From 82cb106ff4d0f8f99d6331705b0c602c512a3e4c Mon Sep 17 00:00:00 2001 From: Pavel Rochnyack Date: Mon, 3 Apr 2017 11:57:09 +0600 Subject: [PATCH] Fix endless loop DOS in parse_packet() When correct 'Signature part' is received by Collectd, configured without AuthFile option, condition for endless loop occurs due to missing increase of pointer to next unprocessed part. Fixes: CVE-2017-7401 Closes: #2174 --- src/network.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/src/network.c b/src/network.c index f4b8024e..2e7506fe 100644 --- a/src/network.c +++ b/src/network.c @@ -1050,14 +1050,6 @@ static int parse_part_sign_sha256 (sockent_t *se, /* {{{ */ buffer_len = *ret_buffer_len; buffer_offset = 0; - if (se->data.server.userdb == NULL) - { - c_complain (LOG_NOTICE, &complain_no_users, - "network plugin: Received signed network packet but can't verify it " - "because no user DB has been configured. Will accept it."); - return (0); - } - /* Check if the buffer has enough data for this structure. */ if (buffer_len <= PART_SIGNATURE_SHA256_SIZE) return (-ENOMEM); @@ -1075,6 +1067,18 @@ static int parse_part_sign_sha256 (sockent_t *se, /* {{{ */ return (-1); } + if (se->data.server.userdb == NULL) + { + c_complain (LOG_NOTICE, &complain_no_users, + "network plugin: Received signed network packet but can't verify it " + "because no user DB has been configured. Will accept it."); + + *ret_buffer = buffer + pss_head_length; + *ret_buffer_len -= pss_head_length; + + return (0); + } + /* Copy the hash. */ BUFFER_READ (pss.hash, sizeof (pss.hash)); -- 2.11.0