[syslog-ng] syslog-ng 1.0rc1 stops listening to UDP when zero-length packet received
bazsi at balabit.hu
Tue Aug 1 12:26:16 CEST 2006
On Tue, 2006-08-01 at 11:24 +1000, Dark Angael wrote:
> I have been testing 2.0 rc1 for use in a production environment and have
> discovered a potential DoS exploit. I discovered this when I stopped
> receiving logs after a particular application started. It turns out that for
> some reason this app was sending a zero-length packet to syslog. After
> receiving this packet, syslog-ng gives the following output in debug mode:
> EOF occurred while reading; fd='3'
> Closing log reader fd; fd='3'
> This is reproducible using packet injection also. It has been shown to
> happen on both Solaris 8 and Linux (2.6.15-gentoo-r5).
> It does not happen on syslog-ng version 1.6.11.
Can you check if this patch fixes this problem:
@@ -254,7 +254,8 @@ afsocket_sc_notify(LogPipe *s, LogPipe *
- afsocket_sd_close_connection(self->owner, self);
+ if (self->owner->flags & AFSOCKET_STREAM)
+ afsocket_sd_close_connection(self->owner, self);
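Review bot: In afsocket_sc_notify, the new `if (self->owner->flags & AFSOCKET_STREAM)` guard has no comment explaining why non-stream sources skip afsocket_sd_close_connection. Add one line stating that a datagram source has no per-peer connection to close, so this notification must not tear down its listening fd. Since the non-stream branch now does nothing at all, please also confirm that no other cleanup or logging is expected for that case on this notification.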
@@ -359,7 +359,7 @@ log_reader_fetch_log(LogReader *self, FD
- else if (rc == 0 && (self->flags & LR_FOLLOW) == 0)
+ else if (rc == 0 && (self->flags & (LR_FOLLOW + LR_PKTTERM)) == 0)
/* EOF read */
msg_verbose("EOF occurred while reading",
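Review bot: In log_reader_fetch_log, the mask is written as `LR_FOLLOW + LR_PKTTERM`; combine flag bits with `|` instead, because `+` only gives the intended mask while the two values are distinct single bits and silently breaks if either definition changes. With `rc == 0` no longer treated as EOF for LR_PKTTERM readers, it is also worth checking that the branches following this `else if` handle a zero-length read without trying to parse an empty buffer as a message.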
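The failure reported in this thread comes down to how a zero return from a read is interpreted, so here is a small stand-alone C illustration, added here and not taken from the post or from syslog-ng's source. The names `classify_read` and `messages_after_empty_datagram` are hypothetical, and an `AF_UNIX` datagram socketpair stands in for the UDP source so the program runs offline.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum read_result { READ_DATA, READ_EMPTY_PACKET, READ_EOF, READ_ERROR };

/* Hypothetical helper: rc == 0 means "peer closed" only on a stream socket.
 * On a datagram socket it is a valid empty packet and the fd stays open. */
enum read_result classify_read(int sock_type, ssize_t rc)
{
    if (rc < 0)
        return READ_ERROR;
    if (rc > 0)
        return READ_DATA;
    return sock_type == SOCK_STREAM ? READ_EOF : READ_EMPTY_PACKET;
}

/* Send an empty datagram followed by a constructed syslog line, then read
 * both back. Returns the number of non-empty messages the reader handled,
 * or -1 if the reader would have closed the fd or a call failed. */
int messages_after_empty_datagram(void)
{
    int sv[2], handled = 0;
    char buf[256];
    const char *line = "<13>constructed test message";

    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    if (send(sv[0], "", 0, 0) < 0 || send(sv[0], line, strlen(line), 0) < 0)
        handled = -1;
    for (int i = 0; i < 2 && handled >= 0; i++) {
        ssize_t rc = recv(sv[1], buf, sizeof(buf), 0);
        switch (classify_read(SOCK_DGRAM, rc)) {
        case READ_DATA:         handled++; break;
        case READ_EMPTY_PACKET: break;          /* ignore, keep listening */
        default:                handled = -1;   /* EOF or error: would close */
        }
    }
    close(sv[0]);
    close(sv[1]);
    return handled;
}

int main(void)
{
    printf("messages handled: %d\n", messages_after_empty_datagram());
    return 0;
}
```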