[syslog-ng] syslog-ng 1.0rc1 stops listening to UDP when zero-length packet received
Dark Angael
darkangael81 at hotmail.com
Wed Aug 2 05:15:05 CEST 2006
This appears to fix the problem :)
>From: Balazs Scheidler <bazsi at balabit.hu>
>Reply-To: Syslog-ng users' and developers' mailing list
><syslog-ng at lists.balabit.hu>
>To: Syslog-ng users' and developers' mailing list
><syslog-ng at lists.balabit.hu>
>Subject: Re: [syslog-ng] syslog-ng 1.0rc1 stops listening to UDP when zero-length packet received
>Date: Tue, 01 Aug 2006 12:26:16 +0200
>
>On Tue, 2006-08-01 at 11:24 +1000, Dark Angael wrote:
> > I have been testing 2.0 rc1 for use in a production environment and have
> > discovered a potential DOS exploit. I discovered this when I stopped
> > receiving logs after a particular application started. It turns out that for
> > some reason this app was sending a zero-length packet to syslog. After
> > receiving this packet, syslog-ng gives the following output in debug mode:
> >
> > EOF occurred while reading; fd='3'
> > Closing log reader fd; fd='3'
> >
> >
> > This is reproducible using packet injection also. It has been shown to
> > happen on both solaris 8 and linux (2.6.15-gentoo-r5).
> >
> > It does not happen on syslog-ng version 1.6.11.
> >
>
>Can you check if this patch fixes this problem:
>
>--- orig/src/afsocket.c
>+++ mod/src/afsocket.c
>@@ -254,7 +254,8 @@ afsocket_sc_notify(LogPipe *s, LogPipe *
> case NC_CLOSE:
> case NC_READ_ERROR:
> {
>- afsocket_sd_close_connection(self->owner, self);
>+ if (self->owner->flags & AFSOCKET_STREAM)
>+ afsocket_sd_close_connection(self->owner, self);
> break;
> }
> }
>
>
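Review bot: In the shared `NC_CLOSE` / `NC_READ_ERROR` branch, a source without `AFSOCKET_STREAM` now falls straight through to `break`, so a genuine `NC_READ_ERROR` on a non-stream socket is dropped with no action and no log message. Consider splitting the two cases, or at least logging the read error when the flag is unset, and add a comment saying why non-stream sources are deliberately left open here.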
>--- orig/src/logreader.c
>+++ mod/src/logreader.c
>@@ -359,7 +359,7 @@ log_reader_fetch_log(LogReader *self, FD
> return FALSE;
> }
> }
>- else if (rc == 0 && (self->flags & LR_FOLLOW) == 0)
>+ else if (rc == 0 && (self->flags & (LR_FOLLOW + LR_PKTTERM)) == 0)
> {
> /* EOF read */
> msg_verbose("EOF occurred while reading",
>
>
>
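Review bot: The mask in the new condition is built with `+` (`LR_FOLLOW + LR_PKTTERM`); use bitwise OR, `(self->flags & (LR_FOLLOW | LR_PKTTERM)) == 0`, so the test stays correct even if the two flag values ever share a bit. The `/* EOF read */` comment under it would also benefit from saying that `rc == 0` is no longer treated as EOF when `LR_PKTTERM` is set.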
>--
>Bazsi
>
>_______________________________________________
>syslog-ng maillist - syslog-ng at lists.balabit.hu
>https://lists.balabit.hu/mailman/listinfo/syslog-ng
>Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>
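The failure mode reported in this thread, as an added example that is not part of the original messages or of syslog-ng's code: a reader that treats a 0 return from `recv()` as EOF stops after a zero-length datagram and never sees later messages, while on a stream socket 0 really does mean the peer closed. It assumes an AF_UNIX datagram `socketpair()` as a stand-in for UDP so it runs without a network; the policy and function names are hypothetical.

```c
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical reader policies, named for this example only. */
enum policy { ZERO_IS_EOF, ZERO_IS_EMPTY_PACKET };

/* Queue three constructed datagrams ("a", "", "b") on an AF_UNIX datagram pair
 * (stand-in for UDP); count the non-empty messages read before stopping. */
int messages_delivered(enum policy p)
{
    int sv[2], delivered = 0;
    char buf[64];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    send(sv[0], "a", 1, 0);
    send(sv[0], "", 0, 0);              /* the zero-length datagram */
    send(sv[0], "b", 1, 0);
    for (;;) {
        ssize_t rc = recv(sv[1], buf, sizeof buf, MSG_DONTWAIT);
        if (rc < 0)
            break;                      /* EAGAIN: queue drained */
        if (rc == 0 && p == ZERO_IS_EOF)
            break;                      /* reader closes; "b" is never read */
        if (rc > 0)
            delivered++;                /* rc == 0 here: empty packet, go on */
    }
    close(sv[0]); close(sv[1]);
    return delivered;
}

/* On a stream socket a 0 return does mean the peer closed. */
int stream_read_after_close(void)
{
    int sv[2];
    char buf[8];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    close(sv[0]);
    int rc = (int)recv(sv[1], buf, sizeof buf, 0);
    close(sv[1]);
    return rc;
}

int main(void)
{
    printf("zero as EOF: %d delivered, zero as empty packet: %d delivered\n",
           messages_delivered(ZERO_IS_EOF), messages_delivered(ZERO_IS_EMPTY_PACKET));
    printf("stream recv after peer close: %d\n", stream_read_after_close());
}
```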