journald: bound field length in extra-fields reader

client_context_read_extra_fields() reads a 64-bit field length v from
the per-unit log-extra-fields file. n = sizeof(uint64_t) + v overflows
when v is near UINT64_MAX, so the "left < n" check is bypassed and the
following memchr() scans v bytes past the buffer. Bound v against the
remaining bytes instead, which cannot overflow.
This commit is contained in:
Syed Mohammed Nayyar
2026-06-24 18:29:35 +05:30
committed by Luca Boccassi
parent a0343dabfa
commit 15bee24d4f

@@ -443,10 +443,13 @@ static int client_context_read_extra_fields(
if (v < 2)
return -EBADMSG;
n = sizeof(uint64_t) + v;
if (left < n)
/* left >= sizeof(uint64_t) here, so the subtraction is safe and we avoid
* overflowing sizeof(uint64_t) + v when v is close to UINT64_MAX. */
if (v > left - sizeof(uint64_t))
return -EBADMSG;
n = sizeof(uint64_t) + v;
field = q + sizeof(uint64_t);
eq = memchr(field, '=', v);
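
Review bot: The new check `if (v > left - sizeof(uint64_t))` is only safe if `left >= sizeof(uint64_t)` already holds, and the comment asserts that without the hunk showing where it is established. If `left` is unsigned and can ever be smaller than `sizeof(uint64_t)` at this point, the subtraction wraps to a huge value and the check passes for any v, which reintroduces the over-read in `memchr(field, '=', v)`. Consider adding `assert(left >= sizeof(uint64_t));` directly above the comparison, or have the comment name the earlier check that provides the guarantee, so a later refactor cannot silently drop it. A regression test that feeds an extra-fields file with a length field close to UINT64_MAX and expects -EBADMSG would also help keep this fixed.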