[Packetbeat] rpc fragment bounds checking #47803
Merged
+560
−92
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
botelastic
bot
added
the
needs_team
Contributor
🤖 GitHub commentsJust comment with:
|
Contributor
|
This pull request does not have a backport label.
To fixup this pull request, you need to add the backport labels for the needed
|
nicholasberlin
added
the
Team:Security-Linux Platform
Contributor
|
Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform) |
botelastic
bot
removed
the
needs_team
nicholasberlin
added
backport-8.19
mykola-elastic
approved these changes
Nov 27, 2025
This test caused a crash prior to this PR
pcap captured when running the following:
```bash
nc -l 12049 >/dev/null
```
and in a different shell
```python
import socket, struct, time
dest = ("127.0.0.1", 12049)
frag_header = struct.pack("!I", 0x80000001)
payload = b"\x00"
with socket.create_connection(dest, timeout=5) as sock:
sock.sendall(frag_header + payload)
time.sleep(0.2)
```
Co-authored-by: Mykola Kmet <[email protected]>
nicholasberlin
force-pushed
the
nberlin/rpc_fragment_bounds_checking
branch
2 times, most recently
from
f2ace09 to
9d28242
Compare
- add return for consistency - add failure case unit tests
nicholasberlin
force-pushed
the
nberlin/rpc_fragment_bounds_checking
branch
4 times, most recently
from
54bee27 to
df18985
Compare
nicholasberlin
force-pushed
the
nberlin/rpc_fragment_bounds_checking
branch
from
df18985 to
326fb60
Compare
haesbaert
approved these changes
Dec 2, 2025
Contributor
Author
|
@mykola-elastic I had to push some changes to xdr.go in order to appease the linter's complaints about overflows. Could probably use another once over. Thanks. |
mergify bot
pushed a commit
that referenced
this pull request
Dec 3, 2025
* nfs xdr sanitization
* Add integration test
This test caused a crash prior to this PR
pcap captured when running the following:
```bash
nc -l 12049 >/dev/null
```
and in a different shell
```python
import socket, struct, time
dest = ("127.0.0.1", 12049)
frag_header = struct.pack("!I", 0x80000001)
payload = b"\x00"
with socket.create_connection(dest, timeout=5) as sock:
sock.sendall(frag_header + payload)
time.sleep(0.2)
```
* Add changelog fragment
* Update changelog/fragments/1764181634-rpc_fragment_sanitization.yaml
Co-authored-by: Mykola Kmet <[email protected]>
* review suggestions
- add return for consistency
- add failure case unit tests
* Appease the linter
---------
Co-authored-by: Mykola Kmet <[email protected]>
(cherry picked from commit afbccd1)
mergify bot
pushed a commit
that referenced
this pull request
Dec 3, 2025
* nfs xdr sanitization
* Add integration test
This test caused a crash prior to this PR
pcap captured when running the following:
```bash
nc -l 12049 >/dev/null
```
and in a different shell
```python
import socket, struct, time
dest = ("127.0.0.1", 12049)
frag_header = struct.pack("!I", 0x80000001)
payload = b"\x00"
with socket.create_connection(dest, timeout=5) as sock:
sock.sendall(frag_header + payload)
time.sleep(0.2)
```
* Add changelog fragment
* Update changelog/fragments/1764181634-rpc_fragment_sanitization.yaml
Co-authored-by: Mykola Kmet <[email protected]>
* review suggestions
- add return for consistency
- add failure case unit tests
* Appease the linter
---------
Co-authored-by: Mykola Kmet <[email protected]>
(cherry picked from commit afbccd1)
mergify bot
pushed a commit
that referenced
this pull request
Dec 3, 2025
* nfs xdr sanitization
* Add integration test
This test caused a crash prior to this PR
pcap captured when running the following:
```bash
nc -l 12049 >/dev/null
```
and in a different shell
```python
import socket, struct, time
dest = ("127.0.0.1", 12049)
frag_header = struct.pack("!I", 0x80000001)
payload = b"\x00"
with socket.create_connection(dest, timeout=5) as sock:
