Commit 992a4e5
in_syslog: fix integer overflow in octet-counting length parser
The overflow guard uses strict greater-than (n > SIZE_MAX / 10) which
misses the boundary case where n equals SIZE_MAX / 10 exactly. When
n = 1844674407370955161 (SIZE_MAX / 10 on 64-bit), the subsequent
n * 10 + digit overflows to a small value (0-5). This sets
frame_expected_len to 0, which permanently corrupts the connection
-- frame_have_len stays set while frame_expected_len is 0,
causing all subsequent messages to be silently discarded.
Change the guard to >= so that the boundary value is also clamped to
SIZE_MAX before the multiplication.
Signed-off-by: Tristan <tristan@talencesecurity.com>
1 parent 10a748d commit 992a4e5
1 file changed
Lines changed: 1 addition & 1 deletion
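The boundary case from the commit message, as an added example that is not the project's code: `parse_octet_count`, `parse_at_boundary` and the `guard` enum are hypothetical names, and returning `SIZE_MAX` as soon as the guard fires is an assumption about how the clamp behaves. The third, exact guard goes beyond the commit and shows a check that accepts every representable value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical guard variants: the pre-fix check, the committed fix, and an
 * exact check that is not part of the commit. */
enum guard { GUARD_STRICT, GUARD_INCLUSIVE, GUARD_EXACT };

/* Parse the decimal length prefix of an octet-counted frame.
 * Assumption: a length that cannot be represented is clamped to SIZE_MAX. */
static size_t parse_octet_count(const char *s, enum guard g)
{
    size_t n = 0;

    for (; *s >= '0' && *s <= '9'; s++) {
        size_t digit = (size_t)(*s - '0');
        int clamp;

        switch (g) {
        case GUARD_STRICT:    clamp = n >  SIZE_MAX / 10; break; /* misses n == SIZE_MAX / 10 */
        case GUARD_INCLUSIVE: clamp = n >= SIZE_MAX / 10; break; /* the fix: conservative */
        default:              clamp = n > (SIZE_MAX - digit) / 10; break; /* exact */
        }
        if (clamp) {
            return SIZE_MAX;
        }
        n = n * 10 + digit; /* wraps modulo SIZE_MAX + 1 if the guard let it through */
    }
    return n;
}

/* Constructed input: the digits of SIZE_MAX / 10 followed by one more digit. */
static size_t parse_at_boundary(char last, enum guard g)
{
    char buf[48];

    snprintf(buf, sizeof(buf), "%zu%c", (size_t)(SIZE_MAX / 10), last);
    return parse_octet_count(buf, g);
}

int main(void)
{
    printf("strict    '6' -> %zu\n", parse_at_boundary('6', GUARD_STRICT));
    printf("inclusive '6' -> %zu\n", parse_at_boundary('6', GUARD_INCLUSIVE));
    printf("exact     '5' -> %zu\n", parse_at_boundary('5', GUARD_EXACT));
    return 0;
}
```

Whichever guard is used, the caller still has to treat a clamped `SIZE_MAX` as an invalid frame length rather than as a byte count to wait for.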
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
240 | 240 | | |
241 | 241 | | |
242 | 242 | | |
243 | | - | |
| 243 | + | |
244 | 244 | | |
245 | 245 | | |
246 | 246 | | |
| |||
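Review bot: the one-line change at line 243 ships without a regression test (1 file changed, 1 addition and 1 deletion), so the boundary can regress unnoticed. Please add a test that sends an octet count of 1844674407370955161 followed by one more digit and then checks that later messages on the same connection are still delivered. Because SIZE_MAX ends in 5, only a trailing digit of 6 to 9 wraps at that value, so the test should use one of those digits. It is also worth confirming that a length clamped to SIZE_MAX is rejected afterwards instead of being stored in frame_expected_len, since the message describes the clamp but not what happens to the clamped value.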