diff options
| author | Lennart Poettering <lennart@poettering.net> | 2012-09-19 22:51:28 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2012-09-19 22:51:28 +0200 |
| commit | 505b6a61c22d5565e9308045c7b9bf79f7d0517e (patch) | |
| tree | db8479e90baf09f932389889fa8b4756707823f8 | |
| parent | 7d5e9c0f60cddf01ec803012cbdc02d2f55b78c1 (diff) | |
journald: don't accept arbitrarily sized journal data fields
https://bugzilla.redhat.com/show_bug.cgi?id=858746
| -rw-r--r-- | src/journal/journald-native.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c index 4e44c3ada..85458b50c 100644 --- a/src/journal/journald-native.c +++ b/src/journal/journald-native.c @@ -30,7 +30,8 @@ #include "journald-console.h" #include "journald-syslog.h" -#define ENTRY_SIZE_MAX (1024*1024*32) +#define ENTRY_SIZE_MAX (1024*1024*64) +#define DATA_SIZE_MAX (1024*1024*64) static bool valid_user_field(const char *p, size_t l) { const char *a; @@ -205,7 +206,12 @@ void server_process_native_message( memcpy(&l_le, e + 1, sizeof(uint64_t)); l = le64toh(l_le); - if (remaining < e - p + 1 + sizeof(uint64_t) + l + 1 || + if (l > DATA_SIZE_MAX) { + log_debug("Received binary data block too large, ignoring."); + break; + } + + if ((uint64_t) remaining < e - p + 1 + sizeof(uint64_t) + l + 1 || e[1+sizeof(uint64_t)+l] != '\n') { log_debug("Failed to parse message, ignoring."); break; |