config_format: fix possible heap overflow (#7768)

The return value of `strchr` is not checked for failure. If it's failure then `tmp` will be `0` in the `(tmp-p)` calculation, causing `xlen` to be `p`. `xlen` is later used for copying memory by way of `memcpy` in string creation using `flb_sds_create_len`. This fixes it. Signed-off-by: David Korczynski <[email protected]>
fluent · Aug 8, 2023 · e784f9f · e784f9f
1 parent 5686334
commit e784f9f
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/src/config_format/flb_config_format.c b/src/config_format/flb_config_format.c
@@ -420,6 +420,9 @@ struct flb_kv *flb_cf_meta_property_add(struct flb_cf *cf, char *meta, int len)
 
     p = meta;
     tmp = strchr(p, ' ');
+    if (tmp == NULL) {
+        return NULL;
+    }
     xlen = (tmp - p);
 
     /* create k/v pair */