[syslog-ng] Security: syslog-ng 1.4.x and 1.5.x is vulnerable to buffer overflow
William Yodlowsky
wyodlows@andromeda.rutgers.edu
Fri, 11 Oct 2002 10:39:10 -0400
Balazs Scheidler <bazsi@balabit.hu> wrote:
> On Wed, Oct 09, 2002 at 12:27:24PM -0400, William Yodlowsky wrote:
>
> > So, it seems the bug is in syslog-ng, introduced somewhere between
> > 1.5.17 and 1.5.19. I'll see if I can get 1.5.18 to build to narrow it
> > down even further.
>
> My suspicion is this code:
>
> void do_destroy_afinet_dest(struct log_handler *c, struct syslog_config *cfg,
>                             struct persistent_config *persistent)
> {
>     CAST(afinet_dest, self, c);
>     if (self->conn_fd) {
>         /* KILL_RESOURCE(&self->conn_fd->super.super); */
>         closekill_fd(&self->conn_fd->super, 0);
>         self->conn_fd = NULL;
>     }
> }
>
> 1.5.17 had the commented out version, anything since 1.5.18 has the
> closekill_fd version.
>
> This code path is only used _iff_ a HUP is sent to syslog-ng. Is the
> segfault triggered by sending a HUP to the process, or is it simply crashing
> without HUP?
I don't HUP the process; it just segfaults on its own. Just to test, I
changed the code above back to what it was in 1.5.17, and it segfaulted
the same way.
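As an added illustration of the destroy-on-HUP pattern in the quoted snippet (this is not syslog-ng code; the `struct dest`, `dest_connect`, `dest_destroy` and `dest_reload` names are hypothetical and the fd is a constructed stand-in opened on /dev/null), the following C program models a destination whose connection is torn down and rebuilt when SIGHUP arrives. The point to check is the one the snippet encodes: guard, close, free, then NULL the pointer, so that a repeated destroy (two reloads in a row, or a reload followed by shutdown) is a harmless no-op rather than a double close or double free.

```c
/* Added example, not syslog-ng's own code. Names are hypothetical. */
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Destination with a heap-allocated fd holder; NULL means "not connected". */
struct dest {
    int *conn_fd;
};

/* Set by the SIGHUP handler; the main loop acts on it outside signal context. */
static volatile sig_atomic_t reload_pending = 0;

static void on_hup(int sig)
{
    (void)sig;
    reload_pending = 1;
}

/* Open a constructed connection (/dev/null stands in for a real socket).
 * Returns 1 if a new connection was made, 0 if already connected, -1 on error. */
int dest_connect(struct dest *d)
{
    if (d->conn_fd)
        return 0;
    int fd = open("/dev/null", O_WRONLY);
    if (fd < 0)
        return -1;
    d->conn_fd = malloc(sizeof *d->conn_fd);
    if (!d->conn_fd) {
        close(fd);
        return -1;
    }
    *d->conn_fd = fd;
    return 1;
}

/* Idempotent destroy, mirroring the quoted pattern: guard on the pointer,
 * release the resource, then clear the pointer so a second call does nothing.
 * Returns 1 if a resource was released, 0 if there was nothing to release. */
int dest_destroy(struct dest *d)
{
    if (!d->conn_fd)
        return 0;
    close(*d->conn_fd);
    free(d->conn_fd);
    d->conn_fd = NULL;
    return 1;
}

/* Reload as the HUP path would do it: tear down, then reconnect. */
int dest_reload(struct dest *d)
{
    dest_destroy(d);
    return dest_connect(d);
}

int dest_is_connected(const struct dest *d)
{
    return d->conn_fd != NULL;
}

int main(void)
{
    struct dest d = { NULL };
    signal(SIGHUP, on_hup);
    dest_connect(&d);

    raise(SIGHUP);               /* deliver HUP to ourselves to simulate a reload */
    if (reload_pending) {
        reload_pending = 0;
        dest_reload(&d);
    }

    dest_destroy(&d);            /* shutdown */
    dest_destroy(&d);            /* repeated destroy is a safe no-op */
    printf("connected=%d\n", dest_is_connected(&d));
    return 0;
}
```

The handler only sets a flag; the actual teardown runs from the main loop, which keeps `close`, `free` and `malloc` out of signal context.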