From 935f67669ac368a2cf8dc6b9ee3640c22f8b95d2 Mon Sep 17 00:00:00 2001 From: Tristan Date: Tue, 26 May 2026 15:01:44 -0400 Subject: [PATCH] in_syslog: fix integer overflow in octet-counting length parser The overflow guard uses strict greater-than (n > SIZE_MAX / 10) which misses the boundary case where n equals SIZE_MAX / 10 exactly. When n = 1844674407370955161 (SIZE_MAX / 10 on 64-bit), the subsequent n * 10 + digit overflows to a small value (0-5). This sets frame_expected_len to 0, which permanently corrupts the connection -- frame_have_len stays set while frame_expected_len is 0, causing all subsequent messages to be silently discarded. Change the guard to >= so that the boundary value is also clamped to SIZE_MAX before the multiplication. Signed-off-by: Tristan --- plugins/in_syslog/syslog_prot.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/in_syslog/syslog_prot.c b/plugins/in_syslog/syslog_prot.c index d1b4c0c87d7..f2624e3727f 100644 --- a/plugins/in_syslog/syslog_prot.c +++ b/plugins/in_syslog/syslog_prot.c @@ -240,7 +240,7 @@ int syslog_prot_process(struct syslog_conn *conn) char *sp = p; size_t n = 0; while (sp < end && *sp >= '0' && *sp <= '9') { - if (n > SIZE_MAX / 10) { + if (n >= SIZE_MAX / 10) { n = SIZE_MAX; break; }
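Review bot: at `if (n >= SIZE_MAX / 10)` the guard is now conservative rather than exact, and the code should say so in a comment or use the exact form. With n equal to SIZE_MAX / 10 on 64-bit, n * 10 + digit still fits for digits 0 to 5 and only wraps for 6 to 9, so `>=` also clamps a few values that would not have overflowed. That is harmless here because the result is clamped to SIZE_MAX either way, but a one-line comment above the check would keep a later reader from "fixing" it back to `>`. If exactness is preferred, compare against the digit being added, for example `if (n > (SIZE_MAX - (size_t)(*sp - '0')) / 10)`. The commit message describes frame_expected_len ending up as 0 and the connection then discarding every later message, so a regression test that sends a length prefix of 1844674407370955161 followed by each of the digits 6 to 9 would pin this down. An explicit rejection of a zero expected length where the parsed value is stored would also cover the same failure if it is reached by another path.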