On Tue, 2006-08-01 at 11:24 +1000, Dark Angael wrote:
I have been testing 2.0 rc1 for use in a production environment and have discovered a potential DoS exploit. I discovered this when I stopped receiving logs after a particular application started. It turns out that for some reason this app was sending a zero-length packet to syslog. After receiving this packet, syslog-ng gives the following output in debug mode:
EOF occurred while reading; fd='3'
Closing log reader fd; fd='3'
This is reproducible using packet injection also. It has been shown to happen on both Solaris 8 and Linux (2.6.15-gentoo-r5).
It does not happen on syslog-ng version 1.6.11.
Can you check if this patch fixes this problem: --- orig/src/afsocket.c +++ mod/src/afsocket.c @@ -254,7 +254,8 @@ afsocket_sc_notify(LogPipe *s, LogPipe * case NC_CLOSE: case NC_READ_ERROR: { - afsocket_sd_close_connection(self->owner, self); + if (self->owner->flags & AFSOCKET_STREAM) + afsocket_sd_close_connection(self->owner, self); break; } } --- orig/src/logreader.c +++ mod/src/logreader.c @@ -359,7 +359,7 @@ log_reader_fetch_log(LogReader *self, FD return FALSE; } } - else if (rc == 0 && (self->flags & LR_FOLLOW) == 0) + else if (rc == 0 && (self->flags & (LR_FOLLOW + LR_PKTTERM)) == 0) { /* EOF read */ msg_verbose("EOF occurred while reading", -- Bazsi
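Review bot: in the src/afsocket.c hunk, the shared NC_CLOSE / NC_READ_ERROR case becomes a silent no-op for any source without AFSOCKET_STREAM, so a genuine NC_READ_ERROR on a datagram socket now leaves no trace. Add a comment saying why non-stream sources must not be closed here, and consider logging in the non-stream path so real read errors stay visible.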
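Review bot: in the src/logreader.c hunk, the mask is built as (LR_FOLLOW + LR_PKTTERM); use bitwise OR, (LR_FOLLOW | LR_PKTTERM), since addition only yields the intended mask while the two flags have disjoint bits. The "/* EOF read */" comment should also say that rc == 0 is not EOF for packet-terminated sources, and it is worth confirming that the path taken for rc == 0 with LR_PKTTERM set drops the empty packet rather than emitting an empty message.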
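The behaviour behind the report, as an added example (not syslog-ng code and not written by either poster): on a datagram socket recv() returning 0 means an empty packet, not a closed peer, so only stream sockets may treat it as EOF. The names classify_read and demo_datagram_reader are hypothetical, and the log line is constructed sample input sent over a local socketpair.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum read_result { READ_MSG, READ_EMPTY, READ_EOF, READ_ERROR };

/* Hypothetical helper: classify one read on fd. is_stream says whether the
 * socket is connection-oriented (SOCK_STREAM) or packet-oriented (SOCK_DGRAM). */
static enum read_result classify_read(int fd, int is_stream, char *buf, size_t len)
{
    ssize_t rc = recv(fd, buf, len - 1, 0);
    if (rc < 0)
        return READ_ERROR;
    if (rc == 0)
        /* Only a stream peer closing gives a real EOF; on a datagram
         * socket 0 is an empty packet and the reader must stay open. */
        return is_stream ? READ_EOF : READ_EMPTY;
    buf[rc] = '\0';
    return READ_MSG;
}

/* Constructed scenario: an empty datagram followed by one log line on a
 * local AF_UNIX datagram socketpair. Returns the number of log lines the
 * reader still receives (or -1 if the socketpair cannot be created). */
int demo_datagram_reader(void)
{
    int sv[2], received = 0;
    char buf[256];
    const char *line = "<13>test: constructed sample message";
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    send(sv[0], "", 0, 0);                 /* zero-length packet */
    send(sv[0], line, strlen(line), 0);    /* the log line that follows it */
    for (int i = 0; i < 2; i++) {
        enum read_result r = classify_read(sv[1], 0, buf, sizeof buf);
        if (r == READ_EOF || r == READ_ERROR)
            break;                         /* a reader would be closed here */
        if (r == READ_MSG)
            received++;
    }
    close(sv[0]); close(sv[1]);
    return received;
}

int main(void)
{
    printf("log lines received after empty datagram: %d\n", demo_datagram_reader());
    return 0;
}
```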