bugfix: random data could be appended to message, possibly causing segfaults

6 files changed, 160 insertions, 80 deletions

diff --git a/ChangeLog b/ChangeLog
index 0c127d1b..6272aee2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,7 @@
 ---------------------------------------------------------------------------
 Version 4.4.2  [v4-stable] (rgerhards), 2009-09-??
+- bugfix: random data could be appended to message, possibly causing
+  segfaults
 - bugfix: reverse lookup reduction logic in imudp do DNS queries too often
   A comparison was done between the current and the former source address.
   However, this was done on the full sockaddr_storage structure and not
diff --git a/runtime/datetime.c b/runtime/datetime.c
index 40ab4e9c..fc56b27c 100644
--- a/runtime/datetime.c
+++ b/runtime/datetime.c
@@ -140,6 +140,7 @@ static void getCurrTime(struct syslogTime *t, time_t *ttSeconds)
  * DO NOT PUT ANY OTHER CODE IN THIS BEGIN ... END BLOCK!!!!
  */
 
+
 /**
  * Parse a 32 bit integer number from a string.
  *
@@ -147,17 +148,21 @@ static void getCurrTime(struct syslogTime *t, time_t *ttSeconds)
  *             must be positioned at the first digit. Will be updated 
  *             so that on return it points to the first character AFTER
  *             the integer parsed.
+ * \param pLenStr pointer to string length, decremented on exit by
+ *                characters processed
+ * 		  Note that if an empty string (len < 1) is passed in,
+ * 		  the method always returns zero.
  * \retval The number parsed.
  */
-
-static int srSLMGParseInt32(uchar** ppsz)
+static int srSLMGParseInt32(uchar** ppsz, int *pLenStr)
 {
 	register int i;
 
 	i = 0;
-	while(isdigit((int) **ppsz)) {
+	while(*pLenStr > 0 && isdigit((int) **ppsz)) {
 		i = i * 10 + **ppsz - '0';
 		++(*ppsz);
+		--(*pLenStr);
 	}
 
 	return i;
@@ -169,9 +174,13 @@ static int srSLMGParseInt32(uchar** ppsz)
  * updates the parse pointer position. The pTime parameter
  * is guranteed to be updated only if a new valid timestamp
  * could be obtained (restriction added 2008-09-16 by rgerhards).
+ * This method now also checks the maximum string length it is passed.
+ * If a *valid* timestamp is found, the string length is decremented
+ * by the number of characters processed. If it is not a valid timestamp,
+ * the length is kept unmodified. -- rgerhards, 2009-09-23
  */
 static rsRetVal
-ParseTIMESTAMP3339(struct syslogTime *pTime, uchar** ppszTS)
+ParseTIMESTAMP3339(struct syslogTime *pTime, uchar** ppszTS, int *pLenStr)
 {
 	uchar *pszTS = *ppszTS;
 	/* variables to temporarily hold time information while we parse */
@@ -186,6 +195,7 @@ ParseTIMESTAMP3339(struct syslogTime *pTime, uchar** ppszTS)
 	char OffsetMode;	/* UTC offset + or - */
 	char OffsetHour;	/* UTC offset in hours */
 	int OffsetMinute;	/* UTC offset in minutes */
+	int lenStr;
 	/* end variables to temporarily hold time information while we parse */
 	DEFiRet;
 
@@ -193,48 +203,50 @@ ParseTIMESTAMP3339(struct syslogTime *pTime, uchar** ppszTS)
 	assert(ppszTS != NULL);
 	assert(pszTS != NULL);
 
-	year = srSLMGParseInt32(&pszTS);
+	lenStr = *pLenStr;
+	year = srSLMGParseInt32(&pszTS, &lenStr);
 
 	/* We take the liberty to accept slightly malformed timestamps e.g. in 
 	 * the format of 2003-9-1T1:0:0. This doesn't hurt on receiving. Of course,
 	 * with the current state of affairs, we would never run into this code
 	 * here because at postion 11, there is no "T" in such cases ;)
 	 */
-	if(*pszTS++ != '-')
+	if(lenStr == 0 || *pszTS++ != '-')
 		ABORT_FINALIZE(RS_RET_INVLD_TIME);
-	month = srSLMGParseInt32(&pszTS);
+	month = srSLMGParseInt32(&pszTS, &lenStr);
 	if(month < 1 || month > 12)
 		ABORT_FINALIZE(RS_RET_INVLD_TIME);
 
