| From dd8483a4beb6f61521d8b32c726523bbea21cd92 Mon Sep 17 00:00:00 2001 |
| From: Florian Forster <octo@collectd.org> |
| Date: Tue, 19 Jul 2016 10:00:37 +0200 |
| Subject: [PATCH] network plugin: Fix heap overflow in parse_packet(). |
| |
| Emilien Gaspar has identified a heap overflow in parse_packet(), the |
| function used by the network plugin to parse incoming network packets. |
| |
| This is a vulnerability in collectd, though the scope is not clear at |
| this point. At the very least specially crafted network packets can be |
| used to crash the daemon. We can't rule out a potential remote code |
| execution though. |
| |
| Fixes: CVE-2016-6254 |
| |
| cherry picked from upstream commit b589096f |
| |
| Upstream Status: Backport |
| |
| Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com> |
| --- |
| src/network.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| diff --git a/src/network.c b/src/network.c |
| index 551bd5c..cb979b2 100644 |
| --- a/src/network.c |
| +++ b/src/network.c |
| @@ -1444,6 +1444,7 @@ static int parse_packet (sockent_t *se, /* {{{ */ |
| printed_ignore_warning = 1; |
| } |
| buffer = ((char *) buffer) + pkg_length; |
| + buffer_size -= (size_t) pkg_length; |
| continue; |
| } |
| #endif /* HAVE_LIBGCRYPT */ |
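Review bot: The added `buffer_size -= (size_t) pkg_length;` is only safe if `pkg_length` has already been checked against `buffer_size` in the same loop iteration, and no such check is visible in this hunk (parse_packet starts and ends outside it). If `buffer_size` is unsigned, as the cast suggests, a declared part length larger than the remaining bytes would wrap it to a very large value, and the `while (buffer_size > sizeof (part_header_t))` loop would continue past the end of the received data. The same applies to the identical additions in the hunks at -1471 and -1612. If the guard exists earlier in the loop, a short comment at each site such as `/* pkg_length <= buffer_size was verified above */` would record the invariant; if it does not, add `if (pkg_length > buffer_size) break;` before the skip.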
| @@ -1471,6 +1472,7 @@ static int parse_packet (sockent_t *se, /* {{{ */ |
| printed_ignore_warning = 1; |
| } |
| buffer = ((char *) buffer) + pkg_length; |
| + buffer_size -= (size_t) pkg_length; |
| continue; |
| } |
| #endif /* HAVE_LIBGCRYPT */ |
| @@ -1612,6 +1614,7 @@ static int parse_packet (sockent_t *se, /* {{{ */ |
| DEBUG ("network plugin: parse_packet: Unknown part" |
| " type: 0x%04hx", pkg_type); |
| buffer = ((char *) buffer) + pkg_length; |
| + buffer_size -= (size_t) pkg_length; |
| } |
| } /* while (buffer_size > sizeof (part_header_t)) */ |
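Review bot: The skip in the unknown-part branch repeats by hand the pair `buffer = ((char *) buffer) + pkg_length;` and `buffer_size -= (size_t) pkg_length;` that also appears in both HAVE_LIBGCRYPT branches above, and the overflow being fixed came from one half of that pair being left out. A single helper would keep the pointer and the remaining length from drifting apart again, for example `#define SKIP_PART(buf, size, n) do { (buf) = ((char *) (buf)) + (n); (size) -= (size_t) (n); } while (0)`. The function body extends beyond this hunk, so any other place that advances `buffer` should be checked for the same pairing.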
| |
| -- |
| 2.7.4 |
| |