Blame SOURCES/rsyslog-8.24.0-rhbz1658288-imptcp-octet-segfault.patch

ee3a35
From 0381a0de64a5a048c3d48b79055bd9848d0c7fc2 Mon Sep 17 00:00:00 2001
ee3a35
From: PascalWithopf <pwithopf@adiscon.com>
ee3a35
Date: Wed, 19 Apr 2017 13:06:30 +0200
ee3a35
Subject: [PATCH] imptcp: fix Segmentation Fault when octet count is to high
ee3a35
ee3a35
---
ee3a35
 plugins/imptcp/imptcp.c                   | 14 ++++++-
ee3a35
 1 files changed, 12 insertions(+), 2 deletions(-)
ee3a35
ee3a35
diff --git a/plugins/imptcp/imptcp.c b/plugins/imptcp/imptcp.c
ee3a35
index acf0dcd25..b9a4e2fdf 100644
ee3a35
--- a/plugins/imptcp/imptcp.c
ee3a35
+++ b/plugins/imptcp/imptcp.c
ee3a35
@@ -902,7 +902,16 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis,
ee3a35
 
ee3a35
 	if(pThis->inputState == eInOctetCnt) {
ee3a35
 		if(isdigit(c)) {
ee3a35
-			pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
ee3a35
+			if(pThis->iOctetsRemain <= 200000000) {
ee3a35
+				pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
ee3a35
+			} else {
ee3a35
+				errmsg.LogError(0, NO_ERRCODE, "Framing Error in received TCP message: "
ee3a35
+						"frame too large (at least %d%c), change to octet stuffing",
ee3a35
+						pThis->iOctetsRemain, c);
ee3a35
+				pThis->eFraming = TCP_FRAMING_OCTET_STUFFING;
ee3a35
+				pThis->inputState = eInMsg;
ee3a35
+			}
ee3a35
+			*(pThis->pMsg + pThis->iMsg++) = c;
ee3a35
 		} else { /* done with the octet count, so this must be the SP terminator */
ee3a35
 			DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
ee3a35
 			if(c != ' ') {
ee3a35
@@ -911,9 +920,9 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis,
ee3a35
 			}
ee3a35
 			if(pThis->iOctetsRemain < 1) {
ee3a35
 				/* TODO: handle the case where the octet count is 0! */
ee3a35
-				DBGPRINTF("Framing Error: invalid octet count\n");
ee3a35
 				errmsg.LogError(0, NO_ERRCODE, "Framing Error in received TCP message: "
ee3a35
 					    "invalid octet count %d.", pThis->iOctetsRemain);
ee3a35
+				pThis->eFraming = TCP_FRAMING_OCTET_STUFFING;
ee3a35
 			} else if(pThis->iOctetsRemain > iMaxLine) {
ee3a35
 				/* while we can not do anything against it, we can at least log an indication
ee3a35
 				 * that something went wrong) -- rgerhards, 2008-03-14
ee3a35
@@ -924,6 +933,7 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis,
ee3a35
 					        "max msg size is %d, truncating...", pThis->iOctetsRemain, iMaxLine);
ee3a35
 			}
ee3a35
 			pThis->inputState = eInMsg;
ee3a35
+			pThis->iMsg = 0;
ee3a35
 		}
ee3a35
 	} else {
ee3a35
 		assert(pThis->inputState == eInMsg);