File CVE-2022-38725-Fix-buffer-handling-of-syslog-pa... of Package syslog-ng.27530

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2022-38725-Fix-buffer-handling-of-syslog-parsers.patch of Package syslog-ng.27530

From 0597c1a1a47ff5593a7c6a9d9505195a960383e7 Mon Sep 17 00:00:00 2001
From: Thomas Blume <Thomas.Blume@suse.com>
Date: Tue, 24 Jan 2023 17:21:28 +0100
Subject: [PATCH] CVE-2022-38725 Fix buffer handling of syslog parsers

bsc#1207460
---
 lib/str-format.c                     | 59 +++++++++++++++-------------
 modules/syslogformat/syslog-format.c | 15 ++++---
 2 files changed, 41 insertions(+), 33 deletions(-)

diff --git a/lib/str-format.c b/lib/str-format.c
index 4b9e20613..31182fcda 100644
--- a/lib/str-format.c
+++ b/lib/str-format.c
@@ -303,41 +303,43 @@ scan_day_abbrev(const gchar **buf, gint *left, gint *wday)
 {
   *wday = -1;
 
-  if (*left < 3)
+  const gsize abbrev_length = 3;
+
+  if (*left < abbrev_length)
     return FALSE;
 
   switch (**buf)
     {
     case 'S':
-      if (memcmp(*buf, "Sun", 3) == 0)
+      if (memcmp(*buf, "Sun", abbrev_length) == 0)
         *wday = 0;
-      else if (memcmp(*buf, "Sat", 3) == 0)
+      else if (memcmp(*buf, "Sat", abbrev_length) == 0)
         *wday = 6;
       break;
     case 'M':
-      if (memcmp(*buf, "Mon", 3) == 0)
+      if (memcmp(*buf, "Mon", abbrev_length) == 0)
         *wday = 1;
       break;
     case 'T':
-      if (memcmp(*buf, "Tue", 3) == 0)
+      if (memcmp(*buf, "Tue", abbrev_length) == 0)
         *wday = 2;
-      else if (memcmp(*buf, "Thu", 3) == 0)
+      else if (memcmp(*buf, "Thu", abbrev_length) == 0)
         *wday = 4;
       break;
     case 'W':
-      if (memcmp(*buf, "Wed", 3) == 0)
-        *wday = 3;
+      if (memcmp(*buf, "Wed", abbrev_length) == 0)
+        *wday = abbrev_length;
       break;
     case 'F':
-      if (memcmp(*buf, "Fri", 3) == 0)
+      if (memcmp(*buf, "Fri", abbrev_length) == 0)
         *wday = 5;
       break;
     default:
       return FALSE;
     }
 
-  (*buf) += 3;
-  (*left) -= 3;
+  (*buf) += abbrev_length;
+  (*left) -= abbrev_length;
   return TRUE;
 }
 
@@ -346,57 +348,60 @@ scan_month_abbrev(const gchar **buf, gint *left, gint *mon)
 {
   *mon = -1;
 
-  if (*left < 3)
+  const gsize abbrev_length = 3;
+
+  if (*left < abbrev_length)
+
     return FALSE;
 
