From 1255a67fdec2fc44cd49b6ea8c463f4319910812 Mon Sep 17 00:00:00 2001

From: Jiri Vymazal <jvymazal@redhat.com>

Date: Wed, 27 Feb 2019 11:57:49 +0100

Subject: [PATCH] Enlarged msg offset types for bigger structured messages

using a large enough (dozens of kBs) structured message

it is possible to overflow the signed short type which leads

to rsyslog crash.

---

 runtime/msg.c | 12 ++++++------

 runtime/msg.h |  8 ++++----

 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/runtime/msg.c b/runtime/msg.c

index b82c38b9ee..96306bbeab 100644

--- a/runtime/msg.c

+++ b/runtime/msg.c

@@ -839,7 +839,7 @@ msgBaseConstruct(smsg_t **ppThis)

 	pM->iFacility = LOG_INVLD;

 	pM->iLenPROGNAME = -1;

 	pM->offAfterPRI = 0;

-	pM->offMSG = -1;

+	pM->offMSG = 0;

 	pM->iProtocolVersion = 0;

 	pM->msgFlags = 0;

 	pM->iLenRawMsg = 0;

@@ -2167,7 +2167,7 @@ MsgSetFlowControlType(smsg_t * const pMsg, flowControl_t eFlowCtl)

  * rgerhards, 2009-06-16

  */

 rsRetVal

-MsgSetAfterPRIOffs(smsg_t * const pMsg, short offs)

+MsgSetAfterPRIOffs(smsg_t * const pMsg, uint32_t offs)

 {

 	assert(pMsg != NULL);

 	pMsg->offAfterPRI = offs;

@@ -2819,12 +2819,12 @@ void MsgSetHOSTNAME(smsg_t *pThis, const uchar* pszHOSTNAME, const int lenHOSTNA

  * (exactly by one). This can happen if we have a message that does not

  * contain any MSG part.

  */

-void MsgSetMSGoffs(smsg_t * const pMsg, short offs)

+void MsgSetMSGoffs(smsg_t * const pMsg, uint32_t offs)

 {

 	ISOBJ_TYPE_assert(pMsg, msg);

 	pMsg->offMSG = offs;

-	if(offs > pMsg->iLenRawMsg) {

-		assert(offs - 1 == pMsg->iLenRawMsg);

+	if(offs > (uint32_t)pMsg->iLenRawMsg) {

+		assert((int)offs - 1 == pMsg->iLenRawMsg);

 		pMsg->iLenMSG = 0;

 	} else {

 		pMsg->iLenMSG = pMsg->iLenRawMsg - offs;

@@ -2920,7 +2920,7 @@ MsgSetRawMsg(smsg_t *const pThis, const char*const pszRawMsg, const size_t lenMs

 	memcpy(pThis->pszRawMsg, pszRawMsg, pThis->iLenRawMsg);

 	pThis->pszRawMsg[pThis->iLenRawMsg] = '\0'; /* this also works with truncation! */

 	/* correct other information */

-	if(pThis->iLenRawMsg > pThis->offMSG)

+	if((uint32_t)pThis->iLenRawMsg > pThis->offMSG)

 		pThis->iLenMSG += deltaSize;

 	else

 		pThis->iLenMSG = 0;

diff --git a/runtime/msg.h b/runtime/msg.h

index 74439275b1..722cca6e8a 100644

--- a/runtime/msg.h

+++ b/runtime/msg.h

@@ -67,8 +67,8 @@ struct msg {

 	sbool	bParseSuccess;	/* set to reflect state of last executed higher level parser */

 	unsigned short	iSeverity;/* the severity  */

 	unsigned short	iFacility;/* Facility code */

-	short	offAfterPRI;	/* offset, at which raw message WITHOUT PRI part starts in pszRawMsg */

-	short	offMSG;		/* offset at which the MSG part starts in pszRawMsg */

+	uint32_t offAfterPRI;	/* offset, at which raw message WITHOUT PRI part starts in pszRawMsg */

+	uint32_t offMSG;		/* offset at which the MSG part starts in pszRawMsg */

 	short	iProtocolVersion;/* protocol version of message received 0 - legacy, 1 syslog-protocol) */

 	int	msgFlags;	/* flags associated with this message */

 	int	iLenRawMsg;	/* length of raw message */

@@ -194,8 +194,8 @@ void MsgSetRcvFromStr(smsg_t *const pMsg, const uchar* pszRcvFrom, const int, pr

 rsRetVal MsgSetRcvFromIP(smsg_t *pMsg, prop_t*);

 rsRetVal MsgSetRcvFromIPStr(smsg_t *const pThis, const uchar *psz, const int len, prop_t **ppProp);

 void MsgSetHOSTNAME(smsg_t *pMsg, const uchar* pszHOSTNAME, const int lenHOSTNAME);

-rsRetVal MsgSetAfterPRIOffs(smsg_t *pMsg, short offs);

-void MsgSetMSGoffs(smsg_t *pMsg, short offs);

+rsRetVal MsgSetAfterPRIOffs(smsg_t *pMsg, uint32_t offs);

+void MsgSetMSGoffs(smsg_t *pMsg, uint32_t offs);

 void MsgSetRawMsgWOSize(smsg_t *pMsg, char* pszRawMsg);

 void ATTR_NONNULL() MsgSetRawMsg(smsg_t *const pThis, const char*const pszRawMsg, const size_t lenMsg);

 rsRetVal MsgReplaceMSG(smsg_t *pThis, const uchar* pszMSG, int lenMSG);