-	if(*pszTS++ != '-')
+	if(lenStr == 0 || *pszTS++ != '-')
 		ABORT_FINALIZE(RS_RET_INVLD_TIME);
-	day = srSLMGParseInt32(&pszTS);
+	day = srSLMGParseInt32(&pszTS, &lenStr);
 	if(day < 1 || day > 31)
 		ABORT_FINALIZE(RS_RET_INVLD_TIME);
 
-	if(*pszTS++ != 'T')
+	if(lenStr == 0 || *pszTS++ != 'T')
 		ABORT_FINALIZE(RS_RET_INVLD_TIME);
 
-	hour = srSLMGParseInt32(&pszTS);
+	hour = srSLMGParseInt32(&pszTS, &lenStr);
 	if(hour < 0 || hour > 23)
 		ABORT_FINALIZE(RS_RET_INVLD_TIME);
 
-	if(*pszTS++ != ':')
+	if(lenStr == 0 || *pszTS++ != ':')
 		ABORT_FINALIZE(RS_RET_INVLD_TIME);
-	minute = srSLMGParseInt32(&pszTS);
+	minute = srSLMGParseInt32(&pszTS, &lenStr);
 	if(minute < 0 || minute > 59)
 		ABORT_FINALIZE(RS_RET_INVLD_TIME);
 
-	if(*pszTS++ != ':')
+	if(lenStr == 0 || *pszTS++ != ':')
 		ABORT_FINALIZE(RS_RET_INVLD_TIME);
-	second = srSLMGParseInt32(&pszTS);
+	second = srSLMGParseInt32(&pszTS, &lenStr);
 	if(second < 0 || second > 60)
 		ABORT_FINALIZE(RS_RET_INVLD_TIME);
 
 	/* Now let's see if we have secfrac */
-	if(*pszTS == '.') {
+	if(lenStr > 0 && *pszTS == '.') {
+		--lenStr;
 		uchar *pszStart = ++pszTS;
-		secfrac = srSLMGParseInt32(&pszTS);
+		secfrac = srSLMGParseInt32(&pszTS, &lenStr);
 		secfracPrecision = (int) (pszTS - pszStart);
 	} else {
 		secfracPrecision = 0;
@@ -242,23 +254,27 @@ ParseTIMESTAMP3339(struct syslogTime *pTime, uchar** ppszTS)
 	}
 
 	/* check the timezone */
-	if(*pszTS == 'Z')
-	{
+	if(lenStr == 0)
+		ABORT_FINALIZE(RS_RET_INVLD_TIME);
+
+	if(*pszTS == 'Z') {
+		--lenStr;
 		pszTS++; /* eat Z */
 		OffsetMode = 'Z';
 		OffsetHour = 0;
 		OffsetMinute = 0;
 	} else if((*pszTS == '+') || (*pszTS == '-')) {
 		OffsetMode = *pszTS;
+		--lenStr;
 		pszTS++;
 
-		OffsetHour = srSLMGParseInt32(&pszTS);
+		OffsetHour = srSLMGParseInt32(&pszTS, &lenStr);
 		if(OffsetHour < 0 || OffsetHour > 23)
 			ABORT_FINALIZE(RS_RET_INVLD_TIME);
 
-		if(*pszTS++ != ':')
+		if(lenStr == 0 || *pszTS++ != ':')
 			ABORT_FINALIZE(RS_RET_INVLD_TIME);
-		OffsetMinute = srSLMGParseInt32(&pszTS);
+		OffsetMinute = srSLMGParseInt32(&pszTS, &lenStr);
 		if(OffsetMinute < 0 || OffsetMinute > 59)
 			ABORT_FINALIZE(RS_RET_INVLD_TIME);
 	} else {
@@ -267,10 +283,12 @@ ParseTIMESTAMP3339(struct syslogTime *pTime, uchar** ppszTS)
 	}
 
 	/* OK, we actually have a 3339 timestamp, so let's indicated this */
-	if(*pszTS == ' ')
+	if(lenStr > 0 && *pszTS == ' ') {
+		--lenStr;
 		++pszTS;
-	else
+	} else {
 		ABORT_FINALIZE(RS_RET_INVLD_TIME);
+	}
 
