[syslog-ng] syslog-ng af_sql driver experiencing segfault
Matthew Hall
mhall at mhcomputing.net
Mon Feb 7 19:08:57 CET 2011
On Sun, Feb 06, 2011 at 10:34:41AM +0100, Balazs Scheidler wrote:
> On Fri, 2011-02-04 at 15:27 -0800, Matthew Hall wrote:
> > Program received signal SIGSEGV, Segmentation fault.
> > [Switching to Thread 0xf7b12b90 (LWP 23608)]
> > 0x00c5c7dc in memcpy () from /lib/libc.so.6
> > (gdb) bt
> > #0 0x00c5c7dc in memcpy () from /lib/libc.so.6
> > #1 0xf7e21fed in g_string_insert_len () from /home/y/lib/libglib-2.0.so.0
> > #2 0xf7e223e8 in g_string_append_len () from /home/y/lib/libglib-2.0.so.0
> > #3 0xf7edc1d6 in result_append (result=0x8cc1780, sstr=0x910ffaf "", len=3160627, escape=0) at templates.c:213
> > #4 0xf7ede535 in log_template_append_format_with_context (self=0x8ba0098, messages=0xf7b12204, num_messages=1, opts=0x8bb8aec, tz=1, seq_num=945, result=0x8cc1780) at templates.c:1058
> > #5 0xf7ede83f in log_template_append_format (self=0x8ba0098, lm=0x90d93b0, opts=0x8bb8aec, tz=1, seq_num=945, result=0x8cc1780) at templates.c:1109
> > #6 0xf7ede898 in log_template_format (self=0x8ba0098, lm=0x90d93b0, opts=0x8bb8aec, tz=1, seq_num=945, result=0x8cc1780) at templates.c:1116
> > #7 0xf7b459e6 in afsql_dd_insert_db (self=0x8bb8a58) at afsql.c:681
> > #8 0xf7b45fd9 in afsql_dd_database_thread (arg=0x8bb8a58) at afsql.c:823
> > #9 0xf7ed1405 in worker_thread_func (st=0x8ba4238) at misc.c:593
> > #10 0xf7e28c51 in ?? () from /home/y/lib/libglib-2.0.so.0
> > #11 0x08ba4238 in ?? ()
> > #12 0x08ba4248 in ?? ()
> > #13 0x00000005 in ?? ()
> > #14 0xf7e28b06 in ?? () from /home/y/lib/libglib-2.0.so.0
> > #15 0x00d352c6 in ?? () from /lib/libpthread.so.0
> > #16 0x00000000 in ?? ()
> > (gdb)
> >
> > Looks like I am running into problems with the database code.
> >
> > I'll investigate but it's going to take a while so I hope somebody else might have an idea.
>
> Not nice. Can you send me the core file and the binaries in private? The
> length of the string to be appended to the result certainly looks
> suspicious, being 3160627 bytes.
I can't send the core because it will have PII. If I try to reproduce it
I might not be able to get it to happen without using real data. But
I'll see if I can do it.
I can definitely investigate anything you think would be suspicious or
run any diagnostics you would like to have.
> Can you show me the template that is being expanded here?
I put the sql related directives below.
> The message syslog-ng is trying to operate on is probably bogus, but in
> order to diagnose I'd probably need the core file.
What did you mean by the message being bogus? If you clarify I might be
able to track it down and file a better report.
> Bazsi
# SQL destination: inserts messages into table "syslog" of the MySQL database
# "syslog" on localhost, connecting as user "syslog".
# The SIGSEGV reported in this message is raised while afsql_dd_insert_db()
# expands a template for this destination (backtrace frames #3-#7).
destination d_database {
sql(
type(mysql)
# NOTE(review): password("") is empty as posted. It may have been blanked for
# the mailing list; if it mirrors the running config, the "syslog" account has
# no password -- confirm, and keep that account limited to INSERT on this table.
host("localhost") username("syslog") password("")
database("syslog") table("syslog")
# dont-create-tables: the table must already exist; syslog-ng will not create it.
# explicit-commits: rows are committed in batches instead of one by one.
flags(dont-create-tables, explicit-commits)
