Balazs Scheidler <bazsi@balabit.hu> writes:
On Sat, 2011-10-29 at 11:15 +0200, Gergely Nagy wrote:
Szalay Attila <sasa@balabit.hu> writes:
diff --git a/lib/logproto.c b/lib/logproto.c index bdf9695..5047c98 100644 --- a/lib/logproto.c +++ b/lib/logproto.c @@ -299,7 +299,7 @@ log_proto_file_writer_flush(LogProto *s) /* allocate and copy the remaning data */ self->partial = (guchar *)g_malloc(self->partial_len); ofs = sum - rc; /* the length of the remaning (not processed) chunk in the first message */ - memcpy(self->partial, self->buffer[i0].iov_base + rc - (i0 > 0 ? (sum - self->buffer[i0 - 1].iov_len) : 0), ofs); + memcpy(self->partial, self->buffer[i0].iov_len - ofs, ofs); i = i0 + 1; while (i < self->buf_count) {
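Review bot: the replacement memcpy source `self->buffer[i0].iov_len - ofs` is a byte count, not a pointer: the `self->buffer[i0].iov_base +` base that the removed line carried has been dropped, so the copy would read from whatever address the integer happens to equal on every partial write. The intended source is `self->buffer[i0].iov_base + (self->buffer[i0].iov_len - ofs)`, ideally with that offset put in a named variable and a comment saying it is the number of bytes of message i0 that writev() already wrote.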
I think this patch has some problem too.
ACK. I really should not code half-asleep. Thanks for catching the mistake!
Can you post an updated patch please?
Sasa already posted one, but included below is his full version of the patch:
From 012a245281da19970d4e0b863e833e1909c2eea6 Mon Sep 17 00:00:00 2001
From: Szalay Attila <sasa@balabit.hu>
Date: Sat, 29 Oct 2011 11:29:18 +0200
Subject: [PATCH] logproto: In case of partial writing there was a problem in the pos calculation (fixes: #24459)
If the log messages have different lengths and only a partial write happens in log_proto_file_writer_flush, a buffer under/overflow may happen. The problematic part is the calculation of the last written byte of the last written message. The calculation is not just too difficult to follow but also uses the wrong message length. Because of this a buffer under/overflow may happen, or reading of the message may start at the wrong position, messing up the log.
--- lib/logproto.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/logproto.c b/lib/logproto.c index 9ee6ec5..43f015f 100644 --- a/lib/logproto.c +++ b/lib/logproto.c @@ -271,7 +271,7 @@ static LogProtoStatus log_proto_file_writer_flush(LogProto *s) { LogProtoFileWriter *self = (LogProtoFileWriter *)s; - gint rc, i, i0, sum, ofs; + gint rc, i, i0, sum, ofs, pos; /* we might be called from log_writer_deinit() without having a buffer at all */ @@ -314,7 +314,8 @@ log_proto_file_writer_flush(LogProto *s) /* allocate and copy the remaning data */ self->partial = (guchar *)g_malloc(self->partial_len); ofs = sum - rc; /* the length of the remaning (not processed) chunk in the first message */ - memcpy(self->partial, self->buffer[i0].iov_base + rc - (i0 > 0 ? (sum - self->buffer[i0 - 1].iov_len) : 0), ofs); + pos = self->buffer[i0].iov_len - ofs; + memcpy(self->partial, self->buffer[i0].iov_base + pos, ofs); i = i0 + 1; while (i < self->buf_count) { -- 1.7.7.1 -- |8]
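Review bot: in the second hunk, `pos = self->buffer[i0].iov_len - ofs` is only meaningful while `ofs <= self->buffer[i0].iov_len`, that is, while i0 really is the first message writev() left incomplete; should the search that accumulates `sum` ever stop one element late, `pos` goes negative and the memcpy reproduces exactly the underflow the commit message describes. Suggest a `g_assert(ofs <= self->buffer[i0].iov_len);` ahead of the memcpy and a comment on the `pos` line stating that it is the number of bytes of message i0 already written. Note also that `pos` is declared `gint` while `iov_len` is `size_t`, so the subtraction happens unsigned and is then narrowed; checking the bound on the `size_t` values before the assignment keeps the assert honest.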
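The bookkeeping the commit message describes, as an added example that is not syslog-ng code: a stand-alone C reconstruction of the partial-write calculation (i0, ofs, pos) run over constructed iovec arrays, with the pre-patch offset expression reproduced from the removed diff line so the two can be compared on concrete input. The helper names (locate_partial, collect_partial, old_partial_offset, partial_is_unwritten_tail, old_vs_new_offset_delta) and the sample messages are assumptions of this example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* Constructed sample input (not from the page): three messages of differing
 * length, and three of equal length, as they would sit in the writev() array. */
static const char *sample_mixed[] = { "alpha\n", "a much longer message\n", "omega\n" };
static const char *sample_equal[] = { "alpha\n", "bravo\n", "delta\n" };

/* Hypothetical helper: given the iovec array handed to writev() and the byte
 * count rc it returned, find the first message that was only partially
 * written. ofs is the number of its bytes still unwritten (sum - rc in the
 * patch), pos the number already written (iov_len - ofs), i.e. the offset
 * inside iov_base where the unwritten tail starts. Returns -1 if rc covers
 * everything, so there is no partial message at all. */
static int
locate_partial(const struct iovec *buf, int buf_count, size_t rc,
               int *i0, size_t *ofs, size_t *pos)
{
  size_t sum = 0;
  for (int i = 0; i < buf_count; i++)
    {
      sum += buf[i].iov_len;           /* cumulative length through message i */
      if (rc < sum)
        {
          *i0 = i;
          *ofs = sum - rc;             /* unwritten bytes of message i */
          assert(*ofs <= buf[i].iov_len); /* invariant the patched code relies on */
          *pos = buf[i].iov_len - *ofs;  /* written bytes of message i */
          return 0;
        }
    }
  return -1;
}

/* Build the "partial" buffer the way the patched flush does: the unwritten
 * tail of message i0 followed by every later message whole. Caller frees it. */
static unsigned char *
collect_partial(const struct iovec *buf, int buf_count, size_t rc, size_t *out_len)
{
  int i0;
  size_t ofs, pos, total;
  if (locate_partial(buf, buf_count, rc, &i0, &ofs, &pos) != 0)
    return NULL;
  total = ofs;
  for (int i = i0 + 1; i < buf_count; i++)
    total += buf[i].iov_len;
  unsigned char *partial = malloc(total);
  if (!partial)
    return NULL;
  memcpy(partial, (const unsigned char *)buf[i0].iov_base + pos, ofs);
  for (int i = i0 + 1; i < buf_count; i++)
    {
      memcpy(partial + ofs, buf[i].iov_base, buf[i].iov_len);
      ofs += buf[i].iov_len;
    }
  *out_len = total;
  return partial;
}

/* The offset the removed line computed: rc - (sum - iov_len of message i0-1),
 * where sum is the cumulative length through i0. Kept as a signed value so a
 * negative result (read before the start of iov_base) is visible. */
static long
old_partial_offset(const struct iovec *buf, int i0, long rc)
{
  long sum = 0;
  for (int i = 0; i <= i0; i++)
    sum += (long)buf[i].iov_len;
  return rc - (i0 > 0 ? (sum - (long)buf[i0 - 1].iov_len) : 0);
}

static void
fill_iov(struct iovec *iov, const char **msgs, int n)
{
  for (int i = 0; i < n; i++)
    {
      iov[i].iov_base = (void *)msgs[i];
      iov[i].iov_len = strlen(msgs[i]);
    }
}

/* 1 if collect_partial() equals the unwritten tail of the concatenated
 * messages after rc bytes, 0 otherwise (also 0 when nothing is left over). */
static int
partial_is_unwritten_tail(const char **msgs, int n, size_t rc)
{
  struct iovec iov[8];
  char joined[256];
  size_t joined_len = 0, plen;
  fill_iov(iov, msgs, n);
  for (int i = 0; i < n; i++)
    {
      memcpy(joined + joined_len, msgs[i], strlen(msgs[i]));
      joined_len += strlen(msgs[i]);
    }
  unsigned char *partial = collect_partial(iov, n, rc, &plen);
  if (!partial)
    return 0;
  int ok = (plen == joined_len - rc) && memcmp(partial, joined + rc, plen) == 0;
  free(partial);
  return ok;
}

/* Pre-patch offset minus the corrected pos for the same input; 0 means the
 * two formulas agree, anything else is the misplacement the fix removes. */
static long
old_vs_new_offset_delta(const char **msgs, int n, size_t rc)
{
  struct iovec iov[8];
  int i0;
  size_t ofs, pos;
  fill_iov(iov, msgs, n);
  if (locate_partial(iov, n, rc, &i0, &ofs, &pos) != 0)
    return 0;
  return old_partial_offset(iov, i0, (long)rc) - (long)pos;
}

int
main(void)
{
  printf("mixed lengths, rc=10: tail ok=%d, old-new delta=%ld\n",
         partial_is_unwritten_tail(sample_mixed, 3, 10), old_vs_new_offset_delta(sample_mixed, 3, 10));
  printf("equal lengths, rc=8:  tail ok=%d, old-new delta=%ld\n",
         partial_is_unwritten_tail(sample_equal, 3, 8), old_vs_new_offset_delta(sample_equal, 3, 8));
  return 0;
}
```

With the mixed-length sample and rc = 10 the corrected pos is 4 while the removed expression yields -12, a read 16 bytes before the right spot and before the start of the message; with equal-length messages the two agree, which is why the defect only showed up when message lengths differed.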