1From 4b8dc56ca8eaeac4c8751a305eb7eeefab8dc89d Mon Sep 17 00:00:00 2001
2From: Laszlo Varady <laszlo.varady@protonmail.com>
3Date: Sun, 21 Aug 2022 18:44:28 +0200
4Subject: [PATCH 3/8] syslogformat: fix reading cisco sequence id out of bounds
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9CVE: CVE-2022-38725
10
11Upstream-Status: Backport
12[https://github.com/syslog-ng/syslog-ng/commit/4b8dc56ca8eaeac4c8751a305eb7eeefab8dc89d]
13
14Signed-off-by: László Várady <laszlo.varady@protonmail.com>
15
16Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
17---
18 modules/syslogformat/syslog-format.c | 2 +-
19 .../syslogformat/tests/test_syslog_format.c | 32 +++++++++++++++++++
20 2 files changed, 33 insertions(+), 1 deletion(-)
21
22diff --git a/modules/syslogformat/syslog-format.c b/modules/syslogformat/syslog-format.c
23index 872cc1d71..a3d48d6f2 100644
24--- a/modules/syslogformat/syslog-format.c
25+++ b/modules/syslogformat/syslog-format.c
26@@ -207,7 +207,7 @@ log_msg_parse_cisco_sequence_id(LogMessage *self, const guchar **data, gint *len
27
28 /* if the next char is not space, then we may try to read a date */
29
30- if (*src != ' ')
31+ if (!left || *src != ' ')
32 return;
33
34 log_msg_set_value(self, handles.cisco_seqid, (gchar *) *data, *length - left - 1);
35diff --git a/modules/syslogformat/tests/test_syslog_format.c b/modules/syslogformat/tests/test_syslog_format.c
36index b247fe3c5..d0f5b4043 100644
37--- a/modules/syslogformat/tests/test_syslog_format.c
38+++ b/modules/syslogformat/tests/test_syslog_format.c
39@@ -70,3 +70,35 @@ Test(syslog_format, parser_should_not_spin_on_non_zero_terminated_input, .timeou
40 msg_format_options_destroy(&parse_options);
41 log_msg_unref(msg);
42 }
43+
44+Test(syslog_format, cisco_sequence_id_non_zero_termination)
45+{
46+ const gchar *data = "<189>65536: ";
47+ gsize data_length = strlen(data);
48+
49+ msg_format_options_init(&parse_options, cfg);
50+ LogMessage *msg = msg_format_construct_message(&parse_options, (const guchar *) data, data_length);
51+
52+ gsize problem_position;
53+ cr_assert(syslog_format_handler(&parse_options, msg, (const guchar *) data, data_length, &problem_position));
54+ cr_assert_str_eq(log_msg_get_value_by_name(msg, ".SDATA.meta.sequenceId", NULL), "65536");
55+
56+ msg_format_options_destroy(&parse_options);
57+ log_msg_unref(msg);
58+}
59+
60+Test(syslog_format, minimal_non_zero_terminated_numeric_message_is_parsed_as_program_name)
61+{
62+ const gchar *data = "<189>65536";
63+ gsize data_length = strlen(data);
64+
65+ msg_format_options_init(&parse_options, cfg);
66+ LogMessage *msg = msg_format_construct_message(&parse_options, (const guchar *) data, data_length);
67+
68+ gsize problem_position;
69+ cr_assert(syslog_format_handler(&parse_options, msg, (const guchar *) data, data_length, &problem_position));
70+ cr_assert_str_eq(log_msg_get_value_by_name(msg, "PROGRAM", NULL), "65536");
71+
72+ msg_format_options_destroy(&parse_options);
73+ log_msg_unref(msg);
74+}
75--
762.34.1
77
78
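Review bot: In the `modules/syslogformat/syslog-format.c` hunk, the new guard `if (!left || *src != ' ')` stops the read only when `left` is exactly zero. The declaration of `left` and the statements that advance `src` sit above the hunk, so the following is inferred: if `left` is a signed counter that is decremented once more after a digit scan has already run it down to zero (digits with no `:`, the shape the second new test feeds in), it arrives here as -1, `!left` is false and `*src` is still dereferenced past the declared length. `if (left <= 0 || *src != ' ')` covers both cases at no cost. `log_msg_parse_cisco_sequence_id` starts and ends outside the hunk, so please confirm against the full function.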
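Review bot: Both tests added in `modules/syslogformat/tests/test_syslog_format.c` take their input from a string literal and pass `strlen(data)`, so the byte directly after the declared length is the literal's own NUL terminator. A one-byte over-read therefore lands on valid memory, and the tests can pass, even under AddressSanitizer, on a parser that still reads past `data_length`. Copying the input into an exactly sized heap buffer makes the "non_zero_terminated" names true and lets a sanitizer or valgrind run catch a regression: `guchar *buf = g_malloc(data_length); memcpy(buf, data, data_length);`, pass `buf` to `msg_format_construct_message` and `syslog_format_handler`, then `g_free(buf);`. A one-line comment above each test naming the path it exercises (`/* digits, ':' and a space: sequence id is extracted */`, `/* digits only: value ends up in PROGRAM */`) would also help the next reader.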