[syslog-ng]syslog-ng-1.4.17 crashes
Balazs Scheidler
bazsi@balabit.hu
Fri, 15 Nov 2002 10:24:24 +0100
On Thu, Nov 14, 2002 at 07:49:00PM +0100, Heinz Ekker wrote:
> On Thu, Nov 14, 2002 at 06:07:02PM +0100, Balazs Scheidler wrote:
> > can you analyze the core a bit more? (it is no use to send it to me, as it
> > might contain libc different from my system)
> >
> > gdb syslog-ng -c core
> > (gdb) frame 4
> >
> > this selects the frame of xalloc()
> >
> > now display part of the stack:
> >
> > p $ebp
> > x/40 $ebp-20
> >
> > I'll try to find how many bytes c_format_() wants to allocate. This might
> > help to track down the problem.
>
> Is that of any help for you?
>
> (gdb) frame 4
> #4 0x080530a7 in xalloc ()
> (gdb) p $ebp
> $1 = (void *) 0xbfffe868
> (gdb) x/40 $ebp-20
> 0xbfffe854: 0x00000098 0x4014afa0 0x00000000 0xcedfcc12
> 0xbfffe864: 0xcedfcc12 0xbfffe888 0x080531f7 0xcedfcc21
> 0xbfffe874: 0x4014afa0 0xcedfcc12 0x0000003b 0x08075ce0
> 0xbfffe884: 0x0000003b 0xbfffe8b8 0x0805068f 0xcedfcc12
> 0xbfffe894: 0xbfffe8c4 0xbfffe8b8 0x4009f548 0x08075b70
> 0xbfffe8a4: 0x0806c224 0xbffff8e8 0x0000003b 0x08075ce0
> 0xbfffe8b4: 0x080817ac 0xbffff8f8 0x08053501 0x080540bd
> 0xbfffe8c4: 0xcedfcc12 0x3927911d 0x00000000 0x0806f5ac
> 0xbfffe8d4: 0x31203431 0x00001000 0x080691a8 0x3e32323c
> 0xbfffe8e4: 0x20766f4e 0x31203431 0x30303a33 0x2034323a
hmm.. as it seems the length c_format() wants to allocate is 0xcedfcc21
bytes, cca 3.5GB, somehow the log entry to be written is completely bogus.
do_flush() calls c_format with a format "%s", string length 0xcedfcc12 and
data pointer 0x3927911d, if the allocation would succeed, syslog-ng would
crash anyway, when trying to dereference 0x3927911d.
The funny thing is that A_WRITE() is called with exactly these parameters,
and it didn't crash, so something changed the data between A_WRITE() and
c_format().
Can you send me your syslog-ng binary and the core file in private? Maybe I
can do some more analysis. (I hope core files don't depend on libc version,
or if they do, it would still show some valid data)
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
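As an added illustration (not part of the thread or of syslog-ng), the script below decodes the quoted `x/40 $ebp-20` dump the way Bazsi did by hand: it maps each printed word to its stack address, then reads the i386 frame at `$ebp` (saved ebp, return address, arguments pushed by the caller) so the size passed to xalloc() and the caller's own frame can be read off and sanity-checked. The 256 MiB plausibility limit is my assumption, not anything from the thread.

```python
import re

# Stack dump constructed from the gdb "x/40 $ebp-20" output quoted above
# (32-bit x86, 4-byte words; $ebp was 0xbfffe868 when frame 4 was selected).
GDB_DUMP = """\
0xbfffe854: 0x00000098 0x4014afa0 0x00000000 0xcedfcc12
0xbfffe864: 0xcedfcc12 0xbfffe888 0x080531f7 0xcedfcc21
0xbfffe874: 0x4014afa0 0xcedfcc12 0x0000003b 0x08075ce0
0xbfffe884: 0x0000003b 0xbfffe8b8 0x0805068f 0xcedfcc12
0xbfffe894: 0xbfffe8c4 0xbfffe8b8 0x4009f548 0x08075b70
0xbfffe8a4: 0x0806c224 0xbffff8e8 0x0000003b 0x08075ce0
0xbfffe8b4: 0x080817ac 0xbffff8f8 0x08053501 0x080540bd
0xbfffe8c4: 0xcedfcc12 0x3927911d 0x00000000 0x0806f5ac
"""
XALLOC_EBP = 0xbfffe868
WORD = 4

def parse_gdb_words(dump):
    """Map every 4-byte stack address to the word gdb printed there."""
    words = {}
    for line in dump.splitlines():
        m = re.match(r"\s*(0x[0-9a-f]+):\s*(.*)", line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            words[base + i * WORD] = int(tok, 16)
    return words

def walk_frame(words, ebp, nargs=1):
    """Decode one i386 cdecl frame from its %ebp: [ebp] holds the caller's
    saved ebp, [ebp+4] the return address, [ebp+8...] the arguments."""
    return {
        "saved_ebp": words[ebp],
        "ret": words[ebp + WORD],
        "args": [words[ebp + (2 + i) * WORD] for i in range(nargs)],
    }

def suspicious_alloc(size, limit=1 << 28):
    """Assumed limit: no single log line should need more than 256 MiB."""
    return size > limit

if __name__ == "__main__":
    words = parse_gdb_words(GDB_DUMP)
    frame = walk_frame(words, XALLOC_EBP)          # the xalloc() frame
    size = frame["args"][0]
    print("xalloc() size = 0x%x, suspicious=%s" % (size, suspicious_alloc(size)))
    caller = walk_frame(words, frame["saved_ebp"])  # c_format()'s frame
    print("c_format() returns to 0x%08x, first arg 0x%x" % (caller["ret"], caller["args"][0]))
```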