xref: /OK3568_Linux_fs/yocto/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725-0003.patch (revision 4882a59341e53eb6f0b4789bf948001014eff981)

From 4b8dc56ca8eaeac4c8751a305eb7eeefab8dc89d Mon Sep 17 00:00:00 2001
From: Laszlo Varady <laszlo.varady@protonmail.com>
Date: Sun, 21 Aug 2022 18:44:28 +0200
Subject: [PATCH 3/8] syslogformat: fix reading cisco sequence id out of bounds
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE: CVE-2022-38725

Upstream-Status: Backport
[https://github.com/syslog-ng/syslog-ng/commit/4b8dc56ca8eaeac4c8751a305eb7eeefab8dc89d]

Signed-off-by: László Várady <laszlo.varady@protonmail.com>

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
 modules/syslogformat/syslog-format.c          |  2 +-
 .../syslogformat/tests/test_syslog_format.c   | 32 +++++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/modules/syslogformat/syslog-format.c b/modules/syslogformat/syslog-format.c
index 872cc1d71..a3d48d6f2 100644
--- a/modules/syslogformat/syslog-format.c
+++ b/modules/syslogformat/syslog-format.c
@@ -207,7 +207,7 @@ log_msg_parse_cisco_sequence_id(LogMessage *self, const guchar **data, gint *len

   /* if the next char is not space, then we may try to read a date */

-  if (*src != ' ')
+  if (!left || *src != ' ')
     return;

   log_msg_set_value(self, handles.cisco_seqid, (gchar *) *data, *length - left - 1);
diff --git a/modules/syslogformat/tests/test_syslog_format.c b/modules/syslogformat/tests/test_syslog_format.c
index b247fe3c5..d0f5b4043 100644
--- a/modules/syslogformat/tests/test_syslog_format.c
+++ b/modules/syslogformat/tests/test_syslog_format.c
@@ -70,3 +70,35 @@ Test(syslog_format, parser_should_not_spin_on_non_zero_terminated_input, .timeou
   msg_format_options_destroy(&parse_options);
   log_msg_unref(msg);
 }
+
+Test(syslog_format, cisco_sequence_id_non_zero_termination)
+{
+  const gchar *data = "<189>65536: ";
+  gsize data_length = strlen(data);
+
+  msg_format_options_init(&parse_options, cfg);
+  LogMessage *msg = msg_format_construct_message(&parse_options, (const guchar *) data, data_length);
+
+  gsize problem_position;
+  cr_assert(syslog_format_handler(&parse_options, msg, (const guchar *) data, data_length, &problem_position));
+  cr_assert_str_eq(log_msg_get_value_by_name(msg, ".SDATA.meta.sequenceId", NULL), "65536");
+
+  msg_format_options_destroy(&parse_options);
+  log_msg_unref(msg);
+}
+
+Test(syslog_format, minimal_non_zero_terminated_numeric_message_is_parsed_as_program_name)
+{
+  const gchar *data = "<189>65536";
+  gsize data_length = strlen(data);
+
+  msg_format_options_init(&parse_options, cfg);
+  LogMessage *msg = msg_format_construct_message(&parse_options, (const guchar *) data, data_length);
+
+  gsize problem_position;
+  cr_assert(syslog_format_handler(&parse_options, msg, (const guchar *) data, data_length, &problem_position));
+  cr_assert_str_eq(log_msg_get_value_by_name(msg, "PROGRAM", NULL), "65536");
+
+  msg_format_options_destroy(&parse_options);
+  log_msg_unref(msg);
+}
--
2.34.1