[syslog-ng] Spoofed source bug introduced in 3.3.5

Marvin Nipper Marvin.Nipper at stream.com
Mon Apr 30 16:57:05 CEST 2012


Hi.

All of this pertains to a Solaris 10 (x86) environment....

I tried, at the end of the week, to jump up to the new 3.3.5 release, mostly to get up to a version that already included all of the memory leak fixes that I had manually deployed to 3.3.4.  It all compiled fine, and seemed to work fine.... Until this weekend.

When my log rotation script ran this weekend, all hell broke loose.  The specific issue is that the instant that syslog-ng 3.3.5 receives the HUP (from my rotation script), all of the packets that are being forwarded (via UDP, with source spoofing) instantly start being forwarded with null (0.0.0.0) destination addresses.  (And, FYI, I can easily recreate, and see this behavior.)  Unfortunately, instead of _only_ resulting in the destination server not receiving these packets, the effect is actually far worse, because a null destination address is (at least on Solaris) interpreted as an old form of a broadcast packet, and all of these packets actually create an exponential feedback loop.  I.e., they are seen by this same syslog-ng server's UDP listener, as valid inbound packets, which (of course), then are forwarded, outbound (by syslog-ng, as part of the spoofed forwarding), which then (of course) causes them to be seen (yet again) by syslog-ng as inbound packets.  And "very quickly" the whole thing piles up on itself, causing the server to pretty much collapse under the weight of an ever-increasing volume of "perceived" inbound UDP syslog packets.

So... I'm hoping that someone will say "ah ha", and have some idea about what code might have changed between 3.3.4 and 3.3.5, that might have (accidentally) resulted in this behavior.  Certainly, I've dropped back (for now) to 3.3.4 (as it does not have the problem), but if there is some sort of debugging that you need me to do (i.e. "if it's not obvious what coding change may have introduced this bug"), I'm more than willing to deploy the 3.3.5 code in a test environment, and do whatever testing that you might need.  Again, it's easily reproducible with a simple HUP.

Sorry to bring you a new/different issue.  Any and all input/help would be appreciated.

As always, THANKS for your help!!

Marvin Nipper
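
The condition reported above (forwarded UDP syslog packets carrying a 0.0.0.0 destination and then being re-ingested) can be checked for in a test capture. The following is an added example, not part of the original message or of syslog-ng; UDP port 514, the function names and the constructed sample packets are assumptions.

```python
import socket
import struct

SYSLOG_PORT = 514  # assumption: default UDP syslog port; the post names none

def build_packet(src, dst, sport, dport, payload):
    """Build a minimal IPv4+UDP packet (checksums left 0) for the sample data."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     socket.IPPROTO_UDP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp

def parse_udp(packet):
    """Return (src, dst, sport, dport, payload), or None if not IPv4/UDP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4  # header length in bytes; options make it > 20
    if ihl < 20 or packet[9] != socket.IPPROTO_UDP or len(packet) < ihl + 8:
        return None
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return src, dst, sport, dport, packet[ihl + 8:]

def find_null_dst_syslog(packets, port=SYSLOG_PORT):
    """Return (indexes of syslog packets addressed to 0.0.0.0,
    count of byte-identical payloads seen again, a sign of re-forwarding)."""
    hits, seen, repeats = [], set(), 0
    for i, pkt in enumerate(packets):
        parsed = parse_udp(pkt)
        if parsed is None or parsed[3] != port or parsed[1] != "0.0.0.0":
            continue
        hits.append(i)
        if parsed[4] in seen:
            repeats += 1
        seen.add(parsed[4])
    return hits, repeats

# Constructed sample capture (documentation addresses): one healthy forward,
# the same message twice with a null destination, then non-syslog traffic.
MSG = b"<13>Apr 30 16:57:05 host1 app: test message"
SAMPLE = [
    build_packet("192.0.2.10", "198.51.100.5", 514, 514, MSG),
    build_packet("192.0.2.10", "0.0.0.0", 514, 514, MSG),
    build_packet("192.0.2.10", "0.0.0.0", 514, 514, MSG),
    build_packet("192.0.2.10", "0.0.0.0", 53, 53, b"not syslog"),
]
```

A non-empty first element means packets are leaving with a null destination; a growing repeat count in successive captures indicates the same messages are circulating.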



