Skip to content

in_forward: validate PING is a msgpack array in check_ping#12034

Merged
edsiper merged 1 commit into
fluent:masterfrom
saddamr3e:fw-check-ping-array-type
Jul 2, 2026
Merged

in_forward: validate PING is a msgpack array in check_ping#12034
edsiper merged 1 commit into
fluent:masterfrom
saddamr3e:fw-check-ping-array-type

Conversation

@saddamr3e

Copy link
Copy Markdown
Contributor

ASan, with a malformed secure-forward PING where the client sends a 6-byte msgpack str where the array is expected:

==ERROR: AddressSanitizer: SEGV on unknown address 0x414141414141
  #0 strncmp
  #1 check_ping fw_prot.c:568

check_ping reads root.via.array.size and root.via.array.ptr[0] before checking root.type == MSGPACK_OBJECT_ARRAY. via is a union, so a non-array PING makes via.array.ptr alias attacker-controlled bytes and the strncmp at line 568 dereferences a pointer the client fully controls. The PING is read straight off the socket during the shared_key handshake, before auth completes. Every other array parser in this file (fw_prot_process, get_options_chunk, get_options_metadata) checks the type first; check_ping was the only one missing it.

Signed-off-by: Saddam <saddamr3e@gmail.com>
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a5262666-ebee-442c-8d9a-13626145493f

📥 Commits

Reviewing files that changed from the base of the PR and between 54235a2 and 6aac14d.

📒 Files selected for processing (1)
  • plugins/in_forward/fw_prot.c
👮 Files not reviewed due to content moderation or server errors (1)
  • plugins/in_forward/fw_prot.c

📝 Walkthrough

[!WARNING]

Walkthrough skipped

File diffs could not be summarized.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@edsiper edsiper added this to the Fluent Bit v5.0.9 milestone Jul 2, 2026
@edsiper edsiper merged commit f239a0a into fluent:master Jul 2, 2026
58 of 60 checks passed
@edsiper

edsiper commented Jul 2, 2026

Copy link
Copy Markdown
Member

thank you

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants