Skip to content

snappy: read frame length as 3 bytes to avoid OOB at boundary [Backport to 4.2]#11901

Merged
cosmo0920 merged 1 commit into
4.2from
fix/snappy-frame-parsing-4.2
Jun 3, 2026
Merged

snappy: read frame length as 3 bytes to avoid OOB at boundary [Backport to 4.2]#11901
cosmo0920 merged 1 commit into
4.2from
fix/snappy-frame-parsing-4.2

Conversation

@cosmo0920
Copy link
Copy Markdown
Contributor

@cosmo0920 cosmo0920 commented Jun 3, 2026

BVackporting of #11855.

Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

  • Example configuration file for the change
  • Debug log output from testing the change
  • Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

  • Run local packaging test showing all targets (including any new ones) build.
  • Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

  • Documentation required for this feature

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

@cosmo0920
snappy: read frame length as 3 bytes to avoid OOB at boundary
c79c8bb 
The frame header is 4 bytes: 1 byte type + 3 bytes little-endian
length. The previous code read a uint32_t at frame_buffer[1] which
touches byte index 4, but the bounds check only ensures indices 0-3
are valid. When exactly 4 bytes remain, byte 4 is out of bounds.

Read the 3-byte length field byte-by-byte instead. This also fixes
a potential unaligned memory access on strict-alignment architectures.

Signed-off-by: Tristan <tristan@talencesecurity.com>
@cosmo0920 cosmo0920 requested a review from edsiper as a code owner June 3, 2026 01:49
@cosmo0920 cosmo0920 added this to the Fluent Bit v4.2.5 milestone Jun 3, 2026
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Jun 3, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1f6fac82-2127-4772-b53b-8af42287fe43

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/snappy-frame-parsing-4.2

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Jun 3, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c79c8bbbec

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/flb_snappy.c
Comment on lines +173 to +175
frame_length = ((uint32_t)((unsigned char) frame_buffer[1])) |
((uint32_t)((unsigned char) frame_buffer[2]) << 8) |
((uint32_t)((unsigned char) frame_buffer[3]) << 16);
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot Jun 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Reject truncated frame headers before reading length

For malformed framed snappy input with fewer than 4 bytes remaining (for example an HTTP/Prometheus/OTel request body that starts with the stream-identifier byte but is only 1–3 bytes long, or has a 1–3 byte trailing frame), while (offset < in_len) still enters the loop and these byte loads read past the supplied buffer. The previous unaligned 32-bit load was narrowed, but the frame header still needs an in_len - offset >= 4 check before reading frame_buffer[1..3].

Useful? React with 👍 / 👎.

@cosmo0920 cosmo0920 merged commit e7c40a6 into 4.2 Jun 3, 2026
25 checks passed
@cosmo0920 cosmo0920 deleted the fix/snappy-frame-parsing-4.2 branch June 3, 2026 02:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@edsiper edsiper Awaiting requested review from edsiper edsiper is a code owner

Assignees

No one assigned

Labels

docs-required

Projects

None yet

Milestone

Fluent Bit v4.2.5

Development

Successfully merging this pull request may close these issues.

1 participant

@cosmo0920