valeriyvdovin / rpms / systemd

Forked from rpms/systemd 4 years ago
Clone

Blame SOURCES/0668-journal-remote-set-a-limit-on-the-number-of-fields-i.patch

23b3cf
From 95ec0c76b4ee758012bc6c282c5299baee5ae451 Mon Sep 17 00:00:00 2001
23b3cf
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
23b3cf
Date: Thu, 3 Jan 2019 16:28:30 +0100
23b3cf
Subject: [PATCH] journal-remote: set a limit on the number of fields in a
23b3cf
 message
23b3cf
23b3cf
Existing use of E2BIG is replaced with ENOBUFS (entry too long), and E2BIG is
23b3cf
reused for the new error condition (too many fields).
23b3cf
23b3cf
This matches the change done for systemd-journald, hence forming the second
23b3cf
part of the fix for CVE-2018-16865
23b3cf
(https://bugzilla.redhat.com/show_bug.cgi?id=1653861).
23b3cf
23b3cf
Resolves: #1657792
23b3cf
---
23b3cf
 src/journal-remote/journal-remote-parse.c |  2 +-
23b3cf
 src/journal-remote/journal-remote-write.c |  3 +++
23b3cf
 src/journal-remote/journal-remote.c       | 14 ++++++++++++--
23b3cf
 3 files changed, 16 insertions(+), 3 deletions(-)
23b3cf
23b3cf
diff --git a/src/journal-remote/journal-remote-parse.c b/src/journal-remote/journal-remote-parse.c
23b3cf
index 64089da19..53f4e3612 100644
23b3cf
--- a/src/journal-remote/journal-remote-parse.c
23b3cf
+++ b/src/journal-remote/journal-remote-parse.c
23b3cf
@@ -107,7 +107,7 @@ static int get_line(RemoteSource *source, char **line, size_t *size) {
23b3cf
                 source->scanned = source->filled;
23b3cf
                 if (source->scanned >= DATA_SIZE_MAX) {
23b3cf
                         log_error("Entry is bigger than %u bytes.", DATA_SIZE_MAX);
23b3cf
-                        return -E2BIG;
23b3cf
+                        return -ENOBUFS;
23b3cf
                 }
23b3cf
 
23b3cf
                 if (source->passive_fd)
23b3cf
diff --git a/src/journal-remote/journal-remote-write.c b/src/journal-remote/journal-remote-write.c
23b3cf
index 99820fa7b..99920e62c 100644
23b3cf
--- a/src/journal-remote/journal-remote-write.c
23b3cf
+++ b/src/journal-remote/journal-remote-write.c
23b3cf
@@ -22,6 +22,9 @@
23b3cf
 #include "journal-remote.h"
23b3cf
 
23b3cf
 int iovw_put(struct iovec_wrapper *iovw, void* data, size_t len) {
23b3cf
+        if (iovw->count >= ENTRY_FIELD_COUNT_MAX)
23b3cf
+                return -E2BIG;
23b3cf
+
23b3cf
         if (!GREEDY_REALLOC(iovw->iovec, iovw->size_bytes, iovw->count + 1))
23b3cf
                 return log_oom();
23b3cf
 
23b3cf
diff --git a/src/journal-remote/journal-remote.c b/src/journal-remote/journal-remote.c
23b3cf
index a455fb6bd..e65daf6a0 100644
23b3cf
--- a/src/journal-remote/journal-remote.c
23b3cf
+++ b/src/journal-remote/journal-remote.c
23b3cf
@@ -524,11 +524,18 @@ static int process_http_upload(
23b3cf
                         break;
23b3cf
                 else if (r < 0) {
23b3cf
                         log_warning("Failed to process data for connection %p", connection);
23b3cf
-                        if (r == -E2BIG)
23b3cf
+                        if (r == -ENOBUFS)
23b3cf
                                 return mhd_respondf(connection,
23b3cf
                                                     MHD_HTTP_REQUEST_ENTITY_TOO_LARGE,
23b3cf
                                                     "Entry is too large, maximum is %u bytes.\n",
23b3cf
                                                     DATA_SIZE_MAX);
23b3cf
+
23b3cf
+                        else if (r == -E2BIG)
23b3cf
+                                return mhd_respondf(connection,
23b3cf
+                                                    MHD_HTTP_REQUEST_ENTITY_TOO_LARGE,
23b3cf
+                                                    "Entry with more fields than the maximum of %u\n",
23b3cf
+                                                    ENTRY_FIELD_COUNT_MAX);
23b3cf
+
23b3cf
                         else
23b3cf
                                 return mhd_respondf(connection,
23b3cf
                                                     MHD_HTTP_UNPROCESSABLE_ENTITY,
23b3cf
@@ -1043,7 +1050,10 @@ static int handle_raw_source(sd_event_source *event,
23b3cf
                 log_debug("%zu active sources remaining", s->active);
23b3cf
                 return 0;
23b3cf
         } else if (r == -E2BIG) {
23b3cf
-                log_notice_errno(E2BIG, "Entry too big, skipped");
23b3cf
+                log_notice_errno(E2BIG, "Entry with too many fields, skipped");
23b3cf
+                return 1;
23b3cf
+        } else if (r == -ENOBUFS) {
23b3cf
+                log_notice_errno(ENOBUFS, "Entry too big, skipped");
23b3cf
                 return 1;
23b3cf
         } else if (r == -EAGAIN) {
23b3cf
                 return 0;