Skip to content

Commit 992a4e5

Browse files
TristanInSecedsiper
authored andcommitted
in_syslog: fix integer overflow in octet-counting length parser
The overflow guard uses strict greater-than (n > SIZE_MAX / 10) which misses the boundary case where n equals SIZE_MAX / 10 exactly. When n = 1844674407370955161 (SIZE_MAX / 10 on 64-bit), the subsequent n * 10 + digit overflows to a small value (0-5). This sets frame_expected_len to 0, which permanently corrupts the connection -- frame_have_len stays set while frame_expected_len is 0, causing all subsequent messages to be silently discarded. Change the guard to >= so that the boundary value is also clamped to SIZE_MAX before the multiplication. Signed-off-by: Tristan <tristan@talencesecurity.com>
1 parent 10a748d commit 992a4e5

1 file changed

Lines changed: 1 addition & 1 deletion

File tree

plugins/in_syslog/syslog_prot.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -240,7 +240,7 @@ int syslog_prot_process(struct syslog_conn *conn)
240240
char *sp = p;
241241
size_t n = 0;
242242
while (sp < end && *sp >= '0' && *sp <= '9') {
243-
if (n > SIZE_MAX / 10) {
243+
if (n >= SIZE_MAX / 10) {
244244
n = SIZE_MAX;
245245
break;
246246
}

0 commit comments

Comments
 (0)