From: Jason Ish Date: Mon, 18 Jul 2022 21:52:40 +0000 (-0600) Subject: rust/nfs: add a maximum number of operations per compound X-Git-Tag: suricata-6.0.7~56 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b8875d4a223762db5efd9976104fa7761b679214;p=thirdparty%2Fsuricata.git rust/nfs: add a maximum number of operations per compound This is a backport of ea1d03f8e38aca376adcb80b1851b97a0816a5e9 by Pierre Chifflier adapted for 6.0.x. > The `count` combinator preallocates a number of bytes. Since the value > is untrusted, this can result in an Out Of Memory allocation. > Use a maximum value, large enough to cover all current implementations. Ticket: #5448 --- diff --git a/rust/src/nfs/nfs4_records.rs b/rust/src/nfs/nfs4_records.rs index 73ac2c8655..9b9af9a586 100644 --- a/rust/src/nfs/nfs4_records.rs +++ b/rust/src/nfs/nfs4_records.rs @@ -20,6 +20,10 @@ use nom::number::streaming::{be_u32, be_u64}; use crate::nfs::types::*; +// Maximum number of operations per compound +// Linux defines NFSD_MAX_OPS_PER_COMPOUND to 16 (tested in Linux 5.15.1). +const NFSD_MAX_OPS_PER_COMPOUND: u32 = 64; + #[derive(Debug,PartialEq)] pub enum Nfs4RequestContent<'a> { PutFH(Nfs4Handle<'a>), @@ -506,7 +510,7 @@ named!(pub parse_nfs4_request_compound, tag_len: be_u32 >> _tag: cond!(tag_len > 0, take!(tag_len)) >> _min_ver: be_u32 - >> ops_cnt: be_u32 + >> ops_cnt: verify!(be_u32, |&v| v <= NFSD_MAX_OPS_PER_COMPOUND) >> commands: count!(parse_request_compound_command, ops_cnt as usize) >> (Nfs4RequestCompoundRecord { commands @@ -905,7 +909,7 @@ named!(pub parse_nfs4_response_compound, status: be_u32 >> tag_len: be_u32 >> _tag: cond!(tag_len > 0, take!(tag_len)) - >> ops_cnt: be_u32 + >> ops_cnt: verify!(be_u32, |&v| v <= NFSD_MAX_OPS_PER_COMPOUND) >> commands: count!(nfs4_res_compound_command, ops_cnt as usize) >> (Nfs4ResponseCompoundRecord { status: status,