#! /bin/sh /usr/share/dpatch/dpatch-run
## CVE-2016-6254.dpatch by Florian Forster
##
## DP: network plugin: Fix heap overflow in parse_packet().
## DP:
## DP: Emilien Gaspar has identified a heap overflow in parse_packet(), the
## DP: function used by the network plugin to parse incoming network packets.
## DP:
## DP: This is a vulnerability in collectd, though the scope is not clear at
## DP: this point. At the very least specially crafted network packets can be
## DP: used to crash the daemon. We can't rule out a potential remote code
## DP: execution though.
## DP:
## DP: Fixes: CVE-2016-6254
## DP:
## DP: Upstream commit:
## DP: https://github.com/collectd/collectd/commit/b589096
@DPATCH@
diff a/src/network.c b/src/network.c
--- a/src/network.c
+++ b/src/network.c
@@ -1430,6 +1430,7 @@
 printed_ignore_warning = 1;
 }
 buffer = ((char *) buffer) + pkg_length;
+ buffer_size -= (size_t) pkg_length;
 continue;
 }
 #endif /* HAVE_LIBGCRYPT */
@@ -1457,6 +1458,7 @@
 printed_ignore_warning = 1;
 }
 buffer = ((char *) buffer) + pkg_length;
+ buffer_size -= (size_t) pkg_length;
 continue;
 }
 #endif /* HAVE_LIBGCRYPT */
@@ -1598,6 +1600,7 @@
 DEBUG ("network plugin: parse_packet: Unknown part"
 " type: 0x%04hx", pkg_type);
 buffer = ((char *) buffer) + pkg_length;
+ buffer_size -= (size_t) pkg_length;
 }
 } /* while (buffer_size > sizeof (part_header_t)) */
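Review bot: The added `buffer_size -= (size_t) pkg_length;` in the hunk at -1430 is an unsigned subtraction, and nothing visible in the hunk shows that `pkg_length <= buffer_size` holds on this skip path; if it does not, the remaining length wraps to a very large value and the `while (buffer_size > sizeof (part_header_t))` loop would go on reading past the end of the received packet. The loop body of parse_packet starts outside the hunk, so the bound is presumably checked earlier in each iteration; if so, a short comment at the subtraction should say so, and if not, a guard such as `if ((size_t) pkg_length > buffer_size) break;` belongs before the pointer is advanced. The same point applies to the identical lines added in the hunks at -1457 and -1598. Because the pointer advance and the length decrement now appear as a pair in three places, a small static helper that performs both would keep a future skip path from updating one without the other.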