[syslog-ng] Security: syslog-ng 1.4.x and 1.5.x is vulnerable to buffer overflow

William Yodlowsky wyodlows@andromeda.rutgers.edu
Fri, 04 Oct 2002 09:44:55 -0400


Balazs Scheidler <bazsi@balabit.hu> wrote:

> On Fri, Oct 04, 2002 at 12:24:49AM -0400, William Yodlowsky wrote:

> > #0  0xff141f74 in realfree () from /usr/lib/libc.so.1
> > #1  0xff142880 in cleanfree () from /usr/lib/libc.so.1
> > #2  0xff1419b4 in _malloc_unlocked () from /usr/lib/libc.so.1
> > #3  0xff1418a8 in malloc () from /usr/lib/libc.so.1
> > #4  0x2abf8 in xalloc ()
> > #5  0x2adc0 in ol_space_alloc ()
> > #6  0x199c0 in make_log_info ()
> > #7  0x1628c in do_handle_line ()
> > #8  0x16750 in do_read_line ()
> > #9  0x28e9c in read_callback ()
> > #10 0x28b78 in io_iter ()
> > #11 0x1548c in main_loop ()
> > #12 0x1607c in main ()
> > (gdb) The program is running.  Exit anyway? (y or n) y
> > #
> > 
> > If there's a way I can help in debugging this further, please let me
> > know.  I refrain from posting my config file because it's quite large
> > (over 100 lines).
>
> Hmm.. I've started syslog-ng on a Solaris 8 system. It started and seems to
> work. I try to send log traffic to it, but at first I was unable to
> reproduce the problem. (the system I run it on is a Sun Ultra II with two
> 300 MHz processors and 768 MB RAM)
>
> The fact that it segfaults in malloc() seems to indicate that there's a
> problem in syslog-ng (double free, overwritten memory block chains or
> something)

Some more info...

* 1.5.13 runs flawlessly on that system

* Our syslog clients seem to work fine (minimal config file)

* Central syslog server segfaults (I know kondou@isc.org mentioned that it 
  was their central server too)

Since I haven't tried running 1.5.14-1.5.20 I'm going to give them a try
to see if the problem is in one of those previous releases.  That may
make it easier to track down.

Thanks!