From eedce284c91b1d5fd700f739bfdc98bc5b00a505 Mon Sep 17 00:00:00 2001 From: Tristan Date: Tue, 26 May 2026 15:01:26 -0400 Subject: [PATCH] in_forward: validate array size before accessing message mode fields The forward protocol parser accesses root.via.array.ptr[2] when the second element is a positive integer or EXT type (message mode), but only checks that the array has at least 2 elements. A 2-element array [tag, integer] passes the size check but causes an out-of-bounds heap read when accessing index 2. Add a size >= 3 check before the message mode branch. Signed-off-by: Tristan --- plugins/in_forward/fw_prot.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/plugins/in_forward/fw_prot.c b/plugins/in_forward/fw_prot.c index aa84ba8d243..f11e2a7f780 100644 --- a/plugins/in_forward/fw_prot.c +++ b/plugins/in_forward/fw_prot.c @@ -1478,6 +1478,14 @@ int fw_prot_process(struct flb_input_instance *ins, struct fw_conn *conn) /* * Forward format 2 (message mode) : [tag, time, map, ...] */ + if (root.via.array.size < 3) { + flb_plg_warn(ctx->ins, + "message mode requires at least 3 elements"); + msgpack_unpacked_destroy(&result); + msgpack_unpacker_free(unp); + flb_sds_destroy(out_tag); + return -1; + } map = root.via.array.ptr[2]; if (map.type != MSGPACK_OBJECT_MAP) { flb_plg_warn(ctx->ins, "invalid data format, map expected");