[syslog-ng] Problems with rewrite set and template functions...

Balazs Scheidler bazsi77 at gmail.com
Sat Jan 26 13:58:44 CET 2013


Hi

This patch should fix the segmentation fault, I've committed this to 3.4
master, thanks for reporting it.

Should apply to 3.3 too, I'm not sure which release you are using.

commit 077c669c2dcca7b7323e7a42dcaba94755d3bc23
Author: Balazs Scheidler <bazsi at balabit.hu>
Date:   Sat Jan 26 13:53:22 2013 +0100

    logrewrite: fix rewrite set/subst related segfault
    
    If a set/rewrite operation is referenced from multiple locations, and
    it uses template functions, a segfault has occurred, as the clone
    operation didn't properly propagate the associated configuration object,
    which rendered template->cfg to be NULL, which in turn caused
    template-function lookup code to dereference a NULL pointer.
    
    This was fixed by two dependent changes:
      - always passing the already-compiled LogTemplate to the rewrite
        operations instead of a string constant.
      - reusing the compiled template object in clone()
    
    Since LogTemplate is reused, and the first one contains a proper reference
    to the appropriate configuration object, the NULL deref issue was
    solved too.
    
    Reported-By: Johnson, Chris <chris.johnson3 at hp.com>
    Signed-off-by: Balazs Scheidler <bazsi at balabit.hu>


On Fri, 2013-01-25 at 23:43 +0000, Johnson, Chris (HP TippingPoint
Roseville) wrote:
> Hi all,
> 
> I've come across a problem when using the rewrite set function with a
> template function.
> 
> I've created a custom template function 'audit-TPTI-to-Email' and use
> it in a rewrite:
> 
> rewrite r_audit_EMail {
>         set("$(audit-TPTI-to-EMail ${MSG})", value("MSG"));
> };
> 
>  
> 
> Then call it:
> 
> filter f_audit_pgm{program("AUDIT-*" type("glob"));};
> 
> log {
>         source(s_local);
>         filter(f_audit_pgm);
>         log {
>                 destination(d_logID_02);
>         };
>         log {
>                 rewrite(r_audit_EMail);
>                 rewrite(r_quote_newlines);
>                 destination(d_logID_13);
>         };
>         flags(final);
> };
> 
> Everything works fine.
> 
> Then if I add another call to rewrite (i.e. add a second email
> destination):
> 
> filter f_audit_pgm{program("AUDIT-*" type("glob"));};
> 
> log {
>         source(s_local);
>         filter(f_audit_pgm);
>         log {
>                 destination(d_logID_02);
>         };
>         log {
>                 rewrite(r_audit_EMail);
>                 rewrite(r_quote_newlines);
>                 destination(d_logID_13);
>         };
>         log {
>                 rewrite(r_audit_EMail);
>                 rewrite(r_quote_newlines);
>                 destination(d_logID_14);
>         };
>         flags(final);
> };
> 
> Syslog-ng crashes with a segfault.
> 
> I've narrowed it down to any template function (just to make sure *I*
> wasn't screwing something up in my custom function):
> 
> rewrite r_echo { set("$(echo $PROGRAM)" value("PROGRAM")); };
> destination d_test1{ file("/var/log/test1.log"); };
> destination d_test2{ file("/var/log/test2.log"); };
> 
> log {
>         source(s_local);
>         log {
>                 rewrite(r_echo);
>                 destination(d_test1);
>         };
>         log {
>                 rewrite(r_echo);
>                 destination(d_test2);
>         };
> };
> 
>  
> 
> The backtrace:
> 
> Backtrace:
> /usr/local/lib/libsyslog-ng-3.3.3.so(plugin_find+0x39)[0x7f3eb76ff019]
> /usr/local/lib/libsyslog-ng-3.3.3.so(log_template_compile+0x84f)[0x7f3eb7703baf]
> /usr/local/lib/libsyslog-ng-3.3.3.so(log_rewrite_set_new+0x99)[0x7f3eb76f3349]
> /usr/local/lib/libsyslog-ng-3.3.3.so[0x7f3eb76f3371]
> /usr/local/lib/libsyslog-ng-3.3.3.so(log_center_init_pipe_line+0x35d)[0x7f3eb76dfecd]
> /usr/local/lib/libsyslog-ng-3.3.3.so(log_center_init_pipe_line+0xd2)[0x7f3eb76dfc42]
> /usr/local/lib/libsyslog-ng-3.3.3.so(log_center_init+0x56)[0x7f3eb76e0226]
> /usr/local/lib/libsyslog-ng-3.3.3.so(cfg_init+0xb0)[0x7f3eb76e1530]
> /usr/local/lib/libsyslog-ng-3.3.3.so(main_loop_init+0x11b)[0x7f3eb76f9abb]
> /usr/local/sbin/syslog-ng(main+0x11f)[0x40168f]
> /lib/libc.so.6(__libc_start_main+0xe6)[0x7f3eb6240126]
> /usr/local/sbin/syslog-ng[0x401379]
> 
>  
> 
> I threw in some debug statements:
> 
> LogRewrite *
> log_rewrite_set_new(const gchar *new_value)
> {
>     fprintf(stderr, "%s('%s'):\n", __FUNCTION__, new_value);
> 
> Plugin *
> plugin_find(GlobalConfig *cfg, gint plugin_type, const gchar *plugin_name)
> {
>     fprintf(stderr, "%s(%p, %d, '%s'): '\n", __FUNCTION__, cfg, plugin_type, plugin_name);
> 
>  
> 
> Which showed that the 'cfg' pointer is null when rewrite is called the
> second time:
> 
> log_rewrite_set_new('$(echo $PROGRAM)'):
> plugin_find(0x60e210, 13, 'echo'): '
> plugin_find:    plugin->name = 'sys-to-EMail'
> plugin_find:    plugin->name = 'audit-TPTI-to-EMail'
> plugin_find:    plugin->name = 'quar-TPTI-to-EMail'
> plugin_find:    plugin->name = 'quar-TPTI-to-CEF'
> plugin_find:    plugin->name = 'tab-to-bar'
> plugin_find:    plugin->name = 'tab-to-semicolon'
> plugin_find:    plugin->name = 'tab-to-comma'
> plugin_find:    plugin->name = 'to-upper-case'
> plugin_find:    plugin->name = 'to-lower-case'
> plugin_find:    plugin->name = 'ipv4-to-int'
> plugin_find:    plugin->name = 'log-session-seqnum'
> plugin_find:    plugin->name = 'indent-multi-line'
> plugin_find:    plugin->name = 'if'
> plugin_find:    plugin->name = 'grep'
> plugin_find:    plugin->name = 'echo'
> plugin_find(0x60e210, 2, 'file'): '
> [...]
> log_rewrite_set_new('$(echo $PROGRAM)'):
> plugin_find((nil), 13, 'echo'): '
> *** Segmentation fault
> 
>  
> 
> Sooo, my questions are: 
> 
> Is this expected behavior?
> 
> Has this been patched already?
> 
> Is there another way I can call a custom function to reformat the
> message field on a destination-by-destination basis?
> 
>  
> 
> Thanks,
> 
> Chris
> 
>  
> 
> ----------------------------------------
> 
> Christopher Johnson
> 
> chris.johnson3 at hp.com
> 
> HP Software - Security Product Group
> 
> (916) 785-2817
> 
> ----------------------------------------
> 
>  
> 
> 
> 
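An added illustration of the bug class and fix described in the commit message above (not syslog-ng's code and not part of the original thread): a clone that rebuilds its template from the string loses the configuration pointer, while a clone that shares the compiled template keeps it. All type and function names are hypothetical, and the use of a reference count for sharing is an assumption.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical miniature types; the names are illustrative, not syslog-ng's. */
typedef struct { const char *funcs[2]; } Config;   /* template-function registry */
typedef struct { int refs; Config *cfg; const char *text; } Template;
typedef struct { Template *tmpl; } SetRewrite;

static void *xcalloc(size_t n) { void *p = calloc(1, n); if (!p) abort(); return p; }
/* Function lookup needs the configuration. A NULL cfg is reported as -1 here,
 * where the code described in the commit message dereferenced it. */
static int lookup(const Config *cfg, const char *name) {
    if (cfg == NULL) return -1;
    for (size_t i = 0; i < 2; i++)
        if (strcmp(cfg->funcs[i], name) == 0) return 1;
    return 0;
}
static Template *template_new(Config *cfg, const char *text) {
    Template *t = xcalloc(sizeof *t);
    t->refs = 1; t->cfg = cfg; t->text = text;
    return t;
}
static Template *template_ref(Template *t) { t->refs++; return t; }
static void template_unref(Template *t) { if (--t->refs == 0) free(t); }
static SetRewrite *rewrite_new(Template *t) {   /* takes over one reference */
    SetRewrite *r = xcalloc(sizeof *r);
    r->tmpl = t;
    return r;
}
static void rewrite_free(SetRewrite *r) { template_unref(r->tmpl); free(r); }
/* Before: the clone recompiles from the string and has no cfg to hand over. */
static SetRewrite *clone_from_string(const SetRewrite *src) {
    return rewrite_new(template_new(NULL, src->tmpl->text));
}
/* After: the clone shares the compiled template, so its cfg comes along. */
static SetRewrite *clone_shared(const SetRewrite *src) {
    return rewrite_new(template_ref(src->tmpl));
}
/* Lookup result seen by the second reference to one rewrite rule. */
int second_reference_lookup(int fixed) {
    Config cfg = { { "echo", "grep" } };
    SetRewrite *first = rewrite_new(template_new(&cfg, "$(echo $PROGRAM)"));
    SetRewrite *second = fixed ? clone_shared(first) : clone_from_string(first);
    int rc = lookup(second->tmpl->cfg, "echo");
    rewrite_free(second);
    rewrite_free(first);
    return rc;
}
```

second_reference_lookup(0) follows the pre-fix path and second_reference_lookup(1) the post-fix path.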