in_collectd: reject parts with length < 4 and fix null-terminator OOB by TristanInSec · Pull Request #11849 · fluent/fluent-bit

TristanInSec · 2026-05-26T19:37:04Z

The collectd binary protocol parser enters an infinite loop when it
receives a part with part_len=0: the loop counters are not advanced
and the while condition remains true forever. A single 4-byte UDP
packet can permanently hang the worker thread.

Additionally, the null-terminator check for string parts reads one
byte past the end of the received data (ptr[size] where size =
part_len - 4 accesses buf[part_len], which is past the buffer when
the last part fills exactly to the end).

Fix both by rejecting parts with part_len < 4 (minimum valid part
is 4 bytes: 2 type + 2 length) and checking ptr[size - 1] instead
of ptr[size] for the null terminator.

Summary by CodeRabbit

Bug Fixes
- Strengthened validation of incoming network packet parts to reject malformed or truncated parts before processing.
- Improved detection and handling of text fields to avoid out-of-bounds memory reads and potential crashes.

coderabbitai · 2026-05-26T19:39:38Z

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7678d006-6d9b-45ac-962e-56bab0ad896e

📥 Commits

Reviewing files that changed from the base of the PR and between 0b23d1d and dab2e75.

📒 Files selected for processing (1)

plugins/in_collectd/netprot.c

🚧 Files skipped from review as they are similar to previous changes (1)

plugins/in_collectd/netprot.c

📝 Walkthrough

Walkthrough

The PR hardens the collectd protocol parser in netprot_to_msgpack() by adding early validation for part lengths and replacing unsafe NUL-termination checks with in-bounds checks for string parts.

Changes

Parsing security and bounds fixes

Layer / File(s)	Summary
Part length validation `plugins/in_collectd/netprot.c`	Parser now rejects parts where `part_len < 4` or remaining buffer size `len < part_len`, emitting "invalid part length" error early.
NUL-termination bounds safety `plugins/in_collectd/netprot.c`	String parts (`PART_HOST`, `PART_PLUGIN`, `PART_PLUGIN_INSTANCE`, `PART_TYPE`, `PART_TYPE_INSTANCE`) now check `size > 0 && ptr[size - 1] == '\0'` instead of reading out-of-bounds at `ptr[size]`.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

backport to v4.2.x

Suggested reviewers

cosmo0920

Poem

A fuzzy fix for collectd's way,
We validate before we parse, hooray!
Bounds checks keep our strings safe and sound,
No sneaky reads past buffer's bound. 🐰✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the two main changes: rejecting parts with length < 4 and fixing null-terminator out-of-bounds access.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

edsiper · 2026-05-27T21:43:57Z

@TristanInSec would you please sign off the commits ? (DCO error / git commit -s ...)

The collectd binary protocol parser enters an infinite loop when it receives a part with part_len=0: the loop counters are not advanced and the while condition remains true forever. A single 4-byte UDP packet can permanently hang the worker thread. Additionally, the null-terminator check for string parts reads one byte past the end of the received data (ptr[size] where size = part_len - 4 accesses buf[part_len], which is past the buffer when the last part fills exactly to the end). Fix both by rejecting parts with part_len < 4 (minimum valid part is 4 bytes: 2 type + 2 length) and checking ptr[size - 1] instead of ptr[size] for the null terminator. Signed-off-by: Tristan <tristan@talencesecurity.com>

TristanInSec · 2026-06-02T12:07:28Z

Hi @edsiper @cosmo0920 -- just checking in on this batch (#11849-#11856). All 7 have DCO passing and Cosmo0920's approval. Is there anything else needed from my side to get these merged? Thanks!

github-actions Bot added the docs-required label May 26, 2026

TristanInSec temporarily deployed to pr May 27, 2026 21:44 — with GitHub Actions Inactive

edsiper added this to the Fluent Bit v5.0.7 milestone May 27, 2026

TristanInSec force-pushed the fix/collectd-infinite-loop branch from 0b23d1d to dab2e75 Compare May 27, 2026 21:55

TristanInSec temporarily deployed to pr May 27, 2026 22:59 — with GitHub Actions Inactive

TristanInSec temporarily deployed to pr May 27, 2026 23:18 — with GitHub Actions Inactive

cosmo0920 approved these changes May 28, 2026

View reviewed changes

edsiper merged commit c45d009 into fluent:master Jun 2, 2026
48 of 50 checks passed

cosmo0920 mentioned this pull request Jun 3, 2026

in_collectd: reject parts with length < 4 and fix null-terminator OOB [Backport to 4.2] #11896

Merged

7 tasks

cosmo0920 added the backport to v4.2.x label Jun 3, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

in_collectd: reject parts with length < 4 and fix null-terminator OOB#11849

in_collectd: reject parts with length < 4 and fix null-terminator OOB#11849
edsiper merged 1 commit into
fluent:masterfrom
TristanInSec:fix/collectd-infinite-loop

TristanInSec commented May 26, 2026 •

edited by coderabbitai Bot

Loading

Uh oh!

coderabbitai Bot commented May 26, 2026 •

edited

Loading

Walkthrough

Changes

Estimated code review effort

Suggested labels

Suggested reviewers

Poem

Uh oh!

edsiper commented May 27, 2026

Uh oh!

TristanInSec commented Jun 2, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

TristanInSec commented May 26, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

coderabbitai Bot commented May 26, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Estimated code review effort

Suggested labels

Suggested reviewers

Poem

Uh oh!

edsiper commented May 27, 2026

Uh oh!

TristanInSec commented Jun 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

TristanInSec commented May 26, 2026 •

edited by coderabbitai Bot

Loading

coderabbitai Bot commented May 26, 2026 •

edited

Loading

TristanInSec commented Jun 2, 2026 •

edited

Loading