1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
|
From f6be4f9b49b949b379326c3d7002476e6ce4f211 Mon Sep 17 00:00:00 2001
From: Pavel Rochnyack <pavel2000@ngs.ru>
Date: Mon, 3 Apr 2017 11:57:09 +0600
Subject: [PATCH] network plugin: Fix endless loop DOS in parse_packet()
When correct 'Signature part' is received by Collectd, configured without
AuthFile option, condition for endless loop occurs due to missing increase
of pointer to next unprocessed part.
This is a forward-port of #2233.
Fixes: CVE-2017-7401
Closes: #2174
Signed-off-by: Florian Forster <octo@collectd.org>
---
src/network.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/src/network.c b/src/network.c
index be4c3ba..2ff09af 100644
--- a/src/network.c
+++ b/src/network.c
@@ -1003,14 +1003,6 @@ static int parse_part_sign_sha256(sockent_t *se, /* {{{ */
buffer_len = *ret_buffer_len;
buffer_offset = 0;
- if (se->data.server.userdb == NULL) {
- c_complain(
- LOG_NOTICE, &complain_no_users,
- "network plugin: Received signed network packet but can't verify it "
- "because no user DB has been configured. Will accept it.");
- return (0);
- }
-
/* Check if the buffer has enough data for this structure. */
if (buffer_len <= PART_SIGNATURE_SHA256_SIZE)
return (-ENOMEM);
@@ -1027,6 +1019,18 @@ static int parse_part_sign_sha256(sockent_t *se, /* {{{ */
return (-1);
}
+ if (se->data.server.userdb == NULL) {
+ c_complain(
+ LOG_NOTICE, &complain_no_users,
+ "network plugin: Received signed network packet but can't verify it "
+ "because no user DB has been configured. Will accept it.");
+
+ *ret_buffer = buffer + pss_head_length;
+ *ret_buffer_len -= pss_head_length;
+
+ return (0);
+ }
+
/* Copy the hash. */
BUFFER_READ(pss.hash, sizeof(pss.hash));
|
GitWeb
