journal: fix out-of-bounds read CVE-2018-16866

The original code didn't account for the fact that strchr() would match on the '\0' character, making it read past the end of the buffer if no non-whitespace character was present. This bug was introduced in commit ec5ff44 which was first released in systemd v221 and later fixed in commit 8595102 which was released in v240, so versions in the range [v221, v240) are affected.
systemd · Jan 14, 2019 · 33583cc · 33583cc
1 parent 44b4dcb
commit 33583cc
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c
@@ -238,7 +238,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid)
         if (t)
                 *identifier = t;
 
-        if (strchr(WHITESPACE, p[e]))
+        if (p[e] != '\0' && strchr(WHITESPACE, p[e]))
                 e++;
         *buf = p + e;
         return e;