92 lines
3.0 KiB
Diff
92 lines
3.0 KiB
Diff
From 43797330e75d7d4687b7ae6926a996c3c85c2679 Mon Sep 17 00:00:00 2001
|
|
From: mancha <mancha1 AT zoho DOT com>
|
|
Date: Wed, 1 Oct 2014
|
|
Subject: CVE-2014-3634
|
|
|
|
Rainer Gerhards, rsyslog project leader, discovered an issue in rsyslogd
|
|
where invalid priority values can trigger DoS and potentially RCE.
|
|
|
|
As his analysis reveals, the cause of the problem identified in rsyslog's
|
|
rsyslogd also exists in sysklogd's syslogd (from which rsyslogd was forked)
|
|
and stems from the use of a (LOG_FACMASK|LOG_PRIMASK) mask to detect invalid
|
|
priority values.
|
|
|
|
In sysklogd's syslogd, invalid priority values between 192 and 1023 (directly
|
|
or arrived at via overflow wraparound) can propagate through code causing
|
|
out-of-bounds access to the f_pmask array within the 'filed' structure by up
|
|
to 104 bytes past its end. Though most likely insufficient to reach
|
|
unallocated memory because there are around 544 bytes past f_pmask in 'filed'
|
|
(mod packing and other differences), incorrect access of fields at higher
|
|
positions of the 'filed' structure definition can cause unexpected behavior
|
|
including message mis-classification, forwarding issues, message loss,
|
|
or other.
|
|
|
|
This patch imposes a restriction on PRI message parts and requires they
|
|
be properly-delimited priority value strings that have non-negative
|
|
numerical values not exceeding 191. As before, sysklogd's syslogd permits
|
|
zero padding to not break compatibility with RFC-non-compliant loggers that
|
|
issue PRIs such as <0091>. Messages without well-formed PRI parts get
|
|
logged with priority user.notice (13). (c.f. RFC 3164)
|
|
|
|
Thanks to Rainer Gerhards for the initial report and analysis.
|
|
|
|
[1] http://www.rsyslog.com/remote-syslog-pri-vulnerability/
|
|
[2] http://www.rsyslog.com/remote-syslog-pri-vulnerability-cve-2014-3683/
|
|
|
|
---
|
|
syslogd.c | 25 +++++++++++++++++++------
|
|
1 file changed, 19 insertions(+), 6 deletions(-)
|
|
|
|
--- a/syslogd.c
|
|
+++ b/syslogd.c
|
|
@@ -632,6 +632,8 @@ int funix[MAXFUNIX] = { -1, };
|
|
#define TABLE_ALLPRI 0xFF /* Value to indicate all priorities in f_pmask */
|
|
#define LOG_MARK LOG_MAKEPRI(LOG_NFACILITIES, 0) /* mark "facility" */
|
|
|
|
+#define MAX_PRI 191 /* Maximum Priority per RFC 3164 */
|
|
+
|
|
/*
|
|
* Flags to logmsg().
|
|
*/
|
|
@@ -1491,23 +1493,34 @@ void printline(hname, msg)
|
|
register char *p, *q;
|
|
register unsigned char c;
|
|
char line[MAXLINE + 1];
|
|
- int pri;
|
|
+ unsigned int pri; // Valid Priority values are 0-191
|
|
+ int prilen=0; // Track Priority value string len
|
|
+ int msglen;
|
|
|
|
/* test for special codes */
|
|
+ msglen=strlen(msg);
|
|
pri = DEFUPRI;
|
|
p = msg;
|
|
|
|
if (*p == '<') {
|
|
pri = 0;
|
|
- while (isdigit(*++p))
|
|
- {
|
|
- pri = 10 * pri + (*p - '0');
|
|
+ while (--msglen > 0 && isdigit((unsigned char)*++p) &&
|
|
+ pri <= MAX_PRI) {
|
|
+ pri = 10 * pri + (*p - '0');
|
|
+ prilen++;
|
|
}
|
|
- if (*p == '>')
|
|
+ if (*p == '>' && prilen)
|
|
++p;
|
|
+ else {
|
|
+ pri = DEFUPRI;
|
|
+ p = msg;
|
|
+ }
|
|
}
|
|
- if (pri &~ (LOG_FACMASK|LOG_PRIMASK))
|
|
+
|
|
+ if ((pri &~ (LOG_FACMASK|LOG_PRIMASK)) || (pri > MAX_PRI)) {
|
|
pri = DEFUPRI;
|
|
+ p = msg;
|
|
+ }
|
|
|
|
memset (line, 0, sizeof(line));
|
|
q = line;
|