new file mode 100644

@@ -0,0 +1,148 @@

+From 0381a0de64a5a048c3d48b79055bd9848d0c7fc2 Mon Sep 17 00:00:00 2001

+From: PascalWithopf <pwithopf@adiscon.com>

+Date: Wed, 19 Apr 2017 13:06:30 +0200

+Subject: [PATCH] imptcp: fix Segmentation Fault when octet count is to high

+

+---

+ plugins/imptcp/imptcp.c                   | 14 ++++++-

+ tests/imptcp-msg-truncation-on-number.sh  | 37 +++++++++++++++++++

+ tests/imptcp-msg-truncation-on-number2.sh | 45 +++++++++++++++++++++++

+ 3 files changed, 94 insertions(+), 2 deletions(-)

+ create mode 100755 tests/imptcp-msg-truncation-on-number.sh

+ create mode 100755 tests/imptcp-msg-truncation-on-number2.sh

+

+diff --git a/plugins/imptcp/imptcp.c b/plugins/imptcp/imptcp.c

+index acf0dcd25..b9a4e2fdf 100644

+--- a/plugins/imptcp/imptcp.c

+@@ -902,7 +902,16 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis,

+ 

+ 	if(pThis->inputState == eInOctetCnt) {

+ 		if(isdigit(c)) {

+-			pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';

++			if(pThis->iOctetsRemain <= 200000000) {

++				pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';

++			} else {

++				errmsg.LogError(0, NO_ERRCODE, "Framing Error in received TCP message: "

++						"frame too large (at least %d%c), change to octet stuffing",

++						pThis->iOctetsRemain, c);

++				pThis->eFraming = TCP_FRAMING_OCTET_STUFFING;

++				pThis->inputState = eInMsg;

++			}

++			*(pThis->pMsg + pThis->iMsg++) = c;

+ 		} else { /* done with the octet count, so this must be the SP terminator */

+ 			DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);

+ 			if(c != ' ') {

+@@ -911,9 +920,9 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis,

+ 			}

+ 			if(pThis->iOctetsRemain < 1) {

+ 				/* TODO: handle the case where the octet count is 0! */

+-				DBGPRINTF("Framing Error: invalid octet count\n");

+ 				errmsg.LogError(0, NO_ERRCODE, "Framing Error in received TCP message: "

+ 					    "invalid octet count %d.", pThis->iOctetsRemain);

++				pThis->eFraming = TCP_FRAMING_OCTET_STUFFING;

+ 			} else if(pThis->iOctetsRemain > iMaxLine) {

+ 				/* while we can not do anything against it, we can at least log an indication

+ 				 * that something went wrong) -- rgerhards, 2008-03-14

+@@ -924,6 +933,7 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis,

+ 					        "max msg size is %d, truncating...", pThis->iOctetsRemain, iMaxLine);

+ 			}

+ 			pThis->inputState = eInMsg;

++			pThis->iMsg = 0;

+ 		}

+ 	} else {

+ 		assert(pThis->inputState == eInMsg);

+diff --git a/tests/imptcp-msg-truncation-on-number.sh b/tests/imptcp-msg-truncation-on-number.sh

+new file mode 100755

+index 000000000..e46486bdf

+--- /dev/null

+@@ -0,0 +1,37 @@

++#!/bin/bash

++# addd 2017-03-01 by RGerhards, released under ASL 2.0

++

++. $srcdir/diag.sh init

++. $srcdir/diag.sh generate-conf

++. $srcdir/diag.sh add-conf '

++$MaxMessageSize 128

++global(processInternalMessages="on")

++module(load="../plugins/imptcp/.libs/imptcp")

++input(type="imptcp" port="13514")

++

++action(type="omfile" file="rsyslog.out.log")

++

++'

++. $srcdir/diag.sh startup

++. $srcdir/diag.sh tcpflood -m1 -M "\"<120> 2011-03-01T11:22:12Z host tag: this is a way too long message that has to be truncatedtest1 test2 test3 test4 test5 ab

++9876543210 cdefghijklmn test8 test9 test10 test11 test12 test13 test14 test15 kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk tag: testtestetstetstetstetstetsstetstetsytetestetste\""

++. $srcdir/diag.sh shutdown-when-empty

++. $srcdir/diag.sh wait-shutdown

++

++grep "Framing Error.*change to octet stuffing" rsyslog.out.log > /dev/null

++if [ $? -ne 0 ]; then

++        echo

++        echo "FAIL: expected error message from imptcp truncation not found. rsyslog.out.log is:"

++        cat rsyslog.out.log

++        . $srcdir/diag.sh error-exit 1

++fi

++

++grep " 9876543210 cdefghijklmn test8 test9 test10 test11 test12 test13 test14 test15 kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk tag: testtestets" rsyslog.out.log > /dev/null

++if [ $? -ne 0 ]; then

++        echo

++        echo "FAIL: expected error message from imptcp truncation not found. rsyslog.out.log is:"

