[syslog-ng] syslog-ng 1.0rc1 stops listening to UDP when zero-length packet received

[Balazs Scheidler]

On Tue, 2006-08-01 at 11:24 +1000, Dark Angael wrote:
> I have been testing 2.0 rc1 for use in a production environment and have 
> discovered a potential DOS exploit. I discovered this when I stopped 
> receiving logs after a particular application started. It turns out that for 
> some reason this app was sending a zero-length packet to syslog. After 
> receiving this packet, syslog-ng gives the following output in debug mode:
> 
> EOF occurred while reading; fd='3'
> Closing log reader fd; fd='3'
> 
> 
> This is reproducible using packet injection also. It has been shown to 
> happen on both solaris 8 and linux (2.6.15-gentoo-r5).
> 
> It does not happen on syslog-ng version 1.6.11.
> 

Can you check if this patch fixes this problem:

--- orig/src/afsocket.c
+++ mod/src/afsocket.c
@@ -254,7 +254,8 @@ afsocket_sc_notify(LogPipe *s, LogPipe *
     case NC_CLOSE:
     case NC_READ_ERROR:
       {
-        afsocket_sd_close_connection(self->owner, self);
+        if (self->owner->flags & AFSOCKET_STREAM)
+          afsocket_sd_close_connection(self->owner, self);
         break;
       }
     }


--- orig/src/logreader.c
+++ mod/src/logreader.c
@@ -359,7 +359,7 @@ log_reader_fetch_log(LogReader *self, FD
               return FALSE;
             }
         }
-      else if (rc == 0 && (self->flags & LR_FOLLOW) == 0)
+      else if (rc == 0 && (self->flags & (LR_FOLLOW + LR_PKTTERM)) == 0)
         {
           /* EOF read */
           msg_verbose("EOF occurred while reading",



-- 
Bazsi