in_collectd: reject parts with length < 4 and fix null-terminator OOB [Backport to 4.2]#11896
Conversation
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
cosmo0920
changed the title
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9a7858c29b
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if (size > 0 && ptr[size - 1] == '\0') { | ||
| hdr.type = ptr; |
There was a problem hiding this comment.
When a packet already set hdr.type, an empty or unterminated PART_TYPE now just skips this assignment and leaves the previous type in place, so the following PART_VALUE can be encoded under stale metadata instead of rejecting the malformed identifier. This is reachable with a multi-value collectd datagram where a later type part has part_len == 4 or lacks the trailing NUL; returning an error here (and for the other string identifiers) avoids silently corrupting the emitted metric labels.
Useful? React with 👍 / 👎.
The collectd binary protocol parser enters an infinite loop when it receives a part with part_len=0: the loop counters are not advanced and the while condition remains true forever. A single 4-byte UDP packet can permanently hang the worker thread. Additionally, the null-terminator check for string parts reads one byte past the end of the received data (ptr[size] where size = part_len - 4 accesses buf[part_len], which is past the buffer when the last part fills exactly to the end). Fix both by rejecting parts with part_len < 4 (minimum valid part is 4 bytes: 2 type + 2 length) and checking ptr[size - 1] instead of ptr[size] for the null terminator. Signed-off-by: Tristan <tristan@talencesecurity.com>
cosmo0920
force-pushed
the
fix/collectd-infinite-loop-4.2
branch
from
9a7858c to
a485cc0
Compare
1 participant
Backporting of #11849.
Enter
[N/A]in the box, if an item is not applicable to your change.Testing
Before we can approve your change; please submit the following in a comment:
If this is a change to packaging of containers or native binaries then please confirm it works for all targets.
ok-package-testlabel to test for all targets (requires maintainer to do).Documentation
Backporting
Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.