 	/* we had success, so update parse pointer and caller-provided timestamp */
 	*ppszTS = pszTS;
@@ -286,6 +304,7 @@ ParseTIMESTAMP3339(struct syslogTime *pTime, uchar** ppszTS)
 	pTime->OffsetMode = OffsetMode;
 	pTime->OffsetHour = OffsetHour;
 	pTime->OffsetMinute = OffsetMinute;
+	*pLenStr = lenStr;
 
 finalize_it:
 	RETiRet;
@@ -304,9 +323,13 @@ finalize_it:
  * permits us to use a pre-aquired timestamp and thus avoids to do
  * a (costly) time() call. Thanks to David Lang for insisting on
  * time() call reduction ;).
+ * This method now also checks the maximum string length it is passed.
+ * If a *valid* timestamp is found, the string length is decremented
+ * by the number of characters processed. If it is not a valid timestamp,
+ * the length is kept unmodified. -- rgerhards, 2009-09-23
  */
 static rsRetVal
-ParseTIMESTAMP3164(struct syslogTime *pTime, uchar** ppszTS)
+ParseTIMESTAMP3164(struct syslogTime *pTime, uchar** ppszTS, int *pLenStr)
 {
 	/* variables to temporarily hold time information while we parse */
 	int month;
@@ -316,6 +339,7 @@ ParseTIMESTAMP3164(struct syslogTime *pTime, uchar** ppszTS)
 	int minute;
 	int second;
 	/* end variables to temporarily hold time information while we parse */
+	int lenStr;
 	uchar *pszTS;
 	DEFiRet;
 
@@ -323,6 +347,8 @@ ParseTIMESTAMP3164(struct syslogTime *pTime, uchar** ppszTS)
 	pszTS = *ppszTS;
 	assert(pszTS != NULL);
 	assert(pTime != NULL);
+	assert(pLenStr != NULL);
+	lenStr = *pLenStr;
 
 	/* If we look at the month (Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec),
 	 * we may see the following character sequences occur:
@@ -341,6 +367,9 @@ ParseTIMESTAMP3164(struct syslogTime *pTime, uchar** ppszTS)
 	 * june, when it first manifested. This also lead to invalid parsing of the rest
 	 * of the message, as the time stamp was not detected to be correct. - rgerhards
 	 */
+	if(lenStr < 3)
+		ABORT_FINALIZE(RS_RET_INVLD_TIME);
+
 	switch(*pszTS++)
 	{
 	case 'J':
@@ -455,26 +484,31 @@ ParseTIMESTAMP3164(struct syslogTime *pTime, uchar** ppszTS)
 		ABORT_FINALIZE(RS_RET_INVLD_TIME);
 	}
 
+	lenStr -= 3;
+
 	/* done month */
 
-	if(*pszTS++ != ' ')
+	if(lenStr == 0 || *pszTS++ != ' ')
 		ABORT_FINALIZE(RS_RET_INVLD_TIME);
 
 	/* we accept a slightly malformed timestamp when receiving. This is
 	 * we accept one-digit days
 	 */
-	if(*pszTS == ' ')
+	if(*pszTS == ' ') {
+		--lenStr;
 		++pszTS;
+	}
 
-	day = srSLMGParseInt32(&pszTS);
+	day = srSLMGParseInt32(&pszTS, &lenStr);
 	if(day < 1 || day > 31)
 		ABORT_FINALIZE(RS_RET_INVLD_TIME);
 
-	if(*pszTS++ != ' ')
+	if(lenStr == 0 || *pszTS++ != ' ')
 		ABORT_FINALIZE(RS_RET_INVLD_TIME);
+	--lenStr;
 
 	/* time part */
-	hour = srSLMGParseInt32(&pszTS);
+	hour = srSLMGParseInt32(&pszTS, &lenStr);
 	if(hour > 1970 && hour < 2100) {
 		/* if so, we assume this actually is a year. This is a format found
 		 * e.g. in Cisco devices.
@@ -484,23 +518,26 @@ ParseTIMESTAMP3164(struct syslogTime *pTime, uchar** ppszTS)
 		year = hour;
 
