You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
50 lines
1.5 KiB
50 lines
1.5 KiB
From f6be4f9b49b949b379326c3d7002476e6ce4f211 Mon Sep 17 00:00:00 2001
|
|
From: Pavel Rochnyack <pavel2000@ngs.ru>
|
|
Date: Mon, 3 Apr 2017 11:57:09 +0600
|
|
Subject: [PATCH] network plugin: Fix endless loop DOS in parse_packet()
|
|
|
|
When correct 'Signature part' is received by Collectd, configured without
|
|
AuthFile option, condition for endless loop occurs due to missing increase
|
|
of pointer to next unprocessed part.
|
|
|
|
Fixes: CVE-2017-7401
|
|
|
|
Signed-off-by: Florian Forster <octo@collectd.org>
|
|
|
|
|
|
--- a/src/network.c
|
|
+++ b/src/network.c
|
|
@@ -1003,14 +1003,6 @@ static int parse_part_sign_sha256(socken
|
|
buffer_len = *ret_buffer_len;
|
|
buffer_offset = 0;
|
|
|
|
- if (se->data.server.userdb == NULL) {
|
|
- c_complain(
|
|
- LOG_NOTICE, &complain_no_users,
|
|
- "network plugin: Received signed network packet but can't verify it "
|
|
- "because no user DB has been configured. Will accept it.");
|
|
- return (0);
|
|
- }
|
|
-
|
|
/* Check if the buffer has enough data for this structure. */
|
|
if (buffer_len <= PART_SIGNATURE_SHA256_SIZE)
|
|
return (-ENOMEM);
|
|
@@ -1027,6 +1019,18 @@ static int parse_part_sign_sha256(socken
|
|
return (-1);
|
|
}
|
|
|
|
+ if (se->data.server.userdb == NULL) {
|
|
+ c_complain(
|
|
+ LOG_NOTICE, &complain_no_users,
|
|
+ "network plugin: Received signed network packet but can't verify it "
|
|
+ "because no user DB has been configured. Will accept it.");
|
|
+
|
|
+ *ret_buffer = buffer + pss_head_length;
|
|
+ *ret_buffer_len -= pss_head_length;
|
|
+
|
|
+ return (0);
|
|
+ }
|
|
+
|
|
/* Copy the hash. */
|
|
BUFFER_READ(pss.hash, sizeof(pss.hash));
|
|
|