# 49 column definitions, paired by position with the 49 templates in values().
columns(
"raw varchar(4000) COLLATE utf8_unicode_ci NOT NULL",
"device char(45) COLLATE utf8_unicode_ci NOT NULL",
"msgtype char(60) COLLATE utf8_unicode_ci NOT NULL",
"msgtime char(60) COLLATE utf8_unicode_ci NOT NULL",
"src char(45) COLLATE utf8_unicode_ci NOT NULL",
"xsrc char(45) COLLATE utf8_unicode_ci NOT NULL",
"user char(40) COLLATE utf8_unicode_ci NOT NULL",
"relay char(45) COLLATE utf8_unicode_ci NOT NULL",
"task char(20) COLLATE utf8_unicode_ci NOT NULL",
"sev char(20) COLLATE utf8_unicode_ci NOT NULL",
"srcmac char(20) COLLATE utf8_unicode_ci NOT NULL",
"dst char(45) COLLATE utf8_unicode_ci NOT NULL",
"xdst char(45) COLLATE utf8_unicode_ci NOT NULL",
"_group char(40) COLLATE utf8_unicode_ci NOT NULL",
"action char(25) COLLATE utf8_unicode_ci NOT NULL",
"svr char(30) COLLATE utf8_unicode_ci NOT NULL",
"srcport smallint(5) unsigned NOT NULL",
"xsrcport smallint(5) unsigned NOT NULL",
"interface char(35) COLLATE utf8_unicode_ci NOT NULL",
"tx char(15) COLLATE utf8_unicode_ci NOT NULL",
"rx char(15) COLLATE utf8_unicode_ci NOT NULL",
"reason char(15) COLLATE utf8_unicode_ci NOT NULL",
"duration char(15) COLLATE utf8_unicode_ci NOT NULL",
"protocol char(20) COLLATE utf8_unicode_ci NOT NULL",
"dstport smallint(5) unsigned NOT NULL",
"xdstport smallint(5) unsigned NOT NULL",
"method char(25) COLLATE utf8_unicode_ci NOT NULL",
"acl char(40) COLLATE utf8_unicode_ci NOT NULL",
"status char(30) COLLATE utf8_unicode_ci NOT NULL",
"ap char(15) COLLATE utf8_unicode_ci NOT NULL",
"dstdns varchar(1000) COLLATE utf8_unicode_ci NOT NULL",
"time char(50) COLLATE utf8_unicode_ci NOT NULL",
"apmac char(15) COLLATE utf8_unicode_ci NOT NULL",
"zone char(15) COLLATE utf8_unicode_ci NOT NULL",
"vlan smallint(5) unsigned NOT NULL",
"trunk char(35) COLLATE utf8_unicode_ci NOT NULL",
"snmp char(25) COLLATE utf8_unicode_ci NOT NULL",
"role char(15) COLLATE utf8_unicode_ci NOT NULL",
"level char(15) COLLATE utf8_unicode_ci NOT NULL",
"dstmac char(20) COLLATE utf8_unicode_ci NOT NULL",
"count int(11) NOT NULL",
"attack varchar(600) COLLATE utf8_unicode_ci NOT NULL",
"activity char(15) COLLATE utf8_unicode_ci NOT NULL",
"ssid char(35) COLLATE utf8_unicode_ci NOT NULL",
"srcid char(25) COLLATE utf8_unicode_ci NOT NULL",
"offset char(15) COLLATE utf8_unicode_ci NOT NULL",
"interface1 char(35) COLLATE utf8_unicode_ci NOT NULL",
"interface2 char(35) COLLATE utf8_unicode_ci NOT NULL",
"file char(30) COLLATE utf8_unicode_ci NOT NULL",
)
# One template per column, each a single name-value reference. These lowercase
# names are not syslog-ng's built-in (uppercase) macros; presumably they are
# filled by the db-parser patterns in p_database from messages received on
# s_tcp -- verify against database.xml.
# NOTE(review): column "_group" is fed from "$group" (no underscore); looks
# intentional -- confirm.
values(
"$raw", "$device", "$msgtype", "$msgtime", "$src", "$xsrc",
"$user", "$relay", "$task", "$sev", "$srcmac", "$dst",
"$xdst", "$group", "$action", "$svr", "$srcport", "$xsrcport",
"$interface", "$tx", "$rx", "$reason", "$duration", "$protocol",
"$dstport", "$xdstport", "$method", "$acl", "$status", "$ap",
"$dstdns", "$time", "$apmac", "$zone", "$vlan", "$trunk",
"$snmp", "$role", "$level", "$dstmac", "$count", "$attack",
"$activity", "$ssid", "$srcid", "$offset", "$interface1", "$interface2",
"$file",
)
# NOTE(review): of these five names only "device" appears in columns() above;
# with dont-create-tables set this list is presumably never used -- confirm.
indexes("date", "device", "level_num", "host", "r_date")
);
};
# Pattern-database parser; the path to database.xml was shortened by the poster
# ("/.../"). Presumably its patterns set the name-value pairs that d_database
# references in values() -- the XML itself is not shown here.
parser p_database { db-parser(file("/.../database.xml")); };
# Output format shared by d_raw and d_vpn_analysis: the ${MSGONLY} macro
# followed by a newline, with no timestamp or host prefix.
template t_raw {
template("${MSGONLY}\n");
};
# Rewrites MESSAGE with a PCRE substitution: every occurrence (flags "global")
# of a word followed by ="" and a space -- i.e. a key with an empty value --
# is replaced by the empty string.
rewrite r_strip_empty_values {
subst('\b(\w+)="" ', "", value(MESSAGE), flags("global"), type("pcre"));
};
# File destination with one file per day (name built from YEAR-MONTH-DAY); the
# leading part of the path was shortened by the poster ("...").
destination d_raw {
file(".../raw/raw_${YEAR}-${MONTH}-${DAY}.log"
# Files are owned by root:root with mode 0640: no access for other users.
owner("root")
group("root")
perm(0640)
# create_dirs(no): the target directory must already exist.
create_dirs(no)
# Lines are formatted with t_raw; suppress(3) presumably collapses identical
# consecutive messages seen within 3 seconds -- confirm against the docs for
# the version in use.
template(t_raw) suppress(3)
);
};
# program() destination: messages formatted with t_raw are handed to an
# external command, which the poster replaced with "... perl code ...".
# NOTE(review): the text passed to that command comes from messages received
# on s_tcp (see the log statement), so the script should parse it as untrusted
# input -- the script itself is not shown here.
destination d_vpn_analysis {
program("... perl code ..."
# no-multi-line: each message is delivered as a single line.
flags(no-multi-line)
# suppress(0): no suppression of repeated messages for this destination.
suppress(0)
template(t_raw)
);
};
# Log path, in the order written: messages from s_tcp are parsed by p_database
# and sent to d_database; only then is r_strip_empty_values applied, followed
# by d_raw and d_vpn_analysis. As listed, d_database is reached before the
# rewrite and the two t_raw destinations after it.
# s_tcp is not defined in this excerpt; presumably a TCP network source.
log {
source(s_tcp);
parser(p_database);
destination(d_database);
rewrite(r_strip_empty_values);
destination(d_raw);
destination(d_vpn_analysis);
};