From 1ca6cc236d1dabf1633238b873fb1c057e52f95e Mon Sep 17 00:00:00 2001
From: Rainer Gerhards
Date: Wed, 10 Aug 2011 11:41:03 +0200
Subject: bugfix: off-by-one(two) bug in legacy syslog parser
---
 tools/syslogd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/syslogd.c b/tools/syslogd.c
index 12d94e9a..ba27d08a 100644
--- a/tools/syslogd.c
+++ b/tools/syslogd.c
@@ -1289,7 +1289,7 @@ int parseLegacySyslogMsg(msg_t *pMsg, int flags)
 * outputs so that only 32 characters max are used by default.
 */
 i = 0;
- while(lenMsg > 0 && *p2parse != ':' && *p2parse != ' ' && i < CONF_TAG_MAXSIZE) {
+ while(lenMsg > 0 && *p2parse != ':' && *p2parse != ' ' && i < CONF_TAG_MAXSIZE - 2) {
 bufParseTAG[i++] = *p2parse++;
 --lenMsg;
 }
-- cgit
From fcb98138a683c90e484e46eccb5c69e1034e1366 Mon Sep 17 00:00:00 2001
From: Andre Lorbach
Date: Thu, 11 Aug 2011 10:57:06 +0200
Subject: Added MsgDup bugfix from v5-stable into v4-stable branch
---
 ChangeLog | 1 +
 runtime/msg.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 785a60eb..721104fc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,7 @@ Version 4.6.8 [v4-stable] (rgerhards), 2011-??-??
 - bugfix: memcpy overflow can occur in allowed sender checkig
 if a name is resolved to IPv4-mapped-on-IPv6 address
 Found by Ismail Dönmez at suse
+- bugfix: The NUL-Byte for the syslogtag was not copied in MsgDup (msg.c)
 ---------------------------------------------------------------------------
 Version 4.6.7 [v4-stable] (rgerhards), 2011-07-11
 - added support for the ":omusrmsg:" syntax in configuring user messages
diff --git a/runtime/msg.c b/runtime/msg.c
index 0dbcdefd..c8046d1b 100644
--- a/runtime/msg.c
+++ b/runtime/msg.c
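Review bot: In the tools/syslogd.c hunk, the new bound `i < CONF_TAG_MAXSIZE - 2` is a bare magic number: nothing at the loop says which two bytes of bufParseTAG it keeps free, and this is the fix that a later ChangeLog entry on this page ties to CVE-2011-3200. Presumably the two bytes are for a ':' and the terminating NUL stored after the loop, but those writes and the declaration of bufParseTAG are outside the hunk, so confirm against the full body of parseLegacySyslogMsg. I would put a comment on the line above the loop, `/* -2: leave room for the ':' and the NUL stored after this loop */`, so the bound is not simplified back later. A regression test that parses a tag of CONF_TAG_MAXSIZE or more characters containing neither ':' nor a space would pin the fix.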
@@ -888,7 +888,7 @@ msg_t* MsgDup(msg_t* pOld)
 */
 if(pOld->iLenTAG > 0) {
 if(pOld->iLenTAG < CONF_TAG_BUFSIZE) {
- memcpy(pNew->TAG.szBuf, pOld->TAG.szBuf, pOld->iLenTAG);
+ memcpy(pNew->TAG.szBuf, pOld->TAG.szBuf, pOld->iLenTAG + 1);
 } else {
 if((pNew->TAG.pszTAG = srUtilStrDup(pOld->TAG.pszTAG, pOld->iLenTAG)) == NULL) {
 msgDestruct(&pNew);
-- cgit
From d654e51e2c54e6042a73ee6c95062c916161cdbe Mon Sep 17 00:00:00 2001
From: Rainer Gerhards
Date: Tue, 30 Aug 2011 14:47:37 +0200
Subject: added bug info to ChangeLog
---
 ChangeLog | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 721104fc..bbdfc911 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,8 @@
 ---------------------------------------------------------------------------
-Version 4.6.8 [v4-stable] (rgerhards), 2011-??-??
+Version 4.6.8 [v4-stable] (rgerhards), 2011-09-01
+- bugfix/security: off-by-two bug in legacy syslog parser, CVE-2011-3200
 - bugfix: potential misadressing in property replacer
-- bugfix: memcpy overflow can occur in allowed sender checkig
+- bugfix: memcpy overflow can occur in allowed sender checking
 if a name is resolved to IPv4-mapped-on-IPv6 address
 Found by Ismail Dönmez at suse
 - bugfix: The NUL-Byte for the syslogtag was not copied in MsgDup (msg.c)
-- cgit
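Review bot: In the runtime/msg.c hunk, copying `pOld->iLenTAG + 1` bytes makes the duplicate's terminator depend on `pOld->TAG.szBuf[pOld->iLenTAG]` already being NUL; if the source tag was ever stored without its terminator, the copy carries the stray byte along. Writing the terminator explicitly guarantees termination regardless of the source: keep `memcpy(pNew->TAG.szBuf, pOld->TAG.szBuf, pOld->iLenTAG);` and follow it with `pNew->TAG.szBuf[pOld->iLenTAG] = '\0';`. The guard `pOld->iLenTAG < CONF_TAG_BUFSIZE` keeps that index in range only if szBuf holds CONF_TAG_BUFSIZE bytes, which is declared outside the hunk and should be confirmed. MsgDup starts before and continues past the hunk.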