From ce1475b4f69f0a4382c6190f55e080d91de84611 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Fri, 7 Dec 2018 10:48:10 +0100
Subject: [PATCH] journal-remote: set a limit on the number of fields in a
 message

Existing use of E2BIG is replaced with ENOBUFS (entry too long), and E2BIG is
reused for the new error condition (too many fields).

This matches the change done for systemd-journald, hence forming the second
part of the fix for CVE-2018-16865
(https://bugzilla.redhat.com/show_bug.cgi?id=1653861).

Patch backported from systemd master at
ef4d6abe7c7fab6cbff975b32e76b09feee56074.

Patch for 237 from:
systemd_237-3ubuntu10.13.debian CVE-2018-16865_2.patch

CVE: CVE-2018-16865
Upstream-Status: Backport

---
 src/journal-remote/journal-remote-main.c | 7 +++++--
 src/journal-remote/journal-remote.c      | 3 +++
 src/shared/journal-importer.c            | 5 ++++-
 3 files changed, 12 insertions(+), 3 deletions(-)

--- a/src/basic/journal-importer.c
+++ b/src/basic/journal-importer.c
@@ -38,6 +38,9 @@
 };
 
 static int iovw_put(struct iovec_wrapper *iovw, void* data, size_t len) {
+        if (iovw->count >= ENTRY_FIELD_COUNT_MAX)
+                return -E2BIG;
+
         if (!GREEDY_REALLOC(iovw->iovec, iovw->size_bytes, iovw->count + 1))
                 return log_oom();
 
@@ -113,7 +116,7 @@
                 imp->scanned = imp->filled;
                 if (imp->scanned >= DATA_SIZE_MAX) {
                         log_error("Entry is bigger than %u bytes.", DATA_SIZE_MAX);
-                        return -E2BIG;
+                        return -ENOBUFS;
                 }
 
                 if (imp->passive_fd)
--- a/src/journal-remote/journal-remote.c
+++ b/src/journal-remote/journal-remote.c
@@ -517,10 +517,16 @@
                         break;
                 else if (r < 0) {
                         log_warning("Failed to process data for connection %p", connection);
-                        if (r == -E2BIG)
+                        if (r == -ENOBUFS)
                                 return mhd_respondf(connection,
                                                     r, MHD_HTTP_PAYLOAD_TOO_LARGE,
                                                     "Entry is too large, maximum is " STRINGIFY(DATA_SIZE_MAX) " bytes.");
+
+                        else if (r == -E2BIG)
+                                return mhd_respondf(connection,
+                                                    r, MHD_HTTP_REQUEST_ENTITY_TOO_LARGE,
+                                                    "Entry with more fields than the maximum of " STRINGIFY(ENTRY_FIELD_COUNT_MAX) ".");
+
                         else
                                 return mhd_respondf(connection,
                                                     r, MHD_HTTP_UNPROCESSABLE_ENTITY,
@@ -1090,6 +1096,9 @@
                 log_debug("%zu active sources remaining", s->active);
                 return 0;
         } else if (r == -E2BIG) {
+                log_notice("Entry with too many fields, skipped");
+                return 1;
+        } else if (r == -ENOBUFS) {
                 log_notice_errno(E2BIG, "Entry too big, skipped");
                 return 1;
         } else if (r == -EAGAIN) {