[syslog-ng] bug report: interlaced messages

Thomas Morin syslog-ng@lists.balabit.hu
Mon, 22 Sep 2003 13:34:48 +0200


I've just run into a problem I had already seen during my tests for
the previous bug report I sent: I see pieces of logs that appear in the
middle of other messages.


$ grep 'Sep 22 06:17:0' messages                                             
Sep 22 06:17:01 ker0009901 )<38>Sep 22 06:17:01 cron(pam_unix)[1173]: session
closed for user mail

We see, in the middle of a message, the beginning of a syslog
header ("<..>"), and the message that follows does not belong to
the 'messages' destination, and we see that it is actually missing
from the 'auth.log' file:

$ grep 'Sep 22 06:17:0' auth.log                                             
Sep 22 06:17:01 ker0009901 cron(pam_unix)[1173]: session opened for user mail
by (uid=0)
Sep 22 06:17:01 ker0009901 cron(pam_unix)[1174]: session opened for user root
by (uid=0)
Sep 22 06:17:02 ker0009901 cron(pam_unix)[1174]: session closed for user root

(no "session closed" for user mail)

This kind of problem might be a security issue if it can be triggered easily. 

I'm no expert here, but this looks a bit similar to the other bug I've just
reported, since the same thing (interlaced messages) is happening when
syslog-ng receives UDP syslog messages that are not NULL-terminated and whose
size exceeds log_msg_size.



PS: this is syslog-ng 1.6.0, version 1.6.0rc1+20030310 (debian package),
running on Linux 2.6.0-test5

== Thomas Morin 
== Ingénieur Consultant Atlantide - www.ago.fr - thomas.morin@ago.fr
== PGP Id:8CEA233D   Key FP:503BF6CFD3AE8719377B832A02FB94E08CEA233D
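
Added example, not part of the original post: a small Python check that scans a written log file for a raw syslog header ("<PRI>" followed by a timestamp) embedded in a line, as in the 'messages' excerpt above, and decodes the priority to show which facility the stray fragment came from. The sample lines are constructed from that excerpt with the mail's line wrapping undone; the function and variable names are illustrative.

```python
import re

# RFC 3164 facility and severity names, indexed by PRI // 8 and PRI % 8.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
# Wire-format header: "<PRI>Mmm dd hh:mm:ss". It should not survive into a
# destination file, so finding one inside a line marks an interlaced fragment.
RAW_HEADER = re.compile(r"<(\d{1,3})>((?:%s) [ \d]\d \d\d:\d\d:\d\d)" % MONTHS)

def find_interlaced(lines):
    """Return one finding per raw syslog header found inside a written line."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in RAW_HEADER.finditer(line):
            pri = int(m.group(1))
            if pri > 191:  # highest valid PRI is 23 * 8 + 7
                continue
            findings.append({
                "line": lineno,
                "offset": m.start(),          # where the stray header begins
                "pri": pri,
                "facility": FACILITIES[pri // 8],
                "severity": SEVERITIES[pri % 8],
                "timestamp": m.group(2),
                "fragment": line[m.end():].rstrip(),
            })
    return findings

# Constructed sample: the 'messages' line from the post (rejoined) plus one
# well-formed line for contrast.
SAMPLE = [
    "Sep 22 06:17:01 ker0009901 )<38>Sep 22 06:17:01 cron(pam_unix)[1173]: "
    "session closed for user mail",
    "Sep 22 06:17:02 ker0009901 cron(pam_unix)[1174]: session closed for user root",
]

if __name__ == "__main__":
    for f in find_interlaced(SAMPLE):
        # <38> decodes to auth.info, consistent with the entry missing from auth.log
        print("line %(line)d offset %(offset)d: %(facility)s.%(severity)s %(fragment)s" % f)
```
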