Commit b589096

network plugin: Fix heap overflow in parse_packet().
Emilien Gaspar has identified a heap overflow in parse_packet(), the function used by the network plugin to parse incoming network packets. This is a vulnerability in collectd, though the scope is not clear at this point. At the very least specially crafted network packets can be used to crash the daemon. We can't rule out a potential remote code execution though. Fixes: CVE-2016-6254
1 parent 4371ef7 commit b589096

1 file changed

+3
-0
lines changed

Diff for: src/network.c

@@ -1435,6 +1435,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
14351435
printed_ignore_warning = 1;
14361436
}
14371437
buffer = ((char *) buffer) + pkg_length;
1438+
buffer_size -= (size_t) pkg_length;
14381439
continue;
14391440
}
14401441
#endif /* HAVE_LIBGCRYPT */
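Review bot: The added `buffer_size -= (size_t) pkg_length;` at new line 1438 is an unsigned subtraction, and nothing visible in this hunk bounds `pkg_length` by `buffer_size` before this branch is reached. If a part can get here with `pkg_length` larger than `buffer_size`, the result wraps to a very large value and the loop keeps parsing past the end of the buffer. Please confirm that an earlier check in the loop rejects such parts, or add `if ((size_t) pkg_length > buffer_size) break;` ahead of the pointer advance.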
@@ -1462,6 +1463,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
14621463
printed_ignore_warning = 1;
14631464
}
14641465
buffer = ((char *) buffer) + pkg_length;
1466+
buffer_size -= (size_t) pkg_length;
14651467
continue;
14661468
}
14671469
#endif /* HAVE_LIBGCRYPT */
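Review bot: The skip sequence at new lines 1465-1466 is a verbatim copy of the one in the previous hunk, and in both places the fix is the size update that was missing after the pointer advance. Consider folding the two statements into a single helper or macro used by every skip path in parse_packet(), so that `buffer` and `buffer_size` cannot get out of step the next time a branch is added. A short comment stating that both must change together would also help.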
@@ -1603,6 +1605,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
16031605
DEBUG ("network plugin: parse_packet: Unknown part"
16041606
" type: 0x%04hx", pkg_type);
16051607
buffer = ((char *) buffer) + pkg_length;
1608+
buffer_size -= (size_t) pkg_length;
16061609
}
16071610
} /* while (buffer_size > sizeof (part_header_t)) */
16081611
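Review bot: In the unknown part type branch (new lines 1607-1608) the loop only makes progress when `pkg_length` is non-zero, because both `buffer` and the `buffer_size` tested by `while (buffer_size > sizeof (part_header_t))` move by that amount. Please confirm that a part whose length field is zero or smaller than the part header is rejected before this point; otherwise this path re-reads the same bytes indefinitely. The change touches only src/network.c and adds no regression test; a packet containing an unknown part type followed by further parts would cover this branch.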
