Abnormal message causes Segmentation fault

[aleksandrgilfanov]

syslog-ng

Version of syslog-ng

syslog-ng 3 (3.27.1)
Config version: 3.22
Installer-Version: 3.27.1
Revision:
Module-Directory: /usr/local/lib/syslog-ng
Module-Path: /home/sense/test-fuzz/syslog-ng-3.27.1/inst/usr/local/lib/syslog-ng
Include-Path: /usr/local/share/syslog-ng/include
Available-Modules: stardate,basicfuncs,add-contextual-data,xml,examples,hook-commands,disk-buffer,appmodel,azure-auth-header,confgen,map-value-pairs,afsocket,affile,tfgetent,graphite,syslogformat,cryptofuncs,kvformat,secure-logging,cef,linux-kmsg-format,csvparser,tags-parser,afprog,afsql,afuser,timestamp,system-source,pseudofile,dbparser
Enable-Debug: on
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: off
Enable-TCP-Wrapper: off
Enable-Linux-Caps: off
Enable-Systemd: off

Platform

Debian 10

Issue

The message, that contains just bytes: "4\0 " causes Segmentation fault

Steps to reproduce

printf '4\0  ' | syslog-ng \
        --foreground \
        --cfgfile=$CONFIG
Segmentation fault

Configuration

@version:3.22

source s_src {
        stdin(follow-freq(1));
};

destination d_dst {
        file("/tmp/dest.log");
};

log {
        source(s_src);
        destination(d_dst);
};

[aleksandrgilfanov]

Possible fix: aleksandrgilfanov@25a3f8b

[Kokan]

Hello, nice findings. This turned out once when I tweaked a fuzzer[1] (and some other issue like this). I had a slightly different fixture for this error: Kokan@d4b4496 (Note this commit contains other possible fixes.)

Your patch imho is not correct, as the src and left should be in sync, but yours increment the src unconditionally and not later assignes it to data.

  *data = src;
  *length = left;

The data and length could be inconsistent, that may cause additional issues later on.
The reson I did not submit my version is that I had an open question what to do when this error occurs:

1. pretend that seq id not present and let the parsing continue
   • parsing continue after seq id
   • parsing continue at seq id
2. make the whole parser fail, and wrap the not parse-able message into a new one (msg_format_inject_parse_error).

I think the option 2 would be a good choose.
@aleksandrgilfanov Would you mind doing a pull request from it ?

[1] The comment describes how to use the fuzzer ed178e5 that works on this branch: master...Kokan:libfuzz-syslog-parser

[aleksandrgilfanov]

@Kokan #3329

[bazsi]

The Cisco sequence number is not a specified part of any rfc, nor is standard, so the entire sequence number parsing is just a heuristic, which fails at this point. We should just go back to the front and handle the message normally.

…

On Wed, Jun 17, 2020, 20:57 Kókai Péter ***@***.***> wrote: Hello, nice findings. This turned out once when I tweaked a fuzzer[1] (and some other issue like this). I had a slightly different fixture for this error: ***@***.*** <Kokan@d4b4496> (Note this commit contains other possible fixes.) Your patch imho is not correct, as the src and left should be in sync, but yours increment the src unconditionally and not later assignes it to data. *data = src; *length = left; The data and length could be inconsistent, that may cause additional issues later on. The reson I did not submit my version is that I had an open question what to do when this error occurs: 1. pretend that seq id not present and let the parsing continue - parsing continue after seq id - parsing continue at seq id 2. make the whole parser fail, and wrap the not parse-able message into a new one (msg_format_inject_parse_error). I think the option 2 would be a good choose. @aleksandrgilfanov <https://github.com/aleksandrgilfanov> Would you mind doing a pull request from it ? [1] The comment describes how to use the fuzzer ed178e5 <ed178e5> that works on this branch: master...Kokan:libfuzz-syslog-parser <master...Kokan:libfuzz-syslog-parser> — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#3328 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAFOK5SJT3JUMNRWNG7YINLRXEGY5ANCNFSM4OAP5ZXQ> .