 		/* re-query the hour, this time it must be valid */
-		if(*pszTS++ != ' ')
+		if(lenStr == 0 || *pszTS++ != ' ')
 			ABORT_FINALIZE(RS_RET_INVLD_TIME);
-		hour = srSLMGParseInt32(&pszTS);
+		--lenStr;
+		hour = srSLMGParseInt32(&pszTS, &lenStr);
 	}
 
 	if(hour < 0 || hour > 23)
 		ABORT_FINALIZE(RS_RET_INVLD_TIME);
 
-	if(*pszTS++ != ':')
+	if(lenStr == 0 || *pszTS++ != ':')
 		ABORT_FINALIZE(RS_RET_INVLD_TIME);
-	minute = srSLMGParseInt32(&pszTS);
+	--lenStr;
+	minute = srSLMGParseInt32(&pszTS, &lenStr);
 	if(minute < 0 || minute > 59)
 		ABORT_FINALIZE(RS_RET_INVLD_TIME);
 
-	if(*pszTS++ != ':')
+	if(lenStr == 0 || *pszTS++ != ':')
 		ABORT_FINALIZE(RS_RET_INVLD_TIME);
-	second = srSLMGParseInt32(&pszTS);
+	--lenStr;
+	second = srSLMGParseInt32(&pszTS, &lenStr);
 	if(second < 0 || second > 60)
 		ABORT_FINALIZE(RS_RET_INVLD_TIME);
 
@@ -508,8 +545,10 @@ ParseTIMESTAMP3164(struct syslogTime *pTime, uchar** ppszTS)
 	 * invalid format, it occurs frequently enough (e.g. with Cisco devices)
 	 * to permit it as a valid case. -- rgerhards, 2008-09-12
 	 */
-	if(*pszTS++ == ':')
+	if(lenStr == 0 || *pszTS++ == ':') {
 		++pszTS; /* just skip past it */
+		--lenStr;
+	}
 
 	/* we had success, so update parse pointer and caller-provided timestamp
 	 * fields we do not have are not updated in the caller's timestamp. This
@@ -526,6 +565,7 @@ ParseTIMESTAMP3164(struct syslogTime *pTime, uchar** ppszTS)
 	pTime->second = second;
  	pTime->secfracPrecision = 0;
 	pTime->secfrac = 0;
+	*pLenStr = lenStr;
 
 finalize_it:
 	RETiRet;
diff --git a/runtime/datetime.h b/runtime/datetime.h
index efb0a0af..6377a4a4 100644
--- a/runtime/datetime.h
+++ b/runtime/datetime.h
@@ -36,8 +36,8 @@ typedef struct datetime_s {
 /* interfaces */
 BEGINinterface(datetime) /* name must also be changed in ENDinterface macro! */
 	void (*getCurrTime)(struct syslogTime *t, time_t *ttSeconds);
-	rsRetVal (*ParseTIMESTAMP3339)(struct syslogTime *pTime, uchar** ppszTS);
-	rsRetVal (*ParseTIMESTAMP3164)(struct syslogTime *pTime, uchar** pszTS);
+	rsRetVal (*ParseTIMESTAMP3339)(struct syslogTime *pTime, uchar** ppszTS, int *);
+	rsRetVal (*ParseTIMESTAMP3164)(struct syslogTime *pTime, uchar** pszTS, int *);
 	int (*formatTimestampToMySQL)(struct syslogTime *ts, char* pDst, size_t iLenDst);
 	int (*formatTimestampToPgSQL)(struct syslogTime *ts, char *pDst, size_t iLenDst);
 	int (*formatTimestamp3339)(struct syslogTime *ts, char* pBuf, size_t iLenBuf);
diff --git a/runtime/parser.c b/runtime/parser.c
index 0b45bfd5..079bcf5e 100644
--- a/runtime/parser.c
+++ b/runtime/parser.c
@@ -274,6 +274,7 @@ finalize_it:
 	RETiRet;
 }
 
+
 /* Parse a received message. The object's rawmsg property is taken and
  * parsed according to the relevant standards. This can later be
  * extended to support configured parsers.
@@ -284,6 +285,7 @@ rsRetVal parseMsg(msg_t *pMsg)
 	DEFiRet;
 	uchar *msg;
 	int pri;
+	int lenMsg;
 	int iPriText;
 
