From: Syed Mohammed Nayyar Date: Wed, 24 Jun 2026 12:59:35 +0000 (+0530) Subject: journald: bound field length in extra-fields reader X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=15bee24d4f2b0a019457892f43af806211bbdaae;p=thirdparty%2Fsystemd.git journald: bound field length in extra-fields reader client_context_read_extra_fields() reads a 64-bit field length v from the per-unit log-extra-fields file. n = sizeof(uint64_t) + v overflows when v is near UINT64_MAX, so the "left < n" check is bypassed and the following memchr() scans v bytes past the buffer. Bound v against the remaining bytes instead, which cannot overflow. --- diff --git a/src/journal/journald-context.c b/src/journal/journald-context.c index 1eb142887d7..3040a132d6e 100644 --- a/src/journal/journald-context.c +++ b/src/journal/journald-context.c @@ -443,10 +443,13 @@ static int client_context_read_extra_fields( if (v < 2) return -EBADMSG; - n = sizeof(uint64_t) + v; - if (left < n) + /* left >= sizeof(uint64_t) here, so the subtraction is safe and we avoid + * overflowing sizeof(uint64_t) + v when v is close to UINT64_MAX. */ + if (v > left - sizeof(uint64_t)) return -EBADMSG; + n = sizeof(uint64_t) + v; + field = q + sizeof(uint64_t); eq = memchr(field, '=', v);
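Review bot: The new bound `if (v > left - sizeof(uint64_t))` is only correct if `left >= sizeof(uint64_t)` holds at that point. The added comment asserts this, but nothing in the hunk's visible context (only the `v < 2` check precedes it) establishes it. If `left` is an unsigned type and can be smaller than `sizeof(uint64_t)`, the subtraction wraps and the check passes for any `v`, which brings back the out-of-bounds `memchr(field, '=', v)` the commit message describes. Either have the comment name the earlier check that guarantees the precondition, or make it explicit next to the subtraction with `assert(left >= sizeof(uint64_t));`. Moving `n = sizeof(uint64_t) + v;` after the bound is right, since the sum can no longer overflow once `v` is known to fit in the remaining bytes. A regression test that feeds a field length near UINT64_MAX would keep the fix from being undone later.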