[syslog-ng]bug report: interlaced messages
Thomas Morin
syslog-ng@lists.balabit.hu
Mon, 22 Sep 2003 13:34:48 +0200
Hi,
I've just run into a problem I had already seen during my tests for
the previous bug report I sent: I see pieces of logs that appear in the
middle of other messages.
Example:
$ grep 'Sep 22 06:17:0' messages
Sep 22 06:17:01 ker0009901 )<38>Sep 22 06:17:01 cron(pam_unix)[1173]: session closed for user mail
We see, in the middle of a message, the beginning of a syslog
header ( "<..>" ) and the message that follows does not belong to
the 'messages' destination, and we see that it is actually missing
from the 'auth.log' file:
$ grep 'Sep 22 06:17:0' auth.log
Sep 22 06:17:01 ker0009901 cron(pam_unix)[1173]: session opened for user mail by (uid=0)
Sep 22 06:17:01 ker0009901 cron(pam_unix)[1174]: session opened for user root by (uid=0)
Sep 22 06:17:02 ker0009901 cron(pam_unix)[1174]: session closed for user root
(no "session closed" for user mail)
This kind of problem might be a security issue if it can be triggered easily.
I'm no expert here, but this looks a bit similar to the other bug I've just
reported, since the same thing (interlaced messages) is happening when
syslog-ng receives UDP syslog messages that are not NULL-terminated and whose
size exceeds log_msg_size.
Regards,
-Thomas
PS: this is syslog-ng 1.6.0, version 1.6.0rc1+20030310 (debian package),
running on Linux 2.6.0-test5
--
== Thomas Morin
== Ingénieur Consultant Atlantide - www.ago.fr - thomas.morin@ago.fr
== PGP Id:8CEA233D Key FP:503BF6CFD3AE8719377B832A02FB94E08CEA233D
--
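
A check for the symptom described in this report, as an added example that is not part of the original message or of syslog-ng: it scans written log lines for a raw "<PRI>" header followed by a BSD timestamp in mid-line and decodes which facility the stray fragment was addressed to. The names find_interlaced and EMBEDDED are hypothetical, and it assumes the destination's template does not itself write the priority.

```python
import re

# RFC 3164 facility and severity names, indexed by their numeric code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# "<PRI>" directly followed by "Mmm dd hh:mm:ss": a wire-format header that
# should have been consumed by the parser, not written into a file.
EMBEDDED = re.compile(r"<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) ?")

def find_interlaced(lines):
    """Return one finding per syslog header embedded inside a log line."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in EMBEDDED.finditer(line):
            pri = int(m.group(1))
            # Skip a header at column 0 (a template may write it) and any
            # PRI above 191, which is not a valid facility*8+severity.
            if m.start() == 0 or pri > 191:
                continue
            findings.append({
                "lineno": lineno,
                "facility": FACILITIES[pri >> 3],
                "severity": SEVERITIES[pri & 7],
                "timestamp": m.group(2),
                "fragment": line[m.end():].rstrip("\n"),
            })
    return findings

# Sample input: two lines quoted in the report above, with the mail
# client's line wrap joined back together.
SAMPLE = [
    "Sep 22 06:17:02 ker0009901 cron(pam_unix)[1174]: session closed for user root",
    "Sep 22 06:17:01 ker0009901 )<38>Sep 22 06:17:01 cron(pam_unix)[1173]: "
    "session closed for user mail",
]

if __name__ == "__main__":
    for f in find_interlaced(SAMPLE):
        print("line %(lineno)d: stray %(facility)s.%(severity)s message: "
              "%(fragment)s" % f)
```

On the line from the report, the embedded priority 38 decodes to auth.info, which is consistent with the "session closed" entry being absent from auth.log.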