Preserve remaining bytes in the log server read callback functions.

millert · millert · commit 06382b85dbd1 · 2025-09-14T16:26:47.000-06:00
We were not properly handling the case where there were a few bytes
left over after processing the message(s).  Previously, we would
reset the length without moving the remaining bytes to the head of
the buffer.  This could result in a corrupted message.

Thanks to Joshua Rogers for finding this.
diff --git a/logsrvd/logsrvd.c b/logsrvd/logsrvd.c
@@ -1149,6 +1149,9 @@ client_msg_cb(int fd, int what, void *v)
 	}
 	buf->off += msg_len;
     }
+    if (buf->len != buf->off) {
+	memmove(buf->data, buf->data + buf->off, buf->len - buf->off);
+    }
     buf->len -= buf->off;
     buf->off = 0;
 
diff --git a/logsrvd/logsrvd_relay.c b/logsrvd/logsrvd_relay.c
@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2019-2022 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2019-2023, 2025 Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -897,6 +897,9 @@ relay_server_msg_cb(int fd, int what, void *v)
 	    goto send_error;
 	buf->off += msg_len;
     }
+    if (buf->len != buf->off) {
+	memmove(buf->data, buf->data + buf->off, buf->len - buf->off);
+    }
     buf->len -= buf->off;
     buf->off = 0;
     debug_return;
diff --git a/logsrvd/sendlog.c b/logsrvd/sendlog.c
@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2019-2023 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2019-2023, 2025 Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -1428,6 +1428,9 @@ server_msg_cb(int fd, int what, void *v)
 	    goto bad;
 	buf->off += msg_len;
     }
+    if (buf->len != buf->off) {
+	memmove(buf->data, buf->data + buf->off, buf->len - buf->off);
+    }
     buf->len -= buf->off;
     buf->off = 0;
     debug_return;
diff --git a/plugins/sudoers/log_client.c b/plugins/sudoers/log_client.c
@@ -1856,6 +1856,9 @@ server_msg_cb(int fd, int what, void *v)
 	    goto bad;
 	buf->off += msg_len;
     }
+    if (buf->len != buf->off) {
+	memmove(buf->data, buf->data + buf->off, buf->len - buf->off);
+    }
     buf->len -= buf->off;
     buf->off = 0;
     debug_return;

Original file line number	Diff line number	Diff line change
`@@ -1149,6 +1149,9 @@ client_msg_cb(int fd, int what, void *v)`
`1149`	`1149`	`}`
`1150`	`1150`	`buf->off += msg_len;`
`1151`	`1151`	`}`
	`1152`	`+ if (buf->len != buf->off) {`
	`1153`	`+ memmove(buf->data, buf->data + buf->off, buf->len - buf->off);`
	`1154`	`+ }`
`1152`	`1155`	`buf->len -= buf->off;`
`1153`	`1156`	`buf->off = 0;`
`1154`	`1157`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`/*`
`2`	`2`	`* SPDX-License-Identifier: ISC`
`3`	`3`	`*`
`4`		`- * Copyright (c) 2019-2022 Todd C. Miller <[email protected]>`
	`4`	`+ * Copyright (c) 2019-2023, 2025 Todd C. Miller <[email protected]>`
`5`	`5`	`*`
`6`	`6`	`* Permission to use, copy, modify, and distribute this software for any`
`7`	`7`	`* purpose with or without fee is hereby granted, provided that the above`
`@@ -897,6 +897,9 @@ relay_server_msg_cb(int fd, int what, void *v)`
`897`	`897`	`goto send_error;`
`898`	`898`	`buf->off += msg_len;`
`899`	`899`	`}`
	`900`	`+ if (buf->len != buf->off) {`
	`901`	`+ memmove(buf->data, buf->data + buf->off, buf->len - buf->off);`
	`902`	`+ }`
`900`	`903`	`buf->len -= buf->off;`
`901`	`904`	`buf->off = 0;`
`902`	`905`	`debug_return;`