 	CHKiRet(sanitizeMessage(pMsg));
@@ -292,8 +294,11 @@ rsRetVal parseMsg(msg_t *pMsg)
 	DBGPRINTF("msg parser: flags %x, from '%s', msg '%s'\n", pMsg->msgFlags, pMsg->pszRcvFrom, pMsg->pszRawMsg);
 
 	/* pull PRI */
-	pri = DEFUPRI;
+	lenMsg = pMsg->iLenRawMsg;
+	if(lenMsg == 0)
+		ABORT_FINALIZE(RS_RET_EMPTY_MSG);
 	msg = pMsg->pszRawMsg;
+	pri = DEFUPRI;
 	iPriText = 0;
 	if(*msg == '<') {
 		/* while we process the PRI, we also fill the PRI textual representation
@@ -301,7 +306,7 @@ rsRetVal parseMsg(msg_t *pMsg)
 		 * but it offers us performance...
 		 */
 		pri = 0;
-		while(isdigit((int) *++msg)) {
+		while(--lenMsg > 0 && isdigit((int) *++msg)) {
 			pMsg->bufPRI[iPriText++ % 4] = *msg;	 /* mod 4 to guard against malformed messages! */
 			pri = 10 * pri + (*msg - '0');
 		}
@@ -342,7 +347,7 @@ rsRetVal parseMsg(msg_t *pMsg)
 
 	/* finalize message object */
 	pMsg->msgFlags &= ~NEEDS_PARSING; /* this message is now parsed */
-	MsgPrepareEnqueue(pMsg); /* "historical" name - preparese for multi-threading */
+	MsgPrepareEnqueue(pMsg); /* "historical" name - prepare for multi-threading */
 
 finalize_it:
 	RETiRet;
diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h
index 32177a9f..13b54731 100644
--- a/runtime/rsyslog.h
+++ b/runtime/rsyslog.h
@@ -280,6 +280,7 @@ enum rsRetVal_				/** return value. All methods return this if not specified oth
 	RS_RET_ACTION_FAILED = -2123, /**< action failed and is now suspended (consider this permanent for the time being) */
 	RS_RET_NONFATAL_CONFIG_ERR = -2124, /**< non-fatal error during config processing */
 	RS_RET_FILENAME_INVALID = -2140, /**< filename invalid, not found, no access, ... */
+	RS_RET_EMPTY_MSG = -2141, /**< provided (raw) MSG is empty */
 
 	/* RainerScript error messages (range 1000.. 1999) */
 	RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */
diff --git a/tools/syslogd.c b/tools/syslogd.c
index ff6369c3..5671dcde 100644
--- a/tools/syslogd.c
+++ b/tools/syslogd.c
@@ -1242,10 +1242,12 @@ msgConsumer(void __attribute__((unused)) *notNeeded, void *pUsr)
  * to after the terminating SP. The caller must ensure that the 
  * provided buffer is large enough to hold the to be extracted value.
  * Returns 0 if everything is fine or 1 if either the field is not
- * SP-terminated or any other error occurs.
- * rger, 2005-11-24
+ * SP-terminated or any other error occurs. -- rger, 2005-11-24
+ * The function now receives the size of the string and makes sure
+ * that it does not process more than that. The *pLenStr counter is
+ * updated on exit. -- rgerhards, 2009-09-23
  */
-static int parseRFCField(uchar **pp2parse, uchar *pResult)
+static int parseRFCField(uchar **pp2parse, uchar *pResult, int *pLenStr)
 {
 	uchar *p2parse;
 	int iRet = 0;
@@ -1257,14 +1259,17 @@ static int parseRFCField(uchar **pp2parse, uchar *pResult)
 	p2parse = *pp2parse;
 
 	/* this is the actual parsing loop */
-	while(*p2parse && *p2parse != ' ') {
+	while(*pLenStr > 0  && *p2parse != ' ') {
 		*pResult++ = *p2parse++;
+		--(*pLenStr);
 	}
 
-	if(*p2parse == ' ')
+	if(*pLenStr > 0 && *p2parse == ' ') {
 		++p2parse; /* eat SP, but only if not at end of string */
-	else
+		--(*pLenStr);
+	} else {
 		iRet = 1; /* there MUST be an SP! */
+	}
 	*pResult = '\0';
 
