From: Victor Julien <vjulien@oisf.net>
Date: Sun, 20 Feb 2022 22:02:13 +0000 (+0100)
Subject: nfs3: enforce more values
X-Git-Tag: suricata-5.0.9~57
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6f43129f034b2e071d37845c189ee379711b2d9c;p=thirdparty%2Fsuricata.git

nfs3: enforce more values

Enforce values of a number of u32's that are used as bools or for
really low values.

(cherry picked from commit 5baf94e40ddeb3deab97a897b9da2e93ece4c654)
---

diff --git a/rust/src/nfs/nfs3_records.rs b/rust/src/nfs/nfs3_records.rs
index 7e793402bf..b8920f5f52 100644
--- a/rust/src/nfs/nfs3_records.rs
+++ b/rust/src/nfs/nfs3_records.rs
@@ -1,4 +1,4 @@
-/* Copyright (C) 2017 Open Information Security Foundation
+/* Copyright (C) 2017-2022 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free
@@ -47,7 +47,7 @@ pub struct Nfs3ReplyCreate<'a> {
 named!(pub parse_nfs3_response_create<Nfs3ReplyCreate>,
     do_parse!(
         status: be_u32
-        >> handle_has_value: be_u32
+        >> handle_has_value: verify!(be_u32, |v| v <= 1)
         >> handle: cond!(handle_has_value == 1, parse_nfs3_handle)
         >> (
             Nfs3ReplyCreate {
@@ -297,9 +297,9 @@ named!(pub parse_nfs3_response_readdirplus_entry<Nfs3ResponseReaddirplusEntryC>,
         >> name_content: take!(name_len)
         >> _fill_bytes: cond!(name_len % 4 != 0, take!(4 - name_len % 4))
         >> _cookie: take!(8)
-        >> attr_value_follows: be_u32
+        >> attr_value_follows: verify!(be_u32, |v| v <= 1)
         >> _attr: cond!(attr_value_follows==1, take!(84))
-        >> handle_value_follows: be_u32
+        >> handle_value_follows: verify!(be_u32, |v| v <= 1)
         >> handle: cond!(handle_value_follows==1, parse_nfs3_handle)
         >> (
                 Nfs3ResponseReaddirplusEntryC {
@@ -317,7 +317,7 @@ pub struct Nfs3ResponseReaddirplusEntry<'a> {
 
 named!(pub parse_nfs3_response_readdirplus_entry_cond<Nfs3ResponseReaddirplusEntry>,
     do_parse!(
-           value_follows: be_u32
+           value_follows: verify!(be_u32, |v| v <= 1)
         >> entry: cond!(value_follows==1, parse_nfs3_response_readdirplus_entry)
         >> (
             Nfs3ResponseReaddirplusEntry {
@@ -335,7 +335,7 @@ pub struct Nfs3ResponseReaddirplus<'a> {
 named!(pub parse_nfs3_response_readdirplus<Nfs3ResponseReaddirplus>,
     do_parse!(
         status: be_u32
-        >> dir_attr_follows: be_u32
+        >> dir_attr_follows: verify!(be_u32, |v| v <= 1)
         >> _dir_attr: cond!(dir_attr_follows == 1, take!(84))
         >> _verifier: take!(8)
         >> data: rest
@@ -394,8 +394,8 @@ named!(pub parse_nfs3_request_write<Nfs3RequestWrite>,
             handle: parse_nfs3_handle
         >>  offset: be_u64
         >>  count: be_u32
-        >>  stable: be_u32
-        >>  file_len: be_u32
+        >>  stable: verify!(be_u32, |v| v <= 2)
+        >>  file_len: verify!(be_u32, |v| v <= count)
         >>  file_data: rest // likely partial
         >> (
             Nfs3RequestWrite {
@@ -423,10 +423,10 @@ pub struct Nfs3ReplyRead<'a> {
 named!(pub parse_nfs3_reply_read<NfsReplyRead>,
     do_parse!(
             status: be_u32
-        >>  attr_follows: be_u32
+        >>  attr_follows: verify!(be_u32, |v| v <= 1)
         >>  attr_blob: take!(84) // fixed size?
         >>  count: be_u32
-        >>  eof: be_u32
+        >>  eof: verify!(be_u32, |v| v <= 1)
         >>  data_len: be_u32
         >>  data_contents: rest
         >> (