syslog-ng 1.0rc1 stops listening to UDP when zero-length packet received
I have been testing 2.0 rc1 for use in a production environment and have discovered a potential DOS exploit. I discovered this when I stopped receiving logs after a particular application started. It turns out that for some reason this app was sending a zero-length packet to syslog. After receiving this packet, syslog-ng gives the following output in debug mode:
EOF occurred while reading; fd='3'
Closing log reader fd; fd='3'
This is reproducible using packet injection also. It has been shown to happen on both solaris 8 and linux (2.6.15-gentoo-r5).
It does not happen on syslog-ng version 1.6.11.
On Tue, 2006-08-01 at 11:24 +1000, Dark Angael wrote:
I have been testing 2.0 rc1 for use in a production environment and have discovered a potential DOS exploit. I discovered this when I stopped receiving logs after a particular application started. It turns out that for some reason this app was sending a zero-length packet to syslog. After receiving this packet, syslog-ng gives the following output in debug mode:
EOF occurred while reading; fd='3'
Closing log reader fd; fd='3'
This is reproducible using packet injection also. It has been shown to happen on both solaris 8 and linux (2.6.15-gentoo-r5).
It does not happen on syslog-ng version 1.6.11.
Can you check if this patch fixes this problem: --- orig/src/afsocket.c +++ mod/src/afsocket.c @@ -254,7 +254,8 @@ afsocket_sc_notify(LogPipe *s, LogPipe * case NC_CLOSE: case NC_READ_ERROR: { - afsocket_sd_close_connection(self->owner, self); + if (self->owner->flags & AFSOCKET_STREAM) + afsocket_sd_close_connection(self->owner, self); break; } } --- orig/src/logreader.c +++ mod/src/logreader.c @@ -359,7 +359,7 @@ log_reader_fetch_log(LogReader *self, FD return FALSE; } } - else if (rc == 0 && (self->flags & LR_FOLLOW) == 0) + else if (rc == 0 && (self->flags & (LR_FOLLOW + LR_PKTTERM)) == 0) { /* EOF read */ msg_verbose("EOF occurred while reading", -- Bazsi
This appears to fix the problem :)
From: Balazs Scheidler <bazsi@balabit.hu>
Reply-To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] syslog-ng 1.0rc1 stops listening to UDP when zero-length packet received
Date: Tue, 01 Aug 2006 12:26:16 +0200
On Tue, 2006-08-01 at 11:24 +1000, Dark Angael wrote:
I have been testing 2.0 rc1 for use in a production environment and have discovered a potential DOS exploit. I discovered this when I stopped receiving logs after a particular application started. It turns out that for some reason this app was sending a zero-length packet to syslog. After receiving this packet, syslog-ng gives the following output in debug mode:
EOF occurred while reading; fd='3'
Closing log reader fd; fd='3'
This is reproducible using packet injection also. It has been shown to happen on both solaris 8 and linux (2.6.15-gentoo-r5).
It does not happen on syslog-ng version 1.6.11.
Can you check if this patch fixes this problem:
--- orig/src/afsocket.c +++ mod/src/afsocket.c @@ -254,7 +254,8 @@ afsocket_sc_notify(LogPipe *s, LogPipe * case NC_CLOSE: case NC_READ_ERROR: { - afsocket_sd_close_connection(self->owner, self); + if (self->owner->flags & AFSOCKET_STREAM) + afsocket_sd_close_connection(self->owner, self); break; } }
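Review bot: In the NC_CLOSE / NC_READ_ERROR case, the new check on self->owner->flags & AFSOCKET_STREAM leaves the non-stream path doing nothing at all, so a genuine NC_READ_ERROR on a datagram source is now dropped silently together with the harmless NC_CLOSE. Consider handling the two notifications separately, or at least logging the error in an else branch, and add a short comment saying why a datagram socket must not be closed here. The unbraced if sitting directly above break; is also easy to misread; braces would make the scope explicit.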
--- orig/src/logreader.c +++ mod/src/logreader.c @@ -359,7 +359,7 @@ log_reader_fetch_log(LogReader *self, FD return FALSE; } } - else if (rc == 0 && (self->flags & LR_FOLLOW) == 0) + else if (rc == 0 && (self->flags & (LR_FOLLOW + LR_PKTTERM)) == 0) { /* EOF read */ msg_verbose("EOF occurred while reading",
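Review bot: The mask in the new condition is built with arithmetic, (LR_FOLLOW + LR_PKTTERM), which equals a bitwise OR only while the two constants share no bits; (LR_FOLLOW | LR_PKTTERM) is the conventional and safer spelling for a flag test. With LR_PKTTERM set, rc == 0 now skips the "EOF read" branch without explanation, and the hunk does not show what happens to the zero-length read afterwards, so a one-line comment stating that an empty packet is not EOF on packet-terminated sources would document the intent.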
-- Bazsi
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
On Wed, 2006-08-02 at 13:15 +1000, Dark Angael wrote:
This appears to fix the problem :)
I have committed the change. It should be available in tomorrow's snapshot.
-- Bazsi
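The failure mode discussed in this thread, as an added example that is not part of the original messages or of syslog-ng's code: a read that returns 0 means end-of-stream only on a stream socket, while on a datagram socket it is an empty packet and the reader must stay open. The names classify_read, delivered_after_empty_datagram and stream_peer_close are hypothetical, and a local AF_UNIX socketpair stands in for the UDP source (an assumption made so the example runs offline on Linux).

```c
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum read_result { RR_DATA, RR_EMPTY_DGRAM, RR_EOF, RR_ERROR };
/* recv() == 0 means end-of-stream only on SOCK_STREAM, not on datagram sockets. */
enum read_result classify_read(int fd, ssize_t rc)
{
    int type = 0;
    socklen_t len = sizeof(type);
    if (rc != 0) return rc < 0 ? RR_ERROR : RR_DATA;
    if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) < 0) return RR_ERROR;
    return type == SOCK_STREAM ? RR_EOF : RR_EMPTY_DGRAM;
}

/* Constructed input: empty datagram, then one message; returns messages delivered. */
int delivered_after_empty_datagram(void)
{
    int sv[2], delivered = 0;
    char buf[256];
    const char *msg = "<13>constructed test message";
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return -1;
    send(sv[0], "", 0, 0);                 /* the zero-length packet */
    send(sv[0], msg, strlen(msg), 0);      /* a log message sent afterwards */
    for (int i = 0; i < 2; i++) {
        ssize_t rc = recv(sv[1], buf, sizeof(buf), MSG_DONTWAIT);
        enum read_result r = classify_read(sv[1], rc);
        if (r == RR_EOF || r == RR_ERROR) break; /* only these stop the reader */
        if (r == RR_DATA) delivered++;
    }
    close(sv[0]); close(sv[1]);
    return delivered;
}

/* On a stream socket the same rc == 0 really is the peer closing. */
enum read_result stream_peer_close(void)
{
    int sv[2];
    char buf[16];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return RR_ERROR;
    close(sv[0]);
    enum read_result r = classify_read(sv[1], recv(sv[1], buf, sizeof(buf), 0));
    close(sv[1]);
    return r;
}

int main(void)
{
    return delivered_after_empty_datagram() == 1 && stream_peer_close() == RR_EOF ? 0 : 1;
}
```

The program exits with status 0 when the message sent after the empty datagram is still delivered and the stream case is still reported as EOF.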
participants (2): Balazs Scheidler, Dark Angael