From a3e48b697fa664110567fcd0027d24ea5a239041 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Thu, 25 Mar 2010 08:03:37 +0100 Subject: bugfix(temporary): message-induced off-by-one error (potential segfault) Some types of malformed messages could trigger an off-by-one error (for example, \0 or \n as the last character, and generally control character escaption is questionable). This is due to not strictly following a the \0 or string counted string paradigm (during the last optimization on the cstring class). As a temporary fix, we have introduced a proper recalculation of the size. However, a final patch is expected in the future. See bug tracker for further details and when the final patch will be available: http://bugzilla.adiscon.com/show_bug.cgi?id=184 Note that the current patch is considered sufficient to solve the situation, but it requires a bit more runtime than desirable. --- ChangeLog | 12 ++++++++++++ runtime/msg.c | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/ChangeLog b/ChangeLog index 4d452459..467196cd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,18 @@ Version 4.6.2 [v4-stable] (rgerhards), 2010-03-?? - new feature: "." action type added to support writing files to relative pathes (this is primarily meant as a debug aid) +- bugfix(temporary): message-induced off-by-one error (potential segfault) + Some types of malformed messages could trigger an off-by-one error + (for example, \0 or \n as the last character, and generally control + character escaption is questionable). This is due to not strictly + following a the \0 or string counted string paradigm (during the last + optimization on the cstring class). As a temporary fix, we have + introduced a proper recalculation of the size. However, a final + patch is expected in the future. See bug tracker for further details + and when the final patch will be available: + http://bugzilla.adiscon.com/show_bug.cgi?id=184 + Note that the current patch is considered sufficient to solve the + situation, but it requires a bit more runtime than desirable. - bugfix: potential segfault in dynafile cache This bug was triggered by an open failure. The the cache was full and a new entry needed to be placed inside it, a victim for eviction was diff --git a/runtime/msg.c b/runtime/msg.c index 3a2331f4..2ce7843a 100644 --- a/runtime/msg.c +++ b/runtime/msg.c @@ -2319,6 +2319,12 @@ uchar *MsgGetProp(msg_t *pMsg, struct templateEntry *pTpe, *pPropLen = sizeof("**INVALID PROPERTY NAME**") - 1; return UCHAR_CONSTANT("**INVALID PROPERTY NAME**"); } + /* the following line fixes the symptom, but not the root cause -- at least MSG sometimes + * returns a size of one too less. To prevent all troubles, we recalculate the sizes based + * on what we actually got. TODO: remove once root cause is found. + * rgerhards, 2010-03-23 + */ + bufLen = ustrlen(pRes); /* If we did not receive a template pointer, we are already done... */ -- cgit v1.2.3