1 #! /bin/sh /usr/share/dpatch/dpatch-run
2 ## CVE-2016-6254.dpatch by Florian Forster <octo@collectd.org>
3 ##
4 ## DP: network plugin: Fix heap overflow in parse_packet().
5 ## DP:
6 ## DP: Emilien Gaspar has identified a heap overflow in parse_packet(), the
7 ## DP: function used by the network plugin to parse incoming network packets.
8 ## DP:
9 ## DP: This is a vulnerability in collectd, though the scope is not clear at
10 ## DP: this point. At the very least specially crafted network packets can be
11 ## DP: used to crash the daemon. We can't rule out a potential remote code
12 ## DP: execution though.
13 ## DP:
14 ## DP: Fixes: CVE-2016-6254
15 ## DP:
16 ## DP: Upstream commit:
17 ## DP: https://github.com/collectd/collectd/commit/b589096
19 @DPATCH@
21 diff a/src/network.c b/src/network.c
22 --- a/src/network.c
23 +++ b/src/network.c
24 @@ -1430,6 +1430,7 @@
25 printed_ignore_warning = 1;
26 }
27 buffer = ((char *) buffer) + pkg_length;
28 + buffer_size -= (size_t) pkg_length;
29 continue;
30 }
31 #endif /* HAVE_LIBGCRYPT */
32 @@ -1457,6 +1458,7 @@
33 printed_ignore_warning = 1;
34 }
35 buffer = ((char *) buffer) + pkg_length;
36 + buffer_size -= (size_t) pkg_length;
37 continue;
38 }
39 #endif /* HAVE_LIBGCRYPT */
40 @@ -1598,6 +1600,7 @@
41 DEBUG ("network plugin: parse_packet: Unknown part"
42 " type: 0x%04hx", pkg_type);
43 buffer = ((char *) buffer) + pkg_length;
44 + buffer_size -= (size_t) pkg_length;
45 }
46 } /* while (buffer_size > sizeof (part_header_t)) */