From 1255a67fdec2fc44cd49b6ea8c463f4319910812 Mon Sep 17 00:00:00 2001
From: Jiri Vymazal
Date: Wed, 27 Feb 2019 11:57:49 +0100
Subject: [PATCH] Enlarged msg offset types for bigger structured messages

using a large enough (dozens of kBs) structured message it is possible to overflow the signed short type which leads to rsyslog crash.
---
 runtime/msg.c | 12 ++++++------
 runtime/msg.h | 8 ++++----
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/runtime/msg.c b/runtime/msg.c
index b82c38b9ee..96306bbeab 100644
--- a/runtime/msg.c
+++ b/runtime/msg.c
@@ -839,7 +839,7 @@ msgBaseConstruct(smsg_t **ppThis)
 pM->iFacility = LOG_INVLD;
 pM->iLenPROGNAME = -1;
 pM->offAfterPRI = 0;
-pM->offMSG = -1;
+pM->offMSG = 0;
 pM->iProtocolVersion = 0;
 pM->msgFlags = 0;
 pM->iLenRawMsg = 0;
@@ -2167,7 +2167,7 @@ MsgSetFlowControlType(smsg_t * const pMsg, flowControl_t eFlowCtl)
 * rgerhards, 2009-06-16
 */
 rsRetVal
-MsgSetAfterPRIOffs(smsg_t * const pMsg, short offs)
+MsgSetAfterPRIOffs(smsg_t * const pMsg, uint32_t offs)
 {
 assert(pMsg != NULL);
 pMsg->offAfterPRI = offs;
@@ -2819,12 +2819,12 @@ void MsgSetHOSTNAME(smsg_t *pThis, const uchar* pszHOSTNAME, const int lenHOSTNA
 * (exactly by one). This can happen if we have a message that does not
 * contain any MSG part.
 */
-void MsgSetMSGoffs(smsg_t * const pMsg, short offs)
+void MsgSetMSGoffs(smsg_t * const pMsg, uint32_t offs)
 {
 ISOBJ_TYPE_assert(pMsg, msg);
 pMsg->offMSG = offs;
-if(offs > pMsg->iLenRawMsg) {
-assert(offs - 1 == pMsg->iLenRawMsg);
+if(offs > (uint32_t)pMsg->iLenRawMsg) {
+assert((int)offs - 1 == pMsg->iLenRawMsg);
 pMsg->iLenMSG = 0;
 } else {
 pMsg->iLenMSG = pMsg->iLenRawMsg - offs;
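Review bot: The new default `pM->offMSG = 0;` silently drops the -1 "not yet set" sentinel, and nothing in the hunk or in the field comment says that 0 now doubles as "unset" and "MSG part starts at the first byte". For the comparison in the @@ -2920 hunk this is an observable change only when iLenRawMsg is 0 and offMSG was never set: the old `0 > -1` took the `iLenMSG += deltaSize` branch, the new `0 > 0` takes the `iLenMSG = 0` branch, which looks like the better result but should be a deliberate choice rather than a side effect. Any other code that tested offMSG for a negative value would now never match, so a search for such tests is worth doing before merging. Suggested comment on the changed line: `pM->offMSG = 0; /* unsigned now: there is no "unset" sentinel, 0 also means the MSG part starts at byte 0 */`. msgBaseConstruct starts and ends outside the hunk.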
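Review bot: In MsgSetMSGoffs the only check that keeps offMSG within the raw message is still an `assert`, which is compiled out under NDEBUG, so a release build stores an offset beyond iLenRawMsg + 1 and continues with iLenMSG = 0 — for a change motivated by oversized messages that guard should survive in production builds. A clamp placed before `pMsg->offMSG = offs;` keeps the case the comment above the function already documents (offs == iLenRawMsg + 1, no MSG part) as the maximum: `if(offs > (uint32_t)pMsg->iLenRawMsg + 1) offs = (uint32_t)pMsg->iLenRawMsg + 1;`. The casts `(uint32_t)pMsg->iLenRawMsg` here and in the @@ -2920 hunk, and the subtraction `pMsg->iLenRawMsg - offs` that is now evaluated as uint32_t and narrowed back into the `int` iLenMSG, are only sound while iLenRawMsg is non-negative and offs <= iLenRawMsg; since iLenRawMsg and iLenMSG stay `int` in the header hunk, a comment stating that invariant at the top of the function would save the next reader the analysis. The function body continues past the end of the hunk.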
@@ -2920,7 +2920,7 @@ MsgSetRawMsg(smsg_t *const pThis, const char*const pszRawMsg, const size_t lenMs
 memcpy(pThis->pszRawMsg, pszRawMsg, pThis->iLenRawMsg);
 pThis->pszRawMsg[pThis->iLenRawMsg] = '\0'; /* this also works with truncation! */
 /* correct other information */
-if(pThis->iLenRawMsg > pThis->offMSG)
+if((uint32_t)pThis->iLenRawMsg > pThis->offMSG)
 pThis->iLenMSG += deltaSize;
 else
 pThis->iLenMSG = 0;
diff --git a/runtime/msg.h b/runtime/msg.h
index 74439275b1..722cca6e8a 100644
--- a/runtime/msg.h
+++ b/runtime/msg.h
@@ -67,8 +67,8 @@ struct msg {
 sbool bParseSuccess; /* set to reflect state of last executed higher level parser */
 unsigned short iSeverity;/* the severity */
 unsigned short iFacility;/* Facility code */
-short offAfterPRI; /* offset, at which raw message WITHOUT PRI part starts in pszRawMsg */
-short offMSG; /* offset at which the MSG part starts in pszRawMsg */
+uint32_t offAfterPRI; /* offset, at which raw message WITHOUT PRI part starts in pszRawMsg */
+uint32_t offMSG; /* offset at which the MSG part starts in pszRawMsg */
 short iProtocolVersion;/* protocol version of message received 0 - legacy, 1 syslog-protocol) */
 int msgFlags; /* flags associated with this message */
 int iLenRawMsg; /* length of raw message */
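Review bot: The new `uint32_t` fields in struct msg need `<stdint.h>` in scope in msg.h, and the hunk adds no include, so confirm the header already pulls it in rather than relying on include order in every translation unit that includes msg.h. The field comments should also record the range contract the msg.c hunks now depend on, because the two offsets are unsigned while iLenRawMsg (and iLenMSG) a few lines below stay `int` and are compared against them through casts: `uint32_t offMSG; /* offset at which the MSG part starts in pszRawMsg; at most iLenRawMsg + 1 (== no MSG part) */`, and likewise for offAfterPRI. struct msg starts and ends outside the hunk.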
@@ -194,8 +194,8 @@ void MsgSetRcvFromStr(smsg_t *const pMsg, const uchar* pszRcvFrom, const int, pr
 rsRetVal MsgSetRcvFromIP(smsg_t *pMsg, prop_t*);
 rsRetVal MsgSetRcvFromIPStr(smsg_t *const pThis, const uchar *psz, const int len, prop_t **ppProp);
 void MsgSetHOSTNAME(smsg_t *pMsg, const uchar* pszHOSTNAME, const int lenHOSTNAME);
-rsRetVal MsgSetAfterPRIOffs(smsg_t *pMsg, short offs);
-void MsgSetMSGoffs(smsg_t *pMsg, short offs);
+rsRetVal MsgSetAfterPRIOffs(smsg_t *pMsg, uint32_t offs);
+void MsgSetMSGoffs(smsg_t *pMsg, uint32_t offs);
 void MsgSetRawMsgWOSize(smsg_t *pMsg, char* pszRawMsg);
 void ATTR_NONNULL() MsgSetRawMsg(smsg_t *const pThis, const char*const pszRawMsg, const size_t lenMsg);
 rsRetVal MsgReplaceMSG(smsg_t *pThis, const uchar* pszMSG, int lenMSG);