Bug 366981 - app-admin/syslog-ng-3.2.4: segfault when having an invalid flag in the configuration file
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal minor
Assignee: Mr. Bones. (RETIRED)
Reported: 2011-05-12 13:00 UTC by roltel
Modified: 2012-01-31 09:59 UTC


Attachments
syslog-ng-3.2.4-cfgparser-fix.patch (585 bytes, patch)
2011-05-12 14:13 UTC, Stratos Psomadakis (RETIRED)

Description roltel 2011-05-12 13:00:39 UTC
If you define a flag in your syslog-ng configuration file that is not supported by syslog-ng, syslog-ng segfaults if you try to start the service:

/etc/init.d/syslog-ng: line 22: 10842 Segmentation fault      syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf
 * Configuration error. Please fix your configfile (/etc/syslog-ng/syslog-ng.conf)                                    [ !! ]
 * ERROR: syslog-ng failed to start



Reproducible: Always

Steps to Reproduce:
1. Edit /etc/syslog-ng/syslog-ng.conf and add an invalid flag to a configuration line (e.g.: destination df_dummy { file("/var/log/dummy" flags(invalid-flag)); }; )
2. Start the syslog-ng service ( rc-config start syslog-ng )

Actual Results:  
Syslog-ng segfaults, the service does not start

Expected Results:  
Syslog-ng should only print a message about an invalid configuration. The segmentation fault is highly irritating because it suggests that there is something wrong with the compilation / glibc is broken / etc.

The init-script of syslog-ng first tries to validate the configuration file:
syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf

The error occurs in the source file lib/cfg-parser.c #263

  for (h = 0; handlers[h].name; h++)
    { 
      CfgFlagHandler *handler = &handlers[h];

      if (strcmp(handlers[h].name, flag) == 0)
        { 
          switch (handler->op)
...


The loop goes through all flags known to syslog-ng and tries to match it to the current flag which is read from the configuration file. The idea is that the for-loop will stop as soon as handlers[h].name == NULL. I debugged this code, and saw that handlers[h].name never equals NULL. After reaching the end of the array, handlers[h].name points to some random memory location. strcmp() then tries to access this invalid memory location and crashes.

I think there are 2 problems to be fixed here:

1. The for-loop should terminate by reaching the max. number of elements in the array, and not by looking at the value of a string address. Alternatively you have to make absolutely sure that the last element in the array contains a NULL address for the name variable.

2. strcmp() should be replaced by strncmp() to make sure that only a certain number of characters are used for comparison. In that way strcmp() would not crash even if one of the strings points to a string address that is not \0 terminated.
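
An added example, not part of the original report or of syslog-ng's source, illustrating point 1 of the description: a table lookup bounded by the element count that also honours a NULL sentinel, so an unknown flag yields an error return instead of a read past the end of the array. The struct, table contents and function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a flag-handler table entry (not syslog-ng's struct). */
typedef struct {
    const char *name;   /* NULL marks the sentinel entry */
    unsigned    mask;
} FlagHandler;

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed sample tables; the flag names are made up for this example. */
static const FlagHandler terminated[]   = { { "flag-a", 1 }, { "flag-b", 2 }, { NULL, 0 } };
static const FlagHandler unterminated[] = { { "flag-a", 1 }, { "flag-b", 2 } };

/* A sentinel-driven walk is only safe if the last element really is the sentinel. */
static int has_sentinel(const FlagHandler *tbl, size_t n)
{
    return n > 0 && tbl[n - 1].name == NULL;
}

/* Return the index of `flag` in tbl, or -1 if it is unknown.
 * The walk is bounded by the element count n, so a missing sentinel cannot
 * carry it past the end of the array; a NULL name still ends it early. */
static int lookup_flag(const FlagHandler *tbl, size_t n, const char *flag)
{
    for (size_t h = 0; h < n && tbl[h].name != NULL; h++) {
        if (strcmp(tbl[h].name, flag) == 0)
            return (int)h;
    }
    return -1;
}

int main(void)
{
    const char *flag = "invalid-flag";   /* the unknown flag from the report */

    if (!has_sentinel(unterminated, ARRAY_LEN(unterminated)))
        fprintf(stderr, "table is missing its NULL sentinel\n");

    /* Unknown flag: both tables yield -1, which the caller can report as a
     * configuration error instead of reading past the end of the array. */
    if (lookup_flag(terminated, ARRAY_LEN(terminated), flag) < 0 &&
        lookup_flag(unterminated, ARRAY_LEN(unterminated), flag) < 0)
        fprintf(stderr, "unknown flag: %s\n", flag);
    return 0;
}
```
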
Comment 1 roltel 2011-05-12 13:24:40 UTC
Just forgot to mention that the segfault was introduced with version 3.2. Syslog-ng-3.1.x and older did not show this behavior.
Comment 2 Stratos Psomadakis (RETIRED) gentoo-dev 2011-05-12 14:13:11 UTC
Created attachment 272939
syslog-ng-3.2.4-cfgparser-fix.patch

Something like this should probably work.
Comment 3 roltel 2011-05-12 16:51:57 UTC
Yes, works for me. No more segfault. Syslog-ng now shows the line and position of the invalid flag.
Comment 4 Mr. Bones. (RETIRED) gentoo-dev 2012-01-31 09:59:58 UTC
I think this is fixed in later syslog-ng versions.