From 86e37f70fe0e9de0e00362990c73536843c8fef3 Mon Sep 17 00:00:00 2001
From: Rainer Gerhards <rgerhards@adiscon.com>
Date: Tue, 23 Jun 2009 16:14:19 +0200
Subject: more strict parsing of the hostname in rfc3164 mode

... hopefully removes false positives (but may cause some trouble
with hostname parsing). For details, see this bug tracker:

  http://bugzilla.adiscon.com/show_bug.cgi?id=126

This patch is not optimal for v4 - another one will follow. The spirit
of this commit is to enable easier backporting if someone is interested
in doing so.
---
 tools/syslogd.c | 114 ++++++++++++++++++++------------------------------------
 1 file changed, 41 insertions(+), 73 deletions(-)

(limited to 'tools/syslogd.c')

diff --git a/tools/syslogd.c b/tools/syslogd.c
index 385fef1c..2f28cde0 100644
--- a/tools/syslogd.c
+++ b/tools/syslogd.c
@@ -1176,6 +1176,7 @@ int parseLegacySyslogMsg(msg_t *pMsg, int flags)
 	int bTAGCharDetected;
 	int i;	/* general index for parsing */
 	uchar bufParseTAG[CONF_TAG_MAXSIZE];
+	uchar bufParseHOSTNAME[CONF_TAG_HOSTNAME];
 	BEGINfunc
 
 	assert(pMsg != NULL);
@@ -1228,50 +1229,27 @@ int parseLegacySyslogMsg(msg_t *pMsg, int flags)
 		 * If I find them, I set a simple flag but continue. After parsing, I check the flag.
 		 * If it was set, then we most probably do not have a hostname but a TAG. Thus, I change
 		 * the fields. I think this logic shall work with any type of syslog message.
+		 * rgerhards, 2009-06-23: and I now have extended this logic to every character
+		 * that is not a valid hostname.
 		 */
 		bTAGCharDetected = 0;
 		if(flags & PARSE_HOSTNAME) {
-			/* TODO: quick and dirty memory allocation */
-			/* the memory allocated is far too much in most cases. But on the plus side,
-			 * it is quite fast... - rgerhards, 2007-09-20
-			 */
-			if((pBuf = malloc(sizeof(char)* (ustrlen(p2parse) +1))) == NULL)
-				return 1;
-			pWork = pBuf;
-			/* this is the actual parsing loop */
-			while(*p2parse && *p2parse != ' ' && *p2parse != ':') {
-				if(*p2parse == '[' || *p2parse == ']' || *p2parse == '/')
-					bTAGCharDetected = 1;
-				*pWork++ = *p2parse++;
+			i = 0;
+			while((isalnum(p2parse[i]) || p2parse[i] == '.' || p2parse[i] == '.'
+				|| p2parse[i] == '_') && i < CONF_TAG_MAXSIZE) {
+				bufParseHOSTNAME[i] = p2parse[i];
+				++i;
+			}
+
+			if(i > 0 && p2parse[i] == ' ' && isalnum(p2parse[i-1])) {
+				/* we got a hostname! */
+				p2parse += i + 1; /* "eat" it (including SP delimiter) */
+				bufParseHOSTNAME[i] = '\0';
+				MsgSetHOSTNAME(pMsg, bufParseHOSTNAME);
+				//MsgSetHOSTNAME(pMsg, bufParseHOSTNAME, i);
+			} else {
+				MsgSetHOSTNAME(pMsg, getRcvFrom(pMsg));
 			}
-			/* we need to handle ':' seperately, because it terminates the
-			 * TAG - so we also need to terminate the parser here!
-			 * rgerhards, 2007-09-10 *p2parse points to a valid address here in 
-			 * any case. We can reach this point only if we are at end of string,
-			 * or we have a ':' or ' '. What the if below does is check if we are
-			 * not at end of string and, if so, advance the parse pointer. If we 
-			 * are already at end of string, *p2parse is equal to '\0', neither if
-			 * will be true and the parse pointer remain as is. This is perfectly
-			 * well.
-			 */
-			if(*p2parse == ':') {
-				bTAGCharDetected = 1;
-				/* We will move hostname to tag, so preserve ':' (otherwise we 
-				 * will needlessly change the message format) */
-				*pWork++ = *p2parse++; 
-			} else if(*p2parse == ' ')
-				++p2parse;
-			*pWork = '\0';
-			MsgAssignHOSTNAME(pMsg, pBuf);
-		}
-		/* check if we seem to have a TAG */
-		if(bTAGCharDetected) {
-			/* indeed, this smells like a TAG, so lets use it for this. We take
-			 * the HOSTNAME from the sender system instead.
-			 */
-			DBGPRINTF("HOSTNAME contains invalid characters, assuming it to be a TAG.\n");
-			moveHOSTNAMEtoTAG(pMsg);
-			MsgSetHOSTNAME(pMsg, getRcvFrom(pMsg));
 		}
 
