Skip to content

in_tail: fix out-of-bounds read in unesc_ends_with_nl#11952

Open
saddamr3e wants to merge 1 commit into
fluent:masterfrom
saddamr3e:tail-dockermode-empty-log-oob
Open

in_tail: fix out-of-bounds read in unesc_ends_with_nl#11952
saddamr3e wants to merge 1 commit into
fluent:masterfrom
saddamr3e:tail-dockermode-empty-log-oob

Conversation

@saddamr3e

@saddamr3e saddamr3e commented Jun 17, 2026
edited by coderabbitai Bot
Loading

Copy link
Copy Markdown

AddressSanitizer, in_tail with Docker_Mode On parsing a container log line whose log field is empty ({"log":"","stream":"stdout",...}):

READ of size 1 at 0x... thread T0
    #0 unesc_ends_with_nl plugins/in_tail/tail_dockermode.c:193
0x... is located 1 bytes before 1-byte region

modify_json_cond calls the unesc_ends_with_nl predicate with the value of the log key. For an empty value len is 0, flb_unescape_string returns 0, and unesc[unesc_len - 1] indexes unesc[-1]. Container stdout is attacker-controlled, so a single empty log line triggers the underflow. Guarding the index on unesc_len keeps the trailing-newline check correct for non-empty messages.

Testing

  • Example configuration file for the change
[INPUT]
    Name          tail
    Path          /var/log/containers/*.log
    Docker_Mode   On

[OUTPUT]
    Name   stdout
    Match  *

Feed it a docker json line with an empty message, e.g. {"log":"","stream":"stdout","time":"2024-01-01T00:00:00Z"}.

  • Debug log output from testing the change

Reduced the predicate to a standalone harness over the unmodified flb_unescape_string and unesc_ends_with_nl:

before: AddressSanitizer: heap-buffer-overflow ... READ of size 1 ... 1 bytes before 1-byte region at the unesc[unesc_len - 1] line.
after: runs clean, returns 0.

  • Attached Valgrind/ASan output that shows no leaks or memory corruption was found

ASan flags the read on the unpatched tree and is clean after the patch.

  • [N/A] Run local packaging test showing all targets build.
  • [N/A] Set ok-package-test label to test for all targets.

Documentation

  • [N/A] Documentation required for this feature

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

  • Bug Fixes
    • Fixed a potential issue in Docker mode tail functionality that could occur when processing certain input conditions, ensuring more stable operation.

@saddamr3e
in_tail: fix out-of-bounds read in unesc_ends_with_nl
8b33c03 
An empty docker log message reaches unesc_ends_with_nl with len 0, so flb_unescape_string returns 0 and unesc[unesc_len - 1] reads one byte before the heap buffer. Guard the index on unesc_len.

Signed-off-by: saddamr3e <saddamr3e@gmail.com>
@coderabbitai

coderabbitai Bot commented Jun 17, 2026
edited
Loading

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2bf3c3d4-b48b-486c-b774-8d5839c754c4

📥 Commits

Reviewing files that changed from the base of the PR and between 4ddcb11 and 8b33c03.

📒 Files selected for processing (1)
  • plugins/in_tail/tail_dockermode.c
📝 Walkthrough

Walkthrough

A one-line guard (unesc_len > 0) is added to unesc_ends_with_nl() in plugins/in_tail/tail_dockermode.c before accessing unesc[unesc_len - 1], preventing an out-of-bounds read when unesc_len is zero.

Changes

Docker mode newline check fix

Layer / File(s) Summary
Zero-length guard in unesc_ends_with_nl()
plugins/in_tail/tail_dockermode.c		 Condition updated to check unesc_len > 0 before indexing unesc[unesc_len - 1], eliminating the potential out-of-bounds access when the unescaped buffer is empty.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐇 A tiny guard, a single line,
No buffer overrun — how fine!
When length is zero, skip the peek,
The last byte's not ours to seek.
Safe bounds, safe logs, all is well! 🌿

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically describes the main change: fixing an out-of-bounds read vulnerability in the unesc_ends_with_nl function, which is the primary objective of this PR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@edsiper edsiper added this to the Fluent Bit v5.0.8 milestone Jun 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@edsiper edsiper Awaiting requested review from edsiper edsiper is a code owner

@cosmo0920 cosmo0920 Awaiting requested review from cosmo0920 cosmo0920 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

docs-required

Projects

None yet

Milestone

Fluent Bit v5.0.8

Development

Successfully merging this pull request may close these issues.

2 participants

@saddamr3e @edsiper