 	/* set the new parse pointer */
@@ -1280,20 +1285,24 @@ static int parseRFCField(uchar **pp2parse, uchar *pResult)
  * to after the terminating SP. The caller must ensure that the 
  * provided buffer is large enough to hold the to be extracted value.
  * Returns 0 if everything is fine or 1 if either the field is not
- * SP-terminated or any other error occurs.
- * rger, 2005-11-24
+ * SP-terminated or any other error occurs. -- rger, 2005-11-24
+ * The function now receives the size of the string and makes sure
+ * that it does not process more than that. The *pLenStr counter is
+ * updated on exit. -- rgerhards, 2009-09-23
  */
-static int parseRFCStructuredData(uchar **pp2parse, uchar *pResult)
+static int parseRFCStructuredData(uchar **pp2parse, uchar *pResult, int *pLenStr)
 {
 	uchar *p2parse;
 	int bCont = 1;
 	int iRet = 0;
+	int lenStr;
 
 	assert(pp2parse != NULL);
 	assert(*pp2parse != NULL);
 	assert(pResult != NULL);
 
 	p2parse = *pp2parse;
+	lenStr = *pLenStr;
 
 	/* this is the actual parsing loop
 	 * Remeber: structured data starts with [ and includes any characters
@@ -1301,40 +1310,47 @@ static int parseRFCStructuredData(uchar **pp2parse, uchar *pResult)
 	 * structured data. There may also be \] inside the structured data, which
 	 * do NOT terminate an element.
 	 */
-	if(*p2parse != '[')
+	if(lenStr == 0 || *p2parse != '[')
 		return 1; /* this is NOT structured data! */
 
 	if(*p2parse == '-') { /* empty structured data? */
 		*pResult++ = '-';
 		++p2parse;
+		--lenStr;
 	} else {
 		while(bCont) {
-			if(*p2parse == '\0') {
+			if(lenStr < 2) {
 				iRet = 1; /* this is not valid! */
 				bCont = 0;
 			} else if(*p2parse == '\\' && *(p2parse+1) == ']') {
 				/* this is escaped, need to copy both */
 				*pResult++ = *p2parse++;
 				*pResult++ = *p2parse++;
+				lenStr -= 2;
 			} else if(*p2parse == ']' && *(p2parse+1) == ' ') {
 				/* found end, just need to copy the ] and eat the SP */
 				*pResult++ = *p2parse;
 				p2parse += 2;
+				lenStr -= 2;
 				bCont = 0;
 			} else {
 				*pResult++ = *p2parse++;
+				--lenStr;
 			}
 		}
 	}
 
-	if(*p2parse == ' ')
+	if(lenStr > 0 && *p2parse == ' ') {
 		++p2parse; /* eat SP, but only if not at end of string */
-	else
+		--lenStr;
+	} else {
 		iRet = 1; /* there MUST be an SP! */
+	}
 	*pResult = '\0';
 
 	/* set the new parse pointer */
 	*pp2parse = p2parse;
+	*pLenStr = lenStr;
 	return 0;
 }
 
@@ -1359,23 +1375,26 @@ int parseRFCSyslogMsg(msg_t *pMsg, int flags)
 {
 	uchar *p2parse;
 	uchar *pBuf;
+	int lenMsg;
 	int bContParse = 1;
 
 	BEGINfunc
 	assert(pMsg != NULL);
 	assert(pMsg->pszRawMsg != NULL);
 	p2parse = pMsg->pszRawMsg + pMsg->offAfterPRI; /* point to start of text, after PRI */
+	lenMsg = pMsg->iLenRawMsg - (pMsg->offAfterPRI + 1);
 
-	/* do a sanity check on the version and eat it */
+	/* do a sanity check on the version and eat it (the caller checked this already) */
 	assert(p2parse[0] == '1' && p2parse[1] == ' ');
 	p2parse += 2;
+	lenMsg -= 2;
 
 	/* Now get us some memory we can use as a work buffer while parsing.
 	 * We simply allocated a buffer sufficiently large to hold all of the
 	 * message, so we can not run into any troubles. I think this is
 	 * more wise then to use individual buffers.
 	 */
-	if((pBuf = malloc(sizeof(uchar) * ustrlen(p2parse) + 1)) == NULL)
+	if((pBuf = malloc(sizeof(uchar) * (lenMsg + 1))) == NULL)
 		return 1;
 		
 	/* IMPORTANT NOTE:
@@ -1386,7 +1405,7 @@ int parseRFCSyslogMsg(msg_t *pMsg, int flags)
 	 */
 