 		/* now parse TAG - that should be present in message from all sources.
@@ -1287,40 +1265,30 @@ int parseLegacySyslogMsg(msg_t *pMsg, int flags)
 		 * in RFC3164...). We now receive the full size, but will modify the
 		 * outputs so that only 32 characters max are used by default.
 		 */
-		/* The following code in general is quick & dirty - I need to get
-		 * it going for a test, rgerhards 2004-11-16 */
-		/* lol.. we tried to solve it, just to remind ourselfs that 32 octets
-		 * is the max size ;) we need to shuffle the code again... Just for 
-		 * the records: the code is currently clean, but we could optimize it! */
-		if(!bTAGCharDetected) {
-			i = 0;
-			while(*p2parse && *p2parse != ':' && *p2parse != ' ' && i < CONF_TAG_MAXSIZE) {
-				bufParseTAG[i++] = *p2parse++;
-			}
-			if(*p2parse == ':') {
-				++p2parse; 
-				bufParseTAG[i++] = ':';
-			}
+		i = 0;
+		while(*p2parse && *p2parse != ':' && *p2parse != ' ' && i < CONF_TAG_MAXSIZE) {
+			bufParseTAG[i++] = *p2parse++;
+		}
+		if(*p2parse == ':') {
+			++p2parse; 
+			bufParseTAG[i++] = ':';
+		}
 
-			if(i == 0)
-			{	/* rger, 2005-11-10: no TAG found - this implies that what
-				 * we have considered to be the HOSTNAME is most probably the
-				 * TAG. We consider it so probable, that we now adjust it
-				 * that way. So we pick up the previously set hostname, assign
-				 * it to tag and use the sender system (from IP stack) as
-				 * the hostname. This situation is the standard case with
-				 * stock BSD syslogd.
-				 */
-				DBGPRINTF("No TAG in message, assuming that HOSTNAME is missing.\n");
-				moveHOSTNAMEtoTAG(pMsg);
-				MsgSetHOSTNAME(pMsg, getRcvFrom(pMsg));
-			} else { /* we have a TAG, so we can happily set it ;) */
-				bufParseTAG[i] = '\0';	/* terminate string */
-				MsgSetTAG(pMsg, bufParseTAG, i);
-			}
-		} else {
-			/* we have no TAG, so we ... */
-			/*DO NOTHING*/;
+		if(i == 0)
+		{	/* rger, 2005-11-10: no TAG found - this implies that what
+			 * we have considered to be the HOSTNAME is most probably the
+			 * TAG. We consider it so probable, that we now adjust it
+			 * that way. So we pick up the previously set hostname, assign
+			 * it to tag and use the sender system (from IP stack) as
+			 * the hostname. This situation is the standard case with
+			 * stock BSD syslogd.
+			 */
+			DBGPRINTF("No TAG in message, assuming that HOSTNAME is missing.\n");
+			moveHOSTNAMEtoTAG(pMsg);
+			MsgSetHOSTNAME(pMsg, getRcvFrom(pMsg));
+		} else { /* we have a TAG, so we can happily set it ;) */
+			bufParseTAG[i] = '\0';	/* terminate string */
+			MsgSetTAG(pMsg, bufParseTAG, i);
 		}
 	} else {
 		/* we enter this code area when the user has instructed rsyslog NOT
-- 
cgit