sock.sendall(frag_header + payload)
time.sleep(0.2)
```
* Add changelog fragment
* Update changelog/fragments/1764181634-rpc_fragment_sanitization.yaml
Co-authored-by: Mykola Kmet <[email protected]>
* review suggestions
- add return for consistency
- add failure case unit tests
* Appease the linter
---------
Co-authored-by: Mykola Kmet <[email protected]>
(cherry picked from commit afbccd1)
This was referenced Dec 3, 2025
nicholasberlin
added a commit
that referenced
this pull request
Dec 3, 2025
* nfs xdr sanitization
* Add integration test
This test caused a crash prior to this PR
pcap captured when running the following:
```bash
nc -l 12049 >/dev/null
```
and in a different shell
```python
import socket, struct, time
dest = ("127.0.0.1", 12049)
frag_header = struct.pack("!I", 0x80000001)
payload = b"\x00"
with socket.create_connection(dest, timeout=5) as sock:
sock.sendall(frag_header + payload)
time.sleep(0.2)
```
* Add changelog fragment
* Update changelog/fragments/1764181634-rpc_fragment_sanitization.yaml
* review suggestions
- add return for consistency
- add failure case unit tests
* Appease the linter
---------
(cherry picked from commit afbccd1)
Co-authored-by: Nicholas Berlin <[email protected]>
Co-authored-by: Mykola Kmet <[email protected]>
nicholasberlin
added a commit
that referenced
this pull request
Dec 3, 2025
* nfs xdr sanitization
* Add integration test
This test caused a crash prior to this PR
pcap captured when running the following:
```bash
nc -l 12049 >/dev/null
```
and in a different shell
```python
import socket, struct, time
dest = ("127.0.0.1", 12049)
frag_header = struct.pack("!I", 0x80000001)
payload = b"\x00"
with socket.create_connection(dest, timeout=5) as sock:
sock.sendall(frag_header + payload)
time.sleep(0.2)
```
* Add changelog fragment
* Update changelog/fragments/1764181634-rpc_fragment_sanitization.yaml
* review suggestions
- add return for consistency
- add failure case unit tests
* Appease the linter
---------
(cherry picked from commit afbccd1)
Co-authored-by: Nicholas Berlin <[email protected]>
Co-authored-by: Mykola Kmet <[email protected]>
nicholasberlin
added a commit
that referenced
this pull request
Dec 3, 2025
* nfs xdr sanitization
* Add integration test
This test caused a crash prior to this PR
pcap captured when running the following:
```bash
nc -l 12049 >/dev/null
```
and in a different shell
```python
import socket, struct, time
dest = ("127.0.0.1", 12049)
frag_header = struct.pack("!I", 0x80000001)
payload = b"\x00"
with socket.create_connection(dest, timeout=5) as sock:
sock.sendall(frag_header + payload)
time.sleep(0.2)
```
* Add changelog fragment
* Update changelog/fragments/1764181634-rpc_fragment_sanitization.yaml
* review suggestions
- add return for consistency
- add failure case unit tests
* Appease the linter
---------
(cherry picked from commit afbccd1)
Co-authored-by: Nicholas Berlin <[email protected]>
Co-authored-by: Mykola Kmet <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed commit message
When the NFS protocol is enabled in Packetbeat, crafted ONC RPC/NFS traffic can cause the application to panic and exit due to unchecked XDR length fields and undersized RPC records. This affects both request and reply parsing paths.
This PR adds bounds checking and ignores malformed fragments via new error propagation.
Checklist
I have made corresponding changes to the documentationI have made corresponding change to the default configuration filesstresstest.shscript to run them under stress conditions and race detector to verify their stability../changelog/fragmentsusing the changelog tool.Author's Checklist
How to test this PR locally
There is a new test included in this PR, could revert the changes of the first commit and run the tests and see things go sideways.