OxBat opened a new pull request, #583:
URL: https://github.com/apache/logging-log4cxx/pull/583
### Summary
I identified a critical robustness issue in `TelnetAppender` where logging a
message shorter than 4 characters (e.g., "OK", "404") triggers an infinite
loop, causing 100% CPU usage on the worker thread.
### Technical Analysis
The vulnerability is caused by a logic mismatch between the memory
allocation strategy in `TelnetAppender` and the safety requirements of the
`UTF8CharsetEncoder`.
1. **Vulnerable Allocation (`telnetappender.cpp`)**:
The buffer is allocated dynamically based strictly on message length:
```cpp
size_t bytesSize = msg.size() * 2;
```
For a 2-byte message ("Hi"), the allocated buffer is 4 bytes.
2. **Blocker Guard (`charsetencoder.cpp`)**: The `UTF8CharsetEncoder`
enforces a safety check requiring at least 8 bytes of remaining space:
```cpp
if (out.remaining() >= 8) { ... }
```
If the buffer is smaller, it returns `APR_SUCCESS` without consuming input
or advancing the iterator.
3. **The Infinite Loop**: `TelnetAppender` receives a success code but
detects the message hasn't been fully processed (`msgIter != msg.end()`). It
retries the loop indefinitely with the same insufficient buffer, creating a
deadlock.
### Remediation
This patch modifies `TelnetAppender::append` to enforce a minimum buffer
allocation (1024 bytes). This ensures the buffer always satisfies the encoder's
requirements, preventing the infinite loop regardless of the input message
length.
### Threat Model Context
While this requires an untrusted log event, it results in a high-severity
availability impact (Thread Hang).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]