diff options
| author | Rainer Gerhards <rgerhards@adiscon.com> | 2009-08-18 18:48:18 +0200 |
|---|---|---|
| committer | Rainer Gerhards <rgerhards@adiscon.com> | 2009-08-18 18:48:18 +0200 |
| commit | bfc3eaf23cae0ef8685fc25b71e701e2c4690509 (patch) | |
| tree | 4abd0b0fa2a7d2bc0ad405bc126d31405bca6108 | |
| parent | 56b781e5bb1ea08b76d5dcc1d5e5eab10a40a4c6 (diff) | |
| download | rsyslog-bfc3eaf23cae0ef8685fc25b71e701e2c4690509.tar.gz rsyslog-bfc3eaf23cae0ef8685fc25b71e701e2c4690509.tar.xz rsyslog-bfc3eaf23cae0ef8685fc25b71e701e2c4690509.zip | |
bugfix: potential segfault in output file writer (omfile)
In async write mode, we use modular arithmetic to index the output
buffer array. However, the counter variables accidently were signed,
thus resulting in negative indizes after integer overflow. That in turn
could lead to segfaults, but was depending on the memory layout of
the instance in question (which in turn depended on a number of
variables, like compile settings but also configuration). The counters
are now unsigned (as they always should have been) and so the dangling
mis-indexing does no longer happen. This bug potentially affected all
installations, even if only some may actually have seen a segfault.
| -rw-r--r-- | ChangeLog | 10 | ||||
| -rw-r--r-- | runtime/stream.c | 1 | ||||
| -rw-r--r-- | runtime/stream.h | 4 |
3 files changed, 13 insertions, 2 deletions
@@ -11,6 +11,16 @@ Version 4.5.2 [DEVEL] (rgerhards), 2009-07-?? does most probably not have any effect in practice. - bugfix: if tcp listen port could not be created, no error message was emitted +- bugfix: potential segfault in output file writer (omfile) + In async write mode, we use modular arithmetic to index the output + buffer array. However, the counter variables accidently were signed, + thus resulting in negative indizes after integer overflow. That in turn + could lead to segfaults, but was depending on the memory layout of + the instance in question (which in turn depended on a number of + variables, like compile settings but also configuration). The counters + are now unsigned (as they always should have been) and so the dangling + mis-indexing does no longer happen. This bug potentially affected all + installations, even if only some may actually have seen a segfault. --------------------------------------------------------------------------- Version 4.5.1 [DEVEL] (rgerhards), 2009-07-15 - CONFIG CHANGE: $HUPisRestart default is now "off". We are doing this diff --git a/runtime/stream.c b/runtime/stream.c index 605a9771..a6ed70fe 100644 --- a/runtime/stream.c +++ b/runtime/stream.c @@ -833,6 +833,7 @@ finalize_it: * the very some producer comes back in sequence to submit the then-filled buffers. * This also enables us to timout on partially written buffers. -- rgerhards, 2009-07-06 */ +//#include <stdio.h> static inline rsRetVal doAsyncWriteInternal(strm_t *pThis, size_t lenBuf) { diff --git a/runtime/stream.h b/runtime/stream.h index cb368835..64ffb6e1 100644 --- a/runtime/stream.h +++ b/runtime/stream.h @@ -131,8 +131,8 @@ typedef struct strm_s { pthread_cond_t notFull; pthread_cond_t notEmpty; pthread_cond_t isEmpty; - short iEnq; - short iDeq; + unsigned short iEnq; /* this MUST be unsigned as we use module arithmetic (else invalid indexing happens!) */ + unsigned short iDeq; /* this MUST be unsigned as we use module arithmetic (else invalid indexing happens!) */ short iCnt; /* current nbr of elements in buffer */ struct { uchar *pBuf; |