fix(codecs): correct operand order in octet-counting framer underflow

[hhh6593]

Summary

While reading through the octet-counting framer (RFC 6587, used by the TCP syslog source) I noticed that the "discard the rest of an over-length frame" branch computes the remaining bytes as src.len() - chars. That branch only runs when src.len() < chars, so the subtraction always underflows. In debug builds it panics; in release it wraps to a value near usize::MAX, which leaves the decoder stuck in the Discarding state forever and silently drops every byte that arrives afterwards on that connection. The intent is clearly the other way around — how many bytes are still left to discard after consuming this buffer — so the fix is just swapping the operands to chars - src.len().

This only shows up when an over-length, length-prefixed message is split across multiple reads, which is normal TCP fragmentation, so it's reachable from untrusted input.

Vector configuration

A TCP syslog source with a small max_length sends over-length frames down the discard path; an over-length message that arrives split across reads then hits the bug.

[sources.in]
type = "syslog
mode = "tcp"
address = "0.0.0.0:5140"
max_length = 16

[sinks.out]
type = "console"
inputs = ["in"]
encoding.codec = "json"

How did you test this PR?

I added a regression test (octet_decode_discard_partial_frame_underflow) that drives the decoder into the Discarding state with an over-length frame and then feeds a small follow-up chunk so that src.len() < chars, which reproduces the underflow on the current code. After the fix the whole module is green:

cargo test -p codecs --lib octet_counting

Change Type

• Bug fix
• New feature
• Dependencies
• Non-functional (chore, refactoring, docs)
• Performance

Is this a breaking change?

• Yes
• No

Does this PR include user facing changes?

• Yes. Please add a changelog fragment based on our guidelines.
• No. A maintainer will apply the no-changelog label to this PR.

References

Notes

• Please read our Vector contributor resources.
• Do not hesitate to use @vectordotdev/vector to reach out to us regarding this PR.
• Some CI checks run only after we manually approve them.
  • We recommend adding a pre-push hook, please see this template.
  • Alternatively, we recommend running the following locally before pushing to the remote branch:
    • make fmt
    • make check-clippy (if there are failures it's possible some of them can be fixed with make clippy-fix)
    • make test
• After a review is requested, please avoid force pushes to help us review incrementally.
  • Feel free to push as many commits as you want. They will be squashed into one before merging.
  • For example, you can run git merge origin master and git push.
• If this PR introduces changes Vector dependencies (modifies Cargo.lock), please
  run make build-licenses to regenerate the license inventory and commit the changes (if any). More details on the dd-rust-license-tool.

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[hhh6593]

I have read the CLA Document and I hereby sign the CLA