++        cat rsyslog.out.log

++        . $srcdir/diag.sh error-exit 1

++fi

++

++. $srcdir/diag.sh exit

+diff --git a/tests/imptcp-msg-truncation-on-number2.sh b/tests/imptcp-msg-truncation-on-number2.sh

+new file mode 100755

+index 000000000..15c5aab15

+--- /dev/null

+@@ -0,0 +1,45 @@

++#!/bin/bash

++# addd 2017-03-01 by RGerhards, released under ASL 2.0

++

++. $srcdir/diag.sh init

++. $srcdir/diag.sh generate-conf

++. $srcdir/diag.sh add-conf '

++$MaxMessageSize 128

++global(processInternalMessages="on")

++module(load="../plugins/imptcp/.libs/imptcp")

++input(type="imptcp" port="13514" ruleset="ruleset1")

++

++template(name="templ1" type="string" string="%rawmsg%\n")

++ruleset(name="ruleset1") {

++	action(type="omfile" file="rsyslog.out.log" template="templ1")

++}

++

++'

++. $srcdir/diag.sh startup

++. $srcdir/diag.sh tcpflood -m2 -M "\"41 <120> 2011-03-01T11:22:12Z host msgnum:1\""

++. $srcdir/diag.sh tcpflood -m1 -M "\"214000000000 <120> 2011-03-01T11:22:12Z host msgnum:1\""

++. $srcdir/diag.sh tcpflood -m1 -M "\"41 <120> 2011-03-01T11:22:12Z host msgnum:1\""

++. $srcdir/diag.sh tcpflood -m1 -M "\"214000000000 <120> 2011-03-01T11:22:12Z host msgnum:1\""

++. $srcdir/diag.sh tcpflood -m1 -M "\"41 <120> 2011-03-01T11:22:12Z host msgnum:1\""

++. $srcdir/diag.sh tcpflood -m1 -M "\"2000000010 <120> 2011-03-01T11:22:12Z host msgnum:1\""

++. $srcdir/diag.sh tcpflood -m1 -M "\"4000000000 <120> 2011-03-01T11:22:12Z host msgnum:1\""

++. $srcdir/diag.sh tcpflood -m1 -M "\"0 <120> 2011-03-01T11:22:12Z host msgnum:1\""

++. $srcdir/diag.sh shutdown-when-empty

++. $srcdir/diag.sh wait-shutdown

++

++echo '<120> 2011-03-01T11:22:12Z host msgnum:1

++<120> 2011-03-01T11:22:12Z host msgnum:1

++214000000000 <120> 2011-03-01T11:22:12Z host msgnum:1

++<120> 2011-03-01T11:22:12Z host msgnum:1

++214000000000 <120> 2011-03-01T11:22:12Z host msgnum:1

++<120> 2011-03-01T11:22:12Z host msgnum:1

++2000000010 <120> 2011-03-01T11:22:12Z host msgnum:1

++4000000000 <120> 2011-03-01T11:22:12Z host msgnum:1

++<120> 2011-03-01T11:22:12Z host msgnum:1' | cmp rsyslog.out.log

++if [ ! $? -eq 0 ]; then

++  echo "invalid response generated, rsyslog.out.log is:"

++  cat rsyslog.out.log

++  . $srcdir/diag.sh error-exit  1

++fi;

++

++. $srcdir/diag.sh exit

@@ -1,7 +1,7 @@

 Summary:        Rocket-fast system for log processing

 Name:           rsyslog

 Version:        8.15.0

-Release:        8%{?dist}

+Release:        9%{?dist}

 License:        GPLv3+ and ASL 2.0

 URL:            http://www.rsyslog.com/

 Source0:        http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz

@@ -10,6 +10,7 @@ Source1:        rsyslog.service

 Source2:        50-rsyslog-journald.conf

 # Downloaded patch from https://github.com/rsyslog/rsyslog/pull/1565

 Patch0:         CVE-2017-12588.patch

+Patch1:         CVE-2018-16881.patch

 Group:          System Environment/Base

 Vendor:         VMware, Inc.

 Distribution:   Photon

@@ -34,6 +35,7 @@ It offers high-performance, great security features and a modular design. While

 %prep

 %setup -q

 %patch0 -p1

+%patch1 -p1

 %build

 ./configure \

     --prefix=%{_prefix} \

@@ -75,6 +77,8 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck}

 %{_libdir}/systemd/system/rsyslog.service

 %{_sysconfdir}/systemd/journald.conf.d/*

 %changelog

+*   Thu Feb 14 2019 Keerthana K <keerthanak@vmware.com> 8.15.0-9

+-   Fix for CVE-2018-16881

 *   Thu Dec 21 2017 Xiaolin Li <xiaolinl@vmware.com> 8.15.0-8

 -   Fix typos in change log.

 *   Fri Dec 15 2017 Anish Swaminathan <anishs@vmware.com>  8.15.0-7