Skip to content

Commit

Permalink
Fixed DoS vulnerability in sFlow v5 plugin which caused crash of Fast…
Browse files Browse the repository at this point in the history
…NetMon with specially crafted packet. Reported by Evgeny Shtanov aka @Klavishnik
  • Loading branch information
pavel-odintsov committed Dec 12, 2024
1 parent a813f7d commit 5164a29
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 0 deletions.
3 changes: 3 additions & 0 deletions src/libsflow/libsflow.hpp
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,9 @@
// We need it for sanity checks
const uint32_t max_udp_packet_size = 65535;

// We need to limit number of samples by reasonable number
const int32_t max_sflow_sample_number = 256;

enum class sflow_sample_type_t : unsigned int {
FLOW_SAMPLE = 1,
COUNTER_SAMPLE = 2,
Expand Down
10 changes: 10 additions & 0 deletions src/sflow_plugin/sflow_collector.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -515,6 +515,16 @@ void parse_sflow_v5_packet(const uint8_t* payload_ptr, unsigned int payload_leng
return;
}

// As we're going to allocate memory using this value as number of elements
// we need to ensure that we capped it by reasonable value
if (sflow_header_accessor.get_datagram_samples_count() > max_sflow_sample_number) {
logger << log4cpp::Priority::ERROR << plugin_log_prefix
<< "Number of sFlow samples in packet " << sflow_header_accessor.get_datagram_samples_count()
<< " exceeds allowed maximum value " << max_sflow_sample_number;
sflow_bad_packets++;
return;
}

std::vector<sample_tuple_t> samples_vector;
samples_vector.reserve(sflow_header_accessor.get_datagram_samples_count());

Expand Down

0 comments on commit 5164a29

Please sign in to comment.