File 0001-imptcp-fix-Segmentation-Fault-when-octet-count-is-to.patch of Package rsyslog.10269
From 9a3e0d83c174de6b9bb7994e4e18783bef8de670 Mon Sep 17 00:00:00 2001
From: PascalWithopf <pwithopf@adiscon.com>
Date: Wed, 19 Apr 2017 13:06:30 +0200
Subject: [PATCH] imptcp: fix Segmentation Fault when octet count is to high
(cherry picked from commit 0381a0de64a5a048c3d48b79055bd9848d0c7fc2)
---
plugins/imptcp/imptcp.c | 14 ++++++++--
tests/imptcp-msg-truncation-on-number.sh | 37 +++++++++++++++++++++++++
tests/imptcp-msg-truncation-on-number2.sh | 45 +++++++++++++++++++++++++++++++
3 files changed, 94 insertions(+), 2 deletions(-)
create mode 100755 tests/imptcp-msg-truncation-on-number.sh
create mode 100755 tests/imptcp-msg-truncation-on-number2.sh
diff --git a/plugins/imptcp/imptcp.c b/plugins/imptcp/imptcp.c
index 1d46e1c97..f7fb54cf8 100644
--- a/plugins/imptcp/imptcp.c
+++ b/plugins/imptcp/imptcp.c
@@ -873,7 +873,16 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis,
if(pThis->inputState == eInOctetCnt) {
if(isdigit(c)) {
- pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ if(pThis->iOctetsRemain <= 200000000) {
+ pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ } else {
+ errmsg.LogError(0, NO_ERRCODE, "Framing Error in received TCP message: "
+ "frame too large (at least %d%c), change to octet stuffing",
+ pThis->iOctetsRemain, c);
+ pThis->eFraming = TCP_FRAMING_OCTET_STUFFING;
+ pThis->inputState = eInMsg;
+ }
+ *(pThis->pMsg + pThis->iMsg++) = c;
} else { /* done with the octet count, so this must be the SP terminator */
DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
if(c != ' ') {
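Review bot: The store `*(pThis->pMsg + pThis->iMsg++) = c;` added in the digit branch has no bound on `iMsg`. The `<= 200000000` guard limits the parsed value, not the number of digit bytes, so a count padded with leading zeros stays in `eInOctetCnt` and keeps advancing `iMsg`. Assuming `pMsg` is sized from `iMaxLine` (its allocation is outside this hunk), that can write past the end of the buffer. Guard the store, for example `if(pThis->iMsg < iMaxLine) { *(pThis->pMsg + pThis->iMsg++) = c; }`. Neither new test covers a long digit run, and processDataRcvd starts and continues outside the hunk.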
@@ -882,9 +891,9 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis,
}
if(pThis->iOctetsRemain < 1) {
/* TODO: handle the case where the octet count is 0! */
- DBGPRINTF("Framing Error: invalid octet count\n");
errmsg.LogError(0, NO_ERRCODE, "Framing Error in received TCP message: "
"invalid octet count %d.", pThis->iOctetsRemain);
+ pThis->eFraming = TCP_FRAMING_OCTET_STUFFING;
} else if(pThis->iOctetsRemain > iMaxLine) {
/* while we can not do anything against it, we can at least log an indication
* that something went wrong) -- rgerhards, 2008-03-14
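Review bot: The comment `/* TODO: handle the case where the octet count is 0! */` in the `iOctetsRemain < 1` branch is now stale, because the added `pThis->eFraming = TCP_FRAMING_OCTET_STUFFING;` defines what happens in that case. Replace it with a statement of the behaviour, e.g. `/* octet count < 1 is invalid: log it and fall back to octet stuffing */`. With the DBGPRINTF removed, that comment is the only in-code explanation left for this branch. The enclosing function extends beyond the hunk.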
@@ -895,6 +904,7 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis,
"max msg size is %d, truncating...", pThis->iOctetsRemain, iMaxLine);
}
pThis->inputState = eInMsg;
+ pThis->iMsg = 0;
}
} else {
assert(pThis->inputState == eInMsg);
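Review bot: The added `pThis->iMsg = 0;` has no comment, and its purpose is only clear when read with the digit store added earlier in this commit. Count digits are now buffered in `pMsg` while in `eInOctetCnt`, and this reset discards them once the terminator is seen. The too-large branch switches to `eInMsg` without passing through here, so there the digits stay in the message, which is what the second new test expects. A short comment would record that, e.g. `/* drop the buffered octet-count digits: they are framing, not message text */`.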
diff --git a/tests/imptcp-msg-truncation-on-number.sh b/tests/imptcp-msg-truncation-on-number.sh
new file mode 100755
index 000000000..e46486bdf
--- /dev/null
+++ b/tests/imptcp-msg-truncation-on-number.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+# addd 2017-03-01 by RGerhards, released under ASL 2.0
+
+. $srcdir/diag.sh init
+. $srcdir/diag.sh generate-conf
+. $srcdir/diag.sh add-conf '
+$MaxMessageSize 128
+global(processInternalMessages="on")
+module(load="../plugins/imptcp/.libs/imptcp")
+input(type="imptcp" port="13514")
+
+action(type="omfile" file="rsyslog.out.log")
+
+'
+. $srcdir/diag.sh startup
+. $srcdir/diag.sh tcpflood -m1 -M "\"<120> 2011-03-01T11:22:12Z host tag: this is a way too long message that has to be truncatedtest1 test2 test3 test4 test5 ab
+9876543210 cdefghijklmn test8 test9 test10 test11 test12 test13 test14 test15 kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk tag: testtestetstetstetstetstetsstetstetsytetestetste\""
+. $srcdir/diag.sh shutdown-when-empty
+. $srcdir/diag.sh wait-shutdown
+
+grep "Framing Error.*change to octet stuffing" rsyslog.out.log > /dev/null
+if [ $? -ne 0 ]; then
+ echo
+ echo "FAIL: expected error message from imptcp truncation not found. rsyslog.out.log is:"
+ cat rsyslog.out.log
+ . $srcdir/diag.sh error-exit 1
+fi
+
+grep " 9876543210 cdefghijklmn test8 test9 test10 test11 test12 test13 test14 test15 kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk tag: testtestets" rsyslog.out.log > /dev/null
+if [ $? -ne 0 ]; then
+ echo
+ echo "FAIL: expected error message from imptcp truncation not found. rsyslog.out.log is:"
+ cat rsyslog.out.log
+ . $srcdir/diag.sh error-exit 1
+fi
+
+. $srcdir/diag.sh exit
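Review bot: The second check's failure text is a copy of the first: both print "expected error message from imptcp truncation not found". The second `grep` actually looks for the message content that should survive the framing fallback, so a failure there would be reported misleadingly. Give it its own text, e.g. `echo "FAIL: expected message content after framing fallback not found. rsyslog.out.log is:"`.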
diff --git a/tests/imptcp-msg-truncation-on-number2.sh b/tests/imptcp-msg-truncation-on-number2.sh
new file mode 100755
index 000000000..15c5aab15
--- /dev/null
+++ b/tests/imptcp-msg-truncation-on-number2.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+# addd 2017-03-01 by RGerhards, released under ASL 2.0
+
+. $srcdir/diag.sh init
+. $srcdir/diag.sh generate-conf
+. $srcdir/diag.sh add-conf '
+$MaxMessageSize 128
+global(processInternalMessages="on")
+module(load="../plugins/imptcp/.libs/imptcp")
+input(type="imptcp" port="13514" ruleset="ruleset1")
+
+template(name="templ1" type="string" string="%rawmsg%\n")
+ruleset(name="ruleset1") {
+ action(type="omfile" file="rsyslog.out.log" template="templ1")
+}
+
+'
+. $srcdir/diag.sh startup
+. $srcdir/diag.sh tcpflood -m2 -M "\"41 <120> 2011-03-01T11:22:12Z host msgnum:1\""
+. $srcdir/diag.sh tcpflood -m1 -M "\"214000000000 <120> 2011-03-01T11:22:12Z host msgnum:1\""
+. $srcdir/diag.sh tcpflood -m1 -M "\"41 <120> 2011-03-01T11:22:12Z host msgnum:1\""
+. $srcdir/diag.sh tcpflood -m1 -M "\"214000000000 <120> 2011-03-01T11:22:12Z host msgnum:1\""
+. $srcdir/diag.sh tcpflood -m1 -M "\"41 <120> 2011-03-01T11:22:12Z host msgnum:1\""
+. $srcdir/diag.sh tcpflood -m1 -M "\"2000000010 <120> 2011-03-01T11:22:12Z host msgnum:1\""
+. $srcdir/diag.sh tcpflood -m1 -M "\"4000000000 <120> 2011-03-01T11:22:12Z host msgnum:1\""
+. $srcdir/diag.sh tcpflood -m1 -M "\"0 <120> 2011-03-01T11:22:12Z host msgnum:1\""
+. $srcdir/diag.sh shutdown-when-empty
+. $srcdir/diag.sh wait-shutdown
+
+echo '<120> 2011-03-01T11:22:12Z host msgnum:1
+<120> 2011-03-01T11:22:12Z host msgnum:1
+214000000000 <120> 2011-03-01T11:22:12Z host msgnum:1
+<120> 2011-03-01T11:22:12Z host msgnum:1
+214000000000 <120> 2011-03-01T11:22:12Z host msgnum:1
+<120> 2011-03-01T11:22:12Z host msgnum:1
+2000000010 <120> 2011-03-01T11:22:12Z host msgnum:1
+4000000000 <120> 2011-03-01T11:22:12Z host msgnum:1
+<120> 2011-03-01T11:22:12Z host msgnum:1' | cmp rsyslog.out.log
+if [ ! $? -eq 0 ]; then
+ echo "invalid response generated, rsyslog.out.log is:"
+ cat rsyslog.out.log
+ . $srcdir/diag.sh error-exit 1
+fi;
+
+. $srcdir/diag.sh exit
--
2.16.4