:00:00 2001
From: Pavel Odintsov
Date: Fri, 13 Dec 2024 21:29:43 +0300
Subject: [PATCH] Added sanity check in Netflow v9 code to avoid reading outside of our memory region.
Reported by Evgeny Shtanov
Closes: #1029
---
 src/netflow_plugin/netflow_v9_collector.cpp | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/src/netflow_plugin/netflow_v9_collector.cpp b/src/netflow_plugin/netflow_v9_collector.cpp
index b9833fd5..f6bcf45f 100644
--- a/src/netflow_plugin/netflow_v9_collector.cpp
+++ b/src/netflow_plugin/netflow_v9_collector.cpp
@@ -1580,18 +1580,22 @@ bool process_netflow_packet_v9(const uint8_t* packet,
 return false;
 }
+ // Check that we have enough space in packet to read flowset header
+ if (offset + sizeof(netflow9_flowset_header_common_t) > packet_length) {
+ logger << log4cpp::Priority::ERROR << "Flowset is too short: we do not have space for flowset header. " << "Netflow v9 packet agent IP:" << client_addres_in_string_format << " flowset number: " << flowset_number << " offset: " << offset << " packet_length: " << packet_length;
+ return false;
+ }
+
+ // Now we can safely read flowset header
 const netflow9_flowset_header_common_t* flowset = (const netflow9_flowset_header_common_t*)(packet + offset);
 uint32_t flowset_id = ntohs(flowset->flowset_id);
 uint32_t flowset_length = ntohs(flowset->length);
- /*
- * Yes, this is a near duplicate of the short packet check
- * above, but this one validates the flowset length from in
- * the packet before we pass it to the flowset-specific
- * handlers below.
- */
-
+ // One more check to ensure that we have enough space in packet to read whole flowset
 if (offset + flowset_length > packet_length) {
 logger << log4cpp::Priority::ERROR << "We tried to read from address outside Netflow's packet flowset agent IP: " << client_addres_in_string_format << " flowset number: " << flowset_number