
network plugin: Fix heap overflow in parse_packet().
authorFlorian Forster <octo@collectd.org>
Tue, 19 Jul 2016 08:00:37 +0000 (10:00 +0200)
committerFlorian Forster <octo@collectd.org>
Thu, 21 Jul 2016 05:47:37 +0000 (07:47 +0200)
Emilien Gaspar has identified a heap overflow in parse_packet(), the
function used by the network plugin to parse incoming network packets.

This is a vulnerability in collectd, though the scope is not clear at
this point. At the very least specially crafted network packets can be
used to crash the daemon. We can't rule out a potential remote code
execution though.

Fixes: CVE-2016-6254
src/network.c

index 0ee6ed0b9834f96a9ad1cd885657c0e5f9719c89..5c7761d36faa0d0cdc03fb53bb65ae1ed7e388d6 100644 (file)
@@ -1435,6 +1435,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
                                printed_ignore_warning = 1;
                        }
                        buffer = ((char *) buffer) + pkg_length;
+                       buffer_size -= (size_t) pkg_length;
                        continue;
                }
 #endif /* HAVE_LIBGCRYPT */
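Review bot: The added `buffer_size -= (size_t) pkg_length;` is only safe if `pkg_length <= buffer_size` has already been established earlier in the loop body, which lies outside this hunk (parse_packet starts before it); if that bound is missing, the unsigned subtraction wraps and the `while (buffer_size > sizeof (part_header_t))` loop keeps reading past the end of the packet, which is the same class of defect this commit fixes. The same applies to the identical lines in the hunks at +1463 and +1605. If the bound is not enforced where the part header is read, each skip path should reject the packet before advancing `buffer`, e.g. `if ((size_t) pkg_length > buffer_size) return (-1);`. If it is enforced, a one-line comment at the first skip path stating that `pkg_length` was already checked against `buffer_size` would make the invariant visible to the next reader.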
@@ -1462,6 +1463,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
                                printed_ignore_warning = 1;
                        }
                        buffer = ((char *) buffer) + pkg_length;
+                       buffer_size -= (size_t) pkg_length;
                        continue;
                }
 #endif /* HAVE_LIBGCRYPT */
@@ -1603,6 +1605,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
                        DEBUG ("network plugin: parse_packet: Unknown part"
                                        " type: 0x%04hx", pkg_type);
                        buffer = ((char *) buffer) + pkg_length;
+                       buffer_size -= (size_t) pkg_length;
                }
        } /* while (buffer_size > sizeof (part_header_t)) */