bugfix:fix CVE-2022-24903

bugfix-CVE-2022-24903.patch

@@ -0,0 +1,61 @@
+From 66c63027b95dce0fcfe50fa8baf2366ac83b340d Mon Sep 17 00:00:00 2001
+From: Rainer Gerhards <rgerhards@adiscon.com>
+Date: Fri, 22 Apr 2022 09:49:46 +0200
+Subject: [PATCH] net bugfix: potential buffer overrun
+
+Conflict:NA
+Reference:https://github.com/rsyslog/rsyslog/commit/89955b0bcb1ff105e1374aad7e0e993faa6a038f
+---
+ contrib/imhttp/imhttp.c | 4 +++-
+ plugins/imptcp/imptcp.c | 4 +++-
+ runtime/tcps_sess.c     | 4 +++-
+ 3 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/imhttp/imhttp.c b/contrib/imhttp/imhttp.c
+index f09260b..95704af 100644
+--- a/contrib/imhttp/imhttp.c
++++ b/contrib/imhttp/imhttp.c
+@@ -487,7 +487,9 @@ processOctetMsgLen(const instanceConf_t *const inst, struct conn_wrkr_s *connWrk
+ 				connWrkr->parseState.iOctetsRemain = connWrkr->parseState.iOctetsRemain * 10 + ch - '0';
+ 			}
+ 			// temporarily save this character into the message buffer
+-			connWrkr->pMsg[connWrkr->iMsg++] = ch;
++			if(connWrkr->iMsg + 1 < s_iMaxLine) {
++				connWrkr->pMsg[connWrkr->iMsg++] = ch;
++			}
+ 		} else {
+ 			const char *remoteAddr = "";
+ 			if (connWrkr->propRemoteAddr) {
+diff --git a/plugins/imptcp/imptcp.c b/plugins/imptcp/imptcp.c
+index cdd29d4..e47a7c9 100644
+--- a/plugins/imptcp/imptcp.c
++++ b/plugins/imptcp/imptcp.c
+@@ -1107,7 +1107,9 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis,
+ 			if(pThis->iOctetsRemain <= 200000000) {
+ 				pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ 			}
+-			*(pThis->pMsg + pThis->iMsg++) = c;
++			if(pThis->iMsg < iMaxLine) {
++				*(pThis->pMsg + pThis->iMsg++) = c;
++			}
+ 		} else { /* done with the octet count, so this must be the SP terminator */
+ 			DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ 			prop.GetString(pThis->peerName, &propPeerName, &lenPeerName);
+diff --git a/runtime/tcps_sess.c b/runtime/tcps_sess.c
+index b12d873..0831192 100644
+--- a/runtime/tcps_sess.c
++++ b/runtime/tcps_sess.c
+@@ -389,7 +389,9 @@ processDataRcvd(tcps_sess_t *pThis,
+ 			if(pThis->iOctetsRemain <= 200000000) {
+ 				pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ 			}
+-			*(pThis->pMsg + pThis->iMsg++) = c;
++			if(pThis->iMsg < iMaxLine) {
++				*(pThis->pMsg + pThis->iMsg++) = c;
++			}
+ 		} else { /* done with the octet count, so this must be the SP terminator */
+ 			DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ 			prop.GetString(pThis->fromHost, &propPeerName, &lenPeerName);
+-- 
+2.27.0
+

rsyslog.spec

@@ -7,7 +7,7 @@
 
 Name:           rsyslog
 Version:        8.2110.0
-Release:        8
+Release:        9
 Summary:        The rocket-fast system for log processing
 License:        (GPLv3+ and ASL 2.0)
 URL:            http://www.rsyslog.com/
@@ -30,6 +30,7 @@ Patch9003:      rsyslog-8.37.0-initialize-variables-and-check-return-value.patch
 Patch9004:      print-main-queue-info-to-journal-when-queue-full.patch
 Patch9005:      print-main-queue-info-to-journal-when-receive-USR1-signal.patch
 %endif
+Patch9006:      bugfix-CVE-2022-24903.patch
 
 BuildRequires:  gcc autoconf automake bison dos2unix flex pkgconfig python3-docutils libtool
 BuildRequires:  libgcrypt-devel libuuid-devel zlib-devel krb5-devel libnet-devel gnutls-devel
@@ -492,6 +493,9 @@ done
 %{_mandir}/man1/rscryutil.1.gz
 
 %changelog
+* Mon May 23 2022 zhanghaolian <zhanghaolian@huawei.com> - 8.2110.0-9
+- fix CVE-2022-24903
+
 * Fri Mar 25 2022 wuchaochao <cyanrose@yeah.net> - 8.2110.0-8
 - add systemd_lived macro