From: Szabolcs Nagy
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: Weird bug in syslog
Date: Wed, 20 Mar 2013 13:41:26 +0100
Message-ID: <20130320124125.GL19010@port70.net>
In-Reply-To: <1363721555.2099.0@eros>
To: musl@lists.openwall.com
Reply-To: musl@lists.openwall.com
Xref: news.gmane.org gmane.linux.lib.musl.general:2949

* William Haddon [2013-03-19 15:32:35 -0400]:
> I noticed seg-faults and other weird behavior when using the syslog()
> function with large messages. I've attached the simplest test program
> that reproduces the problem. I've observed it to break on 0.9.9 on i386
> and current git on x86_64. The problem seems to be that although the
> syslog function successfully truncates its input to 256 bytes, it
> passes the size of the un-truncated form to the sendto() call because
> snprintf returns the number of bytes that would be written if
> truncation did not occur. Fixing syslog to check if truncation occurred
> seems to fix the problem. I've attached the patch that does this.

I can confirm this.

> Report the correct length of the datagram to the kernel to fix strange behavior
> in the syslog function.
> --- musl-0.9.9/src/misc/syslog.c
> +++ src/src/misc/syslog.c
> @@ -90,9 +90,11 @@
> priority, timebuf,
> log_ident ? log_ident : "",
> "["+!pid, pid, "]"+!pid);
> + if (l > sizeof buf) l = sizeof buf - 1;

l >= sizeof buf

(it is not correct when l<0 but that snprintf cannot fail)

> l2 = vsnprintf(buf+l, sizeof buf - l, message, ap);
> if (l2 >= 0) {
> l += l2;

these are int values, maybe we should care about overflow
(e.g. making l size_t works)

> + if (l > sizeof buf) l = sizeof buf - 1;

l >= sizeof buf

> if (buf[l-1] != '\n') buf[l++] = '\n';
> sendto(log_fd, buf, l, 0, (void *)&log_addr, 11);
> }
>
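Review bot: both added lines in this hunk test `l > sizeof buf`, which leaves the `l == sizeof buf` case unclamped. snprintf()/vsnprintf() return the length the full output would have had, so a return value equal to the buffer size means the buffer holds `sizeof buf - 1` characters plus the terminator; with `>` an `l` of exactly `sizeof buf` reaches `if (buf[l-1] != '\n') buf[l++] = '\n';`, where `buf[l-1]` is the terminator, the newline is written one byte past the end of `buf`, and sendto() is told to send `sizeof buf + 1` bytes. Use `if (l >= sizeof buf) l = sizeof buf - 1;` in both places. A second point for the same two lines: `l` and `l2` are ints compared against `sizeof buf`, a size_t, so the comparison is done unsigned; a negative `l` would pass the check and be used as a negative index into `buf`. The hunk keeps the `if (l2 >= 0)` guard for the vsnprintf() result but shows no corresponding check on `l` before the first clamp. Making `l` a size_t after rejecting negative return values also keeps `l += l2` from overflowing an int.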
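A stand-alone illustration of the point in the report and the review comments above, written for this page and not taken from musl or from the patch: `unclamped_length()` reproduces the length the unpatched code would hand to sendto() (the raw *printf return values), `clamp_gt()` and `clamp_ge()` compare the two clamp conditions at the boundary, and `format_datagram()` is a hardened version of the same sequence with `>=` clamps, error checks on every return value and a size_t length. The header format (`<pri>ident[pid]: `, no timestamp) and all names are assumptions made for the example, not musl's code.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Buffer size used by syslog() in the report above. */
#define LOG_BUF 256

/*
 * Length of the datagram the unpatched code would hand to sendto():
 * the raw snprintf() + vsnprintf() return values, i.e. the length the
 * output WOULD have had without truncation. Computed with size-0
 * snprintf() calls so nothing is written anywhere.
 */
static size_t unclamped_length(int priority, const char *ident, int pid,
                               const char *msg)
{
    int n1 = snprintf(NULL, 0, "<%d>%s[%d]: ", priority, ident, pid);
    int n2 = snprintf(NULL, 0, "%s", msg);
    return (n1 < 0 || n2 < 0) ? 0 : (size_t)n1 + (size_t)n2;
}

/*
 * The clamp from the patch, both ways. A *printf return value equal to
 * bufsz means bufsz-1 characters plus the terminator were stored, so the
 * offset of the next byte to write is bufsz-1, not bufsz: only the >=
 * form keeps the later buf[l-1] / buf[l++] accesses inside the buffer.
 */
static size_t clamp_gt(size_t l, size_t bufsz) { return l > bufsz ? bufsz - 1 : l; }
static size_t clamp_ge(size_t l, size_t bufsz) { return l >= bufsz ? bufsz - 1 : l; }

/*
 * Hardened formatter (assumed header layout, simplified from musl's: no
 * timestamp). Builds "<pri>ident[pid]: msg\n" into buf and returns the
 * byte count to pass to sendto(). Every *printf return value is checked
 * for error and clamped with >= before it becomes an offset or a length;
 * l is size_t so l += n cannot overflow a signed int.
 */
static size_t format_datagram(char *buf, size_t bufsz, int priority,
                              const char *ident, int pid, const char *fmt, ...)
{
    va_list ap;
    size_t l;
    int n;

    if (bufsz < 2) return 0;

    n = snprintf(buf, bufsz, "<%d>%s[%d]: ", priority, ident, pid);
    if (n < 0) return 0;                        /* encoding error: send nothing */
    l = clamp_ge((size_t)n, bufsz);             /* at most bufsz-1 chars landed */

    va_start(ap, fmt);
    n = vsnprintf(buf + l, bufsz - l, fmt, ap); /* bufsz - l >= 1 here */
    va_end(ap);
    if (n < 0) return 0;
    l = clamp_ge(l + (size_t)n, bufsz);

    /* l <= bufsz-1 here, so buf[l] is the last byte of the buffer. */
    if (l == 0 || buf[l - 1] != '\n') buf[l++] = '\n';
    return l;                                   /* <= bufsz */
}

int main(void)
{
    char buf[LOG_BUF];
    char big[600];                              /* constructed input: 599 'A's */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("unpatched length: %zu (buffer is %d bytes)\n",
           unclamped_length(13, "test", 1234, big), LOG_BUF);
    printf("clamped length:   %zu\n",
           format_datagram(buf, sizeof buf, 13, "test", 1234, "%s", big));
    return 0;
}
```

Run as-is: for the 599-byte message the unpatched computation reports 615 bytes for a 256-byte buffer, which is the length the report above describes sendto() receiving, while the hardened path returns exactly 256 with the newline as the last byte. The boundary case the review comments point at is a message that makes the total come to exactly 256: `clamp_gt(256, 256)` leaves the offset at 256, one past the end, while `clamp_ge(256, 256)` yields 255.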