Winlogbeat - fix large message panic for Windows Vista and newer #1499

Merged
merged 1 commit into from Apr 27, 2016

@andrewkroh
Member

commented Apr 27, 2016

Fix panic that occurs when reading large events on Windows Vista and newer.

This occurs in an error recovery path so in order for the panic to occur, first there had to have been an error rendering the event as XML with the event message string. When that error occurs Winlogbeat tries to render the event as XML, but without the message string. If the XML was larger than half the buffer size a panic would occur.

The cause was invalid handling of the "BufferUsed [out]" parameter value. The value specifies the number of bytes in this case and it was treated as if it were the number of characters. This is the opposite of the behavior of FormatMessage() used in earlier versions of Windows, which returns the number of characters rather than bytes.

Reported here: https://discuss.elastic.co/t/report-a-bug-of-winlogbeat-5-0-0-alpha1-windows-32/47550/4
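
An added illustration of the byte-versus-character mix-up described in the pull request description above (not code from this pull request or from Winlogbeat). It models the render buffer as a plain byte slice; `render`, `decode`, `decodeAsChars` and `decodeAsBytes` are hypothetical names, and the 64-byte buffer and XML string are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"unicode/utf16"
)

// render (hypothetical stand-in for the Windows call) writes s as UTF-16LE and returns BYTES used.
func render(buf []byte, s string) int {
	units := utf16.Encode([]rune(s))
	for i, u := range units {
		buf[2*i], buf[2*i+1] = byte(u), byte(u>>8)
	}
	return 2 * len(units)
}

func decode(b []byte) string {
	units := make([]uint16, len(b)/2)
	for i := range units {
		units[i] = uint16(b[2*i]) | uint16(b[2*i+1])<<8
	}
	return string(utf16.Decode(units))
}

// decodeAsChars models the bug: bufferUsed is read as a count of 2-byte characters.
func decodeAsChars(buf []byte, bufferUsed int) (s string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered: %v", r)
		}
	}()
	return decode(buf[:2*bufferUsed]), nil
}

// decodeAsBytes reads bufferUsed as bytes and validates it before slicing.
func decodeAsBytes(buf []byte, bufferUsed int) (string, error) {
	if bufferUsed < 0 || bufferUsed > len(buf) || bufferUsed%2 != 0 {
		return "", errors.New("bufferUsed is not a valid UTF-16 byte count")
	}
	return decode(buf[:bufferUsed]), nil
}

func main() {
	buf := make([]byte, 64) // constructed sample: 64-byte buffer, 29-char XML
	n := render(buf, "<Event><Data>x</Data></Event>")
	_, bugErr := decodeAsChars(buf, n)
	s, err := decodeAsBytes(buf, n)
	fmt.Println(n, bugErr, s, err)
}
```

In this model the 29-character XML uses 58 of 64 bytes, so doubling the count slices past the end of the buffer and panics; output shorter than half the buffer does not panic but reads past the rendered data instead.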

@ruflin

Collaborator

commented Apr 27, 2016

Needs rebase, probably overlaps with #1498.


@andrewkroh andrewkroh force-pushed the andrewkroh:bugfix/wineventlog-format-panic branch from fbdcf89 to 16738a0 Apr 27, 2016

@andrewkroh

Member Author

commented Apr 27, 2016

Rebased, it must have been a changelog conflict.

@ruflin ruflin merged commit 63c0f44 into elastic:master Apr 27, 2016

4 checks passed

CLA Commit author has signed the CLA
continuous-integration/appveyor/pr AppVeyor build succeeded
continuous-integration/travis-ci/pr The Travis CI build passed
default Build finished.

@andrewkroh andrewkroh deleted the andrewkroh:bugfix/wineventlog-format-panic branch May 4, 2016
