[syslog-ng] problem receiving non-NULL terminated UDP messages

e09f6a7593f8ae3994ea57e1117f67ec e09f6a7593f8ae3994ea57e1117f67ec at email.si
Mon Jul 25 22:05:56 CEST 2005 

Hi, I have the same problem as someone 2 years ago 
(https://lists.balabit.hu/pipermail/syslog-ng/2003-September/005414.html) 
with UDP messages.

Problem:

My OpenWRT based wifi router messages are not recognized and written to 
file via syslog-ng-1.9.5. The configuration file constsits of single 
udp() source and destination to single file.


Symptoms:

I am running `./syslog-ng -F -v -d -e` and after receiving an UDP log 
message I get a log_reader_fd_prepare(); messages in console window, so 
that means that the packet has arrived. (also checked with tcpdump for 
that).
Despite packet arrival nothing is written to log file.
The udp message does not end with NULL character as expected in 
logreader.c/log_reader_iterate_buf() function. I scanned the RFC for 
that but there is not defined that the message must terminate with a 
NULL character.


Workaround: (needs testing for side-efects)

Replace in afsocket.c:425 line with
self->reader = log_reader_new(... (self->flags & AFSOCKET_LOCAL) ? 
LR_LOCAL|LR_PKTTERM : LR_PKTTERM,...);
(Insert fixed LR_PKTTERM flag)


Debugging process and toughts:

After a while debugging with gdb I noticed that 
logreader.c/log_reader_iterate_buf() does not recognise the incoming 
message because it is not terminated by a NULL or NL character. I 
noticed that there exists a flag LR_PKTTERM which is supposed to be used 
in UDP sources so I went after LR_PKTTERM flag.

The only place that flag is set is in afsocket.c/afsocket_sc_init() 
function and only if socket is a DGRAM type. If you trace back you see 
that afsocket_sc_init() is used from afsocket_sc_new() which is used 
from afsocket_sd_process_connection() which is used from 
afsocket_sd_accept() which is used from afsocket_sd_init().
Let's stop now at afsocket_sd_init() function:
If you look carefully you can notice that afsocket_sd_accept() function 
is used as callback _only_ if used in STREAM sockets and not DGRAM! For 
DGRAM sockets the reader is creaded by log_reader_new() and with flags 
set as `(self->flags & AFSOCKET_LOCAL) ? LR_LOCAL : 0`. That means that 
log_reader_iterate_buf() does not have LR_PKTTERM flag set and thus not 
extracting UDP message from my router.
As I can see afsocket.c/afsocket_sc_init() function is not used by DGRAM 
connections at all thus LR_PKTTERM is never set.


Thanks for patience :)

Pinky

More information about the syslog-ng mailing list