author    Rainer Gerhards <rgerhards@adiscon.com>  2009-08-18 18:48:18 +0200
committer Rainer Gerhards <rgerhards@adiscon.com>  2009-08-18 18:48:18 +0200
commit    bfc3eaf23cae0ef8685fc25b71e701e2c4690509 (patch)
tree      4abd0b0fa2a7d2bc0ad405bc126d31405bca6108
parent    56b781e5bb1ea08b76d5dcc1d5e5eab10a40a4c6 (diff)
bugfix: potential segfault in output file writer (omfile)
In async write mode, we use modular arithmetic to index the output buffer array. However, the counter variables accidentally were signed, thus resulting in negative indices after integer overflow. That in turn could lead to segfaults, but was depending on the memory layout of the instance in question (which in turn depended on a number of variables, like compile settings but also configuration). The counters are now unsigned (as they always should have been) and so the dangling mis-indexing no longer happens. This bug potentially affected all installations, even if only some may actually have seen a segfault.
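The mechanism the commit message describes, shown as an added C example that is not rsyslog code: NBUF, the function names and the 70000-step walk are constructed for illustration. It contrasts a signed `short` counter (the pre-fix state) with an `unsigned short` counter (the fix), and also exercises the caveat that remains with the unsigned type: `counter % N` is only continuous across the 65536 wrap when N is a power of two.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed value: number of slots in the async output buffer ring. */
#define NBUF 4

/* Pre-fix model: a signed 16-bit counter. ctr + 1 is computed in int and
 * converted back to short; on two's-complement compilers (GCC, Clang) the
 * value past SHRT_MAX wraps to SHRT_MIN. */
static short signed_step(short ctr)
{
    return (short)(ctr + 1);
}

/* Slot derived from the signed counter. C99 '%' truncates toward zero and
 * keeps the sign of the dividend, so a negative counter yields a negative
 * slot index, i.e. an out-of-bounds access before the start of the array. */
static int signed_slot(short ctr)
{
    return ctr % NBUF;
}

/* Post-fix model: unsigned counter. Wrap-around at USHRT_MAX is defined
 * behaviour and the value can never be negative. */
static unsigned short unsigned_step(unsigned short ctr)
{
    return (unsigned short)(ctr + 1);
}

static unsigned int unsigned_slot(unsigned short ctr)
{
    return ctr % NBUF;
}

/* Walk a full 16-bit cycle of increments and report whether every slot
 * index stayed inside [0, NBUF). Returns 1 if safe, 0 on the first bad slot. */
static int signed_indexing_is_safe(void)
{
    short ctr = 0;
    for (long i = 0; i < 70000L; i++) {
        int slot = signed_slot(ctr);
        if (slot < 0 || slot >= NBUF)
            return 0;
        ctr = signed_step(ctr);
    }
    return 1;
}

static int unsigned_indexing_is_safe(void)
{
    unsigned short ctr = 0;
    for (long i = 0; i < 70000L; i++) {
        if (unsigned_slot(ctr) >= NBUF)
            return 0;
        ctr = unsigned_step(ctr);
    }
    return 1;
}

/* Remaining caveat of the unsigned fix: the counter still wraps at 65536,
 * and "counter % nbuf" is only continuous across that wrap when nbuf
 * divides 65536 (a power of two). Returns 1 if the slot after the wrap is
 * the expected successor of the slot before it, 0 if the sequence jumps. */
static int wrap_is_contiguous(unsigned int nbuf)
{
    unsigned short last = USHRT_MAX;
    unsigned short next = unsigned_step(last);          /* wraps to 0 */
    unsigned int expected = ((last % nbuf) + 1) % nbuf;
    return (next % nbuf) == expected;
}

/* Alternative that avoids the wrap entirely: keep the counter itself
 * reduced modulo the slot count on every increment. */
static unsigned short bounded_step(unsigned short ctr, unsigned int nbuf)
{
    return (unsigned short)((ctr + 1u) % nbuf);
}

int main(void)
{
    printf("signed counter indexing safe:   %d\n", signed_indexing_is_safe());
    printf("unsigned counter indexing safe: %d\n", unsigned_indexing_is_safe());
    printf("wrap contiguous with 4 slots:   %d\n", wrap_is_contiguous(4));
    printf("wrap contiguous with 3 slots:   %d\n", wrap_is_contiguous(3));
    printf("bounded step from slot 2 of 3:  %u\n", bounded_step(2, 3));
    return 0;
}
```

Build with `cc -Wall -o ring ring.c && ./ring`. The signed walk fails at counter -32767 (slot -3), the unsigned walk never leaves [0, 4), and the contiguity check shows why a ring size that does not divide 65536 would still misbehave at the wrap even with the unsigned type, which is what `bounded_step` avoids.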
-rw-r--r--  ChangeLog        | 10
-rw-r--r--  runtime/stream.c |  1
-rw-r--r--  runtime/stream.h |  4
3 files changed, 13 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index b8e884e3..d1ba8617 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -11,6 +11,16 @@ Version 4.5.2 [DEVEL] (rgerhards), 2009-07-??
does most probably not have any effect in practice.
- bugfix: if tcp listen port could not be created, no error message was
emitted
+- bugfix: potential segfault in output file writer (omfile)
+ In async write mode, we use modular arithmetic to index the output
+ buffer array. However, the counter variables accidently were signed,
+ thus resulting in negative indizes after integer overflow. That in turn
+ could lead to segfaults, but was depending on the memory layout of
+ the instance in question (which in turn depended on a number of
+ variables, like compile settings but also configuration). The counters
+ are now unsigned (as they always should have been) and so the dangling
+ mis-indexing does no longer happen. This bug potentially affected all
+ installations, even if only some may actually have seen a segfault.
---------------------------------------------------------------------------
Version 4.5.1 [DEVEL] (rgerhards), 2009-07-15
- CONFIG CHANGE: $HUPisRestart default is now "off". We are doing this
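Review bot: the new ChangeLog entry names the component (omfile) but not what was actually changed; since the fix lives in runtime/stream.h, naming the fields (`iEnq`/`iDeq` in `strm_t`) would let someone reading the ChangeLog find the code. The added lines also need spelling fixes: "accidently" should be "accidentally", "indizes" should be "indices", and "does no longer happen" should be "no longer happens".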
diff --git a/runtime/stream.c b/runtime/stream.c
index 605a9771..a6ed70fe 100644
--- a/runtime/stream.c
+++ b/runtime/stream.c
@@ -833,6 +833,7 @@ finalize_it:
* the very some producer comes back in sequence to submit the then-filled buffers.
* This also enables us to timout on partially written buffers. -- rgerhards, 2009-07-06
*/
+//#include <stdio.h>
static inline rsRetVal
doAsyncWriteInternal(strm_t *pThis, size_t lenBuf)
{
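Review bot: the only change to stream.c is the commented-out line `+//#include <stdio.h>` above doAsyncWriteInternal(), which looks like leftover debugging scaffolding and is unrelated to the signedness fix; drop it from this commit rather than leaving dead preprocessor text in the file.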
diff --git a/runtime/stream.h b/runtime/stream.h
index cb368835..64ffb6e1 100644
--- a/runtime/stream.h
+++ b/runtime/stream.h
@@ -131,8 +131,8 @@ typedef struct strm_s {
pthread_cond_t notFull;
pthread_cond_t notEmpty;
pthread_cond_t isEmpty;
- short iEnq;
- short iDeq;
+ unsigned short iEnq; /* this MUST be unsigned as we use module arithmetic (else invalid indexing happens!) */
+ unsigned short iDeq; /* this MUST be unsigned as we use module arithmetic (else invalid indexing happens!) */
short iCnt; /* current nbr of elements in buffer */
struct {
uchar *pBuf;
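Review bot: switching iEnq/iDeq to `unsigned short` removes the negative index, but the counters still wrap at 65536, and `counter % N` is only continuous across that wrap when N divides 65536 (i.e. the buffer count is a power of two); for any other N the slot sequence jumps or repeats at the wrap and enqueue and dequeue can lose sync. Either reduce the counters modulo the buffer count on every increment (`iEnq = (iEnq + 1) % N`) so the wrap never occurs, or document the power-of-two requirement next to the array size. Minor: "module arithmetic" in both new comments should read "modulo arithmetic".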