[9.2](backport #47803) [Packetbeat] rpc fragment bounds checking #47896
+560
−92
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* nfs xdr sanitization
* Add integration test
This test caused a crash prior to this PR
pcap captured when running the following:
```bash
nc -l 12049 >/dev/null
```
and in a different shell
```python
import socket, struct, time
dest = ("127.0.0.1", 12049)
frag_header = struct.pack("!I", 0x80000001)
payload = b"\x00"
with socket.create_connection(dest, timeout=5) as sock:
sock.sendall(frag_header + payload)
time.sleep(0.2)
```
* Add changelog fragment
* Update changelog/fragments/1764181634-rpc_fragment_sanitization.yaml
Co-authored-by: Mykola Kmet <[email protected]>
* review suggestions
- add return for consistency
- add failure case unit tests
* Appease the linter
---------
Co-authored-by: Mykola Kmet <[email protected]>
(cherry picked from commit afbccd1)
mergify
bot
requested review from
belimawr and
rdner
and removed request for
a team
botelastic
bot
added
the
needs_team
Contributor
🤖 GitHub commentsJust comment with:
|
github-actions
bot
added
bug
bugfix
Team:Security-Linux Platform
botelastic
bot
removed
the
needs_team
Contributor
|
Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform) |
nicholasberlin
approved these changes
Dec 3, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed commit message
When the NFS protocol is enabled in Packetbeat, crafted ONC RPC/NFS traffic can cause the application to panic and exit due to unchecked XDR length fields and undersized RPC records. This affects both request and reply parsing paths.
This PR adds bounds checking and ignores malformed fragments via new error propagation.
Checklist
I have made corresponding changes to the documentationI have made corresponding change to the default configuration filesstresstest.shscript to run them under stress conditions and race detector to verify their stability../changelog/fragmentsusing the changelog tool.Author's Checklist
How to test this PR locally
There is a new test included in this PR, could revert the changes of the first commit and run the tests and see things go sideways.
This is an automatic backport of pull request #47803 done by [Mergify](https://mergify.com).