huyab/rsyslog

forked from src-openEuler/rsyslog 
bugfix-CVE-2022-24903.patch 2.41 KB
zw0402 committed on 2022-05-23 15:27 . bugfix:fix CVE-2022-24903
From 66c63027b95dce0fcfe50fa8baf2366ac83b340d Mon Sep 17 00:00:00 2001
From: Rainer Gerhards <[email protected]>
Date: Fri, 22 Apr 2022 09:49:46 +0200
Subject: [PATCH] net bugfix: potential buffer overrun
Conflict:NA
Reference:https://github.com/rsyslog/rsyslog/commit/89955b0bcb1ff105e1374aad7e0e993faa6a038f
---
contrib/imhttp/imhttp.c | 4 +++-
plugins/imptcp/imptcp.c | 4 +++-
runtime/tcps_sess.c | 4 +++-
3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/contrib/imhttp/imhttp.c b/contrib/imhttp/imhttp.c
index f09260b..95704af 100644
--- a/contrib/imhttp/imhttp.c
+++ b/contrib/imhttp/imhttp.c
@@ -487,7 +487,9 @@ processOctetMsgLen(const instanceConf_t *const inst, struct conn_wrkr_s *connWrk
connWrkr->parseState.iOctetsRemain = connWrkr->parseState.iOctetsRemain * 10 + ch - '0';
}
// temporarily save this character into the message buffer
- connWrkr->pMsg[connWrkr->iMsg++] = ch;
+ if(connWrkr->iMsg + 1 < s_iMaxLine) {
+ connWrkr->pMsg[connWrkr->iMsg++] = ch;
+ }
} else {
const char *remoteAddr = "";
if (connWrkr->propRemoteAddr) {
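Review bot: The new guard in processOctetMsgLen, `if(connWrkr->iMsg + 1 < s_iMaxLine)`, stops one byte earlier than the `iMsg < iMaxLine` guard this patch uses for the same store in imptcp.c and tcps_sess.c. The visible lines do not show how pMsg is sized, so a short comment stating which bound matches the allocation, and why this file reserves the extra byte, would make the difference reviewable. When the guard fails the digit is also dropped silently while parsing continues; consider logging or flagging the frame as oversized at that point.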
diff --git a/plugins/imptcp/imptcp.c b/plugins/imptcp/imptcp.c
index cdd29d4..e47a7c9 100644
--- a/plugins/imptcp/imptcp.c
+++ b/plugins/imptcp/imptcp.c
@@ -1107,7 +1107,9 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis,
if(pThis->iOctetsRemain <= 200000000) {
pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
}
- *(pThis->pMsg + pThis->iMsg++) = c;
+ if(pThis->iMsg < iMaxLine) {
+ *(pThis->pMsg + pThis->iMsg++) = c;
+ }
} else { /* done with the octet count, so this must be the SP terminator */
DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
prop.GetString(pThis->peerName, &propPeerName, &lenPeerName);
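Review bot: In processDataRcvd, once `pThis->iMsg < iMaxLine` is false the digit is discarded with no else branch, so an over-long octet count is silently truncated in pMsg while the loop keeps accepting digits. The `iOctetsRemain <= 200000000` check above caps the numeric value but not the number of digits consumed, so a long run of digits still reaches this store. Consider treating the frame as invalid once the digit count exceeds a fixed length, or at least emitting an error message in an else branch, so the condition is visible to operators.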
diff --git a/runtime/tcps_sess.c b/runtime/tcps_sess.c
index b12d873..0831192 100644
--- a/runtime/tcps_sess.c
+++ b/runtime/tcps_sess.c
@@ -389,7 +389,9 @@ processDataRcvd(tcps_sess_t *pThis,
if(pThis->iOctetsRemain <= 200000000) {
pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
}
- *(pThis->pMsg + pThis->iMsg++) = c;
+ if(pThis->iMsg < iMaxLine) {
+ *(pThis->pMsg + pThis->iMsg++) = c;
+ }
} else { /* done with the octet count, so this must be the SP terminator */
DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
prop.GetString(pThis->fromHost, &propPeerName, &lenPeerName);
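Review bot: The guard added in runtime/tcps_sess.c processDataRcvd is a verbatim copy of the one in plugins/imptcp/imptcp.c, and the diffstat lists only the three source files, so nothing in this patch exercises the new branch. A regression test that sends an octet-count header with more digits than iMaxLine to each input would pin the fix. A comment on `if(pThis->iMsg < iMaxLine)` stating that excess digits are intentionally dropped would document the behaviour.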
--
2.27.0