From 95ec0c76b4ee758012bc6c282c5299baee5ae451 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Thu, 3 Jan 2019 16:28:30 +0100
Subject: [PATCH] journal-remote: set a limit on the number of fields in a
 message

Existing use of E2BIG is replaced with ENOBUFS (entry too long), and E2BIG is
reused for the new error condition (too many fields).

This matches the change done for systemd-journald, hence forming the second
part of the fix for CVE-2018-16865
(https://bugzilla.redhat.com/show_bug.cgi?id=1653861).

Resolves: #1657792
---
 src/journal-remote/journal-remote-parse.c |  2 +-
 src/journal-remote/journal-remote-write.c |  3 +++
 src/journal-remote/journal-remote.c       | 14 ++++++++++++--
 3 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/src/journal-remote/journal-remote-parse.c b/src/journal-remote/journal-remote-parse.c
index 64089da19..53f4e3612 100644
--- a/src/journal-remote/journal-remote-parse.c
+++ b/src/journal-remote/journal-remote-parse.c
@@ -107,7 +107,7 @@ static int get_line(RemoteSource *source, char **line, size_t *size) {
                 source->scanned = source->filled;
                 if (source->scanned >= DATA_SIZE_MAX) {
                         log_error("Entry is bigger than %u bytes.", DATA_SIZE_MAX);
-                        return -E2BIG;
+                        return -ENOBUFS;
                 }
 
                 if (source->passive_fd)
diff --git a/src/journal-remote/journal-remote-write.c b/src/journal-remote/journal-remote-write.c
index 99820fa7b..99920e62c 100644
--- a/src/journal-remote/journal-remote-write.c
+++ b/src/journal-remote/journal-remote-write.c
@@ -22,6 +22,9 @@
 #include "journal-remote.h"
 
 int iovw_put(struct iovec_wrapper *iovw, void* data, size_t len) {
+        if (iovw->count >= ENTRY_FIELD_COUNT_MAX)
+                return -E2BIG;
+
         if (!GREEDY_REALLOC(iovw->iovec, iovw->size_bytes, iovw->count + 1))
                 return log_oom();
 
diff --git a/src/journal-remote/journal-remote.c b/src/journal-remote/journal-remote.c
index a455fb6bd..e65daf6a0 100644
--- a/src/journal-remote/journal-remote.c
+++ b/src/journal-remote/journal-remote.c
@@ -524,11 +524,18 @@ static int process_http_upload(
                         break;
                 else if (r < 0) {
                         log_warning("Failed to process data for connection %p", connection);
-                        if (r == -E2BIG)
+                        if (r == -ENOBUFS)
                                 return mhd_respondf(connection,
                                                     MHD_HTTP_REQUEST_ENTITY_TOO_LARGE,
                                                     "Entry is too large, maximum is %u bytes.\n",
                                                     DATA_SIZE_MAX);
+
+                        else if (r == -E2BIG)
+                                return mhd_respondf(connection,
+                                                    MHD_HTTP_REQUEST_ENTITY_TOO_LARGE,
+                                                    "Entry with more fields than the maximum of %u\n",
+                                                    ENTRY_FIELD_COUNT_MAX);
+
                         else
                                 return mhd_respondf(connection,
                                                     MHD_HTTP_UNPROCESSABLE_ENTITY,
@@ -1043,7 +1050,10 @@ static int handle_raw_source(sd_event_source *event,
                 log_debug("%zu active sources remaining", s->active);
                 return 0;
         } else if (r == -E2BIG) {
-                log_notice_errno(E2BIG, "Entry too big, skipped");
+                log_notice_errno(E2BIG, "Entry with too many fields, skipped");
+                return 1;
+        } else if (r == -ENOBUFS) {
+                log_notice_errno(ENOBUFS, "Entry too big, skipped");
                 return 1;
         } else if (r == -EAGAIN) {
                 return 0;