in_syslog: fix integer overflow in octet-counting length parser

[TristanInSec]

The overflow guard uses strict greater-than (n > SIZE_MAX / 10) which
misses the boundary case where n equals SIZE_MAX / 10 exactly. When
n = 1844674407370955161 (SIZE_MAX / 10 on 64-bit), the subsequent
n * 10 + digit overflows to a small value (0-5). This sets
frame_expected_len to 0, which permanently corrupts the connection
state: frame_have_len stays set while frame_expected_len is 0,
causing all subsequent messages to be silently discarded.

Change the guard to >= so that the boundary value is also clamped to
SIZE_MAX before the multiplication.

Summary by CodeRabbit

• Bug Fixes
  • Adjusted the boundary condition used during RFC 6587 octet-counting frame length parsing. This refines overflow handling for very large length values, improving stability and reducing the chance of incorrect length interpretation in extreme cases.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: dd22aca9-ee26-47eb-85dc-2d31bff3913b

📥 Commits

Reviewing files that changed from the base of the PR and between b0273d2 and aae7a48.

📒 Files selected for processing (1)

• plugins/in_syslog/syslog_prot.c

🚧 Files skipped from review as they are similar to previous changes (1)

• plugins/in_syslog/syslog_prot.c

---

📝 Walkthrough

Walkthrough

A single-line boundary condition change in the RFC 6587 octet-counting framing parser adjusts the overflow guard from n > SIZE_MAX / 10 to n >= SIZE_MAX / 10, changing when numeric lengths are capped during syslog frame length parsing to prevent overflow.

Changes

Syslog RFC 6587 framing overflow boundary

Layer / File(s)	Summary
Octet-counting overflow boundary adjustment plugins/in_syslog/syslog_prot.c	The overflow guard before multiplying n by 10 changes from a strict comparison (n > SIZE_MAX / 10) to an inclusive comparison (n >= SIZE_MAX / 10), adjusting the exact threshold at which frame lengths are capped during RFC 6587 octet-counting framing.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• fluent/fluent-bit#11035: Introduced the RFC 6587 octet-counting length parsing logic that this PR refines with an adjusted overflow boundary condition.

Suggested labels

backport to v4.0.x, backport to v4.1.x

Suggested reviewers

• edsiper
• cosmo0920

Poem

🐰 A careful hop in parsing land,
I nudged a sign with gentle hand.
From strict > to >= I steer,
So huge lengths stop right — no fear. 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely describes the main change: fixing an integer overflow vulnerability in the syslog octet-counting length parser.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[edsiper]

@TristanInSec would you please sign off the commits ? (DCO error / git commit -s ...)

[TristanInSec]

@TristanInSec would you please sign off the commits ? (DCO error / git commit -s ...)

Hi @edsiper, sure, it's done. Thanks.

[cosmo0920]

Our commit lint complains like as:

❌ Commit 5268bdbce0 failed:
Bad squash detected: Unexpected subject-like prefix in body: ['state: frame_have_len stays set while frame_expected_len is 0,']


Commit prefix validation failed.

So, we need to change from a colon usage to another form without colon in the subsequent commit message lines after the commit title line.

[TristanInSec]

Fixed -- replaced the colon with a dash to avoid the commit lint error. Thanks for flagging it.

[cosmo0920]

DCO still complains that:

Summary

Commit sha: b0273d2, Author: TristanInSec, Committer: TristanInSec; Expected "TristanInSec tristan.mtn@gmail.com", but got "Tristan tristan@talencesecurity.com".

[TristanInSec]

DCO still complains that:

Summary

Commit sha: b0273d2, Author: TristanInSec, Committer: TristanInSec; Expected "TristanInSec tristan.mtn@gmail.com", but got "Tristan tristan@talencesecurity.com".

Hi @cosmo0920,
Fixed.
Committer now matches the sign-off. Thanks.