[syslog-ng] embedded newlines

Balazs Scheidler syslog-ng@lists.balabit.hu
Tue, 24 Feb 2004 11:39:40 +0100


On Mon, 2004-02-23 at 17:09, Chuck Berg wrote:
> A message with an embedded newline will cause the next message to be mangled.
> For example:
> 
> dream:~$ echo -ne '<27>test: test: foo\nfoo' | nc -u loghost 514
> 
> Produces this:
> 
> Feb 17 12:38:53 dream test: foo
> Feb 17 12:38:54 xyzzy foo<38>Feb 17 12:38:54 sshd[18588]: Accepted publickey for nobody from 10.1.2.3 port 48651 ssh2
> 
> Where xyzzy is an innocent victim who just happened to send the next message.
> 
> I see that this has been discussed on the list several times over the past few
> years. Is there no proper solution possible? Can't we just end the message at the
> end of the packet (as if it was always null/newline terminated)?
> 
> It seems to me that no matter what the content of a message, it should not cause
> another message to be mangled.

syslog-ng assumes that NL or NUL terminates messages regardless of the
transport medium used.

This can easily be changed; however, I'm reluctant to include changes to
the log parsing code as there are so many different devices generating
log messages that changing the code can easily break one or the other.

Nevertheless, here's the patch:

diff -u -r1.37.4.1 sources.c
--- sources.c   13 Jan 2004 18:08:02 -0000      1.37.4.1
+++ sources.c   24 Feb 2004 10:37:43 -0000
@@ -115,7 +115,7 @@
                closure->pos = 0;
                return ST_OK | ST_GOON;
        }
-       if (!eol && (closure->dgram || closure->pos == closure->max_log_line)) {
+       if (closure->dgram || (!eol && closure->pos == closure->max_log_line)) {
                /* we don't have a terminating nl nor \0, and our buffer is
                   full or we are a datagram receiver, when the message is in
                   its own packet.
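
Review bot: the comment under the changed condition still says "we don't have a terminating nl nor \0", but with closure->dgram moved outside the !eol test a datagram source now takes this branch when eol is set as well; the comment should say that for datagrams the packet boundary ends the message whether or not a terminator is present. Two things are worth confirming in the part of the function not shown here: that a trailing NL or NUL at the end of a packet does not end up inside the stored message, and what happens to senders that pack several newline-separated messages into one datagram, since those would now be logged as a single entry. Given the compatibility concern stated above the patch, a per-source option may be safer than an unconditional change.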

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
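
The framing problem discussed in this thread, as an added example (not syslog-ng code and not part of the original messages): a simplified receiver model that either splits on the first NL/NUL and keeps the tail buffered, or ends the message at the packet boundary. The struct, the function names, the sample packets and the choice to replace embedded terminators with a space are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#define MAX_LINE 256
#define MAX_MSGS 8
/* Simplified model of a UDP syslog receiver (assumed; not syslog-ng code). */
struct receiver {
    char buf[MAX_LINE];             /* bytes carried over between packets */
    size_t pos;
    char msgs[MAX_MSGS][MAX_LINE];  /* messages handed to the log pipeline */
    int count;
};
static int is_term(char c) { return c == '\n' || c == '\0'; }

/* Feed one datagram. packet_framing=0: the first NL or NUL ends the message
 * and the tail stays buffered. packet_framing=1: the packet boundary ends it. */
static void feed(struct receiver *r, const char *pkt, size_t len, int packet_framing) {
    if (len > MAX_LINE - 1 - r->pos) len = MAX_LINE - 1 - r->pos;  /* truncate */
    memcpy(r->buf + r->pos, pkt, len);
    r->pos += len;
    size_t end = r->pos, rest = 0;
    if (packet_framing) {
        while (end > 0 && is_term(r->buf[end - 1])) end--;  /* trailing NL/NUL */
        for (size_t i = 0; i < end; i++)
            if (is_term(r->buf[i])) r->buf[i] = ' ';        /* embedded NL/NUL */
    } else {
        for (size_t i = 0; i < r->pos; i++)
            if (is_term(r->buf[i])) {
                end = i;
                rest = r->pos - i - 1;      /* tail left for the next packet */
                break;
            }
    }
    if (end > 0 && r->count < MAX_MSGS) {
        memcpy(r->msgs[r->count], r->buf, end);
        r->msgs[r->count++][end] = '\0';
    }
    memmove(r->buf, r->buf + r->pos - rest, rest);
    r->pos = rest;
}

int main(void) {  /* constructed packets modelled on the report in the thread */
    const char *a = "<27>test: test: foo\nfoo", *b = "<38>sshd[18588]: Accepted publickey";
    for (int mode = 0; mode <= 1; mode++) {
        struct receiver r = {0};
        feed(&r, a, strlen(a), mode);
        feed(&r, b, strlen(b), mode);
        for (int i = 0; i < r.count; i++) printf("framing=%d: %s\n", mode, r.msgs[i]);
    }
    return 0;
}
```

With framing=0 the second sender's entry comes out prefixed with the first sender's leftover bytes; with framing=1 each packet yields exactly one entry.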