 	/* TIMESTAMP */
-	if(datetime.ParseTIMESTAMP3339(&(pMsg->tTIMESTAMP),  &p2parse) == RS_RET_OK) {
+	if(datetime.ParseTIMESTAMP3339(&(pMsg->tTIMESTAMP),  &p2parse, &lenMsg) == RS_RET_OK) {
 		if(flags & IGNDATE) {
 			/* we need to ignore the msg data, so simply copy over reception date */
 			memcpy(&pMsg->tTIMESTAMP, &pMsg->tRcvdAt, sizeof(struct syslogTime));
@@ -1398,7 +1417,7 @@ int parseRFCSyslogMsg(msg_t *pMsg, int flags)
 
 	/* HOSTNAME */
 	if(bContParse) {
-		parseRFCField(&p2parse, pBuf);
+		parseRFCField(&p2parse, pBuf, &lenMsg);
 		MsgSetHOSTNAME(pMsg, pBuf);
 	} else {
 		/* we can not parse, so we get the system we
@@ -1409,30 +1428,30 @@ int parseRFCSyslogMsg(msg_t *pMsg, int flags)
 
 	/* APP-NAME */
 	if(bContParse) {
-		parseRFCField(&p2parse, pBuf);
+		parseRFCField(&p2parse, pBuf, &lenMsg);
 		MsgSetAPPNAME(pMsg, (char*)pBuf);
 	}
 
 	/* PROCID */
 	if(bContParse) {
-		parseRFCField(&p2parse, pBuf);
+		parseRFCField(&p2parse, pBuf, &lenMsg);
 		MsgSetPROCID(pMsg, (char*)pBuf);
 	}
 
 	/* MSGID */
 	if(bContParse) {
-		parseRFCField(&p2parse, pBuf);
+		parseRFCField(&p2parse, pBuf, &lenMsg);
 		MsgSetMSGID(pMsg, (char*)pBuf);
 	}
 
 	/* STRUCTURED-DATA */
 	if(bContParse) {
-		parseRFCStructuredData(&p2parse, pBuf);
+		parseRFCStructuredData(&p2parse, pBuf, &lenMsg);
 		MsgSetStructuredData(pMsg, (char*)pBuf);
 	}
 
 	/* MSG */
-	MsgSetMSG(pMsg, (char*)p2parse);
+	MsgSetMSG(pMsg, (lenMsg == 0) ? "" : (char*)p2parse);
 
 	free(pBuf);
 	ENDfunc
@@ -1460,11 +1479,15 @@ int parseLegacySyslogMsg(msg_t *pMsg, int flags)
 	char *pWork;
 	cstr_t *pStrB;
 	int iCnt;
+	int lenMsg;
 	int bTAGCharDetected;
 	BEGINfunc
 
 	assert(pMsg != NULL);
 	assert(pMsg->pszRawMsg != NULL);
+	lenMsg = pMsg->iLenRawMsg - (pMsg->offAfterPRI + 1);
+RUNLOG_VAR("%d", pMsg->offAfterPRI);
+RUNLOG_VAR("%d", lenMsg);
 	p2parse = pMsg->pszRawMsg + pMsg->offAfterPRI; /* point to start of text, after PRI */
 
