Attachment 943575 Details for Bug 1142373 – patch to fix the flaw in sysklogd

[patch] patch to fix the flaw in sysklogd

sysklogd-1.5_CVE-2014-3634.diff (text/plain), 2.71 KB, created by Vincent Danen on 2014-10-02 21:03:34 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Vincent Danen

Created: 2014-10-02 21:03:34 UTC

Size: 2.71 KB

patch

obsolete

>From 43797330e75d7d4687b7ae6926a996c3c85c2679 Mon Sep 17 00:00:00 2001
>From: mancha <mancha1 AT zoho DOT com>
>Date: Wed, 1 Oct 2014
>Subject: CVE-2014-3634
>
>Rainer Gerhards, rsyslog project leader, discovered an issue in rsyslogd
>where invalid priority values can trigger DoS and potentially RCE.
>
>As he describes, the cause of the problem identified in rsyslog also
>exists in sysklogd (from which rsyslogd was forked) and stems from the
>way LOG_NFACILITIES and LOG_FACMASK get used.
>
>In sysklog's case, priority values up to 1023 (with facility values up to
>127) can propagate through code making f_pmask array overreads of up
>to 104 bytes within the filed structure possible. Though not sufficient
>to reach unallocated memory (there are still 544 bytes in the filed
>structure beyond the end of f_pmask), incorrect access of fields at
>higher positions of the filed structure definition can cause unexpected
>behavior including potential message mis-classification and loss.
>
>This patch imposes a restriction on PRI message parts and requires they
>be properly-delimited priority value strings that have non-negative
>numerical values not exceeding 191. As before, sysklogd allows zero
>padding in the priority value string to support RFC-non-compliant loggers
>that issue PRIs such as <0091>. Messages with malformed PRI parts are
>logged with priority USER.NOTICE.
>
>I would like to thank Rainer for his initial report and analysis and 
>subsequent coordination.
>
>---
> syslogd.c |   25 +++++++++++++++++++------
> 1 file changed, 19 insertions(+), 6 deletions(-)
>
>--- a/syslogd.c
>+++ b/syslogd.c
>@@ -632,6 +632,8 @@ int funix[MAXFUNIX] = { -1, };
> #define TABLE_ALLPRI    0xFF    /* Value to indicate all priorities in f_pmask */
> #define	LOG_MARK	LOG_MAKEPRI(LOG_NFACILITIES, 0)	/* mark "facility" */
> 
>+#define MAX_PRI		191	/* Maximum Priority per RFC 3164 */
>+
> /*
>  * Flags to logmsg().
>  */
>@@ -1491,23 +1493,34 @@ void printline(hname, msg)
> 	register char *p, *q;
> 	register unsigned char c;
> 	char line[MAXLINE + 1];
>-	int pri;
>+	unsigned int pri;       	// Valid Priority values are 0-191
>+	int prilen=0;			// Track Priority value string len
>+	int msglen;
> 
> 	/* test for special codes */
>+	msglen=strlen(msg);
> 	pri = DEFUPRI;
> 	p = msg;
> 
> 	if (*p == '<') {
> 		pri = 0;
>-		while (isdigit(*++p))
>-		{
>-		   pri = 10 * pri + (*p - '0');
>+		while (--msglen > 0 && isdigit((unsigned char)*++p) &&
>+		      			pri <= MAX_PRI) {
>+			pri = 10 * pri + (*p - '0');
>+			prilen++;
> 		}
>-		if (*p == '>')
>+		if (*p == '>' && prilen)
> 			++p;
>+		else {
>+			pri = DEFUPRI;
>+			p = msg;
>+		}
> 	}
>-	if (pri &~ (LOG_FACMASK|LOG_PRIMASK))
>+
>+	if ((pri &~ (LOG_FACMASK|LOG_PRIMASK)) || (pri > MAX_PRI)) {
> 		pri = DEFUPRI;
>+		p = msg;
>+	}
> 
> 	memset (line, 0, sizeof(line));
> 	q = line;

Actions: View | Diff

Attachments on bug 1142373: 938140 | 938141 | 938142 | 938143 | 938229 | 943495 | 943496 | 943575 | 943701 | 943702