[syslog-ng][PATCH] please test: syslog-ng message mangling fi x

Dustin Trammell DTrammell@PENSON.COM
Wed, 21 Aug 2002 09:47:44 -0500

Having a bit of a problem with this patch...  Using a freshly un-tarred copy
of 1.5.19:

[/usr/local/src/syslog-ng-1.5.19/src]# patch -p0 < /root/mangle.patch
patching file sources.c
[/usr/local/src/syslog-ng-1.5.19]# ./configure
(snip - configure completes with no problems)
[/usr/local/src/syslog-ng-1.5.19]# make
Making all in src
make[1]: Entering directory `/usr/local/src/syslog-ng-1.5.19/src'
make  all-recursive
make[2]: Entering directory `/usr/local/src/syslog-ng-1.5.19/src'
Making all in .
make[3]: Entering directory `/usr/local/src/syslog-ng-1.5.19/src'
gcc -DHAVE_CONFIG_H -I. -I/usr/local/src/syslog-ng-1.5.19/src -I.     -g -O2
-Wall -I/usr/local/include/libol -D_GNU_SOURCE -c main.c
make_class <sources.c >sources.c.xT
/bin/sh: /usr/local/bin/make_class: bad interpreter: No such file or
make[3]: *** [sources.c.x] Error 126
make[3]: Leaving directory `/usr/local/src/syslog-ng-1.5.19/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/usr/local/src/syslog-ng-1.5.19/src'
make[1]: *** [all-recursive-am] Error 2
make[1]: Leaving directory `/usr/local/src/syslog-ng-1.5.19/src'
make: *** [all-recursive] Error 1

Without the patch it configures and compiles fine.  Any ideas what could be
causing the problem that's related to the patch under Linux 2.4.18 (libc
2.2.3 & libol 0.3.3)?


Dustin D. Trammell
Information Security Specialist
Penson Financial Services, Inc.

-----Original Message-----
From: Balazs Scheidler [mailto:bazsi@balabit.hu]
Sent: Wednesday, August 21, 2002 07:51
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng][PATCH] please test: syslog-ng message mangling

On Tue, Aug 20, 2002 at 07:38:21AM -0400, Stephen Frost wrote:
> Balazs and everyone,
>   The first fix which was posted to the list changing the if to be:
>   if (!eol && closure->pos == closure->max_log_line)
>   appeared to work correctly for me.  The second fix posted which
>   changed the if to be:
>   if (!eol && (start_pos == 0 || closure->pos == closure->max_log_line))
>   had the same (broken) behaviour as the unmodified if.  This leads me
>   to conclude that 'closure->pos == closure->max_log_line' is false,
>   '!eol' is true and 'start_pos == 0' is true.  log_msg_size() does not
>   appear to have any effect.  I have increased it to be 2048 and still
>   my logs are split amoung lines.  Message length doesn't appear to
>   matter either as messages which are longer can end up being intact
>   while shorter messages are split.  The one common factor is that all
>   of the messages being split are coming from /proc/kmsg.

hm. as it seems there was a change on the behaviour of /proc/kmsg. The
condition used to be:

-	if (!eol && closure->pos) {
-		/* we don't have a terminating nl nor \0 */

and there was no reports on mangled messages. Maybe 2.4 kernel introduced
a change, and syslog-ng reads kernel message parts with multiple read()

>   Since there was some concern about UDP messages being broken by this
>   my first thought is to change the if to be:
>   if (!eol && (closure->dgram || closure->pos == closure->max_log_line))
>   This makes the assumption that messages coming from streams such as a
>   TCP connection or /dev/log or a file/pipe will eventually have a
>   terminating newline or \0.  Of course, it keeps the sanity check to
>   not create messages over max_log_line.  I have this working on my
>   setup now but I don't swear that it's perfect, I'd love to hear
>   feedback on it, esp. from Balazs.  These messages being split causes
>   me a real problem on my firewall.

Relying on closure->dgram seems to me a sane decision. start_pos was only a
hack anyway.

Here's an updated patch (still against 1.5.19):

diff -u -r1.34 sources.c
--- sources.c	18 Jul 2002 13:18:02 -0000	1.34
+++ sources.c	21 Aug 2002 12:44:18 -0000
@@ -112,8 +113,11 @@
 		closure->pos = 0;
 		return ST_OK | ST_GOON;
-	if (!eol && closure->pos) {
-		/* we don't have a terminating nl nor \0 */
+	if (!eol && (closure->dgram || closure->pos ==
closure->max_log_line)) {
+		/* we don't have a terminating nl nor \0, and our buffer is
+		   full or we are a datagram receiver, when the message is
+		   its own packet.
+		 */
 		do_handle_line(closure, closure->pos, closure->buffer, salen
? (abstract_addr *) &sabuf : NULL, salen);
 		closure->pos = 0;
 		return ST_OK | ST_GOON;

PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

syslog-ng maillist  -  syslog-ng@lists.balabit.hu
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html