 	/* Check to see if msg contains a timestamp. We start by assuming
@@ -1473,13 +1496,14 @@ int parseLegacySyslogMsg(msg_t *pMsg, int flags)
 	 * message. There we go from high-to low precison and are done
 	 * when we find a matching one. -- rgerhards, 2008-09-16
 	 */
-	if(datetime.ParseTIMESTAMP3339(&(pMsg->tTIMESTAMP), &p2parse) == RS_RET_OK) {
+	if(datetime.ParseTIMESTAMP3339(&(pMsg->tTIMESTAMP), &p2parse, &lenMsg) == RS_RET_OK) {
 		/* we are done - parse pointer is moved by ParseTIMESTAMP3339 */;
-	} else if(datetime.ParseTIMESTAMP3164(&(pMsg->tTIMESTAMP), &p2parse) == RS_RET_OK) {
+	} else if(datetime.ParseTIMESTAMP3164(&(pMsg->tTIMESTAMP), &p2parse, &lenMsg) == RS_RET_OK) {
 		/* we are done - parse pointer is moved by ParseTIMESTAMP3164 */;
-	} else if(*p2parse == ' ') { /* try to see if it is slighly malformed - HP procurve seems to do that sometimes */
+	} else if(*p2parse == ' ' && lenMsg > 1) { /* try to see if it is slighly malformed - HP procurve seems to do that sometimes */
 		++p2parse;	/* move over space */
-		if(datetime.ParseTIMESTAMP3164(&(pMsg->tTIMESTAMP), &p2parse) == RS_RET_OK) {
+		--lenMsg;
+		if(datetime.ParseTIMESTAMP3164(&(pMsg->tTIMESTAMP), &p2parse, &lenMsg) == RS_RET_OK) {
 			/* indeed, we got it! */
 			/* we are done - parse pointer is moved by ParseTIMESTAMP3164 */;
 		} else {
@@ -1487,6 +1511,7 @@ int parseLegacySyslogMsg(msg_t *pMsg, int flags)
 			 * for this try.
 			 */
 			--p2parse;
+			++lenMsg;
 		}
 	}
 
@@ -1520,14 +1545,15 @@ int parseLegacySyslogMsg(msg_t *pMsg, int flags)
 			/* the memory allocated is far too much in most cases. But on the plus side,
 			 * it is quite fast... - rgerhards, 2007-09-20
 			 */
-			if((pBuf = malloc(sizeof(char)* (ustrlen(p2parse) +1))) == NULL)
+			if((pBuf = malloc(sizeof(char) * (lenMsg + 1))) == NULL)
 				return 1;
 			pWork = pBuf;
 			/* this is the actual parsing loop */
-			while(*p2parse && *p2parse != ' ' && *p2parse != ':') {
+			while(lenMsg > 0 && *p2parse != ' ' && *p2parse != ':') {
 				if(*p2parse == '[' || *p2parse == ']' || *p2parse == '/')
 					bTAGCharDetected = 1;
 				*pWork++ = *p2parse++;
+				--lenMsg;
 			}
 			/* we need to handle ':' seperately, because it terminates the
 			 * TAG - so we also need to terminate the parser here!
@@ -1539,13 +1565,17 @@ int parseLegacySyslogMsg(msg_t *pMsg, int flags)
 			 * will be true and the parse pointer remain as is. This is perfectly
 			 * well.
 			 */
-			if(*p2parse == ':') {
-				bTAGCharDetected = 1;
-				/* We will move hostname to tag, so preserve ':' (otherwise we 
-				 * will needlessly change the message format) */
-				*pWork++ = *p2parse++; 
-			} else if(*p2parse == ' ')
-				++p2parse;
+			if(lenMsg > 0) {
+				if(*p2parse == ':') {
+					bTAGCharDetected = 1;
+					/* We will move hostname to tag, so preserve ':' (otherwise we 
+					 * will needlessly change the message format) */
+					*pWork++ = *p2parse++; 
+				} else if(*p2parse == ' ') {
+					++p2parse;
+				}
+				--lenMsg;
+			}
 			*pWork = '\0';
 			MsgAssignHOSTNAME(pMsg, pBuf);
 		}
@@ -1584,12 +1614,14 @@ int parseLegacySyslogMsg(msg_t *pMsg, int flags)
 			rsCStrSetAllocIncrement(pStrB, 33);
 			pWork = pBuf;
 			iCnt = 0;
-			while(*p2parse && *p2parse != ':' && *p2parse != ' ') {
+			while(lenMsg > 0 && *p2parse != ':' && *p2parse != ' ') {
 				cstrAppendChar(pStrB, *p2parse++);
 				++iCnt;
+				--lenMsg;
 			}
-			if(*p2parse == ':') {
+			if(lenMsg > 0 && *p2parse == ':') {
 				++p2parse; 
+				--lenMsg;
 				cstrAppendChar(pStrB, ':');
 			}
 			cstrFinalize(pStrB);
@@ -1625,7 +1657,7 @@ int parseLegacySyslogMsg(msg_t *pMsg, int flags)
 	}
 
 	/* The rest is the actual MSG */
-	MsgSetMSG(pMsg, (char*)p2parse);
+	MsgSetMSG(pMsg, (lenMsg == 0) ? "" : (char*)p2parse);
 
 	ENDfunc
 	return 0; /* all ok */