search

delian / node-netflowv9

NetFlow Version 9 library for Node.JS
GNU General Public License v2.0
42 stars 14 forks source link

Fix out-of-range error when v9 packet contains padding #20

Closed prvak closed 6 years ago

prvak commented 6 years ago

I am getting netflow packets that are causing out-of-range error. They are coming from a Mikrotik router.

After some digging it appears that the Padding field's bytes are not included in the Length field (despite what documentation says) and the example is inconsistent with the padding description. Or maybe I misunderstand the description? screenshot from 2018-10-22 17-34-56

In any case the library should not crash regardless of the netflow packet content and the fix is pretty simple.

Failing example.js:

var NetFlowV9 = require('./netflowv9');
var buffer = Buffer.from('00090001165061ec3872f9de00006a7c000000000100002d16501f6616501f6600000001000000200001000000000000e000000102c000000000e0000001000000323556', 'hex');
var result = NetFlowV9.prototype.nfPktDecode(buffer, {});
console.log(result);

Output of the example above:

$ node example.js
internal/buffer.js:53
  throw new ERR_OUT_OF_RANGE(type || 'offset',
  ^

RangeError [ERR_OUT_OF_RANGE]: The value of "offset" is out of range. It must be >= 0 and <= 1. Received 2
    at boundsError (internal/buffer.js:53:9)
    at Buffer.readUInt16BE (internal/buffer.js:219:5)
    at EventEmitter.nf9PktDecode (./js/nf9/nf9decode.js:162:23)
    at EventEmitter.nfPktDecode (./netflowv9.js:33:25)

Output of the example after this PR:

{ header:
   { version: 9,
     count: 1,
     uptime: 374366700,
     seconds: 947059166,
     sequence: 27260,
     sourceId: 0 },
  flows: [] }
delian commented 6 years ago

Give me a bit of time to fix that

Delian

On Mon, Oct 22, 2018 at 6:05 PM Michal Mašek notifications@github.com wrote:

I am getting netflow packets that are causing out-of-range error. They are coming from a Mikrotik router.

After some digging it appears that the Padding field's bytes are not included in the Length field (despite what documentation says https://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html) and the example is inconsistent with the padding description. Or maybe I misunderstand the description? [image: screenshot from 2018-10-22 17-34-56] https://user-images.githubusercontent.com/2436340/47302471-db852100-d621-11e8-9f22-c7e1ce9ec962.png

In any case the library should not crash regardless of the netflow packet content and the fix is pretty simple.

Failing example.js:

var NetFlowV9 = require('./netflowv9');var buffer = Buffer.from('00090001165061ec3872f9de00006a7c000000000100002d16501f6616501f6600000001000000200001000000000000e000000102c000000000e0000001000000323556', 'hex');var result = NetFlowV9.prototype.nfPktDecode(buffer, {});console.log(result);

Output of the example above:

$ node example.js internal/buffer.js:53 throw new ERR_OUT_OF_RANGE(type || 'offset', ^

RangeError [ERR_OUT_OF_RANGE]: The value of "offset" is out of range. It must be >= 0 and <= 1. Received 2 at boundsError (internal/buffer.js:53:9) at Buffer.readUInt16BE (internal/buffer.js:219:5) at EventEmitter.nf9PktDecode (./js/nf9/nf9decode.js:162:23) at EventEmitter.nfPktDecode (./netflowv9.js:33:25)

Output of the example after this PR:

{ header: { version: 9, count: 1, uptime: 374366700, seconds: 947059166, sequence: 27260, sourceId: 0 }, flows: [] }

You can view, comment on, or merge this pull request online at:

https://github.com/delian/node-netflowv9/pull/20 Commit Summary

  • Fix out-of-range error when v9 packet contains padding

File Changes

Patch Links:

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/delian/node-netflowv9/pull/20, or mute the thread https://github.com/notifications/unsubscribe-auth/AAG7ZnoaSspsIdjUBiasR2suJ0-8WVQIks5uney5gaJpZM4Xzqfm .

delian commented 6 years ago

This one now should be fixed (in version 0.2.16). Please check

Delian

On Tue, Oct 23, 2018 at 3:47 PM Delian Delchev delian.delchev@gmail.com wrote:

Give me a bit of time to fix that

Delian

On Mon, Oct 22, 2018 at 6:05 PM Michal Mašek notifications@github.com wrote:

I am getting netflow packets that are causing out-of-range error. They are coming from a Mikrotik router.

After some digging it appears that the Padding field's bytes are not included in the Length field (despite what documentation says https://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html) and the example is inconsistent with the padding description. Or maybe I misunderstand the description? [image: screenshot from 2018-10-22 17-34-56] https://user-images.githubusercontent.com/2436340/47302471-db852100-d621-11e8-9f22-c7e1ce9ec962.png

In any case the library should not crash regardless of the netflow packet content and the fix is pretty simple.

Failing example.js:

var NetFlowV9 = require('./netflowv9');var buffer = Buffer.from('00090001165061ec3872f9de00006a7c000000000100002d16501f6616501f6600000001000000200001000000000000e000000102c000000000e0000001000000323556', 'hex');var result = NetFlowV9.prototype.nfPktDecode(buffer, {});console.log(result);

Output of the example above:

$ node example.js internal/buffer.js:53 throw new ERR_OUT_OF_RANGE(type || 'offset', ^

RangeError [ERR_OUT_OF_RANGE]: The value of "offset" is out of range. It must be >= 0 and <= 1. Received 2 at boundsError (internal/buffer.js:53:9) at Buffer.readUInt16BE (internal/buffer.js:219:5) at EventEmitter.nf9PktDecode (./js/nf9/nf9decode.js:162:23) at EventEmitter.nfPktDecode (./netflowv9.js:33:25)

Output of the example after this PR:

{ header: { version: 9, count: 1, uptime: 374366700, seconds: 947059166, sequence: 27260, sourceId: 0 }, flows: [] }

You can view, comment on, or merge this pull request online at:

https://github.com/delian/node-netflowv9/pull/20 Commit Summary

  • Fix out-of-range error when v9 packet contains padding

File Changes

Patch Links:

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/delian/node-netflowv9/pull/20, or mute the thread https://github.com/notifications/unsubscribe-auth/AAG7ZnoaSspsIdjUBiasR2suJ0-8WVQIks5uney5gaJpZM4Xzqfm .

prvak commented 6 years ago

Looks good, thanks! I'll close this PR.