| From ebd06c37d4311db9851f4d3fdd023de3dd590de0 Mon Sep 17 00:00:00 2001 |
| From: Filipe Brandenburger <filbranden@google.com> |
| Date: Thu, 10 Jan 2019 14:53:33 -0800 |
| Subject: [PATCH] journal: fix out-of-bounds read CVE-2018-16866 |
| |
| The original code didn't account for the fact that strchr() would match on the |
| '\0' character, making it read past the end of the buffer if no non-whitespace |
| character was present. |
| |
| This bug was introduced in commit ec5ff4445cca6a which was first released in |
| systemd v221 and later fixed in commit 8595102d3ddde6 which was released in |
| v240, so versions in the range [v221, v240) are affected. |
| |
| Patch backported from systemd-stable at f005e73d3723d62a39be661931fcb6347119b52b; |
| it also includes a change from systemd master, a6aadf4ae0bae185dc4c414d492a4a781c80ffe5, |
| which removes a heap buffer overflow. |
| |
| CVE: CVE-2018-16866 |
| Upstream-Status: Backport |
| Signed-off-by: Marcus Cooper <marcusc@axis.com> |
| --- |
| src/journal/journald-syslog.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c |
| index 9dea116722..809b318c06 100644 |
| --- a/src/journal/journald-syslog.c |
| +++ b/src/journal/journald-syslog.c |
| @@ -194,7 +194,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid) |
| e = l; |
| l--; |
| |
| - if (p[l-1] == ']') { |
| + if (l > 0 && p[l-1] == ']') { |
| size_t k = l-1; |
| |
| for (;;) { |
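Review bot: The added `l > 0` guard on the `p[l-1] == ']'` test deserves a why-comment, because after the `l--` on the preceding line `l == 0` makes `p[l-1]` an access one byte before the start of the buffer, and nothing in the hunk says so. I would add `/* l is the identifier length without the trailing ':'; when it is 0 there is no character before the ':' to inspect */` above the `if`. Whether `l` can already be 0 before the decrement (which would wrap if it is a `size_t`) depends on checks earlier in the function, which are outside the hunk; the `for (;;)` loop and the rest of syslog_parse_identifier also continue past the hunk's last line.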
| @@ -219,7 +219,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid) |
| if (t) |
| *identifier = t; |
| |
| - if (strchr(WHITESPACE, p[e])) |
| + if (p[e] != '\0' && strchr(WHITESPACE, p[e])) |
| e++; |
| *buf = p + e; |
| return e; |
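Review bot: The new `p[e] != '\0' &&` guard is correct but reads as an arbitrary extra condition without a comment stating the property it relies on: `strchr()` treats the terminating NUL as part of the searched string, so `strchr(WHITESPACE, '\0')` is non-NULL and the old code advanced `e` past the terminator. I would add `/* strchr() matches the terminating NUL, which must not count as whitespace */` above the `if`, so the guard is not removed again as redundant. A regression case in the journal syslog unit tests feeding an input that ends immediately after the identifier's ':' would pin this, assuming such a test file exists in this tree. The start of syslog_parse_identifier is outside the hunk.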
| -- |
| 2.11.0 |
| |