[syslog-ng]Syslog-NG 1.6.6 memory leak when sending UDP logs

Balazs Scheidler syslog-ng@lists.balabit.hu
Fri, 04 Mar 2005 18:20:02 +0100


On Fri, 2005-03-04 at 11:48 -0500, henry@shoelacecity.com wrote:

> >The funny part is that this version of libnet seems to expect port
> >numbers in host byte order whereas I pass it to libnet in network byte
> >order. I'm almost confident that this used to work when I originally did
> >the libnet support, judging the libnet changelog again, this was a
> >change between 1.0 <-> 1.1
> > 
> >Is your syslog-ng sending messages to the correct port? Can you check
> >that with tcpdump for example? Or maybe you are using a big-endian
> >machine?
> 
> 
> Balazs, spoofed UDP packets are being sent properly, as far as I can
> tell - the data is getting to the target properly.

This is suspicious; unless you are using a non-x86 machine, there should
be some problems with the port number, as was the case for my local
installation when trying to reproduce the problem.

> tcpdump shows some minor strangeness - the source address is that of
> the spoofed syslog host, which is to be expected, and the target host
> is correct, as is the target port (514/UDP). What is strange is that
> the spoofed packets are all using UDP/514 as the source.

syslog-ng spoofs the source IP and source port as well, so it uses the
same port number as the originating syslog sender.

> 
> An example of a tcpdump run on the UDP spoofer
> syslog machine (syslogng1.testdomain.org):
> 
> 10:10:39.4092332 IP cisco2121.testdomain.org.syslog >
> syslogng2.testdomain.org.syslog: UDP, length 150 
> 
> I don't think the endianness is coming into play here. Also, I
> verified that libnet was not installed prior to the 1.2.2 installation;
> I am certain that syslog-ng was compiled against 1.2.2.

There is no version 1.2.2; the latest version is 1.1.2.1 (or 1.1.3, which
is BETA).


-- 
Bazsi
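
Added example, not part of the original message and not syslog-ng or libnet code: a check of what a host/network byte-order mix-up does to a UDP port as seen on the wire. The helper names are hypothetical; the point it shows is that 514 is 0x0202, so a double conversion leaves the syslog port unchanged and a tcpdump capture on port 514 cannot reveal this class of bug, while other ports are visibly altered on little-endian hosts.

```c
/* Added example: hypothetical helpers, not syslog-ng or libnet code. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode a 16-bit header field the way a receiver or tcpdump reads it:
 * the first byte in memory is the high byte on the wire. */
static uint16_t decode_wire(uint16_t field)
{
    uint8_t b[2];
    memcpy(b, &field, sizeof b);
    return (uint16_t)((b[0] << 8) | b[1]);
}

/* Caller passes host order, library converts once: the correct case. */
uint16_t wire_port_single(uint16_t port)
{
    return decode_wire(htons(port));
}

/* Caller passes network order to a library that converts again. */
uint16_t wire_port_double(uint16_t port)
{
    return decode_wire(htons(htons(port)));
}

/* A port survives a byte swap only if its high and low bytes are equal. */
int swap_invariant(uint16_t port)
{
    return (port >> 8) == (port & 0xff);
}

int host_is_little_endian(void)
{
    return htons(1) != 1;
}

int main(void)
{
    /* Constructed sample ports: syslog (514 = 0x0202) and two others. */
    const uint16_t ports[] = { 514, 1514, 6514 };
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++)
        printf("port %5u  correct=%5u  double-converted=%5u  invariant=%d\n",
               (unsigned)ports[i], (unsigned)wire_port_single(ports[i]),
               (unsigned)wire_port_double(ports[i]), swap_invariant(ports[i]));
    return 0;
}
```

To test the conversion path itself, send to a destination port whose two bytes differ and compare the port tcpdump reports with the configured one.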