diff options
| author | Rainer Gerhards <rgerhards@adiscon.com> | 2010-03-25 08:03:37 +0100 |
|---|---|---|
| committer | Rainer Gerhards <rgerhards@adiscon.com> | 2010-03-25 08:03:37 +0100 |
| commit | a3e48b697fa664110567fcd0027d24ea5a239041 (patch) | |
| tree | 84a538e10842a8b00a4f8c02973d572d180ea587 | |
| parent | 28b3703c95cb06642ff245f4d7e265c4591c128f (diff) | |
| download | rsyslog-a3e48b697fa664110567fcd0027d24ea5a239041.tar.gz rsyslog-a3e48b697fa664110567fcd0027d24ea5a239041.tar.xz rsyslog-a3e48b697fa664110567fcd0027d24ea5a239041.zip | |
bugfix(temporary): message-induced off-by-one error (potential segfault)
Some types of malformed messages could trigger an off-by-one error
(for example, \0 or \n as the last character, and generally control
character escaption is questionable). This is due to not strictly
following a the \0 or string counted string paradigm (during the last
optimization on the cstring class). As a temporary fix, we have
introduced a proper recalculation of the size. However, a final
patch is expected in the future. See bug tracker for further details
and when the final patch will be available:
http://bugzilla.adiscon.com/show_bug.cgi?id=184
Note that the current patch is considered sufficient to solve the
situation, but it requires a bit more runtime than desirable.
| -rw-r--r-- | ChangeLog | 12 | ||||
| -rw-r--r-- | runtime/msg.c | 6 |
2 files changed, 18 insertions, 0 deletions
@@ -2,6 +2,18 @@ Version 4.6.2 [v4-stable] (rgerhards), 2010-03-?? - new feature: "." action type added to support writing files to relative pathes (this is primarily meant as a debug aid) +- bugfix(temporary): message-induced off-by-one error (potential segfault) + Some types of malformed messages could trigger an off-by-one error + (for example, \0 or \n as the last character, and generally control + character escaption is questionable). This is due to not strictly + following a the \0 or string counted string paradigm (during the last + optimization on the cstring class). As a temporary fix, we have + introduced a proper recalculation of the size. However, a final + patch is expected in the future. See bug tracker for further details + and when the final patch will be available: + http://bugzilla.adiscon.com/show_bug.cgi?id=184 + Note that the current patch is considered sufficient to solve the + situation, but it requires a bit more runtime than desirable. - bugfix: potential segfault in dynafile cache This bug was triggered by an open failure. The the cache was full and a new entry needed to be placed inside it, a victim for eviction was diff --git a/runtime/msg.c b/runtime/msg.c index 3a2331f4..2ce7843a 100644 --- a/runtime/msg.c +++ b/runtime/msg.c @@ -2319,6 +2319,12 @@ uchar *MsgGetProp(msg_t *pMsg, struct templateEntry *pTpe, *pPropLen = sizeof("**INVALID PROPERTY NAME**") - 1; return UCHAR_CONSTANT("**INVALID PROPERTY NAME**"); } + /* the following line fixes the symptom, but not the root cause -- at least MSG sometimes + * returns a size of one too less. To prevent all troubles, we recalculate the sizes based + * on what we actually got. TODO: remove once root cause is found. + * rgerhards, 2010-03-23 + */ + bufLen = ustrlen(pRes); /* If we did not receive a template pointer, we are already done... */ |