From afdccceefa30306cf720a27efd5a29bcc5a916c9 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Thu, 4 Dec 2008 14:09:38 +0100 Subject: security fix: imudp emitted a message when a non-permitted sender... ...tried to send a message to it. This behaviour is operator-configurable. If enabled, a message was emitted each time. That way an attacker could effectively fill the disk via this facility. The message is now emitted only once in a minute (this currently is a hard-coded limit, if someone comes up with a good reason to make it configurable, we will probably do that). --- ChangeLog | 13 ++++++++++++- configure.ac | 2 +- doc/manual.html | 2 +- plugins/imudp/imudp.c | 15 +++++++++++++-- 4 files changed, 27 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index ee9de415..501c9ff1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,16 @@ --------------------------------------------------------------------------- -Version 3.20.1 [v3-stable] (rgerhards), 2008-112-04 +Version 3.20.2 [v3-stable] (rgerhards), 2008-12-04 +- re-release of 3.20.1 with an additional fix, that could also lead + to DoS; 3.20.1 has been removed from the official download archives +- security fix: imudp emitted a message when a non-permitted sender + tried to send a message to it. This behaviour is operator-configurable. + If enabled, a message was emitted each time. That way an attacker could + effectively fill the disk via this facility. The message is now + emitted only once in a minute (this currently is a hard-coded limit, + if someone comes up with a good reason to make it configurable, we + will probably do that). +--------------------------------------------------------------------------- +Version 3.20.1 [v3-stable] (rgerhards), 2008-12-04 - security bugfix: $AllowedSender was not honored, all senders were permitted instead - enhance: regex nomatch option "ZERO" has been added diff --git a/configure.ac b/configure.ac index f4a08440..7fa59012 100644 --- a/configure.ac +++ b/configure.ac @@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ(2.61) -AC_INIT([rsyslog],[3.20.1],[rsyslog@lists.adiscon.com]) +AC_INIT([rsyslog],[3.20.2],[rsyslog@lists.adiscon.com]) AM_INIT_AUTOMAKE AC_CONFIG_SRCDIR([ChangeLog]) AC_CONFIG_HEADERS([config.h]) diff --git a/doc/manual.html b/doc/manual.html index 394f7c41..12020fbd 100644 --- a/doc/manual.html +++ b/doc/manual.html @@ -16,7 +16,7 @@ relay chains while at the same time being very easy to setup for the novice user. And as we know what enterprise users really need, there is also professional rsyslog support available directly from the source!

-

This documentation is for version 3.20.1 (v3-stable branch) of rsyslog. +

This documentation is for version 3.20.2 (v3-stable branch) of rsyslog. Visit the rsyslog status page to obtain current version information and project status.

If you like rsyslog, you might diff --git a/plugins/imudp/imudp.c b/plugins/imudp/imudp.c index 57c5c02d..b18c0db7 100644 --- a/plugins/imudp/imudp.c +++ b/plugins/imudp/imudp.c @@ -51,6 +51,10 @@ DEFobjCurrIf(errmsg) DEFobjCurrIf(glbl) DEFobjCurrIf(net) +static time_t ttLastDiscard = 0; /* timestamp when a message from a non-permitted sender was last discarded + * This shall prevent remote DoS when the "discard on disallowed sender" + * message is configured to be logged on occurance of such a case. + */ static int *udpLstnSocks = NULL; /* Internet datagram sockets, first element is nbr of elements * read-only after init(), but beware of restart! */ static uchar *pszBindAddr = NULL; /* IP to bind socket to */ @@ -199,8 +203,15 @@ CODESTARTrunInput } else { dbgprintf("%s is not an allowed sender\n", (char*)fromHostFQDN); if(glbl.GetOption_DisallowWarning) { - errmsg.LogError(0, NO_ERRCODE, "UDP message from disallowed sender %s discarded", - (char*)fromHost); + time_t tt; + + time(&tt); + if(tt > ttLastDiscard + 60) { + ttLastDiscard = tt; + errmsg.LogError(0, NO_ERRCODE, + "UDP message from disallowed sender %s discarded", + (char*)fromHost); + } } } } -- cgit