dcavalca / rpms / systemd

Forked from rpms/systemd 3 months ago
Clone
Blob Blame History Raw
From dec34b2c3b66f9ccf3977e3a45d3a8365ba92027 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Thu, 3 Jan 2019 16:28:30 +0100
Subject: [PATCH] journal-remote: set a limit on the number of fields in a
 message

Existing use of E2BIG is replaced with ENOBUFS (entry too long), and E2BIG is
reused for the new error condition (too many fields).

This matches the change done for systemd-journald, hence forming the second
part of the fix for CVE-2018-16865
(https://bugzilla.redhat.com/show_bug.cgi?id=1653861).

Resolves: #1657792
---
 src/journal-remote/journal-remote-parse.c |  2 +-
 src/journal-remote/journal-remote-write.c |  3 +++
 src/journal-remote/journal-remote.c       | 14 ++++++++++++--
 3 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/src/journal-remote/journal-remote-parse.c b/src/journal-remote/journal-remote-parse.c
index 64089da19b..53f4e36123 100644
--- a/src/journal-remote/journal-remote-parse.c
+++ b/src/journal-remote/journal-remote-parse.c
@@ -107,7 +107,7 @@ static int get_line(RemoteSource *source, char **line, size_t *size) {
                 source->scanned = source->filled;
                 if (source->scanned >= DATA_SIZE_MAX) {
                         log_error("Entry is bigger than %u bytes.", DATA_SIZE_MAX);
-                        return -E2BIG;
+                        return -ENOBUFS;
                 }
 
                 if (source->passive_fd)
diff --git a/src/journal-remote/journal-remote-write.c b/src/journal-remote/journal-remote-write.c
index 99820fa7b8..99920e62c5 100644
--- a/src/journal-remote/journal-remote-write.c
+++ b/src/journal-remote/journal-remote-write.c
@@ -22,6 +22,9 @@
 #include "journal-remote.h"
 
 int iovw_put(struct iovec_wrapper *iovw, void* data, size_t len) {
+        if (iovw->count >= ENTRY_FIELD_COUNT_MAX)
+                return -E2BIG;
+
         if (!GREEDY_REALLOC(iovw->iovec, iovw->size_bytes, iovw->count + 1))
                 return log_oom();
 
diff --git a/src/journal-remote/journal-remote.c b/src/journal-remote/journal-remote.c
index a455fb6bd8..e65daf6a0b 100644
--- a/src/journal-remote/journal-remote.c
+++ b/src/journal-remote/journal-remote.c
@@ -524,11 +524,18 @@ static int process_http_upload(
                         break;
                 else if (r < 0) {
                         log_warning("Failed to process data for connection %p", connection);
-                        if (r == -E2BIG)
+                        if (r == -ENOBUFS)
                                 return mhd_respondf(connection,
                                                     MHD_HTTP_REQUEST_ENTITY_TOO_LARGE,
                                                     "Entry is too large, maximum is %u bytes.\n",
                                                     DATA_SIZE_MAX);
+
+                        else if (r == -E2BIG)
+                                return mhd_respondf(connection,
+                                                    MHD_HTTP_REQUEST_ENTITY_TOO_LARGE,
+                                                    "Entry with more fields than the maximum of %u\n",
+                                                    ENTRY_FIELD_COUNT_MAX);
+
                         else
                                 return mhd_respondf(connection,
                                                     MHD_HTTP_UNPROCESSABLE_ENTITY,
@@ -1043,7 +1050,10 @@ static int handle_raw_source(sd_event_source *event,
                 log_debug("%zu active sources remaining", s->active);
                 return 0;
         } else if (r == -E2BIG) {
-                log_notice_errno(E2BIG, "Entry too big, skipped");
+                log_notice_errno(E2BIG, "Entry with too many fields, skipped");
+                return 1;
+        } else if (r == -ENOBUFS) {
+                log_notice_errno(ENOBUFS, "Entry too big, skipped");
                 return 1;
         } else if (r == -EAGAIN) {
                 return 0;