journald: bound field length in extra-fields reader
authorSyed Mohammed Nayyar <jmestwa@gmail.com>
Wed, 24 Jun 2026 12:59:35 +0000 (18:29 +0530)
committerLuca Boccassi <luca.boccassi@gmail.com>
Thu, 25 Jun 2026 09:32:20 +0000 (10:32 +0100)
client_context_read_extra_fields() reads a 64-bit field length v from
the per-unit log-extra-fields file. n = sizeof(uint64_t) + v overflows
when v is near UINT64_MAX, so the "left < n" check is bypassed and the
following memchr() scans v bytes past the buffer. Bound v against the
remaining bytes instead, which cannot overflow.

src/journal/journald-context.c

index 1eb142887d749f54844dfa5e4e9de9cb05a89f81..3040a132d6e13173a57cfe4b959d69263bce40e9 100644 (file)
@@ -443,10 +443,13 @@ static int client_context_read_extra_fields(
                 if (v < 2)
                         return -EBADMSG;
 
-                n = sizeof(uint64_t) + v;
-                if (left < n)
+                /* left >= sizeof(uint64_t) here, so the subtraction is safe and we avoid
+                 * overflowing sizeof(uint64_t) + v when v is close to UINT64_MAX. */
+                if (v > left - sizeof(uint64_t))
                         return -EBADMSG;
 
+                n = sizeof(uint64_t) + v;
+
                 field = q + sizeof(uint64_t);
 
                 eq = memchr(field, '=', v);
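Review bot: The new guard `if (v > left - sizeof(uint64_t))` is only safe while `left >= sizeof(uint64_t)` holds, and the check that establishes this is outside the hunk, so the comment is the only thing tying the two together. If that earlier check is ever moved or relaxed, the subtraction wraps and the bound on the length passed to `memchr()` is silently lost. Consider making the precondition local, either with `assert(left >= sizeof(uint64_t));` directly above the comparison or by folding it into the condition as `if (left < sizeof(uint64_t) || v > left - sizeof(uint64_t))`. The body of client_context_read_extra_fields() starts and ends outside this hunk, so the later uses of `n` cannot be checked from here.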