   switch (**buf)
     {
     case 'J':
-      if (memcmp(*buf, "Jan", 3) == 0)
+      if (memcmp(*buf, "Jan", abbrev_length) == 0)
         *mon = 0;
-      else if (memcmp(*buf, "Jun", 3) == 0)
+      else if (memcmp(*buf, "Jun", abbrev_length) == 0)
         *mon = 5;
-      else if (memcmp(*buf, "Jul", 3) == 0)
+      else if (memcmp(*buf, "Jul", abbrev_length) == 0)
         *mon = 6;
       break;
     case 'F':
-      if (memcmp(*buf, "Feb", 3) == 0)
+      if (memcmp(*buf, "Feb", abbrev_length) == 0)
         *mon = 1;
       break;
     case 'M':
-      if (memcmp(*buf, "Mar", 3) == 0)
+      if (memcmp(*buf, "Mar", abbrev_length) == 0)
         *mon = 2;
-      else if (memcmp(*buf, "May", 3) == 0)
+      else if (memcmp(*buf, "May", abbrev_length) == 0)
         *mon = 4;
       break;
     case 'A':
-      if (memcmp(*buf, "Apr", 3) == 0)
-        *mon = 3;
-      else if (memcmp(*buf, "Aug", 3) == 0)
+      if (memcmp(*buf, "Apr", abbrev_length) == 0)
+        *mon = abbrev_length;
+      else if (memcmp(*buf, "Aug", abbrev_length) == 0)
         *mon = 7;
       break;
     case 'S':
-      if (memcmp(*buf, "Sep", 3) == 0)
+      if (memcmp(*buf, "Sep", abbrev_length) == 0)
         *mon = 8;
       break;
     case 'O':
-      if (memcmp(*buf, "Oct", 3) == 0)
+      if (memcmp(*buf, "Oct", abbrev_length) == 0)
         *mon = 9;
       break;
     case 'N':
-      if (memcmp(*buf, "Nov",3 ) == 0)
+      if (memcmp(*buf, "Nov",abbrev_length ) == 0)
         *mon = 10;
       break;
     case 'D':
-      if (memcmp(*buf, "Dec", 3) == 0)
+      if (memcmp(*buf, "Dec", abbrev_length) == 0)
         *mon = 11;
       break;
     default:
       return FALSE;
     }
 
-  (*buf) += 3;
-  (*left) -= 3;
+  (*buf) += abbrev_length;
+  (*left) -= abbrev_length;
   return TRUE;
 }
 
diff --git a/modules/syslogformat/syslog-format.c b/modules/syslogformat/syslog-format.c
index 9f894b462..d89ee7537 100644
--- a/modules/syslogformat/syslog-format.c
+++ b/modules/syslogformat/syslog-format.c
@@ -201,7 +201,7 @@ log_msg_parse_seq(LogMessage *self, const guchar **data, gint *length)
 
   /* if the next char is not space, then we may try to read a date */
 
-  if (*src != ' ')
+  if (!left || *src != ' ')
     return FALSE;
 
   log_msg_set_value(self, cisco_seqid, (gchar *) *data, *length - left - 1);
@@ -223,6 +223,9 @@ log_msg_parse_date(LogMessage *self, const guchar **data, gint *length, guint pa
 
   cached_g_current_time(&now);
 
+  if (!left)
+    return;
+
   if ((parse_flags & LP_SYSLOG_PROTOCOL) == 0)
     {
       /* Cisco timestamp extensions, the first '*' indicates that the clock is
@@ -276,7 +279,7 @@ log_msg_parse_date(LogMessage *self, const guchar **data, gint *length, guint pa
               src++;
               left--;
             }
-          while (isdigit(*src))
+          while (*length > 0 && isdigit(*src))
             {
               src++;
               left--;
@@ -321,7 +324,7 @@ log_msg_parse_date(LogMessage *self, const guchar **data, gint *length, guint pa
           if (!scan_pix_timestamp((const gchar **) &src, &left, &tm))
             goto error;
 
-          if (*src == ':')
+          if (left && *src == ':')
             {
               src++;
               left--;
@@ -679,7 +682,7 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF
       open_sd++;
       do
         {
-          if (!isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"')
+          if (!left || !isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"')
             goto error;
           /* read sd_id */
           pos = 0;
@@ -713,7 +716,7 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF
           strcpy(sd_value_name, logmsg_sd_prefix);
           /* this strcat is safe, as sd_id_name is at most 32 chars */
           strncpy(sd_value_name + logmsg_sd_prefix_len, sd_id_name, sizeof(sd_value_name) - logmsg_sd_prefix_len);
-          if (*src == ']')
+          if (left && *src == ']')
             {
               log_msg_set_value_by_name(self, sd_value_name, "", 0);
             }
@@ -730,7 +733,7 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF
               else
                 goto error;
 
-              if (!isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"')
+              if (!left || !isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"')
                 goto error;
 
               /* read sd-param */
-- 
2.39.0

Places

File CVE-2022-38725-Fix-buffer-handling-of-syslog-parsers.patch of Package syslog-ng.27530

Places