Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 20 Mar 2013 13:41:26 +0100
From: Szabolcs Nagy <nsz@...t70.net>
To: musl@...ts.openwall.com
Subject: Re: Weird bug in syslog

* William Haddon <william@...donthethird.net> [2013-03-19 15:32:35 -0400]:
> I noticed seg-faults and other weird behavior when using the syslog() 
> function with large messages. I've attached the simplest test program 
> that reproduces the problem. I've observed it to break on 0.9.9 on i386 
> and current git on x86_64. The problem seems to be that although the 
> syslog function successfully truncates its input to 256 bytes, it 
> passes the size of the un-truncated form to the sendto() call because 
> snprintf returns the number of bytes that would be written if 
> truncation did not occur. Fixing syslog to check if truncation occurred 
> seems to fix the problem. I've attached the patch that does this.

i can confirm this


> Report the correct length of the datagram to the kernel to fix strange behavior
> in the syslog function.
> --- musl-0.9.9/src/misc/syslog.c
> +++ src/src/misc/syslog.c
> @@ -90,9 +90,11 @@
>  		priority, timebuf,
>  		log_ident ? log_ident : "",
>  		"["+!pid, pid, "]"+!pid);
> +	if (l > sizeof buf) l = sizeof buf - 1;

l >= sizeof buf

(it is not correct when l<0 but that snprintf cannot fail)

>  	l2 = vsnprintf(buf+l, sizeof buf - l, message, ap);
>  	if (l2 >= 0) {
>  		l += l2;

these are int values
maybe we should care about overflow
(eg making l size_t works)

> +		if (l > sizeof buf) l = sizeof buf - 1;

l >= sizeof buf

>  		if (buf[l-1] != '\n') buf[l++] = '\n';
>  		sendto(log_fd, buf, l, 0, (void *)&log_addr, 11);
>  	}
> 

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.