You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

50 lines
1.5 KiB

  1. From f6be4f9b49b949b379326c3d7002476e6ce4f211 Mon Sep 17 00:00:00 2001
  2. From: Pavel Rochnyack <pavel2000@ngs.ru>
  3. Date: Mon, 3 Apr 2017 11:57:09 +0600
  4. Subject: [PATCH] network plugin: Fix endless loop DOS in parse_packet()
  5. When correct 'Signature part' is received by Collectd, configured without
  6. AuthFile option, condition for endless loop occurs due to missing increase
  7. of pointer to next unprocessed part.
  8. Fixes: CVE-2017-7401
  9. Signed-off-by: Florian Forster <octo@collectd.org>
  10. --- a/src/network.c
  11. +++ b/src/network.c
  12. @@ -1003,14 +1003,6 @@ static int parse_part_sign_sha256(socken
  13. buffer_len = *ret_buffer_len;
  14. buffer_offset = 0;
  15. - if (se->data.server.userdb == NULL) {
  16. - c_complain(
  17. - LOG_NOTICE, &complain_no_users,
  18. - "network plugin: Received signed network packet but can't verify it "
  19. - "because no user DB has been configured. Will accept it.");
  20. - return (0);
  21. - }
  22. -
  23. /* Check if the buffer has enough data for this structure. */
  24. if (buffer_len <= PART_SIGNATURE_SHA256_SIZE)
  25. return (-ENOMEM);
  26. @@ -1027,6 +1019,18 @@ static int parse_part_sign_sha256(socken
  27. return (-1);
  28. }
  29. + if (se->data.server.userdb == NULL) {
  30. + c_complain(
  31. + LOG_NOTICE, &complain_no_users,
  32. + "network plugin: Received signed network packet but can't verify it "
  33. + "because no user DB has been configured. Will accept it.");
  34. +
  35. + *ret_buffer = buffer + pss_head_length;
  36. + *ret_buffer_len -= pss_head_length;
  37. +
  38. + return (0);
  39. + }
  40. +
  41. /* Copy the hash. */
  42. BUFFER_READ(pss.hash, sizeof(pss.hash));