From 43797330e75d7d4687b7ae6926a996c3c85c2679 Mon Sep 17 00:00:00 2001
From: mancha <mancha1 AT zoho DOT com>
Date: Wed, 1 Oct 2014
Subject: CVE-2014-3634

Rainer Gerhards, rsyslog project leader, discovered an issue in rsyslogd
where invalid priority values can trigger DoS and potentially RCE.

As his analysis reveals, the cause of the problem identified in rsyslog's
rsyslogd also exists in sysklogd's syslogd (from which rsyslogd was forked)
and stems from the use of a (LOG_FACMASK|LOG_PRIMASK) mask to detect invalid
priority values.

In sysklogd's syslogd, invalid priority values between 192 and 1023 (directly
or arrived at via overflow wraparound) can propagate through code causing
out-of-bounds access to the f_pmask array within the 'filed' structure by up
to 104 bytes past its end. Though most likely insufficient to reach
unallocated memory because there are around 544 bytes past f_pmask in 'filed'
(mod packing and other differences), incorrect access of fields at higher
positions of the 'filed' structure definition can cause unexpected behavior
including message mis-classification, forwarding issues, message loss,
or other.

This patch imposes a restriction on PRI message parts and requires they
be properly-delimited priority value strings that have non-negative
numerical values not exceeding 191. As before, sysklogd's syslogd permits
zero padding to not break compatibility with RFC-non-compliant loggers that
issue PRIs such as <0091>. Messages without well-formed PRI parts get
logged with priority user.notice (13). (c.f. RFC 3164)

Thanks to Rainer Gerhards for the initial report and analysis.

[1] http://www.rsyslog.com/remote-syslog-pri-vulnerability/
[2] http://www.rsyslog.com/remote-syslog-pri-vulnerability-cve-2014-3683/

---
 syslogd.c |   25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

--- a/syslogd.c
+++ b/syslogd.c
@@ -632,6 +632,8 @@ int funix[MAXFUNIX] = { -1, };
 #define TABLE_ALLPRI    0xFF    /* Value to indicate all priorities in f_pmask */
 #define	LOG_MARK	LOG_MAKEPRI(LOG_NFACILITIES, 0)	/* mark "facility" */
 
+#define MAX_PRI		191	/* Maximum Priority per RFC 3164 */
+
 /*
  * Flags to logmsg().
  */
@@ -1491,23 +1493,34 @@ void printline(hname, msg)
 	register char *p, *q;
 	register unsigned char c;
 	char line[MAXLINE + 1];
-	int pri;
+	unsigned int pri;       	// Valid Priority values are 0-191
+	int prilen=0;			// Track Priority value string len
+	int msglen;
 
 	/* test for special codes */
+	msglen=strlen(msg);
 	pri = DEFUPRI;
 	p = msg;
 
 	if (*p == '<') {
 		pri = 0;
-		while (isdigit(*++p))
-		{
-		   pri = 10 * pri + (*p - '0');
+		while (--msglen > 0 && isdigit((unsigned char)*++p) &&
+		      			pri <= MAX_PRI) {
+			pri = 10 * pri + (*p - '0');
+			prilen++;
 		}
-		if (*p == '>')
+		if (*p == '>' && prilen)
 			++p;
+		else {
+			pri = DEFUPRI;
+			p = msg;
+		}
 	}
-	if (pri &~ (LOG_FACMASK|LOG_PRIMASK))
+
+	if ((pri &~ (LOG_FACMASK|LOG_PRIMASK)) || (pri > MAX_PRI)) {
 		pri = DEFUPRI;
+		p = msg;
+	}
 
 	memset (line, 0, sizeof(line));
 	q = line;