Added sanity check in IPFIX code to avoid reading outside of our memo…

…ry region. Reported by Evgeny Shtanov Closes: #1030
pavel-odintsov · Dec 13, 2024 · e9c64a8 · e9c64a8
1 parent d7b0e40
commit e9c64a8
Showing 1 changed file with 11 additions and 8 deletions.
diff --git a/src/netflow_plugin/ipfix_collector.cpp b/src/netflow_plugin/ipfix_collector.cpp
@@ -1578,19 +1578,22 @@ bool process_ipfix_packet(const uint8_t* packet,
             return false;
         }
 
+        // Check that we have enough space in packet to read flowset header
+        if (offset + sizeof(ipfix_flowset_header_common_t) > ipfix_packet_length) {
+            logger << log4cpp::Priority::ERROR
+                   << "Flowset is too short: we do not have space for flowset header. "
+                   << "IPFIX packet agent IP:" << client_addres_in_string_format
+                   << " flowset number: " << flowset_number << " offset: " << offset << " packet_length: " << ipfix_packet_length;
+            return false;
+        }
+
         const ipfix_flowset_header_common_t* flowset = (const ipfix_flowset_header_common_t*)(packet + offset);
 
         uint32_t flowset_id     = ntohs(flowset->flowset_id);
         uint32_t flowset_length = ntohs(flowset->length);
 
-        /*
-         * Yes, this is a near duplicate of the short packet check
-         * above, but this one validates the flowset length from in
-         * the packet before we pass it to the flowset-specific
-         * handlers below.
-         */
-
-        if (offset + flowset_length > ipfix_packet_length) {
+        // One more check to ensure that we have enough space in packet to read whole flowset
+	if (offset + flowset_length > ipfix_packet_length) {
             logger << log4cpp::Priority::ERROR
                    << "We tried to read from address outside IPFIX packet flowset agent IP: " << client_addres_in_string_format;
             return false;