From: William Haddon
Newsgroups: gmane.linux.lib.musl.general
Subject: Weird bug in syslog
Date: Tue, 19 Mar 2013 15:32:35 -0400
Message-ID: <1363721555.2099.0@eros>
To: musl@lists.openwall.com
Reply-To: musl@lists.openwall.com
X-Mailer: Balsa 2.4.1

Hi all.

I noticed seg-faults and other weird behavior when using the syslog()
function with large messages. I've attached the simplest test program
that reproduces the problem. I've observed it to break on 0.9.9 on i386
and current git on x86_64. The problem seems to be that although the
syslog function successfully truncates its input to 256 bytes, it
passes the size of the un-truncated form to the sendto() call because
snprintf returns the number of bytes that would be written if
truncation did not occur.

Fixing syslog to check if truncation occurred seems to fix the problem.
I've attached the patch that does this.

William Haddon

Attachment: test3.c

    #include <stdio.h>
    #include <stdlib.h>
    #include <syslog.h>

    #define A 8
    #define B 8

    int main(int argc, char **argv)
    {
    	char *temp;
    	size_t i, j;

    	/* Log progressively longer messages made of 'x' until one is
    	 * longer than syslog's internal buffer. */
    	for (j = A; j < 10000; j += B) {
    		temp = malloc(j+1);
    		if (!temp) return 1;
    		for (i = 0; i < j; i++) temp[i] = 'x';
    		temp[j] = 0;
    		/* pass the message as an argument, not as the format string */
    		syslog(LOG_ERR, "%s", temp);
    		free(temp);
    	}
    	printf("Success\n");
    	return 0;
    }

Attachment: musl-syslog.patch

Report the correct length of the datagram to the kernel to fix strange behavior in the syslog function.

--- musl-0.9.9/src/misc/syslog.c
+++ src/src/misc/syslog.c
@@ -90,9 +90,11 @@
 			priority, timebuf, log_ident ? log_ident : "",
 			"["+!pid, pid, "]"+!pid);
+	if (l > sizeof buf) l = sizeof buf - 1;
 	l2 = vsnprintf(buf+l, sizeof buf - l, message, ap);
 	if (l2 >= 0) {
 		l += l2;
+		if (l > sizeof buf) l = sizeof buf - 1;
 		if (buf[l-1] != '\n') buf[l++] = '\n';
 		sendto(log_fd, buf, l, 0, (void *)&log_addr, 11);
 	}
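Review bot: both added clamps, `if (l > sizeof buf) l = sizeof buf - 1;`, are off by one, because vsnprintf returning exactly `sizeof buf - l` already means the output was truncated (the buffer then holds `sizeof buf - 1` characters plus the NUL). In that case `l` ends up equal to `sizeof buf`, `buf[l-1]` is the terminating NUL rather than a message byte, and `buf[l++] = '\n'` stores one byte past the end of `buf`. Use `>=` in both tests, or check the return value against the remaining space directly, e.g. `if (l2 >= sizeof buf - l) l = sizeof buf - 1; else l += l2;`, so that the newline store and the `sendto(log_fd, buf, l, ...)` length are both guaranteed to stay within the buffer. A one-line comment at the clamp saying that snprintf returns the would-be length, not the bytes written, would also help the next reader understand why the clamp is there.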
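The length mismatch the mail describes, as an added stand-alone example (this is not musl's code and not the reporter's test program): a function that adds up snprintf()/vsnprintf() return values the way the buggy code does, next to a hardened version that clamps with a `>=` test after every formatting step so the returned length can never exceed the buffer. The 16-byte LOG_BUF_SIZE, the `<3>t: ` header and the function names are assumptions chosen so truncation is easy to trigger; the inputs are constructed.

```c
/* Added example, not musl code: a stand-alone model of the length bug the
 * report describes and a hardened version of the same logic.  LOG_BUF_SIZE,
 * the function names and the sample header are assumptions for the demo. */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 16   /* small on purpose so truncation is easy to trigger */

/*
 * Mirrors the buggy flow: the return values of snprintf()/vsnprintf() are
 * added up as if they were bytes written, but they are the length the output
 * WOULD have had without truncation.  Returns what that code would hand to
 * sendto().  The trailing-newline store (buf[l++] = '\n') is deliberately
 * left out: with l > cap it is the out-of-bounds write, so only l is computed.
 * Precondition (true for the demo's short headers): strlen(hdr) < cap.
 */
static size_t naive_len(char *buf, size_t cap, const char *hdr, const char *msg)
{
    size_t l = (size_t)snprintf(buf, cap, "%s", hdr);
    int l2 = snprintf(buf + l, cap - l, "%s", msg);
    if (l2 >= 0)
        l += (size_t)l2;          /* over-counts whenever msg was truncated */
    return l;
}

/*
 * Hardened form.  After every formatting step the length is clamped with a
 * '>=' test: snprintf() returning n >= space means the buffer now holds
 * space-1 characters plus the NUL, so n == space is already a truncation
 * (a '>' test misses that case and lets the newline land one byte past the
 * end).  Guarantees the return value is <= cap and that bytes [0, return)
 * are all initialized, so it is safe to pass to sendto().
 */
static size_t build_line(char *buf, size_t cap, const char *hdr,
                         const char *fmt, ...)
{
    va_list ap;
    int n;
    size_t l;

    if (cap < 2)
        return 0;                          /* need room for a char and '\n' */

    n = snprintf(buf, cap, "%s", hdr);
    if (n < 0)
        return 0;
    l = (size_t)n >= cap ? cap - 1 : (size_t)n;

    va_start(ap, fmt);
    n = vsnprintf(buf + l, cap - l, fmt, ap);
    va_end(ap);
    if (n >= 0)
        l = (size_t)n >= cap - l ? cap - 1 : l + (size_t)n;

    /* l <= cap - 1 here, so appending '\n' can never leave the buffer. */
    if (l == 0 || buf[l - 1] != '\n')
        buf[l++] = '\n';
    return l;
}

/* Wrappers for the demo: format msg behind a fixed 6-byte header into a
 * LOG_BUF_SIZE buffer and report the length each strategy would send. */
static size_t demo_naive(const char *msg)
{ char b[LOG_BUF_SIZE]; return naive_len(b, sizeof b, "<3>t: ", msg); }

static size_t demo_fixed(const char *msg)
{ char b[LOG_BUF_SIZE]; return build_line(b, sizeof b, "<3>t: ", "%s", msg); }

/* 1 if the hardened line fits the buffer and ends in '\n', else 0. */
static int demo_fixed_ends_nl(const char *msg)
{
    char b[LOG_BUF_SIZE];
    size_t l = build_line(b, sizeof b, "<3>t: ", "%s", msg);
    return l > 0 && l <= sizeof b && b[l - 1] == '\n';
}

int main(void)
{
    char buf[LOG_BUF_SIZE];
    char big[40];                          /* constructed oversized message */
    size_t l;

    memset(big, 'x', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    l = naive_len(buf, sizeof buf, "<3>t: ", big);
    printf("naive: would send %zu bytes, buffer holds %zu\n", l, strlen(buf));

    l = build_line(buf, sizeof buf, "<3>t: ", "%s", big);
    printf("fixed: sends %zu bytes: %.*s", l, (int)l, buf);
    return 0;
}
```

The interesting inputs are a message that, with the header, is one byte short of the buffer and one that exactly fills it: the `n >= space` test treats both as "buffer full", drops the last byte if needed, and still appends the newline inside the buffer, whereas a `>` test would only catch the second case one byte too late.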