[Bug 32] New: syslog-ng stops listening after receiving a zero length udp packet
https://bugzilla.balabit.com/show_bug.cgi?id=32

           Summary: syslog-ng stops listening after receiving a zero length udp packet
           Product: syslog-ng
           Version: 3.0.x
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: major
          Priority: unspecified
         Component: syslog-ng
        AssignedTo: bazsi@balabit.hu
        ReportedBy: ffs@ccn.net
Type of the Report: bug
   Estimated Hours: 0.0

Created an attachment (id=12)
 --> (https://bugzilla.balabit.com/attachment.cgi?id=12)
afsocket EOF patch

Hi,

if syslog-ng has an udp() source configured it stops listening after receiving a zero length udp packet. In debug mode it logs 'EOF occurred while reading'. After this message no udp messages get processed anymore. After a restart syslog-ng is logging again.

As this bug is reproducible it could be abused for DOS attacks also.

Tested on: Solaris 8/9

Attached is a patch for version 3.0.1. There might be a better way to solve this problem, but it's working for me.

Thank you for syslog-ng!

Florian
https://bugzilla.balabit.com/show_bug.cgi?id=32

Balazs Scheidler <bazsi@balabit.hu> changed:

What     |Removed |Added
----------------------------
Severity |major   |critical

--- Comment #1 from Balazs Scheidler <bazsi@balabit.hu> 2009-02-11 11:19:17 ---
argh, this seems to be a regression in 3.0.x over 2.1.x. that code explicitly handles this case.

Thanks for the bug report, I'm going to fix this ASAP.
Hi,

We have version 2.0.6 and version 2.1.1 on various servers. Is any of them affected by this - If yes, which one ?

Thanks - Werner
On Wed, 2009-02-11 at 12:01 +0100, CentralRegion IPAdmin wrote:
> Hi, We have version 2.0.6 and version 2.1.1 on various servers. Is any of them affected by this - If yes, which one ?
Those should not be affected. However, here's a short test program to test them:

    #!/usr/bin/python
    import socket

    # Send one zero-length UDP datagram to the syslog-ng udp() source.
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, 0)
    s.connect(('127.0.0.1', 514))
    s.send(b'')  # bytes literal: an empty payload on both Python 2.6+ and 3

Of course you can change the destination address in the script. I'd appreciate it if you could report back on your findings.

Thanks in advance.

-- 
Bazsi
Hi,

Many thanks for your help. I have tried to test it but I'm struggling with the prereq components such as python and ssl, so I can't report any results.

Werner

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
On Tue, 2009-02-17 at 09:54 +0100, CentralRegion IPAdmin wrote:
> Hi, Many thanks for your help. I have tried to test it but I'm struggling with the prereq components such as python and ssl, so I can't report any results. Werner
Ah, ssl is not needed by the script, a working python installation is fine. And you can run it even from your workstation, it does not need to be run on the same host as syslog-ng is running on. You only need to change the target address in the script to point to the syslog-ng receiver.

Thanks for your efforts.

-- 
Bazsi
Hi,

these are the errors I'm getting.

    Traceback (most recent call last):
      File "./test_EOF_vul", line 2, in ?
        import socket
      File "/usr/local/lib/python2.1/socket.py", line 41, in ?
        from _socket import *
    ImportError: from module /usr/local/lib/python2.1/lib-dynload/_socket.so Exec format error
    can't load library: /usr/local/lib/python2.1/lib-dynload/_socket.so /usr/local/lib/libssl.a libssl.so libssl.so 8
    can't load library: /usr/local/lib/libssl.a /usr/local/lib/libssl.a

P.S. I don't insist on solving this, as I'm happy to replace 2.0.6 by 2.1.1

Cheers
Werner
https://bugzilla.balabit.com/show_bug.cgi?id=32

Balazs Scheidler <bazsi@balabit.hu> changed:

What       |Removed |Added
------------------------------
Status     |NEW     |RESOLVED
Resolution |        |FIXED

--- Comment #2 from Balazs Scheidler <bazsi@balabit.hu> 2009-02-14 17:27:20 ---
I've fixed this problem with the patch below. Your patch was not completely correct as it made syslog-ng ignore EOF even for TCP connections, not only for UDP.

I've also added an automated testcase to cover this, so hopefully no related regressions in future versions.

commit 0844f9fdfdd12461e09fe8516e3054f3b9363bf4
Author: Balazs Scheidler <bazsi@balabit.hu>
Date:   Sat Feb 14 17:25:58 2009 +0100

    [afsocket] ignore zero sized packets for incoming UDP listeners

    This is a regression over 2.1, upon the receipt of a zero size UDP datagram
    syslog-ng interpreted it as an EOF and gave up listening for messages.

    Added automated testcase to cover this.

    Reported-By: ffs@ccn.net
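
The failure mode named in the commit message, as an added example that is not part of the thread and not syslog-ng's code: on a datagram socket a 0-byte read is an empty packet, so only SOCK_STREAM sockets should treat it as EOF. The function names, the loopback socket pair and the sample message are constructed for this illustration.

```c
/* Added illustration, not syslog-ng source; all names are hypothetical. */
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Read until the queue is empty. With zero_is_eof set, a 0-byte read ends the
 * loop (the regression); otherwise 0 means EOF only on SOCK_STREAM sockets. */
static int drain(int fd, int zero_is_eof)
{
    char buf[1024];
    int type = 0, handled = 0;
    socklen_t len = sizeof type;
    getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len);
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0 || (n == 0 && (zero_is_eof || type == SOCK_STREAM)))
            break;          /* timeout, or 0 bytes treated as peer close */
        if (n > 0)
            handled++;      /* an empty datagram is skipped, loop continues */
    }
    return handled;
}

/* Queue an empty datagram, then one constructed message, on loopback. */
int messages_handled(int zero_is_eof)
{
    struct sockaddr_in a = { .sin_family = AF_INET,   /* port 0: kernel picks */
                             .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t alen = sizeof a;
    struct timeval tv = { 0, 200000 };               /* 200 ms receive timeout */
    const char msg[] = "<13>constructed test message";
    int rx = socket(AF_INET, SOCK_DGRAM, 0), tx = socket(AF_INET, SOCK_DGRAM, 0);
    if (rx < 0 || tx < 0 || bind(rx, (struct sockaddr *)&a, sizeof a) < 0)
        return -1;
    getsockname(rx, (struct sockaddr *)&a, &alen);   /* learn the bound port */
    setsockopt(rx, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    sendto(tx, "", 0, 0, (struct sockaddr *)&a, sizeof a);
    sendto(tx, msg, sizeof msg - 1, 0, (struct sockaddr *)&a, sizeof a);
    int handled = drain(rx, zero_is_eof);
    close(rx); close(tx);
    return handled;
}

int main(void)
{
    printf("0 as EOF: %d handled; datagram-aware: %d handled\n",
           messages_handled(1), messages_handled(0));
}
```

With the 0-as-EOF policy the message queued behind the empty datagram is never read; with the socket-type check it is.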