From 0701a6a98801d169c7ec8c6cbdce06c73981a5f9 Mon Sep 17 00:00:00 2001
From: z30023150
Date: Mon, 23 May 2022 17:35:45 +0800
Subject: [PATCH] bugfix:fix CVE-2022-24903
---
bugfix-CVE-2022-24903.patch | 46 +++++++++++++++++++++++++++++++++++++
rsyslog.spec | 5 +++-
2 files changed, 50 insertions(+), 1 deletion(-)
create mode 100644 bugfix-CVE-2022-24903.patch
diff --git a/bugfix-CVE-2022-24903.patch b/bugfix-CVE-2022-24903.patch
new file mode 100644
index 0000000..7115f57
--- /dev/null
+++ b/bugfix-CVE-2022-24903.patch
@@ -0,0 +1,46 @@
+From 086085772c067616055b3eb3445ee8e50c80ae04 Mon Sep 17 00:00:00 2001
+From: Rainer Gerhards
+Date: Fri, 22 Apr 2022 09:49:46 +0200
+Subject: [PATCH] net bugfix: potential buffer overrun
+
+Conflict:no introduced imhttp.c
+Reference:https://github.com/rsyslog/rsyslog/commit/89955b0bcb1ff105e1374aad7e0e993faa6a038f
+
+---
+ plugins/imptcp/imptcp.c | 4 +++-
+ runtime/tcps_sess.c | 4 +++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/plugins/imptcp/imptcp.c b/plugins/imptcp/imptcp.c
+index cdd29d4..e47a7c9 100644
+--- a/plugins/imptcp/imptcp.c
++++ b/plugins/imptcp/imptcp.c
+@@ -1107,7 +1107,9 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis,
+ if(pThis->iOctetsRemain <= 200000000) {
+ pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ }
+- *(pThis->pMsg + pThis->iMsg++) = c;
++ if(pThis->iMsg < iMaxLine) {
++ *(pThis->pMsg + pThis->iMsg++) = c;
++ }
+ } else { /* done with the octet count, so this must be the SP terminator */
+ DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ prop.GetString(pThis->peerName, &propPeerName, &lenPeerName);
+diff --git a/runtime/tcps_sess.c b/runtime/tcps_sess.c
+index 58528c8..4170688 100644
+--- a/runtime/tcps_sess.c
++++ b/runtime/tcps_sess.c
+@@ -387,7 +387,9 @@ processDataRcvd(tcps_sess_t *pThis,
+ if(pThis->iOctetsRemain <= 200000000) {
+ pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ }
+- *(pThis->pMsg + pThis->iMsg++) = c;
++ if(pThis->iMsg < iMaxLine) {
++ *(pThis->pMsg + pThis->iMsg++) = c;
++ }
+ } else { /* done with the octet count, so this must be the SP terminator */
+ DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ prop.GetString(pThis->fromHost, &propPeerName, &lenPeerName);
+--
+2.27.0
+
diff --git a/rsyslog.spec b/rsyslog.spec
index 8e33426..5e053b1 100644
--- a/rsyslog.spec
+++ b/rsyslog.spec
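Review bot: The patch file added in this hunk does not appear to be wired into the build: the rsyslog.spec hunks of this commit change only `Release:` and `%changelog`, and the diffstat for the spec (4 insertions, 1 deletion) is fully accounted for by those lines, so no `PatchN:` entry is added. Unless the spec applies patches through some mechanism outside the visible hunks, the package would be released as 8.2006.0-8 with the CVE-2022-24903 fix unapplied; declare it with a line such as `Patch<N>: bugfix-CVE-2022-24903.patch` (placeholder number) and confirm that `%prep` applies it. Separately, the new guard `if(pThis->iMsg < iMaxLine)` in both `processDataRcvd` hunks (imptcp.c and tcps_sess.c) drops excess octet-count digits silently, and neither the declaration of `iMaxLine` nor the allocation size of `pMsg` is visible in this backported context. It is worth checking against the 8.2006.0 tree that `iMaxLine` is in scope in both functions and that `pMsg` holds at least `iMaxLine` bytes. Both function bodies continue outside the hunks.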
@@ -4,7 +4,7 @@ Name: rsyslog Version: 8.2006.0 -Release: 7 +Release: 8 Summary: The rocket-fast system for log processing License: (GPLv3+ and ASL 2.0) URL: http://www.rsyslog.com/ @@ -391,6 +391,9 @@ systemctl daemon-reload >/dev/null 2>&1 %{_mandir}/man1/rscryutil.1.gz %changelog +* Mon May 23 2022 zhanghaolian - 8.2006.0-8 +- DESC:fix CVE-2022-24903 + * Thu Sep 16 2021 wuchaochao - 8.2006.0-7 - backport patches from upstream -- Gitee